CN103152352A - Perfect information security and forensics monitoring method and system based on cloud computing environment - Google Patents


Info

Publication number: CN103152352A
Authority: CN (China)
Prior art keywords: module, node, analysis, data, monitoring
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2013100842359A
Other languages: Chinese (zh)
Other versions: CN103152352B (en)
Inventors: 刘刚, 侯宾
Current assignee: Beijing University of Posts and Telecommunications (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201310084235.9A (the priority date is an assumption and is not a legal conclusion)
Publication of CN103152352A
Application granted
Publication of CN103152352B
Current legal status: Expired - Fee Related

Abstract

The invention discloses a perfect information security and forensics monitoring method and system based on a cloud computing environment, which are used for arranging an entire distributive-type network on the basis of cloud computing. The system comprises a monitoring node, a convergence node and a monitoring center and configures parameters; the monitoring node captures a data packet in a network exchange device to acquire original data which is temporarily stored and analyzed in real time, and the original data and the analysis result obtained through the real-time analysis are uploaded to the convergence node according to a control command; the convergence node compresses, converts and caches the original data and the analysis result is uploaded to the monitoring center; and the monitoring center gathers, cloud stores and analyzes the data received from the convergence node to form a monitoring report, and a security strategy is obtained according to the monitoring report. A flexible arrangement scheme is provided according to real network topological requirement and the capacity of the network so as to realize intranet expansion, and relevant inquiry and operation are conducted through the monitoring center, so that the control of the computer network security strategy can be flexibly and globally realized.

Description

Perfect information security forensics monitoring method and system based on a cloud computing environment
Technical field
The present invention relates to the field of network security technology, and in particular to a perfect information security forensics monitoring method and system based on a cloud computing environment.
Background technology
With the rapid development of Internet technology, in particular World Wide Web (WWW) technology, the Internet is applied in more and more industries. Human activities have moved onto the Internet one after another, forming applications represented by e-government, e-commerce, electronic banking and electronic instruction, and making use of the Internet a daily habit. In this process, network security problems have gradually drawn public attention and, with the continual emergence of security incidents, have become a hot issue.
At present the main network security problems are hacking, malicious code (malware, including Trojan horses, worms and spyware), rogue software (adware), network fraud (phishing attacks) and network attacks (including DDoS and botnets).
For these problems, network security defence has proposed corresponding solutions. Security threats are increasingly complex and varied, and attack means increasingly comprehensive. Many combined security attacks merge multiple means such as worms, Trojans and spyware, so conventional security solutions typified by a single firewall can no longer prove effective. Purchasing, deploying and managing multiple independent protective measures such as anti-phishing, anti-worm and IPS (Intrusion Prevention System) equipment often costs an enterprise a great deal of money and manpower and requires professional network management knowledge, bringing the enterprise huge maintenance costs.
Network monitoring can monitor the network state in a corporate intranet in real time and judge internal intrusions or attacks promptly, thereby raising the enterprise's network security level. As a relatively mature technology, network monitoring plays an irreplaceable role in monitoring transmitted data and eliminating network faults, and has therefore always been favoured by network administrators.
There are few kinds of network monitoring or packet capture devices on the market. Some focus on improving capture speed and have made many improvements in that respect; some emphasise the accuracy of the captured packets and have done much work on filtering received data; others are devoted to solving the prior-art problem that listening targets cannot be located in real time, and to reducing inaccuracy in the monitored content. Current mainstream network monitoring devices all operate in isolation and lack unified planning and cooperation between devices, so they fall short of large-storage and high-performance demands. When facing large data and concentrated monitoring of multiple servers, traditional monitoring devices therefore cannot adapt well.
With the development of networks, the services a network provides keep growing, so the hosts providing services and applications on the network also keep growing, and the resulting system maintenance becomes ever more complex. Enterprise operations depend more and more on IT systems and users demand more and more of network services, so a service fault or interruption brings user complaints and damages the reputation and image of the government or enterprise. Yet system faults and interruptions can hardly be avoided; finding the fault in the shortest time is the first step to recovering the loss and solving the problem, so host management and a network management assistant are indispensable. A network monitoring system is therefore needed to help the network administrator understand the operating state of the whole network system at any time and place, thereby ensuring network security.
Cloud computing is an Internet-based mode of computing in which shared software and hardware resources and information can be provided on demand to computers and other devices. It describes a new Internet-based mode of IT service growth, use and delivery, providing dynamically and easily expanded, virtualised resources through the Internet. In general cloud computing comprises the following service levels: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Existing network monitoring tools are mainly studied for single-point monitoring; large-scale network environments with many services have been studied less. They ignore that the server clusters of present enterprises and governments keep growing, network topologies spread ever wider and demands on network speed are ever higher, so single-point monitoring and low-speed monitoring devices are increasingly unsuited to the development needs of enterprises and society. In addition, the emerging computation mode of cloud computing is a dark horse in the IT industry and the product income it drives is growing geometrically; as a product of the IT field, monitoring technology should also keep up with the times by combining with cloud computing, making full use of its advantages to improve the performance of monitoring products.
Summary of the invention
(1) Technical problem to be solved
In view of the above defects, the technical problem to be solved by the present invention is how to use analysis and storage in a cloud computing environment to achieve efficient and fast multi-node global network monitoring.
(2) Technical scheme
To solve the above problem, the invention provides a perfect information security forensics monitoring method based on a cloud computing environment, which specifically comprises the following steps:
S1: deploying the whole distributed network on the basis of cloud computing, comprising monitoring nodes, aggregation nodes and a monitoring center, and configuring parameters;
S2: the monitoring node captures packets in the network switching equipment to obtain raw data, temporarily stores the raw data and analyses it in real time, and, according to a control command, uploads the raw data and the analysis result obtained by real-time analysis to the aggregation node;
S3: the aggregation node compresses, converts and caches the raw data and the analysis result, and uploads them to the monitoring center;
S4: the monitoring center gathers, cloud-stores and analyses the data received from the aggregation node, forms a monitoring report, and derives a security strategy from the monitoring report.
Further, in step S1, deploying the whole distributed network on the basis of cloud computing specifically means deploying by network segment: the whole network is divided into a plurality of network segments, and a plurality of monitoring nodes are set in each segment;
the network interface of the monitoring node operates in promiscuous mode and captures the packets in its segment by asynchronous packet capture;
the monitoring center comprises a plurality of aggregation nodes; an aggregation node subordinate to the monitoring center registers with it and obtains the configuration information for aggregation nodes issued by the monitoring center;
the aggregation node comprises a plurality of monitoring nodes; a monitoring node belonging to the aggregation node registers with it; after receiving a monitoring node's registration, the aggregation node feeds back the address information of each registered monitoring node to the monitoring center and obtains the configuration information for monitoring nodes issued by the monitoring center.
Further, in step S2, temporarily storing the raw data specifically comprises: judging whether the capacity of the storage space has reached the capacity threshold; if so, sending a reminder or automatically deleting the raw data with the earliest storage time; otherwise storing cyclically.
Further, in step S2, real-time analysis of the raw data specifically comprises: traffic analysis, protocol analysis, alert analysis and query analysis.
Further, the raw data uploaded to the aggregation node in step S2 is exactly the data temporarily stored at the monitoring node, and the analysis result uploaded to the aggregation node is likewise uploaded from temporary storage.
Further, in step S3 the aggregation node compresses and converts the received data, then performs unified data-format processing, caches the processed data and uploads the cached data to the monitoring center; when the storage and parsing speed of the monitoring center is lower than the capture speed of the monitoring node, the aggregation node caches the data locally and stores the cached data into the database only when the network is idle.
Further, in step S4, when the data is cloud-stored, access rights are set to forbid unauthorised access or modification;
analysis of the data specifically comprises real-time query and accurate analysis of the data.
To solve the above technical problem, the present invention also provides a perfect information security forensics monitoring system based on cloud computing, comprising: monitoring nodes, aggregation nodes and a monitoring center;
the monitoring node comprises a packet capture module, a temporary storage module, a real-time analysis module and a policy module;
the aggregation node comprises a monitoring management module, an upstream data processing module, a downstream policy processing module and a system configuration module;
the monitoring center comprises an analysis and retrieval module, a cloud storage module, a policy development module, a report export module, a notification and reporting module and a parameter configuration module;
the system also comprises a communication module for communication between the monitoring node and the aggregation node, between the aggregation node and the monitoring center, and between the monitoring center and the cloud computing platform.
Further, the packet capture module captures network packets in the network switching equipment to obtain raw data;
the temporary storage module temporarily stores the raw data and the analysis result produced by the real-time analysis module;
the real-time analysis module analyses the raw data in real time to obtain the analysis result;
the policy module receives the configuration information forwarded by the aggregation node, implements the corresponding policy and controls the behaviour of the other modules.
Further, the temporary storage module specifically comprises a judgement module, a cyclic storage module and a removal module;
the judgement module judges whether the capacity of the storage space has reached the capacity threshold; if so, control passes to the notification and reporting module or the removal module, otherwise to the cyclic storage module;
the removal module deletes raw data according to the control command sent by the notification and reporting module, or automatically deletes the raw data with the earliest storage time;
the cyclic storage module stores the raw data and records its storage time.
Further, the real-time analysis module specifically comprises a traffic analysis submodule, a protocol analysis submodule, an alert analysis submodule and a query analysis submodule;
the traffic analysis submodule analyses the size of the captured packets and calculates the traffic volume;
the protocol analysis submodule analyses the protocol type of the captured packets and identifies packets whose protocol type does not meet the protocol rules;
the alert analysis submodule analyses traffic, protocol and content according to the remotely configured policy, and raises, records and reports an alarm if an alarm rule is met;
the query analysis submodule queries according to the control command issued by the monitoring center and exports the qualifying data to a designated address.
Further, the monitoring management module receives the registrations of monitoring nodes with the aggregation node and receives the heartbeat messages of the monitoring nodes; when no heartbeat message is received for a period of time, it reports the abnormal state of that monitoring node to the monitoring center and requests updated configuration information;
the upstream data processing module compresses and converts the raw data and analysis results uploaded by the monitoring nodes, then performs unified data-format processing, caches the processed data and uploads the cached data to the monitoring center;
the downstream policy processing module resolves the destination address of the policies and control commands issued by the monitoring center and forwards them to the corresponding monitoring node at that address;
the system configuration module receives configuration information from the monitoring center, forwards the configuration information intended for monitoring nodes to the corresponding monitoring node, and reports its own state information to the monitoring center.
Further, the cloud storage module gathers the data received from the aggregation node, saves it to the database and sets access rights to forbid unauthorised access or modification;
the analysis and retrieval module performs real-time query and accurate analysis of the data;
the policy development module formulates, according to the analysis result, the packet capture policy, storage policy and analysis policy of the monitoring node, the aggregation node and the monitoring center;
the report export module integrates the data and analysis results uploaded by the monitoring node and the aggregation node into a report and exports it;
the notification and reporting module gives prompts when the system fails or raises an alarm;
the parameter configuration module configures the parameters of the system, including setting the network interface of the monitoring node to promiscuous mode, setting packet capture to asynchronous capture mode, and setting the capacity threshold of the storage space used when the monitoring node temporarily stores data.
(3) Beneficial effects
The invention provides a perfect information security forensics monitoring method and system based on a cloud computing environment, aimed mainly at enterprise-class users, providing them with a multi-node, centrally managed distributed monitoring scheme for perfect information security forensics under a cloud computing environment. Using cloud storage technology it has large capacity, high performance, high availability and efficient management, and realises file storage, time synchronisation and real-time comprehensive backup, supporting distributed storage and network storage. The invention ensures that the monitoring scheme proceeds from the overall situation and realises functions such as unified management and multi-angle analysis of the network security state. A flexible deployment scheme is provided according to the actual network topology; deployment is adapted to network scale and demand to realise intranet expansion, and relevant queries and operations are performed through the control centre, so that computer network security policy can be controlled flexibly and globally.
Description of drawings
Fig. 1 is a flow chart of the steps of a perfect information security forensics monitoring method based on a cloud computing environment in embodiment one of the present invention;
Fig. 2 is an implementation flow diagram of a perfect information security forensics monitoring method based on a cloud computing environment in embodiment one of the present invention;
Fig. 3 is a system architecture diagram of a perfect information security forensics monitoring system based on a cloud computing environment in embodiment two of the present invention;
Fig. 4 is a module architecture diagram of the monitoring node in embodiment two of the present invention;
Fig. 5 is a schematic diagram of the composition of the temporary storage module in embodiment two of the present invention;
Fig. 6 is a module architecture diagram of the aggregation node in embodiment two of the present invention;
Fig. 7 is a module architecture diagram of the monitoring center in embodiment two of the present invention.
Embodiments
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the present invention but do not limit its scope.
Embodiment one
Embodiment one of the present invention provides a perfect information security forensics monitoring method based on a cloud computing environment; as shown in Fig. 1, the steps specifically comprise:
Step S1: deploy the whole distributed network on the basis of cloud computing, comprising monitoring nodes, aggregation nodes and a monitoring center, and configure parameters.
Specifically, deploying the whole distributed network on the basis of cloud computing means deploying by network segment: the whole network is divided into a plurality of network segments, and a plurality of monitoring nodes are set in each segment. The monitoring center comprises a plurality of aggregation nodes; after the monitoring center starts it waits for aggregation nodes to contact it, and each aggregation node subordinate to the monitoring center registers with it and obtains the configuration information for aggregation nodes issued by the monitoring center. The aggregation node comprises a plurality of monitoring nodes; after the aggregation node starts, the monitoring nodes belonging to it register with it. After receiving a monitoring node's registration, the aggregation node stores the address information of each subordinate monitoring node, feeds back the address information of each registered monitoring node to the monitoring center, obtains the configuration information for monitoring nodes issued by the monitoring center, and queries the monitoring center for updates; if there is an update, it is forwarded promptly to the corresponding monitoring node.
In hardware configuration, the monitoring node is required to have two or more network cards: one is set to promiscuous mode and is responsible for network monitoring and packet capture; the other is responsible for uploading data to the aggregation node and receiving the remote configuration information issued by the monitoring center. When a computer network card operates in non-promiscuous mode, it accepts only data whose destination address is the card's own address, or broadcast data; for frames addressed elsewhere, when the interface checks the destination address and finds it is not the local machine's address, it discards them without exception. In this embodiment the network interface of the monitoring node is set to promiscuous mode, so the monitoring node can capture all network data messages in the segment it monitors, and each monitoring node uploads the captured data messages to the aggregation node.
In addition, this embodiment adopts an asynchronous packet capture mode: packets under high-speed data transmission are captured and saved in a unified file format, then temporarily stored in a local storage area after preliminary analysis. Packet capture is decoupled from storage, which improves capture speed; when the storage and parsing speed cannot keep up with the capture speed, the system automatically caches the captured packets at the aggregation node. When the capacity of the buffer area is insufficient to store a packet, the packet is discarded automatically.
In the internal network of an enterprise or institution, in the mode based on a cloud computing environment, a monitoring node is connected by network cable to the network switching equipment of the monitored segment and has an independent power supply scheme; with promiscuous mode set through the network switching equipment, the monitoring device can listen to all network data messages passing through that switching equipment. All monitoring devices are connected by network cable to the aggregation device, and the aggregation device is linked by network cable to the monitoring center to form the network management network. Deploying by network segment achieves comprehensive internal network monitoring and ensures intranet security.
Step S2: the monitoring node captures packets in the network switching equipment to obtain raw data, temporarily stores the raw data and analyses it in real time, and, according to a control command, uploads the raw data and the analysis result obtained by real-time analysis to the aggregation node.
What is temporarily stored in this step is not only the raw data but also the analysis result obtained by real-time analysis, and both are uploaded to the aggregation node.
Specifically, temporarily storing the raw data or analysis result comprises: judging whether the capacity of the storage space has reached the capacity threshold; if so, either the monitoring center sends a reminder that storage space is insufficient, so that the user can handle it by deleting data or suspending network monitoring, or the raw data with the earliest storage time is deleted automatically; otherwise storage is cyclic. The capacity threshold is set in the parameter settings. Because the storage time of each piece of data is recorded when parsed data is saved to the storage area, the data with the earliest storage time can be deleted when the capacity threshold is exceeded.
Real-time analysis of the raw data specifically comprises traffic analysis, protocol analysis, alert analysis and query analysis. It emphasises analysing real-time information about the current traffic; it does not represent the global network information, nor can it run complex analysis programs for operations such as data mining.
Traffic analysis: by analysing the captured packets, the size of each packet can be obtained, and the traffic volume is then obtained by database statistics. The purpose of traffic analysis is to analyse the distribution of traffic within the monitored network; by analysing the traffic system in the network, predictions about the network can be made flexibly, which also safeguards the effective operation of the system itself.
Protocol analysis: by analysing the captured packets, the protocol type of each packet can be parsed; every kind of packet has its own unique protocol type field and content field. Judging the packet protocol allows effective security monitoring of the data transmitted in the network; when packets that do not meet the protocol rules are found, the security of the system can be judged and safeguarded effectively.
Alert analysis: according to the remotely configured policy, while traffic, protocol and content are analysed, if the data is found to match the alarm policy in the configuration information, an alarm is recorded and reported.
Query analysis: according to the control command issued by the monitoring center and manual operation instructions, the qualifying temporarily stored information (raw traffic data) is exported to a designated address (via a network interface, web interface or file interface).
The monitoring node is also responsible for receiving the configuration information issued to it (forwarded by the aggregation node) and implementing the corresponding policy to control behaviour, i.e. controlling the behaviour of the other modules. The main functions are:
System configuration information: such as system name, secure password, network address and storage location, and heartbeat;
Packet capture and storage rules: which kinds of packet to store and which kinds to discard;
Analysis rules: such as the granularity of data analysis, protocol content and keywords;
Alarm rules: in which situations to alarm and which behaviour to trigger on alarm, as well as data upload rules and data export rules.
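The following is an added example, not code from the patent, illustrating step S2 on a monitoring node: a cyclic temporary store with a capacity threshold (reminder or delete-earliest), and the four real-time analyses run over constructed packets. The packet tuples, the allowed-protocol rule and the alarm rules are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample packets, not captured traffic:
# (timestamp, protocol, source, destination, size_in_bytes, payload)
SAMPLE_PACKETS = [
    (1.0, "TCP", "10.0.0.5", "10.0.0.9", 1500, b"GET /index.html"),
    (1.1, "UDP", "10.0.0.5", "10.0.0.53", 80, b"dns query"),
    (1.2, "TCP", "10.0.0.7", "10.0.0.9", 1200, b"POST /login password=x"),
    (1.3, "ICMP", "10.0.0.8", "10.0.0.9", 64, b""),
    (1.4, "GRE", "10.0.0.8", "10.0.0.9", 500, b"tunnel"),
    (1.5, "TCP", "10.0.0.5", "10.0.0.9", 1500, b"GET /a"),
]

# Constructed protocol rule and alarm rules standing in for the remotely configured policy.
ALLOWED_PROTOCOLS = {"TCP", "UDP", "ICMP"}
ALERT_RULES = [
    ("large_tcp_packet", lambda p: p[1] == "TCP" and p[4] >= 1500),
    ("keyword_password", lambda p: b"password" in p[5]),
]


@dataclass
class StoreEntry:
    stored_at: float  # storage time, recorded so the earliest entry can be found
    packet: tuple


class TemporaryStore:
    """Cyclic temporary store with a capacity threshold (step S2).

    When the threshold is reached the store either records a reminder (so an
    operator can delete data or suspend monitoring) or deletes the entry with
    the earliest storage time; below the threshold it simply keeps storing.
    """

    def __init__(self, capacity_threshold, auto_delete=True):
        self.capacity_threshold = capacity_threshold
        self.auto_delete = auto_delete
        self.entries = []
        self.reminders = []

    def put(self, packet, now):
        if len(self.entries) >= self.capacity_threshold:
            if not self.auto_delete:
                self.reminders.append((now, "storage space insufficient"))
                return False
            earliest = min(range(len(self.entries)),
                           key=lambda i: self.entries[i].stored_at)
            del self.entries[earliest]
        self.entries.append(StoreEntry(now, packet))
        return True


def flow_analysis(packets):
    """Traffic analysis: total bytes per protocol from the captured packet sizes."""
    totals = Counter()
    for _, proto, _, _, size, _ in packets:
        totals[proto] += size
    return dict(totals)


def protocol_analysis(packets, allowed=ALLOWED_PROTOCOLS):
    """Protocol analysis: packets whose protocol type violates the protocol rule."""
    return [p for p in packets if p[1] not in allowed]


def alert_analysis(packets, rules=ALERT_RULES):
    """Alert analysis: (rule name, packet timestamp) for every matching alarm rule."""
    return [(name, p[0]) for p in packets for name, match in rules if match(p)]


def query_analysis(packets, proto=None, src=None):
    """Query analysis: stored records matching the filters of a control command."""
    return [p for p in packets
            if (proto is None or p[1] == proto) and (src is None or p[2] == src)]


def run_monitor_node(packets, capacity_threshold=4):
    """Temporarily store each packet, then run the four real-time analyses."""
    store = TemporaryStore(capacity_threshold)
    for p in packets:
        store.put(p, now=p[0])
    return {
        "flow": flow_analysis(packets),
        "protocol_violations": protocol_analysis(packets),
        "alerts": alert_analysis(packets),
        "stored": [e.packet for e in store.entries],
    }
```

With a threshold of 4 the store keeps only the four most recently stored packets, which is what an analyst should expect to find on the node after a reminder was ignored.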
Step S3: the aggregation node compresses, converts and caches the raw data and the analysis result, and uploads them to the monitoring center.
The main function of the aggregation node is hierarchical control of the network: it reduces the overhead of locating and managing equipment and reduces the overhead of data reporting and policy distribution. The data sent by the monitoring nodes is assembled (compressed and converted) and processed into a unified data format for convenient later storage and parsing (after upload to the monitoring center). To improve the reliability and validity of the system, a cache is also provided at the aggregation node. The aggregation node compresses and converts the received data, performs unified data-format processing, caches the processed data and uploads the cached data to the monitoring center; when the storage and parsing speed of the monitoring center is lower than the capture speed of the monitoring nodes, the aggregation node caches the data locally and stores the cached data into the database only when the network is idle. When the capacity of the buffer area is insufficient to store a packet, the packet is discarded automatically.
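An added example (not the patent's code) of the step S3 aggregation behaviour: records are converted to one unified format, compressed, cached while the center accepts fewer uploads per tick than arrive, drained when the network is idle, and discarded when the cache is full. The tuple layout, the JSON/zlib encoding and the tick-based simulation are assumptions for the example.

```python
import json
import zlib
from collections import deque

# Constructed records from a monitoring node, same tuple layout as the raw data:
# (timestamp, protocol, source, destination, size_in_bytes, payload)
SAMPLE_BATCH = [
    (2.0, "TCP", "10.0.0.5", "10.0.0.9", 1500, b"GET /index.html"),
    (2.1, "UDP", "10.0.0.5", "10.0.0.53", 80, b"dns query"),
]


class MonitoringCenter:
    """Stand-in for the monitoring center: decompresses each blob and stores its records."""

    def __init__(self):
        self.records = []

    def store(self, blob):
        self.records.extend(json.loads(zlib.decompress(blob).decode()))


class AggregationNode:
    """Aggregation node (step S3): converts records to a unified format,
    compresses them, caches locally while the center is slower than the
    capture rate, and discards a batch automatically when the cache is full."""

    def __init__(self, cache_capacity):
        self.cache_capacity = cache_capacity
        self.cache = deque()
        self.dropped = 0
        self.received = 0

    @staticmethod
    def unify(node_id, record):
        """Unified data format: one JSON-serialisable dict per packet, tagged with its node."""
        ts, proto, src, dst, size, payload = record
        return {"node": node_id, "ts": ts, "proto": proto, "src": src,
                "dst": dst, "bytes": size, "payload_len": len(payload)}

    def receive(self, node_id, records):
        """Compress and convert one upload from a monitoring node, then cache it."""
        self.received += 1
        batch = [self.unify(node_id, r) for r in records]
        blob = zlib.compress(json.dumps(batch, sort_keys=True).encode())
        if len(self.cache) >= self.cache_capacity:
            self.dropped += 1  # buffer area full: discard automatically
            return False
        self.cache.append(blob)
        return True

    def flush(self, center, budget):
        """Upload at most `budget` cached blobs, the center's accept rate for this tick."""
        sent = 0
        while self.cache and sent < budget:
            center.store(self.cache.popleft())
            sent += 1
        return sent


def simulate(ticks=4, batches_per_tick=3, center_rate=1, cache_capacity=4):
    """Capture rate above the center's rate for `ticks` ticks, then an idle period
    in which the cache drains. Returns (delivered blobs, dropped blobs, records at center)."""
    node = AggregationNode(cache_capacity)
    center = MonitoringCenter()
    delivered = 0
    for _ in range(ticks):
        for _ in range(batches_per_tick):
            node.receive("mon-1", SAMPLE_BATCH)
        delivered += node.flush(center, center_rate)
    delivered += node.flush(center, budget=len(node.cache))  # network idle: drain
    return delivered, node.dropped, len(center.records)
```

The drop counter is the figure worth exporting to the center: with a cache of 4 and a 3:1 rate mismatch, 5 of 12 uploads are lost, and a forensics report built from the center's records silently lacks them.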
Step S4: the monitoring center gathers, cloud-stores and analyses the data received from the aggregation node, forms a monitoring report, and derives a security strategy from the monitoring report.
Cloud storage is the distributed storage of the files obtained by parsing the captured packets and of the files saved to the database after real-time analysis. The parsed data files are saved in the distributed file system HDFS of an open-source cloud computing platform, or in another similar system.
When the data is cloud-stored, access rights are set to forbid unauthorised access or modification, and a "write once, read many" storage policy is adopted: once data is written it cannot be modified and can only be read, to meet demands such as forensics and auditing.
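An added example (not the patent's code) of the step S4 storage policy: a write-once-read-many evidence store in which rights are checked per principal, modification and deletion are refused for everyone, and each record's hash chains to the previous one so that an auditor can detect alteration of stored evidence. The ACL, principals and records are constructed for the example.

```python
import hashlib
import json


class AccessDenied(PermissionError):
    """Raised for any operation the principal's rights or the write-once policy forbid."""


class WormEvidenceStore:
    """Write-once-read-many evidence store with access rights (step S4).

    Principals may only perform the rights listed for them; modification and
    deletion are refused for everyone. Each record's hash chains to the previous
    record so that any alteration of stored evidence is detectable on audit.
    """

    GENESIS = "0" * 64

    def __init__(self, acl):
        self.acl = acl  # principal -> set of rights, e.g. {"read"}
        self.records = []

    def _require(self, principal, right):
        if right not in self.acl.get(principal, set()):
            raise AccessDenied(f"{principal!r} lacks the {right!r} right")

    def write(self, principal, record):
        """Append a record; returns its chained SHA-256 hash."""
        self._require(principal, "write")
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"seq": len(self.records), "prev": prev,
                             "body": body, "hash": digest})
        return digest

    def read(self, principal, seq):
        self._require(principal, "read")
        return json.loads(self.records[seq]["body"])

    def query(self, principal, **filters):
        """Real-time query: all records whose fields equal the given filters."""
        self._require(principal, "read")
        hits = []
        for r in self.records:
            rec = json.loads(r["body"])
            if all(rec.get(k) == v for k, v in filters.items()):
                hits.append(rec)
        return hits

    def modify(self, principal, seq, record):
        raise AccessDenied("write-once store: records cannot be modified")

    def delete(self, principal, seq):
        raise AccessDenied("write-once store: records cannot be deleted")

    def verify_chain(self):
        """Audit check: every record's hash and back-link must still match."""
        prev = self.GENESIS
        for i, r in enumerate(self.records):
            expected = hashlib.sha256((prev + r["body"]).encode()).hexdigest()
            if r["seq"] != i or r["prev"] != prev or r["hash"] != expected:
                return False
            prev = r["hash"]
        return True


def denied(action, *args):
    """True if the action is refused with AccessDenied."""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False


def demo():
    """Constructed ACL and records; shows rights enforcement and tamper detection."""
    store = WormEvidenceStore({"aggregator": {"write"}, "auditor": {"read"}})
    store.write("aggregator", {"ts": 1.0, "proto": "TCP", "src": "10.0.0.5", "bytes": 1500})
    store.write("aggregator", {"ts": 1.4, "proto": "GRE", "src": "10.0.0.8", "bytes": 500})
    result = {
        "valid": store.verify_chain(),
        "gre_hits": len(store.query("auditor", proto="GRE")),
        "writer_cannot_read": denied(store.read, "aggregator", 0),
        "nobody_can_modify": denied(store.modify, "auditor", 1, {}),
    }
    # Simulated tampering with the underlying storage, bypassing the API.
    store.records[1]["body"] = store.records[1]["body"].replace("GRE", "ICMP")
    result["valid_after_tamper"] = store.verify_chain()
    return result
```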
Analysis of the data specifically comprises real-time query and accurate analysis, covering data convergence and complex analyses such as data mining and prediction; it emphasises performing specific computations on massive data to obtain the computed results. Open-source distributed processing technologies such as HBase and MapReduce are used to realise real-time query and accurate analysis of massive data.
The control centre integrates the data messages and analysis results in the monitoring nodes and aggregation nodes into reports; a report can be browsed by the administrator in the web interface as an HTML file, or selectively exported as a PDF document for review.
The monitoring center can also perform corresponding control operations on the system's analysis results according to the management policy formulated by the administrator; operational commands are presented to the administrator as XML (Extensible Markup Language) documents. Policy customisation covers the packet capture policies, storage policies and analysis policies of the monitoring nodes, the aggregation nodes and the monitoring center itself; after the administrator customises a policy it is issued to each target device, which then operates accordingly.
Following the above step flow, the implementation flow of the method of the present invention is as shown in Fig. 2.
Through the above method, a multi-node, centrally managed distributed monitoring scheme for perfect information security forensics under a cloud computing environment is provided. Using cloud storage technology it has large capacity, high performance, high availability and efficient management, and realises file storage, time synchronisation and real-time comprehensive backup, supporting distributed storage and network storage. The invention ensures that the monitoring scheme proceeds from the overall situation and realises functions such as unified management and multi-angle analysis of the network security state. A flexible deployment scheme is provided according to the actual network topology; deployment is adapted to network scale and demand to realise intranet expansion, and relevant queries and operations are performed through the control centre, so that computer network security policy can be controlled flexibly and globally.
Embodiment two
Embodiment two of the present invention also provides a perfect information security forensics monitoring system based on a cloud computing environment. As shown in Figure 3, the system architecture specifically comprises:
a monitoring node, an aggregation node and a monitoring center.
The system also comprises a communication module, used for communication between the monitoring node and the aggregation node, between the aggregation node and the monitoring center, and between the monitoring center and the cloud computing platform. The communication protocol adopts the widely used TCP/IP protocol, and socket programming is used to realize communication and time synchronization between the monitoring center, the monitoring nodes and the aggregation nodes.
The administrator can control and monitor the whole network monitoring environment through the monitoring center, and can also control the aggregation nodes and monitoring nodes under it through the monitoring center, including starting or stopping a monitoring node or aggregation node, and configuring the capture rules, analysis rules and temporary-storage rules of the monitoring nodes, aggregation nodes and the monitoring center itself.
The module architecture of the monitoring node is shown in Figure 4 and specifically comprises: packet capture module 11, temporary storage module 12, real-time analysis module 13 and policy module 14.
In terms of hardware configuration, the monitoring node is required to have two or more network interface cards: one is set to promiscuous mode and is responsible for network monitoring and packet capture; the other is responsible for uploading data to the aggregation node and receiving the remote configuration information issued by the monitoring center.
Packet capture module 11 is used to capture network packets in the network switching equipment to obtain raw data. Packet capture module 11 is the basis of the monitoring node, since all network security monitoring is performed on captured network packets; the monitoring node uses packet capture module 11 to capture the packets passing through the network switching equipment and thereby obtain security data information.
With the network interface card in promiscuous mode, the monitoring node can capture all network data packets on the network segment it monitors, and each monitoring node uploads the captured data packets to the aggregation node. Packet capture module 11 adopts an asynchronous capture mode: packets arriving under high-speed data transfer are captured and saved in a unified file format, then stored in the local storage area after preliminary analysis. Capture and storage are decoupled, which improves capture speed; when storage and parsing speed cannot keep up with capture speed, the system automatically buffers the captured packets. When the buffer capacity is insufficient to store further packets, packets are discarded automatically.
Temporary storage module 12 is used to temporarily store the raw data and the analysis results produced by the real-time analysis module.
This system adopts a combination of distributed storage and centralized storage. The monitoring node can temporarily store and analyze the captured data, and according to policy upload part of the data and the analysis results to the aggregation node, which finally uploads them to the monitoring center for permanent storage. The difference between the two kinds of storage is: temporary storage module 12 of the monitoring node stores the original captured data (and the results of real-time analysis), which is distributed storage; cloud storage module 32 of the monitoring center re-analyzes the data collated and uploaded by the aggregation nodes and stores the analyzed data, which is centralized storage.
A capacity threshold is set in the temporary storage system. When the used capacity of the storage space reaches the threshold, the monitoring center warns the client that storage space is insufficient, and the user can respond by deleting data or suspending network monitoring. If the client fails to take corresponding measures, the storage system automatically deletes a certain amount of data in date order. The capacity threshold of the storage system can be set by the administrator through the monitoring center, and the deletion process is completed automatically, ensuring the consistency of the device workflow.
The composition of temporary storage module 12 is shown in Figure 5 and specifically comprises judgement module 121, circular storage module 122 and removal module 123.
Judgement module 121 is used to judge whether the used capacity of the storage space has reached the capacity threshold; if so, control passes to the notification reporting module or removal module 123, otherwise to circular storage module 122.
Removal module 123 is used to delete data according to the control command sent by notification reporting module 35, or to automatically delete the raw data with the earliest storage time;
Circular storage module 122 is used to store the raw data and record its storage time.
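The threshold, warning and oldest-first deletion behaviour of temporary storage module 12 (judgement 121, circular storage 122, removal 123), as an added example that is not the patent's own code. Capacity is counted in bytes, the 90% threshold ratio and the sample packets are constructed assumptions.

```python
"""Added example: a simulation of temporary storage module 12 with the judgement (121),
circular storage (122) and removal (123) behaviours. Not the patent's code; the byte
capacity, threshold ratio and sample packets are constructed for illustration."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StoredRecord:
    record_id: int
    payload: bytes
    stored_at: float          # storage time recorded by circular storage module 122


@dataclass
class TemporaryStore:
    capacity_bytes: int                        # total temporary storage space
    threshold_ratio: float = 0.9               # capacity threshold set by the administrator (assumed 90%)
    records: OrderedDict = field(default_factory=OrderedDict)   # insertion order == storage-time order
    used_bytes: int = 0
    warning_log: list = field(default_factory=list)            # messages for the notification module
    _next_id: int = 0

    def _judge_threshold(self, incoming: int) -> bool:
        """Judgement module 121: would storing `incoming` bytes reach the threshold?"""
        return self.used_bytes + incoming >= self.capacity_bytes * self.threshold_ratio

    def _remove_oldest(self) -> Optional[int]:
        """Removal module 123, automatic mode: delete the record with the earliest storage time."""
        if not self.records:
            return None
        oldest_id, oldest = self.records.popitem(last=False)
        self.used_bytes -= len(oldest.payload)
        return oldest_id

    def remove_by_command(self, record_id: int) -> bool:
        """Removal module 123, command mode: delete a record named by a control command."""
        rec = self.records.pop(record_id, None)
        if rec is None:
            return False
        self.used_bytes -= len(rec.payload)
        return True

    def store(self, payload: bytes, now: float, operator_acknowledged: bool = False) -> int:
        """Circular storage module 122: store raw data and record its storage time.

        When the threshold is reached a warning is raised first (the notification path);
        if the operator has not acted, the oldest records are deleted until the new one
        fits. Returns the record id, or -1 if the payload can never fit."""
        if len(payload) > self.capacity_bytes:
            return -1                       # larger than the whole store: discard
        if self._judge_threshold(len(payload)):
            self.warning_log.append(f"storage at threshold at t={now}")
            if not operator_acknowledged:
                while self.records and self._judge_threshold(len(payload)):
                    self._remove_oldest()
        # hard limit: never exceed physical capacity, even if the operator acknowledged
        while self.records and self.used_bytes + len(payload) > self.capacity_bytes:
            self._remove_oldest()
        rid = self._next_id
        self._next_id += 1
        self.records[rid] = StoredRecord(rid, payload, now)
        self.used_bytes += len(payload)
        return rid

    def oldest_id(self) -> Optional[int]:
        return next(iter(self.records), None)


def demo() -> dict:
    """Constructed scenario: 100-byte store, 90% threshold, five 30-byte packets."""
    store = TemporaryStore(capacity_bytes=100)
    ids = [store.store(b"x" * 30, now=float(t)) for t in range(5)]
    return {
        "ids": ids,
        "kept": list(store.records),
        "used": store.used_bytes,
        "warnings": len(store.warning_log),
    }
```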
Real-time analysis module 13 is used to perform real-time analysis on the raw data to obtain analysis results.
Real-time analysis module 13 is the core of the monitoring node and is responsible for real-time analysis of the data. The analysis focuses on the real-time information of the current traffic; it does not represent the global state of the network, nor does it run complex analysis algorithms for operations such as data mining.
Real-time analysis module 13 has four kinds of functions, realized by four sub-modules respectively: traffic analysis sub-module 131, protocol analysis sub-module 132, alarm analysis sub-module 133 and query analysis sub-module 134.
Traffic analysis sub-module 131 is used to analyze the size of captured packets and calculate packet traffic. By analyzing the captured packets, the size information of the packets is obtained, and the traffic is then derived through database statistics. The purpose of traffic analysis is to analyze the distribution of traffic within the monitored network; by analyzing the traffic distribution, predictions about the network can be made flexibly, and the effective operation of the system itself can also be safeguarded.
Protocol analysis sub-module 132 is used to analyze the protocol type of captured packets and identify packets whose protocol type does not conform to the protocol rules. Analysis of the captured packets reveals the protocol type of each packet; every kind of packet has its own unique protocol type and content, represented by different fields. By judging the protocol of each packet, the data transmitted in the network can be effectively monitored for security, and when packets that do not conform to the protocol rules are found, the security of the system can be effectively judged and safeguarded.
Alarm analysis sub-module 133 is used to analyze traffic, protocol and content according to the remote configuration policy, and to record and report an alarm if the alarm rules are met. That is, while traffic, protocol and content are analyzed according to the remote configuration policy, any data found to match the alarm policy in the configuration information is recorded and reported.
Query analysis sub-module 134 is used to perform queries according to the control commands issued by the monitoring center and export the matching data to a specified location. According to the control commands issued by the monitoring center on the basis of the policy analysis results, and the operation instructions issued by the administrator through the monitoring center, the matching temporarily stored information (original traffic data) is exported to the specified location through a network interface, web interface, file interface or similar.
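The four real-time analysis sub-modules 131 to 134 run over a few constructed packet records, as an added example that is not the patent's code. The packet field names, the rule layout of the remote configuration policy and the sample traffic are assumptions made for illustration.

```python
"""Added example (not the patent's code): traffic (131), protocol (132), alarm (133)
and query (134) analysis over constructed packet metadata. Field names, the policy
format and the sample records are assumptions."""
from collections import Counter
import json
from typing import Dict, List

# Constructed sample of captured packet metadata (not real traffic).
SAMPLE_PACKETS: List[dict] = [
    {"src": "10.0.0.5", "dst": "10.0.0.1", "proto": "udp", "dport": 53, "size": 80, "payload": b"example.org"},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 80, "size": 1200, "payload": b"GET /index.html"},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "udp", "dport": 80, "size": 600, "payload": b"\x00\x01"},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 22, "size": 90, "payload": b"SSH-2.0-client"},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 80, "size": 3000, "payload": b"POST /login password=secret"},
]

# Constructed remote configuration policy (assumed layout, not the patent's xml format).
REMOTE_POLICY = {
    # protocol rules: which transport protocol is expected on each destination port
    "protocol_rules": {53: {"udp", "tcp"}, 80: {"tcp"}, 22: {"tcp"}},
    # alarm rules: traffic ceiling per source and content keywords that must not appear in clear
    "alarm_rules": {"max_bytes_per_src": 3500, "keywords": [b"password="]},
}


def traffic_analysis(packets: List[dict]) -> Dict[str, Dict[str, int]]:
    """Sub-module 131: packet sizes summed into traffic per source and per protocol."""
    per_src, per_proto = Counter(), Counter()
    for p in packets:
        per_src[p["src"]] += p["size"]
        per_proto[p["proto"]] += p["size"]
    return {"per_src": dict(per_src), "per_proto": dict(per_proto)}


def protocol_analysis(packets: List[dict], rules: Dict[int, set]) -> List[int]:
    """Sub-module 132: indices of packets whose protocol does not meet the rule for their port."""
    bad = []
    for i, p in enumerate(packets):
        expected = rules.get(p["dport"])
        if expected is not None and p["proto"] not in expected:
            bad.append(i)
    return bad


def alarm_analysis(packets: List[dict], policy: dict) -> List[dict]:
    """Sub-module 133: apply the remote alarm rules to traffic, protocol and content;
    every match is recorded (and, in the real system, reported upstream)."""
    alarms = []
    rules = policy["alarm_rules"]
    per_src = traffic_analysis(packets)["per_src"]
    for src, total in per_src.items():
        if total > rules["max_bytes_per_src"]:
            alarms.append({"rule": "traffic", "src": src, "bytes": total})
    for i in protocol_analysis(packets, policy["protocol_rules"]):
        alarms.append({"rule": "protocol", "index": i, "proto": packets[i]["proto"], "dport": packets[i]["dport"]})
    for i, p in enumerate(packets):
        for kw in rules["keywords"]:
            if kw in p["payload"]:
                alarms.append({"rule": "content", "index": i, "keyword": kw.decode()})
    return alarms


def query_analysis(packets: List[dict], command: dict) -> str:
    """Sub-module 134: select packets matching a control command and export them
    (here as a JSON string; a file or web interface would be the real target)."""
    selected = [
        {k: v for k, v in p.items() if k != "payload"}
        for p in packets
        if all(p.get(k) == v for k, v in command.get("where", {}).items())
    ]
    return json.dumps(selected, sort_keys=True)
```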
Policy module 14 is used to receive the configuration information forwarded by the aggregation node, implement the corresponding policy, and control the behavior of the other modules.
Policy module 14 is responsible for receiving the configuration information issued by the monitoring center and relayed by the aggregation node, implementing the corresponding policy and controlling behavior, that is, controlling the behavior of the other modules. It therefore mainly has the following functions:
System configuration information: system name, security password, network address, storage location and so on, as well as heartbeat settings;
Packet capture and storage rules: which kinds of packets to store and which kinds to discard;
Analysis rules: such as the granularity of data analysis, protocol content and keywords, as well as data upload rules and data export rules;
Alarm rules: under which circumstances to raise an alarm and which actions to trigger when an alarm is raised.
The module architecture of the aggregation node is shown in Figure 6. The main function of the aggregation node is to realize hierarchical control of the system, thereby reducing equipment deployment and management cost as well as the cost of data reporting and policy distribution. The aggregation node specifically comprises: monitoring management module 21, uplink data processing module 22, downlink policy processing module 23 and system configuration module 24.
Monitoring management module 21 is used to receive the registration of monitoring nodes with the aggregation node and to receive the heartbeat messages of the monitoring nodes; when no heartbeat message is received for a period of time, it reports the abnormal state of the monitoring node to the monitoring center and requests reconfiguration information.
Uplink data processing module 22 is used to compress and convert the raw data and analysis results uploaded by the monitoring nodes and then apply the unified data format. To improve the reliability and availability of the system, a cache is provided at the aggregation node: the processed data is cached, and the cached data is then uploaded to the monitoring center. When the data volume of the monitored network segment is so large that storage and parsing speed cannot keep up with capture speed, the data is temporarily stored in the aggregation node cache until the network is relatively idle, and the cached data is then stored in the database. When the buffer area cannot store further packets, packets are discarded automatically.
Downlink policy processing module 23 is used to resolve the destination addresses of the policies and control commands issued by the monitoring center and forward them to the corresponding monitoring nodes at those destination addresses.
System configuration module 24 receives configuration information from the monitoring center, forwards the configuration information intended for monitoring nodes to the corresponding monitoring nodes, and reports its own state information to the monitoring center.
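A simplified aggregation node covering registration and heartbeat supervision (module 21), uplink compression into a unified format (module 22) and destination resolution for downlink commands (module 23), as an added example that is not the patent's code. The message fields, the 30-second heartbeat timeout and the node addresses are constructed assumptions; the cache-full discard rule is left out.

```python
"""Added example (not the patent's code): an aggregation node with monitoring
management (21), uplink data processing (22) and downlink policy processing (23).
Message fields, the timeout and the addresses are constructed for illustration."""
import json
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEARTBEAT_TIMEOUT = 30.0   # seconds without a heartbeat before a node is reported abnormal (assumed)


@dataclass
class AggregationNode:
    address: str
    registered: Dict[str, float] = field(default_factory=dict)      # node address -> last heartbeat time
    reports_to_center: List[dict] = field(default_factory=list)      # abnormal-node reports (module 21)
    upload_queue: List[bytes] = field(default_factory=list)          # cached records awaiting upload (module 22)
    forwarded: Dict[str, List[dict]] = field(default_factory=dict)   # node address -> delivered commands (module 23)

    # --- monitoring management module 21 -------------------------------------
    def register(self, node_addr: str, now: float) -> None:
        """A monitoring node registers with this aggregation node."""
        self.registered[node_addr] = now

    def heartbeat(self, node_addr: str, now: float) -> bool:
        """Record a heartbeat; unknown nodes are ignored (they must register first)."""
        if node_addr not in self.registered:
            return False
        self.registered[node_addr] = now
        return True

    def check_heartbeats(self, now: float, timeout: float = HEARTBEAT_TIMEOUT) -> List[str]:
        """Report every node silent for longer than `timeout` and request reconfiguration."""
        silent = [a for a, last in self.registered.items() if now - last > timeout]
        for addr in silent:
            self.reports_to_center.append({"type": "node_abnormal", "node": addr,
                                           "silent_for": now - self.registered[addr],
                                           "request": "reconfigure"})
        return silent

    # --- uplink data processing module 22 -------------------------------------
    def process_uplink(self, node_addr: str, raw: bytes, analysis: dict) -> int:
        """Convert a node's raw data plus analysis result into the unified record
        format, compress it, and cache it for upload. Returns the compressed size."""
        record = {"format": "unified-v1", "node": node_addr, "via": self.address,
                  "raw_hex": raw.hex(), "analysis": analysis}
        blob = zlib.compress(json.dumps(record, sort_keys=True).encode())
        self.upload_queue.append(blob)
        return len(blob)

    def drain_uploads(self) -> List[dict]:
        """Upload the cache to the monitoring center (here: decode it back for inspection)."""
        out = [json.loads(zlib.decompress(b)) for b in self.upload_queue]
        self.upload_queue.clear()
        return out

    # --- downlink policy processing module 23 ---------------------------------
    def process_downlink(self, command: dict) -> Optional[str]:
        """Resolve the destination address of a command from the monitoring center and
        forward it only to a registered monitoring node; otherwise reject it."""
        dest = command.get("destination")
        if dest not in self.registered:
            return None
        self.forwarded.setdefault(dest, []).append(command)
        return dest


def demo() -> dict:
    """Constructed run: two nodes register, one of them stops sending heartbeats."""
    agg = AggregationNode("10.0.1.1")
    agg.register("10.0.1.10", now=0.0)
    agg.register("10.0.1.11", now=0.0)
    agg.heartbeat("10.0.1.10", now=25.0)
    silent = agg.check_heartbeats(now=40.0)           # .11 silent for 40 s, .10 for only 15 s
    size = agg.process_uplink("10.0.1.10", b"\x45\x00" * 50, {"proto": "tcp", "size": 100})
    routed = agg.process_downlink({"destination": "10.0.1.10", "action": "stop_capture"})
    dropped = agg.process_downlink({"destination": "10.0.9.9", "action": "stop_capture"})
    return {"silent": silent, "compressed_size": size, "routed": routed, "dropped": dropped}
```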
As shown in Figure 7, the module architecture of the monitoring center is divided into two layers, a capability layer and an operation layer. The capability layer is responsible for providing storage and computing capability (analysis, retrieval, data mining and so on) and comprises analysis retrieval module 31 and cloud storage module 32. The operation layer is responsible for configuring policies such as packet capture, storage, analysis and communication, monitoring the current network state and receiving notification reports (alarm information and summary reports); it comprises policy development module 33, report export module 34 and notification reporting module 35. The monitoring center also comprises parameter configuration module 36.
Analysis retrieval module 31 is used for real-time query and precise analysis of the data. It uses open-source distributed processing technologies such as HBASE and Map/reduce to realize real-time query and precise analysis of massive data. The Map/reduce computation model can rapidly analyze and process massive packet data, greatly improving the efficiency of file analysis while guaranteeing file integrity and saving cost.
Real-time query: the administrator formulates query conditions, and the specific data information found in the database is displayed to the administrator as a web page, so that the required data can be found quickly within massive data.
Precise analysis: complex analyses of the data such as aggregation, data mining and prediction, performing specific computations over massive data to obtain the computed result.
Cloud storage module 32 is used to gather the data received from the aggregation nodes and save it to the database, while setting access rights to prevent unauthorized access or modification.
Cloud storage module 32 stores related data for more than 3 months, to realize operations such as security forensics and audit. For alarm data and for raw data that satisfies the forensics policy, cloud storage module 32 obtains the original evidence data from the monitoring node via the aggregation node, stores it securely, and sets access rights to prevent unauthorized access or modification.
Cloud storage module 32 adopts a "write once, read many" storage policy: once written, data cannot be modified and can only be read, so as to satisfy requirements such as forensics and audit.
The main function of cloud storage module 32 is distributed storage of the parsed files of captured packets and of the files saved to the database after the analysis sub-modules. Parsed data files are saved in the distributed file system HDFS of an open-source cloud computing platform or another similar system. Analyzed data information is saved in the distributed, column-oriented open-source database HBASE or another similar system, in order to realize fast retrieval and expansion. Cloud storage module 32 is extensible: using the distributed storage characteristics of the HDFS open-source software, expansion is realized by adding storage hardware in parallel at the monitoring center.
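An in-memory model of the "write once, read many" evidence store with access rights described for cloud storage module 32, as an added example that is neither the patent's nor Hadoop's code. The roles, the object names and the SHA-256 manifest used to detect later modification are assumptions; HDFS and HBASE are not involved here.

```python
"""Added example (not the patent's or Hadoop's code): a write-once, read-many evidence
store with access control and a write-time digest manifest. Roles, object names and
the digest scheme are assumptions made for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


class AccessDenied(PermissionError):
    pass


class WriteOnceViolation(ValueError):
    pass


@dataclass
class EvidenceStore:
    # role -> allowed operations (assumed policy; no role may modify existing data)
    acl: Dict[str, set] = field(default_factory=lambda: {
        "aggregation_node": {"write"},
        "auditor": {"read"},
        "administrator": {"read", "list"},
    })
    objects: Dict[str, bytes] = field(default_factory=dict)
    manifest: Dict[str, str] = field(default_factory=dict)   # object name -> sha256 at write time
    audit_log: List[dict] = field(default_factory=list)      # every access attempt, allowed or not

    def _check(self, role: str, op: str, name: str) -> None:
        allowed = op in self.acl.get(role, set())
        self.audit_log.append({"role": role, "op": op, "object": name, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{role} may not {op} {name}")

    def write(self, role: str, name: str, data: bytes) -> str:
        """Write once: a name can be stored exactly one time. Returns the digest."""
        self._check(role, "write", name)
        if name in self.objects:
            self.audit_log.append({"role": role, "op": "rewrite", "object": name, "allowed": False})
            raise WriteOnceViolation(f"{name} already exists and is immutable")
        digest = hashlib.sha256(data).hexdigest()
        self.objects[name] = bytes(data)        # private copy so the caller cannot mutate it later
        self.manifest[name] = digest
        return digest

    def read(self, role: str, name: str) -> bytes:
        """Read many: any number of reads, each checked against the ACL and the manifest."""
        self._check(role, "read", name)
        data = self.objects[name]
        if hashlib.sha256(data).hexdigest() != self.manifest[name]:
            raise WriteOnceViolation(f"{name} no longer matches its manifest digest")
        return data

    def verify_all(self) -> List[str]:
        """Forensic check: names whose content no longer matches the write-time digest."""
        return [n for n, d in self.manifest.items()
                if hashlib.sha256(self.objects.get(n, b"")).hexdigest() != d]


def demo() -> dict:
    """Constructed scenario: a node writes evidence, a rewrite is refused, an auditor
    reads it, and an administrator's write attempt is denied by the ACL."""
    store = EvidenceStore()
    name = "evidence/segment-a/0001.pcap"          # constructed object name
    digest = store.write("aggregation_node", name, b"\xd4\xc3\xb2\xa1 sample capture")
    outcomes = {"digest": digest}
    try:
        store.write("aggregation_node", name, b"tampered")
        outcomes["rewrite"] = "accepted"
    except WriteOnceViolation:
        outcomes["rewrite"] = "refused"
    outcomes["auditor_read"] = store.read("auditor", name)
    try:
        store.write("administrator", "evidence/segment-a/0002.pcap", b"")
        outcomes["admin_write"] = "accepted"
    except AccessDenied:
        outcomes["admin_write"] = "denied"
    outcomes["tampered"] = store.verify_all()
    outcomes["denied_attempts"] = sum(1 for e in store.audit_log if not e["allowed"])
    return outcomes
```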
Policy development module 33 is used to formulate, according to the analysis results, the packet capture policies, storage policies and analysis policies of the monitoring nodes, aggregation nodes and monitoring center. According to the management policy formulated by the administrator, policy development module 33 takes the corresponding response to the analysis results of the system and sends operation instructions; the result is provided to the administrator as an xml (extensible markup language) document. The policy customization content includes the packet capture policies, storage policies and analysis policies of the monitoring nodes, aggregation nodes and the monitoring center itself; after the administrator customizes a policy it is distributed to each target device, and each target device can then operate accordingly.
Report export module 34 is used to integrate the data and analysis results uploaded by the monitoring nodes and aggregation nodes into a report and export it. Its main function is to integrate the data information from the monitoring nodes and aggregation nodes and the analysis results of the functional modules into a report, which the administrator can browse in the web interface as an html file or optionally export as a pdf document for viewing.
Notification reporting module 35 is used to issue prompts when the system fails or raises a warning. Notification reports mainly comprise faults of each functional module and security alarms; the faults mainly include faults in parameter configuration, operating faults of functional modules, faults caused by improper administrator operation, and faults in the management module.
Notification reports are processed by priority: high-priority notifications are delivered directly by means such as SMS, e-mail or system pop-up windows, while low-priority notifications are only collected in the alarm file, which the administrator can consult by checking the relevant file.
Parameter configuration module 36 is used to configure the parameters of the system, including setting the network interface of the monitoring node to promiscuous mode, setting packet capture to the asynchronous capture mode, and setting the capacity threshold of the storage space used when the monitoring node temporarily stores data.
The parameters include basic system operation parameters and attributes, log format, monitoring node attributes, aggregation node attributes, analysis method and time parameters, storage attributes, alarm process parameters, process communication attributes, view display attributes, network proxy attributes and service class attributes. The quality of the parameter configuration affects the operation of the whole system, so the system provides default parameter configurations and parameter ranges that guarantee normal operation, to facilitate configuration and operation by the administrator.
Through the above system, a distributed monitoring scheme for perfect information security forensics in a cloud computing environment is provided, with multi-node monitoring and centralized management. Cloud storage technology provides large capacity, high performance, high availability and efficient management, and realizes file storage, time synchronization and real-time comprehensive backup, supporting both distributed storage and network storage. The present invention ensures that the monitoring scheme proceeds from a global view and realizes functions such as unified management and comprehensive analysis of the network security state. A flexible deployment scheme is provided according to the actual network topology requirements: deployment is flexible according to network scale and demand, intranet expansion is realized, and related queries and operations are performed through the control center, so that the computer network security policy can be controlled flexibly and globally.
The above embodiments are only used to illustrate the present invention and do not limit it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical schemes also fall within the category of the present invention, and the scope of patent protection of the present invention should be defined by the claims.

Claims (13)

1. A perfect information security forensics monitoring method based on a cloud computing environment, characterized in that the method specifically comprises the following steps:
S1: deploying the whole distributed network on the basis of cloud computing, comprising monitoring nodes, aggregation nodes and a monitoring center, and configuring parameters;
S2: the monitoring node capturing packets in the network switching equipment to obtain raw data, temporarily storing and analyzing the raw data in real time, and uploading the raw data and the analysis results obtained by real-time analysis to the aggregation node according to a control command;
S3: the aggregation node compressing, converting and caching the raw data and the analysis results, and uploading them to the monitoring center;
S4: the monitoring center gathering, cloud-storing and analyzing the data received from the aggregation node, forming a monitoring report, and deriving a security policy from the monitoring report.
2. The method of claim 1, characterized in that in step S1 deploying the whole distributed network on the basis of cloud computing specifically means deploying by network segment: the whole network is divided into a plurality of network segments, and a plurality of monitoring nodes are set up in each network segment;
the network interface of the monitoring node adopts promiscuous mode and uses asynchronous packet capture to capture the packets in the network segment;
the monitoring center comprises a plurality of aggregation nodes; an aggregation node subordinate to the monitoring center registers with the monitoring center and obtains the configuration information for aggregation nodes issued by the monitoring center;
the aggregation node comprises a plurality of monitoring nodes; a monitoring node belonging to the aggregation node registers with the aggregation node, the aggregation node feeds back the address information of each registered monitoring node to the monitoring center after receiving the monitoring node's registration, and obtains the configuration information for monitoring nodes issued by the monitoring center.
3. The method of claim 1, characterized in that in step S2 temporarily storing the raw data specifically comprises: judging whether the used capacity of the storage space has reached a capacity threshold; if so, sending a reminder or automatically deleting the raw data with the earliest storage time, otherwise storing circularly.
4. The method of claim 1, characterized in that in step S2 performing real-time analysis on the raw data specifically comprises: traffic analysis, protocol analysis, alarm analysis and query analysis.
5. The method of claim 1, characterized in that the raw data uploaded to the aggregation node in step S2 is the data temporarily stored at the monitoring node, and the analysis results uploaded to the aggregation node are likewise temporarily stored before being uploaded.
6. The method of claim 1, characterized in that in step S3 the aggregation node compresses and converts the received data, then applies the unified data format, caches the processed data and uploads the cached data to the monitoring center; when the storage and parsing speed of the monitoring center is less than the packet capture speed of the monitoring node, the aggregation node caches the data locally and stores the cached data into the database only when the network is idle.
7. The method of claim 1, characterized in that in step S4, when the data is cloud-stored, access rights are set to prevent unauthorized access or modification;
analysis of the data specifically comprises real-time query and precise analysis of the data.
8. A perfect information security forensics monitoring system based on a cloud computing environment, characterized in that the system comprises: a monitoring node, an aggregation node and a monitoring center;
wherein the monitoring node comprises a packet capture module, a temporary storage module, a real-time analysis module and a policy module;
the aggregation node comprises a monitoring management module, an uplink data processing module, a downlink policy processing module and a system configuration module;
the monitoring center comprises an analysis retrieval module, a cloud storage module, a policy development module, a report export module, a notification reporting module and a parameter configuration module;
the system also comprises a communication module, used for communication between the monitoring node and the aggregation node, between the aggregation node and the monitoring center, and between the monitoring center and the cloud computing platform.
9. The system of claim 8, characterized in that the packet capture module is used to capture network packets in the network switching equipment to obtain raw data;
the temporary storage module is used to temporarily store the raw data and the analysis results produced by the real-time analysis module;
the real-time analysis module is used to perform real-time analysis on the raw data to obtain analysis results;
the policy module is used to receive the configuration information forwarded by the aggregation node, implement the corresponding policy, and control the behavior of the other modules.
10. The system of claim 9, characterized in that the temporary storage module specifically comprises a judgement module, a circular storage module and a removal module;
the judgement module is used to judge whether the used capacity of the storage space has reached a capacity threshold; if so, control passes to the notification reporting module or the removal module, otherwise to the circular storage module;
the removal module is used to delete data according to the control command sent by the notification reporting module, or to automatically delete the raw data with the earliest storage time;
the circular storage module is used to store the raw data and record its storage time.
11. The system of claim 9, characterized in that the real-time analysis module specifically comprises a traffic analysis sub-module, a protocol analysis sub-module, an alarm analysis sub-module and a query analysis sub-module;
wherein the traffic analysis sub-module is used to analyze the size of captured packets and calculate packet traffic;
the protocol analysis sub-module is used to analyze the protocol type of captured packets and identify packets whose protocol type does not conform to the protocol rules;
the alarm analysis sub-module is used to analyze traffic, protocol and content according to the remote configuration policy, and to record and report an alarm if the alarm rules are met;
the query analysis sub-module is used to perform queries according to the control commands issued by the monitoring center and export the matching data to a specified location.
12. The system of claim 8, characterized in that the monitoring management module is used to receive the registration of the monitoring node with the aggregation node and to receive the heartbeat messages of the monitoring node, and when no heartbeat message is received for a period of time, to report the abnormal state of the monitoring node to the monitoring center and request reconfiguration information;
the uplink data processing module is used to compress and convert the raw data and analysis results uploaded by the monitoring node, then apply the unified data format, cache the processed data, and upload the cached data to the monitoring center;
the downlink policy processing module is used to resolve the destination addresses of the policies and control commands issued by the monitoring center and forward them to the corresponding monitoring nodes at those destination addresses;
the system configuration module receives configuration information from the monitoring center, forwards the configuration information intended for the monitoring node to the corresponding monitoring node, and reports its own state information to the monitoring center.
13. The system of claim 8, characterized in that the cloud storage module is used to gather the data received from the aggregation node and save it to the database, while setting access rights to prevent unauthorized access or modification;
the analysis retrieval module is used for real-time query and precise analysis of the data;
the policy development module is used to formulate, according to the analysis results, the packet capture policies, storage policies and analysis policies of the monitoring node, aggregation node and monitoring center;
the report export module is used to integrate the data and analysis results uploaded by the monitoring node and aggregation node into a report and export it;
the notification reporting module is used to issue prompts when the system fails or raises a warning;
the parameter configuration module is used to configure the parameters of the system, including setting the network interface of the monitoring node to promiscuous mode, setting packet capture to the asynchronous capture mode, and setting the capacity threshold of the storage space used when the monitoring node temporarily stores data.
CN201310084235.9A 2013-03-15 2013-03-15 A perfect information security forensics monitoring method and system based on a cloud computing environment Expired - Fee Related CN103152352B (en)

Publications (2)

Publication Number Publication Date
CN103152352A true CN103152352A (en) 2013-06-12
CN103152352B CN103152352B (en) 2016-02-10

CN107667371A (en) * 2015-06-02 2018-02-06 西门子公司 System and method for analyzing forensic data in cloud system
CN108039956A (en) * 2017-10-30 2018-05-15 深圳前海微众银行股份有限公司 Using monitoring method, system and computer-readable recording medium
CN108494625A (en) * 2018-03-21 2018-09-04 上海精鲲计算机科技有限公司 A kind of analysis system on network performance evaluation
CN108566377A (en) * 2018-03-14 2018-09-21 中电和瑞科技有限公司 A kind of attack evidence collecting method, device and storage medium
CN108696389A (en) * 2018-04-24 2018-10-23 国家电网公司信息通信分公司 A kind of network flow and protocol massages analysis platform based on mass data
CN108921728A (en) * 2018-07-03 2018-11-30 北京科东电力控制系统有限责任公司 Distributed real-time database system based on power network dispatching system
CN108933707A (en) * 2017-05-26 2018-12-04 西门子(中国)有限公司 A kind of safety monitoring system and method for industrial network
CN109828886A (en) * 2018-12-29 2019-05-31 南京南瑞信息通信科技有限公司 CI/CD monitoring method and system under a kind of container cloud environment
CN109981702A (en) * 2017-12-27 2019-07-05 深圳市优必选科技有限公司 A kind of file memory method and system
CN110309109A (en) * 2019-05-23 2019-10-08 中国平安财产保险股份有限公司 Data monitoring method, device, computer equipment and storage medium
CN110445711A (en) * 2019-09-16 2019-11-12 陈兖清 A kind of data traffic monitoring system based on big data
CN110493311A (en) * 2019-07-17 2019-11-22 视联动力信息技术股份有限公司 A kind of method for processing business and device
CN111526156A (en) * 2020-04-30 2020-08-11 广州知弘科技有限公司 Big data based security cloud platform system
CN111951130A (en) * 2020-08-19 2020-11-17 重庆市合川区公安局 Data evidence obtaining analysis method and system of electronic equipment
CN112039936A (en) * 2019-06-03 2020-12-04 杭州海康威视系统技术有限公司 Data transmission method, first data processing equipment and monitoring system
CN112328704A (en) * 2020-11-03 2021-02-05 成都中科大旗软件股份有限公司 Method, system, computer equipment and storage medium for realizing multi-data source combined query
CN112491932A (en) * 2020-12-25 2021-03-12 广州金匙信息科技有限公司 Network security defense system based on Internet of things
CN112671916A (en) * 2020-12-28 2021-04-16 厦门市美亚柏科信息股份有限公司 Electronic data evidence obtaining method and edge node

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102143022A (en) * 2011-03-16 2011-08-03 北京邮电大学 Cloud measurement device and method for IP network
US20120131195A1 (en) * 2010-11-24 2012-05-24 Morgan Christopher Edwin Systems and methods for aggregating marginal subscription offsets in set of multiple host clouds
CN102541042A (en) * 2012-03-20 2012-07-04 无锡职业技术学院 Internet-of-things (IOT)-based monitoring system and monitoring method for off-grid small wind power plant
CN102868749A (en) * 2012-09-20 2013-01-09 张晋 Agricultural planting and breeding-based Internet of things cloud service system and service flow method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120131195A1 (en) * 2010-11-24 2012-05-24 Morgan Christopher Edwin Systems and methods for aggregating marginal subscription offsets in set of multiple host clouds
CN102143022A (en) * 2011-03-16 2011-08-03 北京邮电大学 Cloud measurement device and method for IP network
CN102541042A (en) * 2012-03-20 2012-07-04 无锡职业技术学院 Internet-of-things (IOT)-based monitoring system and monitoring method for off-grid small wind power plant
CN102868749A (en) * 2012-09-20 2013-01-09 张晋 Agricultural planting and breeding-based Internet of things cloud service system and service flow method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李钊 (Li Zhao) et al.: "Security threats and countermeasures for cyber-physical systems" (信息物理系统安全威胁与措施), Journal of Tsinghua University (Science and Technology) (清华大学学报(自然科学版)) *

Cited By (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103500071B (en) * 2013-09-18 2017-01-25 湖南蚁坊软件有限公司 Method and device for storing performance index data quantitatively
CN103500071A (en) * 2013-09-18 2014-01-08 湖南蚁坊软件有限公司 Method and device for storing performance index data quantitatively
CN103685486B (en) * 2013-12-02 2017-01-18 中国科学院计算技术研究所 Distributed system monitoring method stepping over data center clusters and system
CN103685486A (en) * 2013-12-02 2014-03-26 中国科学院计算技术研究所 Distributed system monitoring method stepping over data center clusters and system
CN104378262A (en) * 2013-12-13 2015-02-25 国家计算机网络与信息安全管理中心 Intelligent monitoring analyzing method and system under cloud computing
CN103746858A (en) * 2014-02-19 2014-04-23 山东微分电子科技有限公司 Method for detecting wireless network topology
CN103746858B (en) * 2014-02-19 2017-02-15 山东微分电子科技有限公司 Method for detecting wireless network topology
CN103956065B (en) * 2014-04-21 2016-11-23 惠州市新思为电子科技有限公司 A kind of transport management system
CN103956065A (en) * 2014-04-21 2014-07-30 惠州市新思为电子科技有限公司 Transportation vehicle management system
CN104408165B (en) * 2014-12-08 2018-04-13 畅捷通信息技术股份有限公司 Date storage method and device under high concurrent
CN104408165A (en) * 2014-12-08 2015-03-11 畅捷通信息技术股份有限公司 High-concurrency data storage method and device
CN104504014A (en) * 2014-12-10 2015-04-08 无锡城市云计算中心有限公司 Data processing method and device based on large data platform
CN104504014B (en) * 2014-12-10 2018-03-13 无锡城市云计算中心有限公司 Data processing method and device based on big data platform
CN107667371A (en) * 2015-06-02 2018-02-06 西门子公司 System and method for analyzing forensic data in cloud system
CN105207826A (en) * 2015-10-26 2015-12-30 南京联成科技发展有限公司 Security attack alarm positioning system based on Spark big data platform of Tachyou
CN106878029B (en) * 2015-12-14 2019-11-22 任子行网络技术股份有限公司 A kind of network data auditing system and method
CN106878029A (en) * 2015-12-14 2017-06-20 任子行网络技术股份有限公司 A kind of network data auditing system and method
CN106130957A (en) * 2016-06-08 2016-11-16 山东师范大学 Police long-range WiFi network investigation evidence-obtaining system based on Fructus Rubi group and method thereof
CN106528593A (en) * 2016-09-21 2017-03-22 徐绍衡 Synchronous distributed real-time information cloud platform system of distributed database
CN106445704A (en) * 2016-09-30 2017-02-22 乐视控股(北京)有限公司 Data reporting method, device and system
CN106603624B (en) * 2016-10-27 2020-01-07 深信服科技股份有限公司 Data mining system and implementation method thereof
CN106603624A (en) * 2016-10-27 2017-04-26 深圳市深信服电子科技有限公司 Data mining system and realization method thereof
CN106713332A (en) * 2016-12-30 2017-05-24 山石网科通信技术有限公司 Network data processing method, device and system
CN106713332B (en) * 2016-12-30 2020-04-21 山石网科通信技术股份有限公司 Network data processing method, device and system
CN108933707B (en) * 2017-05-26 2021-03-05 西门子(中国)有限公司 Safety monitoring system and method for industrial network
CN108933707A (en) * 2017-05-26 2018-12-04 西门子(中国)有限公司 A kind of safety monitoring system and method for industrial network
CN108039956A (en) * 2017-10-30 2018-05-15 深圳前海微众银行股份有限公司 Using monitoring method, system and computer-readable recording medium
CN109981702A (en) * 2017-12-27 2019-07-05 深圳市优必选科技有限公司 A kind of file memory method and system
CN109981702B (en) * 2017-12-27 2022-04-15 深圳市优必选科技有限公司 File storage method and system
CN108566377A (en) * 2018-03-14 2018-09-21 中电和瑞科技有限公司 A kind of attack evidence collecting method, device and storage medium
CN108494625A (en) * 2018-03-21 2018-09-04 上海精鲲计算机科技有限公司 A kind of analysis system on network performance evaluation
CN108696389A (en) * 2018-04-24 2018-10-23 国家电网公司信息通信分公司 A kind of network flow and protocol massages analysis platform based on mass data
CN108921728A (en) * 2018-07-03 2018-11-30 北京科东电力控制系统有限责任公司 Distributed real-time database system based on power network dispatching system
CN109828886A (en) * 2018-12-29 2019-05-31 南京南瑞信息通信科技有限公司 CI/CD monitoring method and system under a kind of container cloud environment
CN109828886B (en) * 2018-12-29 2021-08-24 南京南瑞信息通信科技有限公司 CI/CD monitoring method and system under container cloud environment
CN110309109A (en) * 2019-05-23 2019-10-08 中国平安财产保险股份有限公司 Data monitoring method, device, computer equipment and storage medium
CN110309109B (en) * 2019-05-23 2024-02-02 中国平安财产保险股份有限公司 Data monitoring method, device, computer equipment and storage medium
CN112039936A (en) * 2019-06-03 2020-12-04 杭州海康威视系统技术有限公司 Data transmission method, first data processing equipment and monitoring system
CN112039936B (en) * 2019-06-03 2023-07-14 杭州海康威视系统技术有限公司 Data transmission method, first data processing equipment and monitoring system
CN110493311A (en) * 2019-07-17 2019-11-22 视联动力信息技术股份有限公司 A kind of method for processing business and device
CN110493311B (en) * 2019-07-17 2022-04-19 视联动力信息技术股份有限公司 Service processing method and device
CN110445711A (en) * 2019-09-16 2019-11-12 陈兖清 A kind of data traffic monitoring system based on big data
CN111526156A (en) * 2020-04-30 2020-08-11 广州知弘科技有限公司 Big data based security cloud platform system
CN111951130A (en) * 2020-08-19 2020-11-17 重庆市合川区公安局 Data evidence obtaining analysis method and system of electronic equipment
CN112328704A (en) * 2020-11-03 2021-02-05 成都中科大旗软件股份有限公司 Method, system, computer equipment and storage medium for realizing multi-data source combined query
CN112491932A (en) * 2020-12-25 2021-03-12 广州金匙信息科技有限公司 Network security defense system based on Internet of things
CN112671916A (en) * 2020-12-28 2021-04-16 厦门市美亚柏科信息股份有限公司 Electronic data evidence obtaining method and edge node

Also Published As

Publication number Publication date
CN103152352B (en) 2016-02-10

Similar Documents

Publication Publication Date Title
CN103152352B (en) A kind of perfect information security forensics monitor method based on cloud computing environment and system
US11700303B1 (en) Distributed data analysis for streaming data sources
US10756949B2 (en) Log file processing for root cause analysis of a network fabric
US10917417B2 (en) Method, apparatus, server, and storage medium for network security joint defense
US10257224B2 (en) Method and apparatus for providing forensic visibility into systems and networks
US10122575B2 (en) Log collection, structuring and processing
US10904203B2 (en) Augmenting network flow with passive DNS information
US9860154B2 (en) Streaming method and system for processing network metadata
US9912638B2 (en) Systems and methods for integrating cloud services with information management systems
US9071637B2 (en) Automated security analytics platform
US6704874B1 (en) Network-based alert management
CN104322010B (en) System and method for comparing configuration file and generation corrective command
US11924240B2 (en) Mechanism for identifying differences between network snapshots
US9584533B2 (en) Performance enhancements for finding top traffic patterns
US20150128267A1 (en) Context-aware network forensics
US10917438B2 (en) Secure publishing for policy updates
US10826803B2 (en) Mechanism for facilitating efficient policy updates
JP2016508353A (en) Improved streaming method and system for processing network metadata
US20220286373A1 (en) Scalable real time metrics management
CN112383573B (en) Security intrusion playback equipment based on multiple attack stages
US11895156B2 (en) Securing network resources from known threats
CN117579523A (en) Distributed event high-speed acquisition and analysis system
Blackman Rapid forensic crime scene analysis using inexpensive sensors
CN117978450A (en) Security detection method, device, equipment and storage medium
Joubert et al. Collection and Aggregation of Security Events

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee. Granted publication date: 20160210