CN105471880B - Implementation method of a fault-tolerant distributed security event data transmission protocol - Google Patents

Implementation method of a fault-tolerant distributed security event data transmission protocol

Info

Publication number: CN105471880B
Authority: CN (China)
Prior art keywords: node, performer, message, transactional, event
Legal status: Expired - Fee Related
Application number: CN201510884097.1A
Other languages: Chinese (zh)
Other versions: CN105471880A
Inventors: 樊凯, 梁志宏, 吕华辉, 王敏, 欧阳可萃
Current assignee: Beijing Venus Information Security Technology Co Ltd; Information Center of China Southern Power Grid Co Ltd
Original assignee: Beijing Venus Information Security Technology Co Ltd; Information Center of China Southern Power Grid Co Ltd
Priority date: 2015-12-03
Filing date: 2015-12-03
Publication date: 2016-11-16

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The object of the invention is to provide an implementation method for a fault-tolerant distributed security event data transmission protocol. The invention processes security events in a distributed cluster, uses a periodic election mechanism to determine the transaction node of the cluster, and so guarantees the transactional integrity of message data; each node in the cluster uses a message queue mechanism, so that security event processing is parallel and scalable; a fault-tolerant security event transmission mechanism is thereby achieved. The method comprises the following steps: A, security events of the whole network are processed by a distributed event-processing cluster; B, the event-processing cluster periodically elects a transaction node, called Transactional; C, the evaluation factors of the Transactional node election; D, one Performer node can process security event transmission requests from multiple Performer nodes in parallel; E, message processing by a Performer node.

Description

Implementation method of a fault-tolerant distributed security event data transmission protocol
Technical field
The invention relates to the field of information security, specifically to the distributed processing and data transmission of massive volumes of security events.
Background technology
As the "Internet Plus" concept has taken root, the number of application systems and devices deployed on information networks across industries has risen sharply, and effective, timely auditing and analysis of IT operations in this complex environment has become urgent. The data underlying security auditing consists of the log events, state events and network packet information produced by anti-virus software, firewalls, intrusion detection systems, vulnerability scanners, UTM devices, operating hosts, switches, routers, database systems and middleware. In today's network environment the security events of these devices have become mass data. Syslog, as the main log type, is widely supported by operating systems, network devices and security equipment and has become the de facto standard for logs; other log types can also be converted to the syslog format for unified analysis.
Big-data security analysis lets people better solve the problem of collecting and storing enormous volumes of security-related information; machine learning and data mining algorithms built on big-data analysis make it possible to understand the information and network security situation more intelligently and to respond more actively and flexibly to new, complex threats and unknown, changing risks.
An attacker's behaviour is hidden in a massive volume of security events, and packet capture also yields enormous volumes of data containing attack traffic. All of this, taken together, is security big data. Analysing it in real time and historically, establishing behaviour profiles, and performing behaviour modelling and data mining helps the security analyst identify attackers, their behaviour and their process, extract attack signatures and feed them back to defensive facilities for blocking.
The main idea in network security is active defence and active resistance. The ultimate goal of this idea is not to prevent every attack, but to delay attacks as much as possible and to cost the attacker time, racing against the clock to find countermeasures. Network confrontation is very often a fight over time: whoever gains more time is more likely to hold the initiative in the confrontation, and holding the initiative means a greater likelihood of winning it.
Guided by this idea, the processing and transmission of security events, the core data of security auditing, must be efficient and fault-tolerant. The industry's mainstream technology is still dual-machine hot standby as the main fault-tolerance approach; this scheme scales poorly and struggles to meet the requirements of the big-data era.
Summary of the invention
The invention aims to overcome the shortcomings of the prior art by proposing an implementation method for a fault-tolerant distributed security event data transmission protocol. The invention processes security events in a distributed cluster, uses a periodic election mechanism to determine the transaction node of the cluster and establishes a message transaction mapping table, so guaranteeing the transactional integrity of message data; each node of the cluster uses a message queue mechanism, so that security event processing is parallel and scalable; a fault-tolerant security event transmission mechanism is thereby achieved.
The object of the invention is achieved through the following technical solution:
An implementation method for a fault-tolerant distributed security event data transmission protocol, comprising the following steps:
A. Security events of the whole network are processed by a distributed event-processing cluster. Each node of the distributed cluster is called a Performer; each Performer node is an independent physical server or virtual machine of suitable computing performance, and each Performer node establishes a message queue ML (Message List), which is a FIFO array;
B. The distributed event-processing cluster periodically elects a transaction node, called Transactional. The Transactional node is responsible for the cluster's fault-tolerance handling. Besides the functions of an ordinary Performer node, the Transactional node also builds a transaction message map TMM (Transactional Message Map), which backs up in real time the unprocessed messages of every Performer node. If a Performer fails, the Transactional node distributes that Performer's unprocessed messages to other Performer nodes;
C. The evaluation factors for the Transactional node election are CPU utilisation, memory utilisation and the number of unprocessed messages in the message queue ML. When the Transactional node fails, the cluster immediately elects a new transaction node. The scoring algorithm of the election is:
First, the election index of every Performer node other than the current Transactional node is computed:
$EI_i = C \cdot (2M) \cdot (N/L)$
where $EI_i$ is the election index of the Performer node with serial number i, C is the CPU utilisation of that Performer node, M is its memory utilisation, N is its number of unprocessed messages and L is the total length of the message queue ML.
Second, the Performer node with the smallest election index is chosen as the new Transactional node T:
$T = \min(EI_i)$
D. One Performer node can process security event transmission requests from multiple Performer nodes in parallel. Each time a security event is collected, a message Message is built for it; the message contains an MID field and an EventEntity field, which denote respectively:
MID: the unique serial number of the message;
EventEntity: the entity of the security event.
The Message is written to the message queue ML and at the same time into the transaction message map TMM of the Transactional node;
E. When a Performer node processes a message, it takes a Message out of its message queue ML and processes it, then notifies the Transactional node once processing is complete. If the transaction node is online, the Transactional node deletes the message from its transaction message map TMM; if the transaction node has failed, a new transaction node is elected.
Preferably, in step B, the data structure of the transaction message map TMM (Transactional Message Map) of the Transactional node is as follows: the TMM is implemented as nested multi-layer hash maps (HashMap),
HashMap<k_ip, HashMap<k_message, v_event>>
where:
k_ip is the IP address of a Performer in the cluster;
k_message is the unique serial number MID of the message Message;
v_event is the event data of that message.
Preferably, in step B, the unique serial number MID of the message Message is computed as:
MID=ip_performer+event_ssid
where:
ip_performer is the IP address of the Performer that initiated the security event transmission;
event_ssid is the unique serial number of the event data.
Preferably, in step D, the event-processing cluster periodically elects the Transactional node; the election period is 1 day and the election time is 3:00, which is taken to be the time when security events are least active.
Preferably, in step E, the security event content handled by the invention includes but is not limited to: event title, event summary, event category, capture type, grade, network protocol and network application protocol.
Detailed description of the invention
The invention provides an implementation method for a fault-tolerant distributed security event data transmission protocol, comprising the following steps:
A. Security events of the whole network are processed by a distributed event-processing cluster. Each node of the distributed cluster is called a Performer; each Performer node is an independent physical server or virtual machine of suitable computing performance, and each Performer node establishes a message queue ML (Message List), which is a FIFO array;
B. The event-processing cluster periodically elects a transaction node, called Transactional. The Transactional node is responsible for the cluster's fault-tolerance handling. Besides the functions of an ordinary Performer node, the Transactional node also builds a transaction message map TMM (Transactional Message Map), which backs up in real time the unprocessed messages of every Performer node. If a Performer fails, the Transactional node distributes that Performer's unprocessed messages to other Performer nodes;
C. The evaluation factors for the Transactional node election are CPU utilisation, memory utilisation and the number of unprocessed messages in the message queue ML. When the Transactional node fails, the cluster immediately elects a new transaction node. The scoring algorithm of the election is:
First, the election index of every Performer node other than the current Transactional node is computed:
$EI_i = C \cdot (2M) \cdot (N/L)$
where $EI_i$ is the election index of the Performer node with serial number i, C is the CPU utilisation of that Performer node, M is its memory utilisation, N is its number of unprocessed messages and L is the total length of the message queue ML.
Second, the Performer node with the smallest election index is chosen as the new Transactional node T:
$T = \min(EI_i)$
D. One Performer node can process security event transmission requests from multiple Performer nodes in parallel. Each time a security event is collected, a message Message is built for it; the message contains an MID field and an EventEntity field, which denote respectively:
MID: the unique serial number of the message;
EventEntity: the entity of the security event.
The Message is written to the message queue ML and at the same time into the transaction message map TMM of the Transactional node;
E. When a Performer node processes a message, it takes a Message out of its message queue ML and processes it, then notifies the Transactional node once processing is complete. If the transaction node is online, the Transactional node deletes the message from its transaction message map TMM; if the transaction node has failed, a new transaction node is elected.
Preferably, in step B, the data structure of the transaction message map TMM (Transactional Message Map) of the Transactional node is as follows: the TMM is implemented as nested multi-layer hash maps (HashMap),
HashMap<k_ip, HashMap<k_message, v_event>>
where:
k_ip is the IP address of a Performer in the cluster;
k_message is the unique serial number MID of the message Message;
v_event is the event data of that message.
Preferably, in step B, the unique serial number MID of the message Message is computed as:
MID=ip_performer+event_ssid
where:
ip_performer is the IP address of the Performer that initiated the security event transmission;
event_ssid is the unique serial number of the event data.
Preferably, in step D, the event-processing cluster periodically elects the Transactional node; the election period is 1 day and the election time is 3:00, which is taken to be the time when security events are least active.
Preferably, in step E, the security event content handled by the invention includes but is not limited to: event title, event summary, event category, capture type, grade, network protocol and network application protocol.
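As an added example, not code from the patent or its assignees, the following Python simulation implements steps A to E as described in the summary and the detailed description above: Performer nodes with a FIFO ML, the TMM as a nested map keyed by IP and MID, the election index $EI_i = C \cdot (2M) \cdot (N/L)$ with the minimum chosen, acknowledgement that deletes entries from the TMM, and redistribution of a failed Performer's backlog. The "#" separator inside the MID, round-robin redistribution, and rebuilding the TMM from the surviving queues after the Transactional node fails are assumptions the patent does not specify; the scenario data is constructed.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Message:
    mid: str     # MID: unique serial number, ip_performer + event_ssid
    event: dict  # EventEntity: the security event itself

def make_mid(ip_performer: str, event_ssid: int) -> str:
    """MID = ip_performer + event_ssid; the '#' separator is an assumption."""
    return f"{ip_performer}#{event_ssid}"

class Performer:
    def __init__(self, ip: str, queue_len: int, cpu: float, mem: float):
        self.ip, self.L, self.cpu, self.mem = ip, queue_len, cpu, mem
        self.ml: deque = deque()  # message queue ML, a FIFO of total length L
        self.alive = True

    def election_index(self) -> float:
        """EI_i = C * (2M) * (N/L); N = untreated messages in ML."""
        return self.cpu * (2 * self.mem) * (len(self.ml) / self.L)

class Cluster:
    def __init__(self, performers):
        self.performers = {p.ip: p for p in performers}
        self.tx_ip = None  # current Transactional node
        self.tmm = {}      # TMM: HashMap<k_ip, HashMap<k_message, v_event>>

    def live(self):
        return [p for p in self.performers.values() if p.alive]

    def elect(self) -> str:
        """Step C: lowest index among live nodes other than the current Transactional."""
        candidates = [p for p in self.live() if p.ip != self.tx_ip] or self.live()
        self.tx_ip = min(candidates, key=Performer.election_index).ip
        # Assumption: the new node rebuilds the TMM from the untreated messages still
        # held in every live ML; the patent does not say how the table is handed over.
        self.tmm = {p.ip: {m.mid: m.event for m in p.ml} for p in self.live() if p.ml}
        return self.tx_ip

    def submit(self, ip: str, event_ssid: int, event: dict) -> str:
        """Step D: build the Message, append it to ML and record it in the TMM."""
        msg = Message(make_mid(ip, event_ssid), event)
        self.performers[ip].ml.append(msg)
        self.tmm.setdefault(ip, {})[msg.mid] = msg.event
        return msg.mid

    def process_one(self, ip: str) -> str:
        """Step E: pop one Message, process it, notify the Transactional node."""
        msg = self.performers[ip].ml.popleft()
        if self.tx_ip is None or not self.performers[self.tx_ip].alive:
            self.elect()  # Transactional node offline: re-elect before acknowledging
        self.tmm.get(ip, {}).pop(msg.mid, None)  # the Transactional node drops the entry
        return msg.mid

    def fail(self, ip: str) -> list:
        """A Performer crashes: the Transactional node redistributes its backed-up messages."""
        p = self.performers[ip]
        p.alive, p.ml = False, deque()  # the node's own ML is lost with it
        if ip == self.tx_ip:  # the TMM lived on the failed node and dies with it: its own
            self.tmm = {}     # backlog is unrecoverable, which is why a real deployment
            self.elect()      # would replicate the TMM rather than keep a single copy
        backlog, targets, moved = self.tmm.pop(ip, {}), self.live(), []
        for n, (mid, event) in enumerate(backlog.items()):
            t = targets[n % len(targets)]  # round-robin redistribution (assumption)
            t.ml.append(Message(mid, event))
            self.tmm.setdefault(t.ip, {})[mid] = event
            moved.append((mid, t.ip))
        return moved

def demo() -> dict:
    """Constructed scenario: election, processing, a Performer crash, then a Transactional crash."""
    a, b, c = [Performer(f"10.0.0.{i}", 10, cpu, mem)
               for i, cpu, mem in ((1, 0.2, 0.3), (2, 0.5, 0.5), (3, 0.1, 0.2))]
    cl = Cluster([a, b, c])
    for ip, count in ((a.ip, 3), (b.ip, 2), (c.ip, 1)):
        for ssid in range(count):
            cl.submit(ip, ssid, {"title": f"login failure {ssid}", "grade": "high"})
    tx = cl.elect()              # EI: a=0.036, b=0.1, c=0.004, so c is elected
    done = cl.process_one(a.ip)  # a's oldest message leaves both ML and TMM
    moved = cl.fail(b.ip)        # b's two backed-up messages go to a and c
    lost = cl.fail(c.ip)         # the Transactional node dies: a elected, nothing to move
    return {"tx": tx, "done": done, "moved": moved, "tx2": cl.tx_ip, "lost": lost,
            "tmm": cl.tmm, "queues": {i: [m.mid for m in p.ml] for i, p in cl.performers.items()}}
```

The last step of the scenario shows the gap a practitioner would want to close: when the Transactional node itself fails, the backlog it had not yet processed is gone unless the TMM is replicated to a second node.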
Embodiments of the invention are not limited to the above. Modifications, substitutions or changes of other kinds made to the invention on the basis of its fundamental technical idea, using the ordinary technical knowledge and customary means of the art, all fall within the scope of protection of the invention.

Claims (4)

1. An implementation method for a fault-tolerant distributed security event data transmission protocol, characterised in that it comprises the following steps:
A. Security events of the whole network are processed by a distributed event-processing cluster: each node of the distributed cluster is called a Performer, each Performer node is an independent physical server or virtual machine of suitable computing performance, and each Performer node establishes a message queue ML, which is a FIFO array;
B. The distributed event-processing cluster periodically elects a transaction node Transactional; the Transactional node is responsible for the cluster's fault-tolerance handling and, besides the functions of an ordinary Performer node, also builds a transaction message map TMM, which backs up in real time the unprocessed messages of every Performer node; if a Performer fails, the Transactional node distributes that Performer's unprocessed messages to other Performer nodes;
C. The evaluation factors for the Transactional node election are CPU utilisation, memory utilisation and the number of unprocessed messages in the message queue ML; when the Transactional node fails, the cluster immediately elects a new transaction node;
D. One Performer node can process security event transmission requests from multiple Performer nodes in parallel; each time a security event is collected, a message Message is built for it, and the message contains an MID field and an EventEntity field, which denote respectively:
MID: the unique serial number of the message;
EventEntity: the entity of the security event.
The message Message is written to the message queue ML and at the same time into the transaction message map TMM of the Transactional node;
E. When a Performer node processes a message, it takes a message out of its message queue ML and processes it, then notifies the Transactional node once processing is complete; if the transaction node is online, the Transactional node deletes the message from its transaction message map TMM; if the transaction node has failed, a new transaction node is elected;
The data structure of the transaction message map TMM of the Transactional node in step B is as follows: the TMM is implemented as nested multi-layer hash maps (HashMap),
HashMap<k_ip, HashMap<k_message, v_event>>
where:
k_ip is the IP address of a Performer in the cluster;
k_message is the unique serial number MID of the message Message;
v_event is the event data of that message;
In step B, the scoring algorithm of the transaction node election is:
First, the election index of every Performer node other than the current Transactional node is computed:
$EI_i = C \cdot (2M) \cdot (N/L)$
where $EI_i$ is the election index of the Performer node with serial number i, C is the CPU utilisation of that Performer node, M is its memory utilisation, N is its number of unprocessed messages and L is the total length of the message queue ML;
Second, the Performer node with the smallest election index is chosen as the new Transactional node T:
$T = \min(EI_i)$.
2. The method according to claim 1, characterised in that in step B the unique serial number MID of the message Message is computed as:
MID=ip_performer+event_ssid
where:
ip_performer is the IP address of the Performer that initiated the security event transmission;
event_ssid is the unique serial number of the event data.
3. The method according to claim 1, characterised in that in step D the event-processing cluster periodically elects the Transactional node; the election period is 1 day and the election time is 3:00.
4. The method according to claim 1, characterised in that in step E the security event content handled by the invention includes but is not limited to: event title, event summary, event category, capture type, grade, network protocol and network application protocol.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510884097.1A | 2015-12-03 | 2015-12-03 | Implementation method of a fault-tolerant distributed security event data transmission protocol (Expired - Fee Related, CN105471880B)

Publications (2)

Publication Number | Publication Date
CN105471880A (en) | 2016-04-06
CN105471880B (en) | 2016-11-16

Family ID: 55609150

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7496663B2 (en) * 2005-08-29 2009-02-24 International Business Machines Corporation System and method for detecting status changes in a network using virtual coordinate mapping
CN101834828B (en) * 2009-03-13 2013-04-03 北京启明星辰信息技术股份有限公司 Management control end system and transmission method for security events therein
CN103294479A (en) * 2013-06-19 2013-09-11 成都市欧冠信息技术有限责任公司 Distribution type transaction processing method and system



Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20161116; Termination date: 20171203