CN105471880B - A kind of implementation method of the distributed security event data transmission agreement of fault tolerant - Google Patents
A kind of implementation method of the distributed security event data transmission agreement of fault tolerant
- Publication number: CN105471880B (application CN201510884097.1A)
- Authority: CN (China)
- Prior art keywords: node, performer, message, transactional, event
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
      - H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
        - H04L63/0218—Distributed architectures, e.g. distributed firewalls
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/01—Protocols
      - H04L67/10—Protocols in which an application is distributed across nodes in the network
        - H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The object of the invention is to provide an implementation method for a fault-tolerant distributed security event data transmission protocol. The invention processes security events in a distributed cluster and uses a periodic election mechanism to determine the transaction node of the cluster, which guarantees the transactional handling of message data; every node in the cluster uses a message queue mechanism, which makes security event handling parallel and scalable; a fault-tolerant security event transmission mechanism is thereby achieved. The method comprises the following steps: A, security events of the whole network are handled by a distributed event-processing cluster; B, the event-processing cluster periodically elects a transaction node, called Transactional; C, the evaluation factors of the Transactional node election; D, one Performer node can process the security event transmission requests of multiple Performer nodes in parallel; E, the Performer node processes messages.
Description
Technical field
The present invention relates to the field of information security, specifically to the distributed processing and data transmission of massive volumes of security events.
Background technology
With the "Internet+" concept now widely accepted, the number of application systems and devices deployed in the information networks of every industry is rising sharply, and effective, timely IT operations auditing and analysis in such complex environments has become urgent. The data basis of security auditing consists of the log events, state events and network packet information produced by anti-virus software, firewalls, intrusion detection systems, vulnerability scanning systems, UTM appliances, production hosts, switches, routers, database systems, middleware and the like. In today's network environment the security events of all these devices have become mass data. Syslog, as the principal log type, is widely supported by operating systems, network devices and security equipment and has become the de facto standard for logs; other kinds of logs can also be converted to syslog format for unified analysis.
Big-data security analysis technology lets people better solve the collection and storage of huge volumes of security-factor information, and machine learning and data mining algorithms built on big-data analysis make it possible to understand the information and network security situation more intelligently and to respond more actively and flexibly to new, complex threats and to unknown, changing risks.
An attacker's behaviour is hidden inside massive numbers of security events; packet capture likewise yields huge volumes of data containing attack traffic. All of this, taken together, is security big data. By analysing this data in real time and historically, building behaviour profiles, and performing behaviour modelling and data mining, security analysts can be helped to identify attackers and their behaviour and to handle them, to extract attack features, and to feed these back to defensive facilities for blocking.
The main idea of network security is active defence, active resistance. The ultimate aim of this idea is not to prevent every attack but to delay attacks as far as possible, costing the attacker time, so as to race against the clock in finding countermeasures. Network confrontation is very often a fight for time: whoever gains more time is more likely to hold the initiative, and holding the initiative means a greater chance of winning the confrontation.
Guided by this idea, the processing and transmission of security events, the core data of security auditing, must be efficient and fault tolerant. The industry's mainstream technology still uses dual-machine hot standby as its main fault-tolerance mechanism; this scheme scales poorly and struggles to meet the requirements of the big-data era.
Summary of the invention
The aim of the invention is to overcome the shortcomings of the prior art by proposing an implementation method for a fault-tolerant distributed security event data transmission protocol. The invention processes security events in a distributed cluster, uses a periodic election mechanism to determine the transaction node of the cluster, and builds a message transaction mapping table, which guarantees the transactional handling of message data; every node in the cluster uses a message queue mechanism, which makes security event handling parallel and scalable; a fault-tolerant security event transmission mechanism is thereby achieved.
The object of the invention is achieved through the following technical solution:
An implementation method for a fault-tolerant distributed security event data transmission protocol comprises the following steps:
A. Security events of the whole network are handled by a distributed event-processing cluster: each node of the distributed cluster is called a Performer, and each Performer node is a physical server or virtual machine of suitable computing capacity that runs independently; each Performer node establishes a message queue ML (Message List), which is a FIFO array;
B. The event-processing distributed cluster periodically elects a transaction node, called Transactional. The Transactional node is responsible for the fault-tolerant handling of the cluster; in addition to the functions of an ordinary Performer node, it also builds a transaction message mapping table TMM (Transactional Message Map), which backs up in real time the unprocessed messages of every Performer node. If a Performer node fails, the Transactional node distributes that Performer's unprocessed messages to other Performer nodes;
C. The evaluation factors of the Transactional node election are CPU utilisation, memory utilisation and the number of unprocessed messages in the message queue ML. When the Transactional node fails, the cluster immediately elects a new transaction node. The scoring algorithm of the election is:
First, the election index of every Performer node other than the current Transactional node is calculated (the formula as given in claim 1):
EI_i = C * (2M) * (N/L)
where EI_i represents the election index of the Performer node with serial number i, C represents the CPU utilisation of that Performer node, M represents its memory utilisation, N represents its number of unprocessed messages, and L represents the total length of its message queue ML.
Second, the Performer node with the minimum election index is chosen as the new Transactional node T:
T = min(EI_i)
D. One Performer node can process the security event transmission requests of multiple Performer nodes in parallel. Each time a security event is collected, a message Message is built for it; the message contains the fields MID and EventEntity, which represent respectively:
MID: the unique serial number of the message;
EventEntity: the entity of the security event.
The Message is written to the message queue ML and at the same time written into the transaction message mapping table TMM of the Transactional node;
E. When a Performer node processes a message, it takes one Message from its message queue ML and processes it, then notifies the Transactional node once processing is complete. If the Transactional node is online, it deletes the message from its transaction message mapping table TMM; if the Transactional node has failed, a new transaction node is elected.
Preferably, in step B, the data structure of the transaction message mapping table TMM (Transactional Message Map) of the Transactional node is as follows: TMM is implemented as a nested, multi-level hash map HashMap,
HashMap<k_ip, HashMap<k_message, v_event>>
where
k_ip is the IP address of a Performer in the cluster;
k_message is the unique serial number MID of the message Message;
v_event is the event data of the message.
Preferably, in step B, the algorithm for the unique serial number MID of the message Message is:
MID = ip_performer + event_ssid
where
ip_performer is the IP address of the Performer that initiates the security event transmission;
event_ssid is the unique serial number of the event data.
Preferably, in step D, the event-processing cluster elects the Transactional node periodically; the election period is 1 day and the election time is 3:00, which is considered the time at which security events are least active.
Preferably, in step E, the security event content handled by the invention includes, but is not limited to, the event title, event summary, event classification, capture type, severity level, network protocol and network application protocol.
Detailed description of the invention
The present invention provides an implementation method for a fault-tolerant distributed security event data transmission protocol, comprising the following steps:
A. Security events of the whole network are handled by a distributed event-processing cluster: each node of the distributed cluster is called a Performer, and each Performer node is a physical server or virtual machine of suitable computing capacity that runs independently; each Performer node establishes a message queue ML (Message List), which is a FIFO array;
B. The event-processing cluster periodically elects a transaction node, called Transactional. The Transactional node is responsible for the fault-tolerant handling of the cluster; in addition to the functions of an ordinary Performer node, it also builds a transaction message mapping table TMM (Transactional Message Map), which backs up in real time the unprocessed messages of every Performer node. If a Performer node fails, the Transactional node distributes that Performer's unprocessed messages to other Performer nodes;
C. The evaluation factors of the Transactional node election are CPU utilisation, memory utilisation and the number of unprocessed messages in the message queue ML. When the Transactional node fails, the cluster immediately elects a new transaction node. The scoring algorithm of the election is:
First, the election index of every Performer node other than the current Transactional node is calculated (the formula as given in claim 1):
EI_i = C * (2M) * (N/L)
where EI_i represents the election index of the Performer node with serial number i, C represents the CPU utilisation of that Performer node, M represents its memory utilisation, N represents its number of unprocessed messages, and L represents the total length of its message queue ML.
Second, the Performer node with the minimum election index is chosen as the new Transactional node T:
T = min(EI_i)
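As an added illustration (this is example code written for this page, not code from the patent), the election scoring of step C in Python: the election index EI_i = C * (2M) * (N/L) is computed for every Performer except the current Transactional node, and the node with the minimum index becomes T. The `PerformerLoad` record, the tie-break by IP address, the handling of an empty queue and the sample load figures are assumptions of this example; the patent does not specify them.

```python
from dataclasses import dataclass


@dataclass
class PerformerLoad:
    """Self-reported load of one Performer node (field names are assumptions)."""
    ip: str
    cpu: float          # C: CPU utilisation, 0.0 .. 1.0
    mem: float          # M: memory utilisation, 0.0 .. 1.0
    unprocessed: int    # N: messages still waiting in the message queue ML
    queue_len: int      # L: total length of the message queue ML


def election_index(node: PerformerLoad) -> float:
    """EI_i = C * (2M) * (N/L), the scoring formula of claim 1."""
    if node.queue_len <= 0:
        # A zero-length queue would divide by zero; scoring such a node as
        # having no backlog is an assumption of this example, not the patent's rule.
        return 0.0
    return node.cpu * (2 * node.mem) * (node.unprocessed / node.queue_len)


def elect_transactional(loads, current_transactional_ip):
    """Return the IP of the new Transactional node, T = min(EI_i).

    The current Transactional node is excluded, as step C requires; when it has
    failed, passing its IP here re-elects among the survivors.  Ties are broken
    by IP address (an assumption) so that every node computes the same result.
    """
    candidates = [n for n in loads if n.ip != current_transactional_ip]
    if not candidates:
        raise ValueError("no Performer node eligible for election")
    winner = min(candidates, key=lambda n: (election_index(n), n.ip))
    return winner.ip


# Constructed sample: three Performers, 10.0.0.3 is the current Transactional node.
SAMPLE_LOADS = [
    PerformerLoad("10.0.0.1", cpu=0.50, mem=0.50, unprocessed=50, queue_len=100),
    PerformerLoad("10.0.0.2", cpu=0.20, mem=0.40, unprocessed=10, queue_len=100),
    PerformerLoad("10.0.0.3", cpu=0.10, mem=0.10, unprocessed=1, queue_len=100),
]

if __name__ == "__main__":
    for node in SAMPLE_LOADS:
        print(node.ip, round(election_index(node), 4))
    print("new Transactional:", elect_transactional(SAMPLE_LOADS, "10.0.0.3"))
```

Because the index is a product of the three factors, a node that reports zero CPU utilisation or zero backlog scores zero whatever its other values, and the figures are reported by each Performer about itself; an operator relying on this election would want to sanity-check the reported load before trusting the outcome.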
D. One Performer node can process the security event transmission requests of multiple Performer nodes in parallel. Each time a security event is collected, a message Message is built for it; the message contains the fields MID and EventEntity, which represent respectively:
MID: the unique serial number of the message;
EventEntity: the entity of the security event.
The Message is written to the message queue ML and at the same time written into the transaction message mapping table TMM of the Transactional node;
E. When a Performer node processes a message, it takes one Message from its message queue ML and processes it, then notifies the Transactional node once processing is complete. If the Transactional node is online, it deletes the message from its transaction message mapping table TMM; if the Transactional node has failed, a new transaction node is elected.
Preferably, in step B, the data structure of the transaction message mapping table TMM (Transactional Message Map) of the Transactional node is as follows: TMM is implemented as a nested, multi-level hash map HashMap,
HashMap<k_ip, HashMap<k_message, v_event>>
where
k_ip is the IP address of a Performer in the cluster;
k_message is the unique serial number MID of the message Message;
v_event is the event data of the message.
Preferably, in step B, the algorithm for the unique serial number MID of the message Message is:
MID = ip_performer + event_ssid
where
ip_performer is the IP address of the Performer that initiates the security event transmission;
event_ssid is the unique serial number of the event data.
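The following Python sketch, added here and not part of the patent, walks through steps D and E together with the TMM structure and the MID rule of the two preferred embodiments above: a Performer builds MID = ip_performer + event_ssid, appends the Message to its FIFO queue ML and mirrors it into the Transactional node's nested map TMM; after processing it acknowledges and the entry is removed; when a Performer fails, its pending entries are redistributed to the surviving nodes. The round-robin redistribution, the "+" separator inside the MID, the `TransactionalDown` exception and the sample events are assumptions of this example.

```python
from collections import deque


class TransactionalDown(Exception):
    """Raised when the Transactional node cannot be reached (step E then re-elects)."""


class Transactional:
    """Holds TMM = HashMap<k_ip, HashMap<k_message, v_event>> as nested dicts."""

    def __init__(self):
        self.tmm = {}
        self.online = True

    def backup(self, k_ip, mid, v_event):
        # Real-time backup of an unprocessed message held by Performer k_ip.
        self.tmm.setdefault(k_ip, {})[mid] = v_event

    def ack(self, k_ip, mid):
        # Step E: the Performer reports completion; drop the TMM entry.
        if not self.online:
            raise TransactionalDown(mid)
        self.tmm.get(k_ip, {}).pop(mid, None)

    def redistribute(self, failed_ip, survivors):
        """Step B failover: hand the failed Performer's backlog to other nodes."""
        pending = self.tmm.pop(failed_ip, {})
        moved = []
        for n, (mid, v_event) in enumerate(pending.items()):
            target = survivors[n % len(survivors)]   # round-robin is an assumption
            target.ml.append({"MID": mid, "EventEntity": v_event})
            self.backup(target.ip, mid, v_event)     # TMM now keyed by the new holder
            moved.append((mid, target.ip))
        return moved


class Performer:
    def __init__(self, ip, transactional):
        self.ip = ip
        self.transactional = transactional
        self.ml = deque()            # message queue ML, a FIFO
        self.processed = []
        self.needs_election = False

    def build_mid(self, event_ssid):
        # MID = ip_performer + event_ssid; using "+" as the separator is an assumption.
        return f"{self.ip}+{event_ssid}"

    def collect(self, event_ssid, event_entity):
        """Step D: one collected security event becomes one Message."""
        mid = self.build_mid(event_ssid)
        self.ml.append({"MID": mid, "EventEntity": event_entity})
        self.transactional.backup(self.ip, mid, event_entity)
        return mid

    def process_one(self):
        """Step E: take the head of ML, handle it, then notify the Transactional node."""
        msg = self.ml.popleft()
        self.processed.append(msg["MID"])   # "processing" is only recorded here
        try:
            self.transactional.ack(self.ip, msg["MID"])
        except TransactionalDown:
            self.needs_election = True      # the cluster must elect a new Transactional
        return msg["MID"]


def run_failover_scenario():
    """Constructed scenario: Performer A collects three events, handles one, then fails."""
    t = Transactional()
    a, b, c = (Performer(ip, t) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"))
    a.collect(1, {"title": "port scan", "severity": "low"})
    a.collect(2, {"title": "brute-force login", "severity": "medium"})
    a.collect(3, {"title": "malware callback", "severity": "high"})
    a.process_one()                          # MID 10.0.0.1+1 leaves the TMM
    moved = t.redistribute(a.ip, [b, c])     # A fails: its backlog goes to B and C
    b.process_one()                          # B handles 10.0.0.1+2 and acks
    t.online = False                         # the Transactional node fails next
    c.process_one()                          # C handles 10.0.0.1+3 but cannot ack
    return {"moved": moved, "tmm": t.tmm, "c_needs_election": c.needs_election}


if __name__ == "__main__":
    print(run_failover_scenario())
```

Because the MID embeds the address of the originating Performer rather than of whichever node finally processes the event, the identifier stays stable across redistribution, so the TMM entry can be re-keyed under the new holder's IP while the event is still deduplicated by MID. In the last step of the scenario the acknowledgement is lost because the Transactional node is down; the entry therefore remains in the old TMM, and how the newly elected Transactional node rebuilds its table after the re-election of step C is not specified by the patent.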
Preferably, in step D, the event-processing cluster elects the Transactional node periodically; the election period is 1 day and the election time is 3:00, which is considered the time at which security events are least active.
Preferably, in step E, the security event content handled by the invention includes, but is not limited to, the event title, event summary, event classification, capture type, severity level, network protocol and network application protocol.
Embodiments of the invention are not limited to the above; modifications, substitutions or changes of other kinds made to the invention on the premise of the above basic technical idea, using ordinary technical knowledge and customary means of this field, all fall within the scope of protection of the invention.
Claims (4)
1. An implementation method for a fault-tolerant distributed security event data transmission protocol, characterised in that it comprises the following steps:
A. Security events of the whole network are handled by a distributed event-processing cluster: each node of the distributed cluster is called a Performer, and each Performer node is a physical server or virtual machine of suitable computing capacity that runs independently; each Performer node establishes a message queue ML, which is a FIFO array;
B. The event-processing distributed cluster periodically elects a transaction node Transactional. The Transactional node is responsible for the fault-tolerant handling of the cluster; in addition to the functions of an ordinary Performer node, it also builds a transaction message mapping table TMM, which backs up in real time the unprocessed messages of every Performer node; if a Performer node fails, the Transactional node distributes that Performer's unprocessed messages to other Performer nodes;
C. The evaluation factors of the Transactional node election are CPU utilisation, memory utilisation and the number of unprocessed messages in the message queue ML; when the Transactional node fails, the cluster immediately elects a new transaction node;
D. One Performer node can process the security event transmission requests of multiple Performer nodes in parallel. Each time a security event is collected, a message Message is built for it; the message contains the fields MID and EventEntity, which represent respectively:
MID: the unique serial number of the message;
EventEntity: the entity of the security event.
The message Message is written to the message queue ML and at the same time written into the transaction message mapping table TMM of the Transactional node;
E. When a Performer node processes a message, it takes one message from its message queue ML and processes it, then notifies the Transactional node once processing is complete; if the Transactional node is online, it deletes the message from its transaction message mapping table TMM; if the Transactional node has failed, a new transaction node is elected;
the data structure of the transaction message mapping table TMM of the Transactional node of said step B is as follows: TMM is implemented as a nested, multi-level hash map HashMap,
HashMap<k_ip, HashMap<k_message, v_event>>
where
k_ip is the IP address of a Performer in the cluster;
k_message is the unique serial number MID of the message Message;
v_event is the event data of the message;
in said step B, the scoring algorithm of said Transactional node election is:
First, the election index of every Performer node other than the current Transactional node is calculated:
EI_i = C * (2M) * (N/L)
where EI_i represents the election index of the Performer node with serial number i, C represents the CPU utilisation of that Performer node, M represents its memory utilisation, N represents its number of unprocessed messages, and L represents the total length of its message queue ML;
Second, the Performer node with the minimum election index is chosen as the new Transactional node T:
T = min(EI_i).
2. The method according to claim 1, characterised in that in step B, the algorithm for the unique serial number MID of the message Message is:
MID = ip_performer + event_ssid
where
ip_performer is the IP address of the Performer that initiates the security event transmission;
event_ssid is the unique serial number of the event data.
3. The method according to claim 1, characterised in that in step D, the event-processing cluster periodically elects the Transactional node; the election period is 1 day and the election time is 3:00.
4. The method according to claim 1, characterised in that in step E, the security event content handled by the invention includes, but is not limited to: event title, event summary, event classification, capture type, severity level, network protocol, network application protocol.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510884097.1A (CN105471880B) | 2015-12-03 | 2015-12-03 | A kind of implementation method of the distributed security event data transmission agreement of fault tolerant |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510884097.1A (CN105471880B) | 2015-12-03 | 2015-12-03 | A kind of implementation method of the distributed security event data transmission agreement of fault tolerant |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105471880A | 2016-04-06 |
| CN105471880B | 2016-11-16 |
Family
ID=55609150
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510884097.1A (CN105471880B, Expired - Fee Related) | A kind of implementation method of the distributed security event data transmission agreement of fault tolerant | 2015-12-03 | 2015-12-03 |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105471880B |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7496663B2 * | 2005-08-29 | 2009-02-24 | International Business Machines Corporation | System and method for detecting status changes in a network using virtual coordinate mapping |
| CN101834828B * | 2009-03-13 | 2013-04-03 | 北京启明星辰信息技术股份有限公司 | Management control end system and transmission method for security events therein |
| CN103294479A * | 2013-06-19 | 2013-09-11 | 成都市欧冠信息技术有限责任公司 | Distribution type transaction processing method and system |
Application events
- 2015-12-03: application CN201510884097.1A filed in CN, granted as CN105471880B; current status not active (Expired - Fee Related)
Also Published As
| Publication number | Publication date |
|---|---|
| CN105471880A | 2016-04-06 |
Similar Documents
| Publication | Title |
|---|---|
| Sharma et al. | SoftEdgeNet: SDN based energy-efficient distributed network architecture for edge computing |
| US10002011B2 | Centralized networking configuration in distributed systems |
| CN101719842B | Cloud computing environment-based distributed network security pre-warning method |
| CN107690776A | For the method and apparatus that feature is grouped into the case for having selectable case border in abnormality detection |
| Xuan et al. | Detecting application denial-of-service attacks: A group-testing-based approach |
| CN102724063A | Log collection server, data packet delivering and log clustering methods and network |
| CN104580222A | DDoS attack distributed detection and response system and method based on information entropy |
| Karimi et al. | Distributed network traffic feature extraction for a real-time IDS |
| Varalakshmi et al. | Thwarting DDoS attacks in grid using information divergence |
| CN105282169A | DDoS attack warning method and system based on SDN controller threshold |
| Wang et al. | A centralized HIDS framework for private cloud |
| CN106203164B | Information security big data resource management system based on trust computing and cloud computing |
| Wu et al. | A Distributed Intrusion Detection Model via Nondestructive Partitioning and Balanced Allocation for Big Data |
| Maheshwari et al. | Faster detection and prediction of DDoS attacks using MapReduce and time series analysis |
| CN110247899A | The system and method for ARP attack is detected and alleviated based on SDN cloud environment |
| Zhang et al. | A hadoop based analysis and detection model for ip spoofing typed ddos attack |
| Xu et al. | CloudSEC: A cloud architecture for composing collaborative security services |
| CN109102296A | A kind of node common recognition method and system |
| CN110061854A | A kind of non-boundary network intelligence operation management method and system |
| CN107276857A | A kind of method and device for monitoring flow |
| Dong et al. | Integration of edge computing and blockchain for provision of data fusion and secure big data analysis for Internet of Things |
| Paudel et al. | Detecting the onset of a network layer dos attack with a graph-based approach |
| Lin et al. | Security function virtualization based moving target defense of SDN-enabled smart grid |
| Rashid et al. | Edgestore: Towards an edge-based distributed storage system for emergency response |
| CN105471880B | A kind of implementation method of the distributed security event data transmission agreement of fault tolerant |
Legal Events
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20161116; Termination date: 20171203 |