CN105591833A - Flow-acquiring method based on rule engine - Google Patents

Info

Publication number
CN105591833A
CN105591833A
Authority
CN
China
Prior art keywords
traffic
rule
rule engine
engine
user-defined rule
Prior art date
Legal status
Pending
Application number
CN201410688661.8A
Other languages
Chinese (zh)
Inventor
刘发章
华锦芝
Current Assignee
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date
2014-11-26
Filing date
2014-11-26
Publication date
2016-05-18
Application filed by China Unionpay Co Ltd
Priority to CN201410688661.8A
Publication of CN105591833A
Pending legal status

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a traffic collection method based on a rule engine. The method comprises: deploying a traffic collection agent at a network device; having the agent copy the traffic to the rule engine by mirroring; and having the rule engine analyze the traffic according to user-defined rules and collect the traffic that matches them.

Description

A traffic collection method based on a rule engine
Technical field
The present invention relates to a traffic collection method based on a rule engine.
Background
Traditional traffic collection is based on the five-tuple: source IP, destination IP, source port, destination port and a small number of protocols. Its collection rules are rigid, so the collected traffic is often either excessive or incomplete.
A more flexible traffic collection scheme is therefore needed.
Summary of the invention
The present invention proposes a flexible traffic collection scheme in which a rule engine is configured on the traffic collection agent. The rule engine analyzes the traffic passing through, checks according to the rules whether that traffic is of interest, and decides whether to store it.
The invention discloses a traffic collection method based on a rule engine, comprising: deploying a traffic collection agent at a network device; having the agent copy the traffic to the rule engine by mirroring; and having the rule engine analyze the traffic according to user-defined rules and collect the traffic that matches them.
The rule engine analyzing the traffic comprises analyzing one or more of the following traffic features relevant to the user-defined rules: access frequency, protocol, requested port, operation command, HTTP header information, GET or POST request, and the size of downloaded or uploaded files.
The rule engine collecting the matching traffic comprises collecting the traffic that satisfies the conditions of a user-defined rule.
The user-defined rules are defined by the user.
The rule engine parses the user-defined rules to generate operation instructions, and analyzes the traffic and collects the matching traffic according to those operation instructions.
The advantage of the present invention is that the granularity of traffic collection is finer and no longer limited to the traditional five-tuple. The collected content is more targeted, which reduces the volume of traffic collected and the interference during analysis. The invention can set a collection duration and so control the collection time autonomously, and the rule base can be extended dynamically, which eases later upgrades and extensions. In addition, the collection scheme can be isolated from the original system and does not affect it. The collection can flexibly apply only a subset of the rules, and the functional modules of the rule engine are easy to extend. The invention can also decide to start a functional module when a rule requires the corresponding function and to disable it when no rule does, which effectively reduces the resource consumption of the analysis engine and improves analysis efficiency.
Brief description of the drawings
Having read the specific embodiments of the present invention with reference to the accompanying drawings, those skilled in the art will understand the invention. They will appreciate that the drawings only accompany the detailed description in explaining the technical solution of the invention and are not intended to limit its scope of protection.
Fig. 1 is a schematic diagram of the traffic collection method based on a rule engine according to an embodiment of the present invention.
Fig. 2 is an example of the traffic collection method based on a rule engine according to an embodiment of the present invention.
Detailed description of the invention
Specific embodiments of the present invention are described in further detail with reference to the drawings. It should be understood that the described embodiments may be modified in structure and function. Moreover, where desirable and advantageous for a given application, one or more features of one embodiment may be combined with one or more features of another embodiment.
Fig. 1 is a schematic diagram of the traffic collection method based on a rule engine according to an embodiment of the present invention. As shown in Fig. 1, the method comprises: deploying a traffic collection agent at a network device; having the agent copy the traffic to the rule engine by mirroring; and having the rule engine analyze the traffic and collect the matching traffic according to user-defined rules. The rule engine can correlate earlier and later traffic. The rule engine analyzing the traffic comprises analyzing one or more of the following traffic features relevant to the user-defined rules: access frequency, protocol, requested port, operation command, HTTP header information, GET or POST request, and the size of downloaded or uploaded files. The rule engine collecting the matching traffic comprises collecting the traffic that satisfies the conditions of a user-defined rule. The user-defined rules are defined by the user.
Fig. 2 is an example of the traffic collection method based on a rule engine according to an embodiment of the present invention. As shown in the figure, when network traffic passes through the traffic collection agent, the agent copies it. The traffic mirror is sent to the rule engine, which analyzes it against the user-defined rules and collects the matching traffic. Here, the user-defined rules can be entered by the user through a rule editing interface. The rule engine can be configured to perform operations such as traffic frequency statistics, port statistics, HTTP request type analysis, class-C (/24) subnet statistics, operation command analysis, file download/upload size analysis, protocol analysis statistics, HTTP header analysis and matching, and sensitive file analysis. It will be appreciated that the rule engine can also perform other operations for analyzing traffic. The rule engine carries out the corresponding operations by parsing the user-defined rules, and collects the traffic that meets the conditions the rules specify. The rule engine can be located within the traffic collection agent.
A user-defined rule can associate one or more specific traffic features with a specified condition. As examples, user-defined rules can be configured as: when a GET command is executed over TELNET, record the traffic; when a PNG or JPEG file is uploaded or downloaded, record the traffic; when the access frequency from a certain class-C subnet exceeds a threshold, record its traffic for three hours; when the ports accessed from a certain class-C subnet accumulate to more than 10 within 24 hours, record its traffic; record the HTTP POST traffic of a specified IP; ignore all traffic of a specified IP. These rules can form a rule base. On receiving the traffic mirror, the rule engine can apply a rule such as "when a GET command is executed over TELNET, record the traffic": it judges whether the current traffic is a GET command executed over TELNET, collects the traffic if so, and otherwise discards it. After finishing the current rule, the rule engine can go on to apply another rule.
As stated above, a user-defined rule can associate one or more specific traffic features with a specified condition. In one embodiment, a collection duration is set in the user-defined rule to control the collection time. In one embodiment, the rule engine applies each rule of the rule base, which is made up of many rules, in sequence. In one embodiment, new rules are entered by the user and added to the rule base.
In one embodiment, the rule engine parses the user-defined rules to generate operation instructions, and analyzes the traffic and collects the matching traffic according to those instructions. For example, key instructions can be extracted from the user-defined rules to generate the operation instructions. When analyzing the traffic, the rule engine can call the corresponding functional module to count and analyze the relevant indicators in the traffic, such as port, protocol and HTTP header. As stated above, the rule engine can apply each of the user-defined rules in turn. In one embodiment, the rule engine can also decide to start a functional module when a rule requires the corresponding function and disable it when none does, which effectively reduces the resource consumption of the analysis engine and improves analysis efficiency. For example, if the current rule involves no statistical item, no statistics are computed and the corresponding module can be disabled; if the current rule has no protocol-related requirement, the protocol analysis module can be disabled. When the rule engine judges that traffic meets a user-defined rule, it records that traffic, and the traffic can be stored to a specified target location.
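The rule evaluation described in the preceding paragraphs (feature checks on mirrored traffic, rules applied in sequence, a collection duration attached to a rule, and starting only the analysis modules the loaded rules need), as an added Python example that is not part of the patent or of any China Unionpay implementation. The flow fields, rule and module names, the constructed sample traffic and the thresholds (more than 20 requests per minute, more than 10 distinct ports per 24 hours) are assumptions of this example, and giving "ignore" rules precedence over "record" rules is a design choice the page does not specify.

```python
"""Added toy rule engine over mirrored-traffic metadata; names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Flow:                  # metadata the agent extracted from one mirrored flow
    ts: int                  # seconds since capture start
    src_ip: str
    dst_port: int
    proto: str               # "TELNET", "HTTP", "HTTPS", ...
    command: str = ""        # operation command, e.g. GET / POST
    filename: str = ""       # transferred file, if the protocol exposed one

@dataclass(frozen=True)
class Rule:
    name: str
    modules: frozenset                        # analysis modules the rule needs
    match: Callable[["Engine", Flow], bool]
    action: str = "record"                    # "record" or "ignore"
    duration: int = 0                         # keep recording the /24 for N s after a hit

def c_subnet(ip: str) -> str:
    return ip.rsplit(".", 1)[0]               # the page's "class-C segment": first three octets

class Engine:
    def __init__(self, rules):
        self.rules = list(rules)
        # Start only the modules some rule references (enable/disable by rule content).
        self.enabled = frozenset().union(*(r.modules for r in self.rules))
        self.port_hist = defaultdict(list)    # /24 -> [(ts, dst_port)]
        self.freq_hist = defaultdict(list)    # /24 -> [ts]
        self.record_until = {}                # /24 -> end of a timed recording
        self.collected = []                   # (rule names, flow) actually stored

    def _update_stats(self, f):
        sn = c_subnet(f.src_ip)
        if "port_stats" in self.enabled:
            self.port_hist[sn].append((f.ts, f.dst_port))
        if "freq_stats" in self.enabled:
            self.freq_hist[sn].append(f.ts)

    def ports_seen(self, sn, now, window):
        return len({p for ts, p in self.port_hist[sn] if now - ts <= window})

    def hits(self, sn, now, window):
        return sum(1 for ts in self.freq_hist[sn] if now - ts <= window)

    def process(self, f):
        """Apply every rule in sequence; return the rule names that collected f."""
        self._update_stats(f)
        matched = [r for r in self.rules if r.match(self, f)]
        if any(r.action == "ignore" for r in matched):
            return []                         # an ignore rule wins outright
        sn = c_subnet(f.src_ip)
        for r in matched:
            if r.duration:                    # e.g. "record its traffic for three hours"
                self.record_until[sn] = max(self.record_until.get(sn, 0), f.ts + r.duration)
        names = [r.name for r in matched]
        if not names and self.record_until.get(sn, -1) >= f.ts:
            names = ["window"]                # still inside an earlier rule's duration
        if names:
            self.collected.append((names, f))
        return names

def default_rules():                          # rule base mirroring the page's examples
    return [
        Rule("ignore_ip", frozenset(), lambda e, f: f.src_ip == "10.0.9.9", "ignore"),
        Rule("telnet_get", frozenset({"protocol", "command"}),
             lambda e, f: f.proto == "TELNET" and f.command == "GET"),
        Rule("image_transfer", frozenset({"file"}),
             lambda e, f: f.filename.lower().endswith((".png", ".jpg", ".jpeg"))),
        Rule("http_post_from_ip", frozenset({"protocol", "http"}),
             lambda e, f: f.proto == "HTTP" and f.command == "POST" and f.src_ip == "10.0.0.5"),
        Rule("subnet_ports", frozenset({"port_stats"}),
             lambda e, f: e.ports_seen(c_subnet(f.src_ip), f.ts, 86400) > 10),
        Rule("subnet_freq", frozenset({"freq_stats"}),
             lambda e, f: e.hits(c_subnet(f.src_ip), f.ts, 60) > 20, duration=3 * 3600),
    ]

def sample_flows():                           # constructed mirror traffic, not a real capture
    flows = [
        Flow(0, "10.0.0.5", 23, "TELNET", command="GET"),
        Flow(5, "10.0.0.7", 80, "HTTP", command="POST", filename="photo.JPEG"),
        Flow(10, "10.0.0.5", 80, "HTTP", command="POST"),
        Flow(12, "10.0.9.9", 23, "TELNET", command="GET"),                   # ignored source
    ]
    flows += [Flow(100 + i, "10.0.1.4", 1000 + i, "TCP") for i in range(12)]  # 12 distinct ports
    flows += [Flow(200 + i, f"10.0.2.{i}", 443, "HTTPS") for i in range(25)]  # 25 hits in 60 s
    flows.append(Flow(300, "10.0.2.99", 443, "HTTPS"))                       # inside the 3 h window
    return flows

def run(rules=None):
    """Feed the sample mirror through an engine; return it and the per-flow verdicts."""
    eng = Engine(default_rules() if rules is None else rules)
    return eng, [eng.process(f) for f in sample_flows()]
```

`run()` returns the engine and one verdict per flow; `eng.collected` is what would be written to the storage target. Loading only the TELNET rule (`run([default_rules()[1]])`) leaves the port and frequency histories empty, which is the resource saving the page attributes to disabling unused modules. The three-hour window is keyed on the /24 rather than the single address because the page's rule says to record the traffic of the class-C segment whose frequency exceeded the threshold.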
From the description of the above embodiments, those skilled in the art will understand that various changes and substitutions may be made to the specific embodiments without departing from the spirit and scope of the present invention. Such changes and substitutions all fall within the scope defined by the claims of the present invention.

Claims (5)

1. A traffic collection method based on a rule engine, characterized in that it comprises:
deploying a traffic collection agent at a network device,
having the traffic collection agent copy the traffic to the rule engine by mirroring,
having the rule engine analyze the traffic and collect the matching traffic according to user-defined rules.
2. The method of claim 1, characterized in that
the rule engine analyzing the traffic comprises analyzing one or more of the following traffic features relevant to the user-defined rules: access frequency, protocol, requested port, operation command, HTTP header information, GET or POST request, and the size of downloaded or uploaded files.
3. The method of claim 2, characterized in that
the rule engine collecting the matching traffic comprises collecting the traffic that satisfies the conditions of a user-defined rule.
4. The method of claim 3, characterized in that
the user-defined rules are defined by the user.
5. The method of claim 4, characterized in that
the rule engine parses the user-defined rules to generate operation instructions, and analyzes the traffic and collects the matching traffic according to those operation instructions.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410688661.8A (published as CN105591833A) 2014-11-26 2014-11-26 Flow-acquiring method based on rule engine

Publications (1)

Publication Number Publication Date
CN105591833A 2016-05-18

Family

ID=55931090

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107241283A * 2017-05-23 2017-10-10 National Computer Network and Information Security Management Center Cross-host-tenant east-west network traffic mirroring collection method
CN111726329A * 2019-03-22 2020-09-29 Beijing Dongchen Lianchuang Technology Co., Ltd. Method for cloud management of gas station system
CN111726329B * 2019-03-22 2022-10-14 Beijing Dongchen Lianchuang Technology Co., Ltd. Method for cloud management of gas station system
CN111917730A * 2020-07-10 2020-11-10 Zhejiang Bangsheng Technology Co., Ltd. HTTP bypass flow-based machine behavior analysis method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1684430A (en) * 2004-04-16 2005-10-19 华为技术有限公司 Configurating data collecting system and its method in network management
CN101286895A (en) * 2008-05-22 2008-10-15 上海交通大学 Dynamic configurable data monitoring system and method for distributed network
CN101655868A (en) * 2009-09-03 2010-02-24 中国人民解放军信息工程大学 Network data mining method, network data transmitting method and equipment

Legal Events

Date Code Title
2016-05-18 C06 / PB01 Publication
C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)
RJ01 Rejection of invention patent application after publication