CN105812324A - Method, device and system for IDC information safety management - Google Patents

Info

Publication number: CN105812324A
Authority: CN (China)
Legal status: Granted
Application number: CN201410843504.XA
Other languages: Chinese (zh)
Other versions: CN105812324B (en)
Inventors: 吕玉奇, 应超奇, 韩侨
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Landscapes

  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, device and system for IDC information security management. In the method, a log synthesis server identifies access logs to be compensated and caches them, where the information security logs generated by the user accesses corresponding to those access logs need URL compensation. The log synthesis server also identifies information security logs that are missing a URL and caches them. The log synthesis server then compensates the information security logs missing a URL according to the access logs to be compensated, thereby compensating information security logs that lack a URL in the same-source, same-destination scenario.

Description

Method, device and system for IDC information security management
Technical field
The embodiments of the present invention relate to communication technology, and in particular to a method, device and system for IDC information security management.
Background
The network topology in a same-source, same-destination scenario is usually complex, for example containing asymmetric routing devices and multiple deep packet inspection (DPI) devices. In this case the network devices of one Internet data center (IDC) node are connected to the same backbone network device by multiple physical links, and the routing devices of those links have the same priority. The routing devices at the two ends usually balance traffic across the physical links by load balancing, so the uplink traffic and the downlink traffic of the same session may reach the peer routing device over different physical links. That is, the uplink and downlink traffic of the same session pass through different information security detection devices. As a result, the information security log reported by the information security detection device that the downlink traffic passes through lacks the uniform resource locator (URL), and the requirement on information security logs in the relevant IDC information security management specifications (namely that an information security log should contain the URL) cannot be met.
Therefore, how to compensate information security logs that lack a URL in the same-source, same-destination scenario, so as to implement IDC information security management, is the technical problem to be solved.
Summary of the invention
The embodiments of the present invention provide a method, device and system for IDC information security management that compensate information security logs lacking a URL in the same-source, same-destination scenario.
In a first aspect, an embodiment of the present invention provides a method for Internet data center (IDC) information security management, including:
The log synthesis server identifies a to-be-compensated access log and caches it, where the to-be-compensated access log is an access log reported by a deep packet inspection (DPI) device, and the information security log generated by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation;
The log synthesis server identifies an information security log missing a URL and caches it, where the information security log missing a URL is an information security log reported by an information security detection device;
The log synthesis server compensates the information security log missing a URL according to the to-be-compensated access log.
With reference to the first aspect, in a first possible implementation of the first aspect, the log synthesis server identifying the to-be-compensated access log includes:
The log synthesis server identifies the to-be-compensated access log according to the to-be-compensated identifier in that access log, where the to-be-compensated identifier indicates that the information security log generated by the user access corresponding to the to-be-compensated access log needs URL compensation.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the log synthesis server identifying the information security log missing a URL includes:
The log synthesis server identifies the information security log missing a URL according to the anomaly identifier in that log, where the anomaly identifier indicates that the information security log needs URL compensation.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the anomaly identifier includes: a missing-URL log identifier and a pending-result log identifier.
With reference to the first aspect or any one of the first to third possible implementations of the first aspect, in a fourth possible implementation of the first aspect, the log synthesis server compensating the information security log missing a URL according to the to-be-compensated access log includes:
The log synthesis server determines the key identification fields of any one information security log missing a URL;
The log synthesis server traverses and queries all cached to-be-compensated access logs according to the key identification fields, until it determines the to-be-compensated access log that matches the key identification fields;
The log synthesis server obtains the URL of the to-be-compensated access log that matches the key identification fields, and compensates that URL into the information security log missing a URL.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the key identification fields include: source Internet Protocol (IP) address, destination IP address, source port, destination port and device transaction identifier (ID).
With reference to any one of the third to fifth possible implementations of the first aspect, in a sixth possible implementation of the first aspect, if the anomaly identifier of the information security log missing a URL is the pending-result log identifier, then after the log synthesis server compensates the information security log missing a URL according to the to-be-compensated access log, the method further includes:
The log synthesis server matches the URL corresponding to the information security log missing a URL against the policy information corresponding to that log; if the match succeeds, the policy is hit. The policy information corresponding to the information security log missing a URL includes a policy domain name and/or a policy URL, and is added to the information security log missing a URL by the information security detection device.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, if the policy information includes a policy domain name, the log synthesis server matching the URL corresponding to the information security log missing a URL against the policy information corresponding to that log, with the policy being hit if the match succeeds, includes:
The log synthesis server obtains the domain name corresponding to the information security log missing a URL from the URL corresponding to that log;
The log synthesis server matches the domain name corresponding to the information security log missing a URL against the policy domain name; if the two are identical, the policy is hit.
With reference to the sixth possible implementation of the first aspect, in an eighth possible implementation of the first aspect, if the policy information includes a policy URL, the log synthesis server matching the URL corresponding to the information security log missing a URL against the policy information corresponding to that log, with the policy being hit if the match succeeds, includes:
The log synthesis server matches the URL corresponding to the information security log missing a URL against the policy URL; if the two are identical, the policy is hit.
With reference to the sixth possible implementation of the first aspect, in a ninth possible implementation of the first aspect, if the policy information includes a policy domain name and a policy URL, the log synthesis server matching the URL corresponding to the information security log missing a URL against the policy information corresponding to that log, with the policy being hit if the match succeeds, includes:
The log synthesis server obtains the domain name corresponding to the information security log missing a URL from the URL corresponding to that log;
The log synthesis server matches the URL and the domain name corresponding to the information security log missing a URL against the policy URL and the policy domain name respectively; if the URL is identical to the policy URL and the domain name is identical to the policy domain name, the policy is hit.
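The compensation and policy-matching steps of the first aspect, as an added Python example that is not code from the patent: the class, field and flag names are assumptions, and a dictionary keyed on the key identification fields stands in for the traversal of the cache that the text describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Flag values are assumptions: the page names the identifiers, not their encoding.
TO_BE_COMPENSATED = "to_be_compensated"   # set by the DPI device
MISSING_URL = "missing_url"               # set by the security detection device
PENDING_RESULT = "pending_result"         # URL missing, policy result undecided

@dataclass(frozen=True)
class SessionKey:
    """The key identification fields listed in the fifth implementation."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    device_txn_id: str

@dataclass
class AccessLog:            # reported by the DPI device
    key: SessionKey
    url: str
    flag: Optional[str] = None

@dataclass
class SecurityLog:          # reported by the information security detection device
    key: SessionKey
    anomaly_flag: Optional[str] = None
    url: Optional[str] = None
    policy_domain: Optional[str] = None
    policy_url: Optional[str] = None
    policy_hit: Optional[bool] = None

def domain_of(url: str) -> Optional[str]:
    """Host part of a URL; tolerates URLs logged without a scheme."""
    return urlsplit(url if "://" in url else "//" + url).hostname

def policy_matches(log: SecurityLog) -> bool:
    """Exact-match the compensated URL and its domain against the policy info."""
    checks = []
    if log.policy_domain is not None:
        # Lower-casing the policy domain is an assumption (hostnames ignore case).
        checks.append(domain_of(log.url) == log.policy_domain.lower())
    if log.policy_url is not None:
        checks.append(log.url == log.policy_url)
    return bool(checks) and all(checks)

class LogSynthesisServer:
    def __init__(self) -> None:
        self.access_cache: Dict[SessionKey, AccessLog] = {}
        self.pending: List[SecurityLog] = []

    def ingest_access(self, log: AccessLog) -> bool:
        """Cache only access logs that carry the to-be-compensated flag."""
        if log.flag != TO_BE_COMPENSATED:
            return False
        self.access_cache[log.key] = log
        return True

    def ingest_security(self, log: SecurityLog) -> bool:
        """Cache only security logs that carry one of the two anomaly flags."""
        if log.anomaly_flag not in (MISSING_URL, PENDING_RESULT):
            return False
        self.pending.append(log)
        return True

    def compensate(self) -> List[SecurityLog]:
        """Fill in URLs for cached security logs whose access log has arrived."""
        done, waiting = [], []
        for sec in self.pending:
            match = self.access_cache.get(sec.key)
            if match is None:
                waiting.append(sec)   # counterpart not reported yet, keep cached
                continue
            sec.url = match.url
            if sec.anomaly_flag == PENDING_RESULT:
                sec.policy_hit = policy_matches(sec)
            done.append(sec)
        self.pending = waiting
        return done

def demo():
    """Constructed sample logs; addresses come from documentation ranges."""
    srv = LogSynthesisServer()
    k1 = SessionKey("192.0.2.5", "203.0.113.10", 51514, 80, "txn-1")
    k2 = SessionKey("192.0.2.6", "203.0.113.11", 51515, 80, "txn-2")
    srv.ingest_security(SecurityLog(k1, MISSING_URL))
    srv.ingest_security(SecurityLog(k2, PENDING_RESULT, policy_domain="blocked.example"))
    before = srv.compensate()   # access logs have not been reported yet
    srv.ingest_access(AccessLog(k1, "http://site.example/index.html", TO_BE_COMPENSATED))
    srv.ingest_access(AccessLog(k2, "http://blocked.example/page", TO_BE_COMPENSATED))
    after = srv.compensate()
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print(len(before), [(s.url, s.policy_hit) for s in after])
```

In a deployment both caches need an expiry, since a log whose counterpart never arrives would otherwise be held indefinitely.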
In a second aspect, an embodiment of the present invention provides a method for Internet data center (IDC) information security management, including:
The information security detection device adds an anomaly identifier to an information security log that it detects to be missing a uniform resource locator (URL), where an information security log containing the anomaly identifier is an information security log missing a URL, and the anomaly identifier indicates that the information security log missing a URL needs URL compensation;
The information security detection device reports the information security log missing a URL to the log synthesis server, so that the log synthesis server compensates the information security log missing a URL according to the to-be-compensated access log reported by the deep packet inspection (DPI) device.
With reference to the second aspect, in a first possible implementation of the second aspect, the method further includes:
The information security detection device uses a hash algorithm to ensure that the information security logs of the same user access are reported to the same log synthesis server.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the anomaly identifier includes: a missing-URL log identifier and a pending-result log identifier.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, if the anomaly identifier of the information security log missing a URL is the pending-result log identifier, then after the information security detection device reports the information security log missing a URL to the log synthesis server, the method further includes:
The information security detection device performs keyword detection on the information security log missing a URL, and learns the policy information corresponding to that log from its keywords, where the policy information includes a policy domain name and/or a policy URL;
The information security detection device adds the policy information to the information security log missing a URL, and reports the information security log missing a URL that contains the policy information to the log synthesis server.
In a third aspect, an embodiment of the present invention provides a method for Internet data center (IDC) information security management, including:
The deep packet inspection (DPI) device judges whether both the uplink and the downlink of a user access pass through the DPI device; if not, it adds a to-be-compensated identifier to the access log corresponding to the user access, where an access log containing the to-be-compensated identifier is a to-be-compensated access log, and the to-be-compensated identifier indicates that the information security log generated by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation;
The DPI device reports the to-be-compensated access log to the log synthesis server, so that the log synthesis server compensates the information security log missing a URL according to the to-be-compensated access log.
With reference to the third aspect, in a first possible implementation of the third aspect, the method further includes:
The DPI device uses a hash algorithm to ensure that the access logs of the same user access are reported to the same log synthesis server.
In a fourth aspect, an embodiment of the present invention provides a log synthesis server, including:
A first identification module, configured to identify a to-be-compensated access log and cache it, where the to-be-compensated access log is an access log reported by a deep packet inspection (DPI) device, and the information security log generated by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation;
A second identification module, configured to identify an information security log missing a URL and cache it, where the information security log missing a URL is an information security log reported by an information security detection device;
A compensation module, configured to compensate the information security log missing a URL according to the to-be-compensated access log.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first identification module is specifically configured to:
Identify the to-be-compensated access log according to the to-be-compensated identifier in that access log, where the to-be-compensated identifier indicates that the information security log generated by the user access corresponding to the to-be-compensated access log needs URL compensation.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the second identification module is specifically configured to:
Identify the information security log missing a URL according to the anomaly identifier in that log, where the anomaly identifier indicates that the information security log needs URL compensation.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the anomaly identifier includes: a missing-URL log identifier and a pending-result log identifier.
With reference to the fourth aspect or any one of the first to third possible implementations of the fourth aspect, in a fourth possible implementation of the fourth aspect, the compensation module includes:
A first determining unit, configured to determine the key identification fields of any one information security log missing a URL;
A second determining unit, configured to traverse and query all cached to-be-compensated access logs according to the key identification fields, until the to-be-compensated access log that matches the key identification fields is determined;
A compensation unit, configured to obtain the URL of the to-be-compensated access log that matches the key identification fields, and compensate that URL into the information security log missing a URL.
With reference to the fourth possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect, the key identification fields include: source Internet Protocol (IP) address, destination IP address, source port, destination port and device transaction identifier (ID).
With reference to any one of the third to fifth possible implementations of the fourth aspect, in a sixth possible implementation of the fourth aspect, if the anomaly identifier of the information security log missing a URL is the pending-result log identifier, the log synthesis server further includes:
A matching module, configured to match the URL corresponding to the information security log missing a URL against the policy information corresponding to that log; if the match succeeds, the policy is hit. The policy information corresponding to the information security log missing a URL includes a policy domain name and/or a policy URL, and is added to the information security log missing a URL by the information security detection device.
With reference to the sixth possible implementation of the fourth aspect, in a seventh possible implementation of the fourth aspect, if the policy information includes a policy domain name, the matching module is specifically configured to:
Obtain the domain name corresponding to the information security log missing a URL from the URL corresponding to that log;
Match the domain name corresponding to the information security log missing a URL against the policy domain name; if the two are identical, the policy is hit.
With reference to the sixth possible implementation of the fourth aspect, in an eighth possible implementation of the fourth aspect, if the policy information includes a policy URL, the matching module is specifically configured to:
Match the URL corresponding to the information security log missing a URL against the policy URL; if the two are identical, the policy is hit.
With reference to the sixth possible implementation of the fourth aspect, in a ninth possible implementation of the fourth aspect, if the policy information includes a policy domain name and a policy URL, the matching module is specifically configured to:
Obtain the domain name corresponding to the information security log missing a URL from the URL corresponding to that log;
Match the URL and the domain name corresponding to the information security log missing a URL against the policy URL and the policy domain name respectively; if the URL is identical to the policy URL and the domain name is identical to the policy domain name, the policy is hit.
In a fifth aspect, an embodiment of the present invention provides an information security detection device, including:
A marking module, configured to add an anomaly identifier to an information security log detected to be missing a uniform resource locator (URL), where an information security log containing the anomaly identifier is an information security log missing a URL, and the anomaly identifier indicates that the information security log missing a URL needs URL compensation;
A first reporting module, configured to report the information security log missing a URL to the log synthesis server, so that the log synthesis server compensates the information security log missing a URL according to the to-be-compensated access log reported by the deep packet inspection (DPI) device.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the first reporting module is further specifically configured to: use a hash algorithm to ensure that the information security logs of the same user access are reported to the same log synthesis server.
With reference to the fifth aspect or the first possible implementation of the fifth aspect, in a second possible implementation of the fifth aspect, the anomaly identifier includes: a missing-URL log identifier and a pending-result log identifier.
With reference to the second possible implementation of the fifth aspect, in a third possible implementation of the fifth aspect, if the anomaly identifier of the information security log missing a URL is the pending-result log identifier, the information security detection device further includes:
A detection module, configured to perform keyword detection on the information security log missing a URL, and learn the policy information corresponding to that log from its keywords, where the policy information includes a policy domain name and/or a policy URL;
A second reporting module, configured to add the policy information to the information security log missing a URL, and report the information security log missing a URL that contains the policy information to the log synthesis server.
In a sixth aspect, an embodiment of the present invention provides a deep packet inspection (DPI) device, including:
A judging module, configured to judge whether both the uplink and the downlink of a user access pass through the DPI device and, if not, add a to-be-compensated identifier to the access log corresponding to the user access, where an access log containing the to-be-compensated identifier is a to-be-compensated access log, and the to-be-compensated identifier indicates that the information security log generated by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation;
A reporting module, configured to report the to-be-compensated access log to the log synthesis server, so that the log synthesis server compensates the information security log missing a URL according to the to-be-compensated access log.
With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the reporting module is further specifically configured to: use a hash algorithm to ensure that the access logs of the same user access are reported to the same log synthesis server.
In a seventh aspect, an embodiment of the present invention provides an Internet data center (IDC) information security management system, including:
The log synthesis server according to any implementation of the fourth aspect, the information security detection device according to any implementation of the fifth aspect, the deep packet inspection (DPI) device according to any implementation of the sixth aspect, and a routing device.
In the present invention, the log synthesis server identifies a to-be-compensated access log and caches it, where the information security log generated by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation. Further, the log synthesis server identifies an information security log missing a URL and caches it. Further, the log synthesis server compensates the information security log missing a URL according to the to-be-compensated access log, which achieves compensation of information security logs that lack a URL in the same-source, same-destination scenario.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Apparently, the accompanying drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application scenario of the IDC information security management method of the present invention;
Fig. 2 is a schematic flowchart of embodiment one of the IDC information security management method of the present invention;
Fig. 3 is a schematic flowchart of embodiment two of the IDC information security management method of the present invention;
Fig. 4 is a schematic flowchart of embodiment three of the IDC information security management method of the present invention;
Fig. 5 is a schematic flowchart of embodiment four of the IDC information security management method of the present invention;
Fig. 6 is a schematic structural diagram of embodiment one of the log synthesis server of the present invention;
Fig. 7 is a schematic structural diagram of embodiment two of the log synthesis server of the present invention;
Fig. 8 is a schematic structural diagram of embodiment one of the information security detection device of the present invention;
Fig. 9 is a schematic structural diagram of embodiment two of the information security detection device of the present invention;
Fig. 10 is a schematic structural diagram of embodiment one of the deep packet inspection (DPI) device of the present invention;
Fig. 11 is a schematic structural diagram of embodiment two of the deep packet inspection (DPI) device of the present invention;
Fig. 12 is a schematic structural diagram of an embodiment of the Internet data center (IDC) information security management system of the present invention.
Detailed description of the invention
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
At the end of 2012, China's Ministry of Industry and Information Technology issued two specifications for IDC information security management systems, "IDC/ISP Information Security Management System Technical Requirements" and "IDC/ISP Information Security Management System Interface Specification", to implement information monitoring of IDCs. The specifications explicitly require that the Information Security Management System (ISMS) monitor the bidirectional traffic data of the IDC/Internet Service Provider (ISP), and record and dispose of any illegal information found, so as to implement monitoring and filtering logs. According to the specifications, a compliant system should meet at least the following conditions: 1) it can detect or filter sessions according to combined conditions such as Internet Protocol (IP) address, domain name, URL and keyword; 2) when a policy is hit, the reported log contains the source/destination IP, the source/destination port, the illegal information, the collection time and the identifier of the triggering instruction, and for the Hypertext Transfer Protocol (HTTP) the URL must also be recorded.
In the prior art, when the network topology is relatively simple, the upstream and downstream traffic of the same session passes through the same DPI device, so both directions can be detected, and the access log that is generated and reported can meet the two requirements above. When the network structure is more complex, however, for example when it contains asymmetric routing devices and multiple DPI devices, the upstream and downstream traffic of the same session may pass through different information security detection devices. The information security detection device that the downstream traffic passes through then cannot report an information security log that meets the IDC information security management specifications (for example, the URL is missing). How to compensate URL-missing information security logs in the same-source, same-destination scenario so as to implement IDC information security management is therefore a technical problem that urgently needs to be solved.
In the prior art, traffic can be aggregated and split by adding a front-end switch/traffic-splitting device, so that the upstream and downstream traffic of the same user access is mirrored to the same information security detection device and is therefore inspected by that one device. However, this approach requires additional traffic-splitting devices, which raises the user's cost, and it places high demands on the physical distance of the traffic-splitting devices. The embodiments of the present invention therefore provide a technical solution for compensating URL-missing information security logs in the same-source, same-destination scenario.
Fig. 1 is a schematic diagram of an application scenario of the IDC information security management method of the present invention. As shown in Fig. 1, the network structure in the embodiment of the present invention includes: router 1, router 2, DPI device 1, DPI device 2, information security detection device 1, information security detection device 2, log synthesis server 1 and an application server. Optionally, the specific flow is as follows:
(1) The upstream traffic of a user access (that is, the request information) is diverted to DPI device 1 by router 1.
(2) DPI device 1 performs full detection on the public information data on the service link, generates an access log and reports the access log to log synthesis server 1.
(3) The downstream traffic of the user access (that is, the response information) is diverted to DPI device 2 by router 2.
(4) DPI device 2 mirrors the downstream traffic to information security detection device 2. Because the upstream traffic does not pass through DPI device 2, information security detection device 2 cannot obtain the URL that the user accessed.
(5) Information security detection device 2 performs keyword search, generates a URL-missing information security log and reports it to log synthesis server 1.
(6) Log synthesis server 1 synthesizes a complete information security log from the access log and the information security log.
Fig. 2 is a schematic flowchart of Embodiment One of the IDC information security management method of the present invention. As shown in Fig. 2, the method of this embodiment may include:
S201. The log synthesis server identifies to-be-compensated access logs and caches them.
In the embodiment of the present invention, the log synthesis server receives all access logs reported by the DPI devices. Because the upstream and downstream traffic of some user accesses all passes through the same DPI device, the information security logs produced by those accesses are complete and need no URL compensation. Optionally, in the embodiment of the present invention, the log synthesis server identifies the to-be-compensated access logs among all the access logs and caches only those, so that it can compensate URL-missing information security logs according to the cached to-be-compensated access logs. This reduces the number of access logs that the log synthesis server caches and improves matching efficiency. Here, a to-be-compensated access log is one for which the information security log produced by the corresponding user access needs URL compensation.
Optionally, S201 includes:
The log synthesis server identifies the to-be-compensated access log according to the to-be-compensated flag in it, where the to-be-compensated flag indicates that the information security log produced by the user access corresponding to the access log needs URL compensation.
In the embodiment of the present invention, the log synthesis server can identify a to-be-compensated access log by the to-be-compensated flag it contains, which indicates that the information security log produced by the corresponding user access needs URL compensation. Optionally, when the log synthesis server receives an access log, it may first determine whether the access log contains the to-be-compensated flag. If it does, the server determines that the access log is a to-be-compensated access log and caches it. Otherwise, the server determines that the information security log produced by the corresponding user access is a complete log that needs no URL compensation, and reports the access log directly without caching it.
S202. The log synthesis server identifies URL-missing information security logs and caches them.
In the embodiment of the present invention, the log synthesis server receives all information security logs reported by the information security detection devices. Optionally, the information security logs reported by an information security detection device fall into two parts. The first part consists of logs that are definitely information security logs (this part includes complete information security logs and URL-missing information security logs). The second part consists of logs for which the information security detection device cannot determine whether they are information security logs (these logs lack the URL and their log type is pending, that is, the device cannot determine whether the log is an information security log or some other, legal log). For a complete information security log, the upstream and downstream traffic of the corresponding user access all passes through the same DPI device, so the information security log produced by that access is complete. Optionally, in the embodiment of the present invention, the log synthesis server identifies the URL-missing information security logs among all the information security logs (both those that the information security detection device can confirm as information security logs and those that it cannot) and caches only them, so that it can compensate them according to the cached to-be-compensated access logs. This reduces both the number of logs that the log synthesis server caches and the number of logs that need compensation, thereby improving matching efficiency.
Optionally, S202 includes:
The log synthesis server identifies the URL-missing information security log according to the exception flag in it, where the exception flag indicates that the information security log needs URL compensation.
In the embodiment of the present invention, the log synthesis server can identify a URL-missing information security log by the exception flag it contains, which indicates that the information security log needs URL compensation. Optionally, the exception flag is one of: a URL-missing log flag and a result-pending log flag. A log whose exception flag is the URL-missing log flag is one that the information security detection device can determine to be an information security log. A log whose exception flag is the result-pending log flag not only lacks the URL but also has a pending log type, that is, the information security detection device cannot determine whether it is an information security log or some other, legal log. Marking such a log as result-pending lets the log synthesis server judge the log type further and determine which of the two it is. Optionally, for example, an exception flag of 1 indicates that the log is a URL-missing information security log, and an exception flag of 2 indicates that it is a result-pending information security log.
That is, the URL-missing information security logs include the logs whose exception flag is the URL-missing log flag (the information security detection device can determine that the log is an information security log) and the logs whose exception flag is the result-pending log flag (the device cannot determine whether the log is an information security log or some other, legal log). Optionally, when the log synthesis server receives an information security log, it may first determine whether the log contains an exception flag. If it does, the server determines that the log is a URL-missing information security log and caches it. Otherwise, the server determines that the log is a complete log that needs no URL compensation.
S203. The log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log.
In the embodiment of the present invention, the DPI device and the information security detection device use a hash algorithm to ensure that the logs corresponding to the same user access are sent to the same log synthesis server. For example, as in Fig. 1 above, DPI device 1 reports the access log of user access 1 to log synthesis server 1, and correspondingly information security detection device 2 reports the URL-missing information security log corresponding to user access 1 to log synthesis server 1. Because the to-be-compensated access log contains the URL that the user accessed, optionally, the log synthesis server may first determine the to-be-compensated access log that corresponds to a given URL-missing information security log, then obtain the URL contained in that access log, and finally compensate the URL-missing information security log with the obtained URL.
Optionally, S203 includes:
The log synthesis server determines the key identification fields of any one URL-missing information security log;
The log synthesis server traverses all cached to-be-compensated access logs according to the key identification fields until it finds the to-be-compensated access log that matches the key identification fields;
The log synthesis server obtains the URL of the to-be-compensated access log that matches the key identification fields and compensates that URL into the URL-missing information security log.
In the embodiment of the present invention, the log synthesis server first determines, by keyword search, the key identification fields of any one URL-missing information security log. It then traverses all cached to-be-compensated access logs according to the key identification fields until it finds the to-be-compensated access log that matches them. Optionally, because five key identification fields can uniquely determine any access, the log synthesis server determines the matching to-be-compensated access log by five-tuple matching: specifically, it traverses all cached to-be-compensated access logs according to the five key identification fields until it finds the access log that matches all five. Optionally, the key identification fields include the source Internet Protocol (IP) address, destination IP, source port, destination port and device transaction identity (ID). Finally, the log synthesis server obtains the URL of the matching to-be-compensated access log and compensates it into the URL-missing information security log, thereby obtaining a complete information security log.
Optionally, the embodiment of the present invention does not limit the order of S201 and S202: S201 may be performed before S202, after S202, or at the same time as S202. Optionally, the log synthesis server may also use other storage methods to save the to-be-compensated access logs and/or the URL-missing information security logs, which is not limited in the embodiment of the present invention.
In the embodiment of the present invention, the log synthesis server identifies to-be-compensated access logs and caches them, where a to-be-compensated access log is one for which the information security log produced by the corresponding user access needs Uniform Resource Locator (URL) compensation. Further, the log synthesis server identifies URL-missing information security logs and caches them. Further, the log synthesis server compensates the URL-missing information security logs according to the to-be-compensated access logs, which achieves compensation of URL-missing information security logs in the same-source, same-destination scenario.
In the prior art, in the same-source, same-destination scenario, the upstream and downstream traffic of the same user access does not pass through the same information security detection device, so the information security log that the device reports lacks the URL. As a result, the log synthesis server cannot perform association detection according to multiple combined conditions, that is, the IDC information security management specifications are not met.
Further, in the embodiment of the present invention, if the exception flag of the URL-missing information security log is the result-pending log flag, that is, the information security detection device cannot determine whether the log is an information security log or some other, legal log, the log synthesis server needs to judge the log type further to determine which of the two it is. Further, after the log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log, the method also includes:
The log synthesis server matches the URL corresponding to the URL-missing information security log against the policy information corresponding to that log; if the match succeeds, the policy is hit.
In the embodiment of the present invention, if the log synthesis server determines that the exception flag of the URL-missing information security log is the result-pending log flag (the log lacks the URL and its log type is pending), it further matches the URL obtained for that log against the policy information corresponding to the log. If the match succeeds, the policy is considered hit, that is, association detection on the combined conditions is achieved, and the log is determined to be an information security log. Otherwise, the log is determined to be a legal log, that is, the access corresponding to the log does not involve information security. Here, the policy information corresponding to the URL-missing information security log includes a policy domain name and/or a policy URL, and the policy information is added to the URL-missing information security log by the information security detection device. Optionally, before the log synthesis server matches the URL corresponding to the URL-missing information security log against the policy information corresponding to that log, the method also includes: the log synthesis server receives the URL-missing information security log, containing the policy information, reported by the information security detection device.
Optionally, if the policy information includes a policy domain name, the step in which the log synthesis server matches the URL corresponding to the URL-missing information security log against the policy information corresponding to that log, and the policy is hit if the match succeeds, includes:
The log synthesis server obtains the domain name corresponding to the URL-missing information security log from the URL corresponding to that log;
The log synthesis server matches the domain name corresponding to the URL-missing information security log against the policy domain name; if the two are identical, the policy is hit.
In the embodiment of the present invention, if the policy information includes a policy domain name (or the policy information is policy domain name + keyword), the log synthesis server first obtains the domain name corresponding to the URL-missing information security log from the URL corresponding to that log. It then matches that domain name against the policy domain name. If the two are identical, the match succeeds and the policy is considered hit, that is, association detection on domain name and keyword is achieved, and the URL-missing information security log is determined to be an information security log. Otherwise, the URL-missing information security log is determined to be a legal log.
Optionally, if the policy information includes a policy URL, the step in which the log synthesis server matches the URL corresponding to the URL-missing information security log against the policy information corresponding to that log, and the policy is hit if the match succeeds, includes:
The log synthesis server matches the URL corresponding to the URL-missing information security log against the policy URL; if the two are identical, the policy is hit.
In the embodiment of the present invention, if the policy information includes a policy URL (or the policy information is policy URL + keyword), the log synthesis server matches the URL corresponding to the URL-missing information security log against the policy URL. If the two are identical, the match succeeds and the policy is considered hit, that is, association detection on URL and keyword is achieved, and the URL-missing information security log is determined to be an information security log. Otherwise, the URL-missing information security log is determined to be a legal log.
Optionally, if the policy information includes a policy domain name and a policy URL, the step in which the log synthesis server matches the URL corresponding to the URL-missing information security log against the policy information corresponding to that log, and the policy is hit if the match succeeds, includes:
The log synthesis server obtains the domain name corresponding to the URL-missing information security log from the URL corresponding to that log;
The log synthesis server matches the URL and the domain name corresponding to the URL-missing information security log against the policy URL and the policy domain name respectively; if the URL is identical to the policy URL and the domain name is identical to the policy domain name, the policy is hit.
In the embodiment of the present invention, if the policy information includes a policy domain name and a policy URL (or the policy information is policy URL + policy domain name + keyword), the log synthesis server first obtains the domain name corresponding to the URL-missing information security log from the URL corresponding to that log. It then matches the URL and the domain name against the policy URL and the policy domain name respectively. If the URL is identical to the policy URL and the domain name is identical to the policy domain name, the match succeeds and the policy is considered hit, that is, association detection on domain name, URL and keyword is achieved, and the URL-missing information security log is determined to be an information security log. Otherwise, the URL-missing information security log is determined to be a legal log.
Optionally, before the log synthesis server matches the URL corresponding to the URL-missing information security log against the policy information corresponding to that log, the method also includes: the log synthesis server determines that the exception flag of the URL-missing information security log is the result-pending log flag.
In the embodiment of the present invention, the log synthesis server identifies to-be-compensated access logs and caches them, where a to-be-compensated access log is one for which the information security log produced by the corresponding user access needs Uniform Resource Locator (URL) compensation. Further, the log synthesis server identifies URL-missing information security logs and caches them. Further, the log synthesis server compensates the URL-missing information security logs according to the to-be-compensated access logs, which achieves compensation of URL-missing information security logs in the same-source, same-destination scenario. Further, the log synthesis server matches the URL corresponding to the URL-missing information security log against the policy information corresponding to that log. If the match succeeds, the policy is hit, association detection on the combined conditions is achieved, and the log whose exception flag is the result-pending log flag is determined to be an information security log. Otherwise, the log is determined to be a legal log.
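The following Python example is added here and is not code from the patent; it walks S201 to S203 and the policy matching for result-pending logs on constructed sample logs. The class and field names, the dict lookup used in place of the cache traversal, the case-insensitive domain comparison, and keeping an unmatched log cached until its access log arrives are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

FLAG_URL_MISSING = 1     # exception flag 1 in the text: URL-missing information security log
FLAG_RESULT_PENDING = 2  # exception flag 2 in the text: result-pending log


@dataclass(frozen=True)
class Key:
    """The five key identification fields the text lists for matching one access."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    transaction_id: str


@dataclass
class AccessLog:             # reported by a DPI device
    key: Key
    url: str
    to_be_compensated: bool  # the to-be-compensated flag


@dataclass
class SecurityLog:           # reported by an information security detection device
    key: Key
    keyword: str
    url: Optional[str] = None
    exception_flag: Optional[int] = None
    policy_domain: Optional[str] = None  # policy information added by the detection device
    policy_url: Optional[str] = None


def domain_of(url: str) -> Optional[str]:
    """Extract the host from a URL, tolerating logs that record it without a scheme."""
    return urlsplit(url if "://" in url else "//" + url).hostname


def policy_hit(log: SecurityLog) -> bool:
    """Every policy field present must be identical to the compensated value."""
    checks = []
    if log.policy_domain is not None:
        checks.append(domain_of(log.url) == log.policy_domain.lower())
    if log.policy_url is not None:
        checks.append(log.url == log.policy_url)
    return bool(checks) and all(checks)  # assumption: no policy information means no hit


class LogSynthesisServer:
    def __init__(self):
        self.access_cache = {}  # Key -> AccessLog (assumption: dict lookup, not traversal)
        self.pending = []       # cached URL-missing information security logs
        self.reported = []      # logs passed on without caching

    def receive_access_log(self, log: AccessLog) -> str:      # S201
        if log.to_be_compensated:
            self.access_cache[log.key] = log
            return "cached"
        self.reported.append(log)
        return "reported"

    def receive_security_log(self, log: SecurityLog) -> str:  # S202
        if log.exception_flag in (FLAG_URL_MISSING, FLAG_RESULT_PENDING):
            self.pending.append(log)
            return "cached"
        self.reported.append(log)
        return "reported"

    def compensate(self):                                      # S203, then policy matching
        results, waiting = [], []
        for sec in self.pending:
            access = self.access_cache.get(sec.key)
            if access is None:    # assumption: keep the log until its access log arrives
                waiting.append(sec)
                continue
            sec.url = access.url  # URL compensation
            if sec.exception_flag == FLAG_RESULT_PENDING and not policy_hit(sec):
                results.append((sec, "legal"))
            else:
                results.append((sec, "information-security"))
        self.pending = waiting
        return results


def demo():
    """Constructed sample logs; the addresses are documentation ranges, not real traffic."""
    k1 = Key("192.0.2.10", "198.51.100.20", 51514, 80, "txn-0001")
    k2 = Key("192.0.2.11", "198.51.100.21", 51515, 80, "txn-0002")
    k3 = Key("192.0.2.12", "198.51.100.22", 51516, 80, "txn-0003")
    server = LogSynthesisServer()
    server.receive_access_log(AccessLog(k1, "http://www.example.com/news/1.html", True))
    server.receive_access_log(AccessLog(k2, "files.example.net/b.zip", True))
    server.receive_security_log(SecurityLog(k1, "kw-a", exception_flag=FLAG_URL_MISSING))
    server.receive_security_log(SecurityLog(k2, "kw-b", exception_flag=FLAG_RESULT_PENDING,
                                            policy_domain="www.example.com"))
    server.receive_security_log(SecurityLog(k3, "kw-c", exception_flag=FLAG_RESULT_PENDING,
                                            policy_url="http://www.example.com/x"))
    return server, server.compensate()


if __name__ == "__main__":
    for log, verdict in demo()[1]:
        print(log.key.transaction_id, log.url, verdict)
```

The third sample log stays cached because no access log with its key fields has been reported, which is the case a deployment has to bound with a cache timeout.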
Fig. 3 is the schematic flow sheet of the embodiment of the method two of IDC information security management of the present invention, as it is shown on figure 3, the method for the present embodiment may include that
S301, information security detection equipment increases abnormal mark to detecting in the information security daily record lacking uniform resource position mark URL.
In this embodiment of the present invention, so that the log synthesis server can quickly identify information security logs that lack a URL, optionally, the information security detection device adds an abnormal flag to each information security log that it detects as lacking a uniform resource locator (URL). An information security log that contains the abnormal flag is a URL-missing information security log (this covers both the logs that the information security detection device can confirm to be URL-missing information security logs and the URL-missing logs that it cannot confirm to be information security logs). The abnormal flag indicates that the URL-missing information security log needs URL compensation, so that when the log synthesis server receives an information security log, it can quickly determine whether that log is a URL-missing information security log by checking whether the log contains the abnormal flag. Optionally, the abnormal flag includes a URL-missing log flag (the information security detection device can determine that the log is an information security log) and a result-pending log flag (the result-pending log flag indicates that the log lacks a URL and that its log type is undetermined, that is, the information security detection device cannot determine whether the log is an information security log or some other legitimate log). In other words, URL-missing information security logs fall into two parts: the first part consists of logs that really are information security logs (the logs whose abnormal flag is the URL-missing log flag), and the other part consists of logs for which the information security detection device cannot determine whether they are information security logs (the logs whose abnormal flag is the result-pending log flag). A log is marked as result-pending so that the log synthesis server can examine its log type further and determine whether it is an information security log or some other legitimate log. Optionally, an abnormal flag of 1 indicates that the information security log is a URL-missing information security log, and an abnormal flag of 2 indicates that the information security log is a result-pending information security log.
S302: The information security detection device reports the URL-missing information security log to the log synthesis server, so that the log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log reported by the deep packet inspection (DPI) device.
In this embodiment of the present invention, the information security monitoring device reports the URL-missing information security log that contains the abnormal flag to the log synthesis server, so that the log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log reported by the deep packet inspection (DPI) device. Optionally, the information security detection device uses a hash algorithm to ensure that the information security logs of the same user access are reported to the same log synthesis server, so that the log synthesis server can perform the URL compensation function.
In this embodiment of the present invention, the information security detection device adds an abnormal flag to each information security log that it detects as lacking a uniform resource locator (URL), where an information security log that contains the abnormal flag is a URL-missing information security log and the abnormal flag indicates that the URL-missing information security log needs URL compensation. Further, the information security detection device reports the URL-missing information security log to the log synthesis server, so that the log synthesis server compensates it according to the to-be-compensated access log reported by the deep packet inspection (DPI) device. Compensation of URL-missing information security logs in the same-source, same-destination scenario is thereby achieved.
Further, if the abnormal flag of the URL-missing information security log is the result-pending log flag, then after the information security detection device reports the URL-missing information security log to the log synthesis server, the method further includes:
The information security detection device performs keyword detection on the URL-missing information security log and, according to the keyword of the URL-missing information security log, obtains the policy information corresponding to that log, where the policy information includes a policy domain name and/or a policy URL;
The information security detection device adds the policy information to the URL-missing information security log and reports the URL-missing information security log that contains the policy information to the log synthesis server.
In this embodiment of the present invention, when the information security detection device determines that the abnormal flag of the URL-missing information security log is the result-pending log flag, the information security detection device cannot determine whether the log is an information security log or some other legitimate log. The log synthesis server therefore needs to examine the log type further to determine whether the log is an information security log or some other legitimate log. Optionally, the information security detection device performs keyword detection on the URL-missing information security log and, according to the keyword of that log, obtains the policy information corresponding to it, where the policy information includes a policy domain name and/or a policy URL (for example, the policy information is policy domain name + keyword, policy URL + keyword, or policy URL + policy domain name + keyword). Further, the information security detection device adds the policy information to the URL-missing information security log and reports the URL-missing information security log that contains the policy information to the log synthesis server, so that the log synthesis server matches the URL corresponding to the URL-missing information security log, obtained according to steps S201-S203 of the present invention above, against the policy information corresponding to that log, thereby achieving association detection.
Fig. 4 is a schematic flowchart of method embodiment three of the IDC information security management of the present invention. As shown in Fig. 4, the method of this embodiment may include:
S401: The deep packet inspection (DPI) device determines whether both the uplink and the downlink of a user access pass through the DPI device and, if not, adds a to-be-compensated flag to the access log corresponding to the user access.
In this embodiment of the present invention, so that the log synthesis server can quickly identify to-be-compensated access logs, optionally, the DPI device determines whether both the uplink and the downlink of a user access pass through the DPI device and, if not, adds a to-be-compensated flag to the access log corresponding to the user access. An access log that contains the to-be-compensated flag is a to-be-compensated log, and the to-be-compensated flag indicates that the information security log produced by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation. Thus, when the log synthesis server receives an access log, it can quickly determine whether that access log is a to-be-compensated access log by checking whether the access log contains the to-be-compensated flag.
S402: The DPI device reports the to-be-compensated access log to the log synthesis server, so that the log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log.
In this embodiment of the present invention, the DPI device reports the access log that contains the to-be-compensated flag to the log synthesis server, so that the log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log. Optionally, the DPI device uses a hash algorithm to ensure that the access logs of the same user access are reported to the same log synthesis server, so that the log synthesis server can perform the URL compensation function.
In this embodiment of the present invention, the deep packet inspection (DPI) device determines whether both the uplink and the downlink of a user access pass through the DPI device and, if not, adds a to-be-compensated flag to the access log corresponding to the user access, where an access log that contains the to-be-compensated flag is a to-be-compensated log and the to-be-compensated flag indicates that the information security log produced by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation. Further, the DPI device reports the to-be-compensated access log to the log synthesis server, so that the log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log. Compensation of URL-missing information security logs in the same-source, same-destination scenario is thereby achieved.
Fig. 5 is a schematic flowchart of method embodiment four of the IDC information security management of the present invention. As shown in Fig. 5, the method of this embodiment may include:
S501: The DPI device reports all access logs.
In this embodiment of the present invention, the DPI device identifies user accesses whose uplink and downlink do not pass through the same DPI device and adds a to-be-compensated flag to the access log corresponding to each such user access, where an access log that contains the to-be-compensated flag is a to-be-compensated log. That is, the access logs reported by the DPI device are of two kinds: complete access logs and to-be-compensated access logs.
S502: After receiving all the access logs, the log synthesis server synthesizes the access logs that meet the requirements and reports them.
S503: The log synthesis server identifies the to-be-compensated access logs and caches them.
S504: The information security monitoring device reports all information security logs.
In this embodiment of the present invention, the information security monitoring device adds an abnormal flag to each information security log that it detects as lacking a URL, where an information security log that contains the abnormal flag is a URL-missing information security log and the abnormal flag indicates that the URL-missing information security log needs URL compensation. Optionally, the abnormal flag includes a URL-missing log flag and a result-pending log flag. That is, the information security logs reported by the information security detection device are of three kinds: complete information security logs, URL-missing information security logs, and result-pending information security logs, where a result-pending information security log not only lacks a URL but also has an undetermined log type.
S505: After receiving all the information security logs, the log synthesis server synthesizes the information security logs that meet the requirements and reports them.
S506: The log synthesis server identifies the URL-missing information security logs and caches them.
S507: The log synthesis server compensates the URL-missing information security logs according to the to-be-compensated access logs to obtain complete information security logs.
For the specific implementation process, refer to the foregoing embodiments of the present invention; details are not repeated in this embodiment.
Fig. 6 is a schematic structural diagram of embodiment one of the log synthesis server of the present invention. As shown in Fig. 6, the log synthesis server 60 provided in this embodiment may include: a first identification module 601, a second identification module 602, and a compensating module 603.
The first identification module 601 is configured to identify a to-be-compensated access log and cache it, where the to-be-compensated access log is an access log reported by a deep packet inspection (DPI) device, and the information security log produced by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation;
The second identification module 602 is configured to identify a URL-missing information security log and cache it, where the URL-missing information security log is an information security log reported by an information security detection device;
The compensating module 603 is configured to compensate the URL-missing information security log according to the to-be-compensated access log.
Optionally, the first identification module 601 is specifically configured to:
Identify the to-be-compensated access log according to the to-be-compensated flag in it, where the to-be-compensated flag indicates that the information security log produced by the user access corresponding to the to-be-compensated access log needs URL compensation.
Optionally, the second identification module 602 is specifically configured to:
Identify the URL-missing information security log according to the abnormal flag in it, where the abnormal flag indicates that the information security log needs URL compensation.
Optionally, the abnormal flag includes: a URL-missing log flag and a result-pending log flag.
Optionally, the compensating module 603 includes:
A first determining unit, configured to determine the key identification fields of any one of the URL-missing information security logs;
A second determining unit, configured to traverse and query all the cached to-be-compensated access logs according to the key identification fields until the to-be-compensated access log that matches the key identification fields is determined;
A compensating unit, configured to obtain the URL of the to-be-compensated access log that matches the key identification fields and to compensate that URL into the URL-missing information security log.
Optionally, the key identification fields include: source Internet Protocol (IP) address, destination IP address, source port, destination port, and device transaction identifier (ID).
Optionally, if the abnormal flag of the URL-missing information security log is the result-pending log flag, the log synthesis server further includes:
A matching module, configured to match the URL corresponding to the URL-missing information security log against the policy information corresponding to that log; if the match succeeds, the policy is hit. The policy information corresponding to the URL-missing information security log includes a policy domain name and/or a policy URL, and the policy information is added to the URL-missing information security log by the information security detection device.
Optionally, if the policy information includes a policy domain name, the matching module is specifically configured to:
Obtain the domain name corresponding to the URL-missing information security log from the URL corresponding to that log;
Match the domain name corresponding to the URL-missing information security log against the policy domain name; if the domain name corresponding to the URL-missing information security log is identical to the policy domain name, the policy is hit.
Optionally, if the policy information includes a policy URL, the matching module is specifically configured to:
Match the URL corresponding to the URL-missing information security log against the policy URL; if the URL corresponding to the URL-missing information security log is identical to the policy URL, the policy is hit.
Optionally, if the policy information includes a policy domain name and a policy URL, the matching module is specifically configured to:
Obtain the domain name corresponding to the URL-missing information security log from the URL corresponding to that log;
Match the URL and the domain name corresponding to the URL-missing information security log against the policy URL and the policy domain name respectively; if the URL corresponding to the URL-missing information security log is identical to the policy URL, and the domain name corresponding to the URL-missing information security log is identical to the policy domain name, the policy is hit.
The log synthesis server of this embodiment can be used to execute the technical solutions of method embodiments one and four of the IDC information security management of the present invention described above. Its implementation principle and technical effect are similar and are not repeated here.
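The following Python example is an added illustration, not code from the patent: it shows the caching, key-field compensation and policy matching described for the log synthesis server above, plus one way both reporting devices could hash to the same server. The field names, the dictionary-based cache (used in place of the traversal query the text describes), the choice of hashing the key fields, and the sample logs are all assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Abnormal-flag values 1 and 2 follow the optional encoding in the text.
FLAG_URL_MISSING = 1      # URL missing, known information security log
FLAG_RESULT_PENDING = 2   # URL missing and log type still undetermined
# Key identification fields listed in the text (field names are assumed).
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "txn_id")


def key_of(log):
    return tuple(log[f] for f in KEY_FIELDS)


def pick_server(log, n_servers):
    """Assumed sharding rule: hash the key fields, so the DPI device and the
    detection device independently choose the same synthesis server."""
    digest = hashlib.sha256("|".join(map(str, key_of(log))).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_servers


def domain_of(url):
    # Access logs may carry URLs without a scheme; urlsplit needs "//" then.
    if "://" not in url.split("?", 1)[0]:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def policy_hit(url, policy_domain=None, policy_url=None):
    """Hit only if every policy item present is identical to the log's value."""
    if policy_domain is None and policy_url is None:
        return False
    if policy_domain is not None and domain_of(url) != policy_domain.lower():
        return False
    if policy_url is not None and url != policy_url:
        return False
    return True


class LogSynthesisServer:
    def __init__(self):
        # The text describes traversing the cached access logs; a dict keyed
        # on the key fields is used here instead to find the same match.
        self.access_cache = {}
        self.pending = []

    def on_access_log(self, log):
        if log.get("to_be_compensated"):
            self.access_cache[key_of(log)] = log["url"]

    def on_security_log(self, log):
        if log.get("abnormal_flag") in (FLAG_URL_MISSING, FLAG_RESULT_PENDING):
            self.pending.append(dict(log))

    def compensate(self):
        """Fill in URLs for cached security logs that now have a match."""
        done, waiting = [], []
        for log in self.pending:
            url = self.access_cache.get(key_of(log))
            if url is None:
                waiting.append(log)   # access log not seen yet; keep cached
                continue
            log["url"] = url
            if log["abnormal_flag"] == FLAG_RESULT_PENDING:
                log["policy_hit"] = policy_hit(
                    url, log.get("policy_domain"), log.get("policy_url"))
            done.append(log)
        self.pending = waiting
        return done


def demo():
    # Constructed sample logs, not taken from the patent.
    flow = {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.20",
            "src_port": 40112, "dst_port": 80, "txn_id": 9001}
    other = dict(flow, src_port=40113, txn_id=9002)
    server = LogSynthesisServer()
    # The security logs arrive first, which is why both sides are cached.
    server.on_security_log(dict(flow, abnormal_flag=FLAG_RESULT_PENDING,
                                keyword="kw", policy_domain="shop.example.test"))
    server.on_security_log(dict(other, abnormal_flag=FLAG_URL_MISSING))
    first = server.compensate()
    server.on_access_log(dict(flow, to_be_compensated=True,
                              url="http://shop.example.test/item?id=5"))
    second = server.compensate()
    return first, second, server.pending
```

A security log whose access log never arrives stays in `pending` indefinitely here; a deployment would need an expiry rule for both caches, which the text does not specify.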
Fig. 7 is a schematic structural diagram of embodiment two of the log synthesis server of the present invention. As shown in Fig. 7, the log synthesis server 70 provided in this embodiment may include a processor 701 and a memory 702. The log synthesis server 70 may also include a data interface unit 703, which may be connected to the processor 701. The data interface unit 703 is used to receive and send data, and the memory 702 is used to store execution instructions. When the log synthesis server 70 runs, the processor 701 communicates with the memory 702 and calls the execution instructions in the memory 702 to perform the operations in method embodiments one and four of the IDC information security management described above.
The log synthesis server of this embodiment can be used to execute the technical solutions of method embodiments one and four of the IDC information security management of the present invention described above. Its implementation principle and technical effect are similar and are not repeated here.
Fig. 8 is a schematic structural diagram of embodiment one of the information security detection device of the present invention. As shown in Fig. 8, the information security detection device 80 provided in this embodiment may include: a marking module 801 and a first reporting module 802.
The marking module 801 is configured to add an abnormal flag to each information security log that is detected as lacking a uniform resource locator (URL), where an information security log that contains the abnormal flag is a URL-missing information security log and the abnormal flag indicates that the URL-missing information security log needs URL compensation;
The first reporting module 802 is configured to report the URL-missing information security log to the log synthesis server, so that the log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log reported by the deep packet inspection (DPI) device.
Optionally, the first reporting module 802 is further specifically configured to: use a hash algorithm to ensure that the information security logs of the same user access are reported to the same log synthesis server.
Optionally, the abnormal flag includes: a URL-missing log flag and a result-pending log flag.
Optionally, if the abnormal flag of the URL-missing information security log is the result-pending log flag, the information security detection device further includes:
A detection module, configured to perform keyword detection on the URL-missing information security log and, according to the keyword of the URL-missing information security log, obtain the policy information corresponding to that log, where the policy information includes a policy domain name and/or a policy URL;
A second reporting module, configured to add the policy information to the URL-missing information security log and report the URL-missing information security log that contains the policy information to the log synthesis server.
The information security detection device of this embodiment can be used to execute the technical solutions of method embodiments two and four of the IDC information security management of the present invention described above. Its implementation principle and technical effect are similar and are not repeated here.
Fig. 9 is a schematic structural diagram of embodiment two of the information security detection device of the present invention. As shown in Fig. 9, the information security detection device 90 provided in this embodiment may include a processor 901 and a memory 902. The information security detection device 90 may also include a data interface unit 903, which may be connected to the processor 901. The data interface unit 903 is used to receive and send data, and the memory 902 is used to store execution instructions. When the information security detection device 90 runs, the processor 901 communicates with the memory 902 and calls the execution instructions in the memory 902 to perform the operations in method embodiments two and four of the IDC information security management described above.
The information security detection device of this embodiment can be used to execute the technical solutions of method embodiments two and four of the IDC information security management of the present invention described above. Its implementation principle and technical effect are similar and are not repeated here.
Figure 10 is a schematic structural diagram of embodiment one of the deep packet inspection (DPI) device of the present invention. As shown in Figure 10, the DPI device 100 provided in this embodiment may include: a judging module 1001 and a reporting module 1002.
The judging module 1001 is configured to determine whether both the uplink and the downlink of a user access pass through the DPI device and, if not, to add a to-be-compensated flag to the access log corresponding to the user access, where an access log that contains the to-be-compensated flag is a to-be-compensated log and the to-be-compensated flag indicates that the information security log produced by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation;
The reporting module 1002 is configured to report the to-be-compensated access log to the log synthesis server, so that the log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log.
Optionally, the reporting module is further specifically configured to: use a hash algorithm to ensure that the access logs of the same user access are reported to the same log synthesis server.
The DPI device of this embodiment can be used to execute the technical solutions of method embodiments three and four of the IDC information security management of the present invention described above. Its implementation principle and technical effect are similar and are not repeated here.
Figure 11 is a schematic structural diagram of embodiment two of the deep packet inspection (DPI) device of the present invention. As shown in Figure 11, the DPI device 110 provided in this embodiment may include a processor 1101 and a memory 1102. The DPI device 110 may also include a data interface unit 1103, which may be connected to the processor 1101. The data interface unit 1103 is used to receive and send data, and the memory 1102 is used to store execution instructions. When the DPI device 110 runs, the processor 1101 communicates with the memory 1102 and calls the execution instructions in the memory 1102 to perform the operations in method embodiments three and four of the IDC information security management described above.
The DPI device of this embodiment can be used to execute the technical solutions of method embodiments three and four of the IDC information security management of the present invention described above. Its implementation principle and technical effect are similar and are not repeated here.
Figure 12 is a schematic structural diagram of an embodiment of the Internet data center (IDC) information security management system of the present invention. As shown in Figure 12, the IDC information security management system of this embodiment includes: a log synthesis server 1201, an information security detection device 1202, a deep packet inspection (DPI) device 1203, and a routing device 1204. The log synthesis server 1201 may adopt the structure of embodiment one or embodiment two of the log synthesis server described above and, correspondingly, can execute the technical solutions of method embodiment one and embodiment four of the IDC information security management described above. The information security detection device 1202 may adopt the structure of embodiment one or embodiment two of the information security detection device described above and, correspondingly, can execute the technical solutions of method embodiment two and embodiment four of the IDC information security management described above. The DPI device 1203 may adopt the structure of embodiment one or embodiment two of the DPI device described above and, correspondingly, can execute the technical solutions of method embodiment three and embodiment four of the IDC information security management described above. The implementation principles and technical effects are similar and are not repeated here.
A person of ordinary skill in the art will appreciate that all or part of the steps of the foregoing method embodiments may be completed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs the steps of the foregoing method embodiments. The storage medium includes various media that can store program code, such as ROM, RAM, a magnetic disk, or an optical disc.
Finally, it should be noted that the foregoing embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (33)

1. A method for Internet data center (IDC) information security management, characterized by comprising:
A log synthesis server identifies a to-be-compensated access log and caches it, where the to-be-compensated access log is an access log reported by a deep packet inspection (DPI) device, and the information security log produced by the user access corresponding to the to-be-compensated access log needs uniform resource locator (URL) compensation;
The log synthesis server identifies a URL-missing information security log and caches it, where the URL-missing information security log is an information security log reported by an information security detection device;
The log synthesis server compensates the URL-missing information security log according to the to-be-compensated access log.
2. method according to claim 1, it is characterised in that the access log that described daily record synthesis server identification is to be compensated, including:
Described daily record synthesis server is according to the mark to be compensated in described access log to be compensated, identify described access log to be compensated, wherein, described mark to be compensated needs to do URL compensation for indicating the user that described access log to be compensated is corresponding to access produced information security daily record.
3. method according to claim 1 and 2, it is characterised in that the information security daily record of described daily record synthesis server identification disappearance URL, including:
Described daily record synthesis server, according to the exception mark in the information security daily record of described disappearance URL, identifies the information security daily record of described disappearance URL, and wherein, described abnormal mark is used for indicating described information security daily record to need to be URL and compensates.
4. method according to claim 3, it is characterised in that described abnormal mark includes: disappearance URL daily record mark and result daily record mark undetermined.
5. The method according to any one of claims 1-4, characterized in that the log synthesis server compensating the information security log missing the URL according to the access log to be compensated comprises:
The log synthesis server determines the key identification field of any one information security log missing the URL;
The log synthesis server traverses all cached access logs to be compensated according to the key identification field, until it determines the access log to be compensated that matches the key identification field;
The log synthesis server obtains the URL of the access log to be compensated that matches the key identification field, and compensates that URL into the information security log missing the URL.
6. The method according to claim 5, characterized in that the key identification field comprises: source Internet Protocol (IP), destination IP, source port, destination port, and device transaction identifier (ID).
7. The method according to any one of claims 4-6, characterized in that, if the abnormal identifier of the information security log missing the URL is the result-pending log identifier, after the log synthesis server compensates the information security log missing the URL according to the access log to be compensated, the method further comprises:
The log synthesis server matches the URL corresponding to the information security log missing the URL against the policy information corresponding to the information security log missing the URL, and if the match succeeds, the policy is hit; wherein the policy information corresponding to the information security log missing the URL comprises a policy domain name and/or a policy URL, and the policy information is added to the information security log missing the URL by the information security detection device.
8. The method according to claim 7, characterized in that, if the policy information comprises a policy domain name, the log synthesis server matching the URL corresponding to the information security log missing the URL against the policy information corresponding to the information security log missing the URL, the policy being hit if the match succeeds, comprises:
The log synthesis server obtains, from the URL corresponding to the information security log missing the URL, the domain name corresponding to the information security log missing the URL;
The log synthesis server matches the domain name corresponding to the information security log missing the URL against the policy domain name, and if the domain name corresponding to the information security log missing the URL is identical to the policy domain name, the policy is hit.
9. The method according to claim 7, characterized in that, if the policy information comprises a policy URL, the log synthesis server matching the URL corresponding to the information security log missing the URL against the policy information corresponding to the information security log missing the URL, the policy being hit if the match succeeds, comprises:
The log synthesis server matches the URL corresponding to the information security log missing the URL against the policy URL, and if the URL corresponding to the information security log missing the URL is identical to the policy URL, the policy is hit.
10. The method according to claim 7, characterized in that, if the policy information comprises a policy domain name and a policy URL, the log synthesis server matching the URL corresponding to the information security log missing the URL against the policy information corresponding to the information security log missing the URL, the policy being hit if the match succeeds, comprises:
The log synthesis server obtains, from the URL corresponding to the information security log missing the URL, the domain name corresponding to the information security log missing the URL;
The log synthesis server matches the URL and the domain name corresponding to the information security log missing the URL against the policy URL and the policy domain name respectively, and if the URL corresponding to the information security log missing the URL is identical to the policy URL and the domain name corresponding to the information security log missing the URL is identical to the policy domain name, the policy is hit.
11. A method for Internet data center (IDC) information security management, characterized by comprising:
An information security detection device adds an abnormal identifier to a detected information security log that lacks a uniform resource locator (URL), wherein an information security log containing the abnormal identifier is an information security log missing a URL, and the abnormal identifier indicates that the information security log missing the URL requires URL compensation;
The information security detection device reports the information security log missing the URL to a log synthesis server, so that the log synthesis server compensates the information security log missing the URL according to an access log to be compensated reported by a deep packet inspection (DPI) device.
12. The method according to claim 11, characterized by further comprising:
The information security detection device ensures, by means of a hash algorithm, that the information security logs of the same user access are reported to the same log synthesis server.
13. The method according to claim 11 or 12, characterized in that the abnormal identifier comprises: a missing-URL log identifier and a result-pending log identifier.
14. The method according to claim 13, characterized in that, if the abnormal identifier of the information security log missing the URL is the result-pending log identifier, after the information security detection device reports the information security log missing the URL to the log synthesis server, the method further comprises:
The information security detection device performs a keyword search on the information security log missing the URL, and learns, according to the keyword of the information security log missing the URL, the policy information corresponding to the information security log missing the URL, wherein the policy information comprises a policy domain name and/or a policy URL;
The information security detection device adds the policy information to the information security log missing the URL, and reports the information security log missing the URL that contains the policy information to the log synthesis server.
15. A method for Internet data center (IDC) information security management, characterized by comprising:
A deep packet inspection (DPI) device judges whether both the uplink and the downlink of a user access pass through the DPI device, and if not, adds a to-be-compensated identifier to the access log corresponding to the user access, wherein an access log containing the to-be-compensated identifier is an access log to be compensated, and the to-be-compensated identifier indicates that the information security log produced by the user access corresponding to the access log to be compensated requires uniform resource locator (URL) compensation;
The DPI device reports the access log to be compensated to a log synthesis server, so that the log synthesis server compensates an information security log missing a URL according to the access log to be compensated.
16. The method according to claim 15, characterized by further comprising:
The DPI device ensures, by means of a hash algorithm, that the access logs of the same user access are reported to the same log synthesis server.
17. A log synthesis server, characterized by comprising:
A first identification module, configured to identify an access log to be compensated and cache the access log to be compensated, wherein the access log to be compensated is an access log reported by a deep packet inspection (DPI) device, and the information security log produced by the user access corresponding to the access log to be compensated requires uniform resource locator (URL) compensation;
A second identification module, configured to identify an information security log missing a URL and cache the information security log missing the URL, wherein the information security log missing the URL is an information security log reported by an information security detection device;
A compensation module, configured to compensate the information security log missing the URL according to the access log to be compensated.
18. The log synthesis server according to claim 17, characterized in that the first identification module is specifically configured to:
Identify the access log to be compensated according to a to-be-compensated identifier in the access log to be compensated, wherein the to-be-compensated identifier indicates that the information security log produced by the user access corresponding to the access log to be compensated requires URL compensation.
19. The log synthesis server according to claim 17 or 18, characterized in that the second identification module is specifically configured to:
Identify the information security log missing the URL according to an abnormal identifier in the information security log missing the URL, wherein the abnormal identifier indicates that the information security log requires URL compensation.
20. The log synthesis server according to claim 19, characterized in that the abnormal identifier comprises: a missing-URL log identifier and a result-pending log identifier.
21. The log synthesis server according to any one of claims 17-20, characterized in that the compensation module comprises:
A first determining unit, configured to determine the key identification field of any one information security log missing the URL;
A second determining unit, configured to traverse all cached access logs to be compensated according to the key identification field, until the access log to be compensated that matches the key identification field is determined;
A compensation unit, configured to obtain the URL of the access log to be compensated that matches the key identification field, and compensate that URL into the information security log missing the URL.
22. The log synthesis server according to claim 21, characterized in that the key identification field comprises: source Internet Protocol (IP), destination IP, source port, destination port, and device transaction identifier (ID).
23. The log synthesis server according to any one of claims 20-22, characterized in that, if the abnormal identifier of the information security log missing the URL is the result-pending log identifier, the log synthesis server further comprises:
A matching module, configured to match the URL corresponding to the information security log missing the URL against the policy information corresponding to the information security log missing the URL, the policy being hit if the match succeeds; wherein the policy information corresponding to the information security log missing the URL comprises a policy domain name and/or a policy URL, and the policy information is added to the information security log missing the URL by the information security detection device.
24. The log synthesis server according to claim 23, characterized in that, if the policy information comprises a policy domain name, the matching module is specifically configured to:
Obtain, from the URL corresponding to the information security log missing the URL, the domain name corresponding to the information security log missing the URL;
Match the domain name corresponding to the information security log missing the URL against the policy domain name, and if the domain name corresponding to the information security log missing the URL is identical to the policy domain name, the policy is hit.
25. The log synthesis server according to claim 23, characterized in that, if the policy information comprises a policy URL, the matching module is specifically configured to:
Match the URL corresponding to the information security log missing the URL against the policy URL, and if the URL corresponding to the information security log missing the URL is identical to the policy URL, the policy is hit.
26. The log synthesis server according to claim 23, characterized in that, if the policy information comprises a policy domain name and a policy URL, the matching module is specifically configured to:
Obtain, from the URL corresponding to the information security log missing the URL, the domain name corresponding to the information security log missing the URL;
Match the URL and the domain name corresponding to the information security log missing the URL against the policy URL and the policy domain name respectively, and if the URL corresponding to the information security log missing the URL is identical to the policy URL and the domain name corresponding to the information security log missing the URL is identical to the policy domain name, the policy is hit.
27. An information security detection device, characterized by comprising:
A marking module, configured to add an abnormal identifier to a detected information security log that lacks a uniform resource locator (URL), wherein an information security log containing the abnormal identifier is an information security log missing a URL, and the abnormal identifier indicates that the information security log missing the URL requires URL compensation;
A first reporting module, configured to report the information security log missing the URL to a log synthesis server, so that the log synthesis server compensates the information security log missing the URL according to an access log to be compensated reported by a deep packet inspection (DPI) device.
28. The information security detection device according to claim 27, characterized in that the first reporting module is further specifically configured to: ensure, by means of a hash algorithm, that the information security logs of the same user access are reported to the same log synthesis server.
29. The information security detection device according to claim 27 or 28, characterized in that the abnormal identifier comprises: a missing-URL log identifier and a result-pending log identifier.
30. The information security detection device according to claim 29, characterized in that, if the abnormal identifier of the information security log missing the URL is the result-pending log identifier, the information security detection device further comprises:
A detection module, configured to perform a keyword search on the information security log missing the URL, and learn, according to the keyword of the information security log missing the URL, the policy information corresponding to the information security log missing the URL, wherein the policy information comprises a policy domain name and/or a policy URL;
A second reporting module, configured to add the policy information to the information security log missing the URL, and report the information security log missing the URL that contains the policy information to the log synthesis server.
31. A deep packet inspection (DPI) device, characterized by comprising:
A judging module, configured to judge whether both the uplink and the downlink of a user access pass through the DPI device, and if not, add a to-be-compensated identifier to the access log corresponding to the user access, wherein an access log containing the to-be-compensated identifier is an access log to be compensated, and the to-be-compensated identifier indicates that the information security log produced by the user access corresponding to the access log to be compensated requires uniform resource locator (URL) compensation;
A reporting module, configured to report the access log to be compensated to a log synthesis server, so that the log synthesis server compensates an information security log missing a URL according to the access log to be compensated.
32. The deep packet inspection (DPI) device according to claim 31, characterized in that the reporting module is further specifically configured to: ensure, by means of a hash algorithm, that the access logs of the same user access are reported to the same log synthesis server.
33. An Internet data center (IDC) information security management system, characterized by comprising:
The log synthesis server according to any one of claims 17 to 26, the information security detection device according to any one of claims 27 to 30, the deep packet inspection (DPI) device according to claim 31 or 32, and a routing device.
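The following Python sketch is an added example, not code from the patent or its applicant: it walks the log synthesis server flow of claims 1 to 10 together with the hash-based reporting of claims 12 and 16. The record field names, the two identifier values, the choice of CRC32 over the claim 6 fields, and the dictionary index used in place of the traversal described in claim 5 are all assumptions.

```python
"""Added example: URL compensation on a log synthesis server (claims 1-10, 12, 16)."""
import zlib
from urllib.parse import urlsplit

# Constructed values for the two abnormal identifiers named in claim 4.
MISSING_URL = "missing_url"
RESULT_PENDING = "result_pending"


def flow_key(rec):
    """Key identification field of claim 6 (record field names are assumptions)."""
    return (rec["src_ip"], rec["dst_ip"], rec["src_port"],
            rec["dst_port"], rec["txn_id"])


def pick_server(rec, n_servers):
    """Claims 12/16: both devices hash the same access to the same server.
    Hashing the claim 6 fields with CRC32 is an assumption; the claims only
    say 'a hash algorithm'."""
    raw = "|".join(str(v) for v in flow_key(rec)).encode()
    return zlib.crc32(raw) % n_servers


def policy_hit(url, policy_domain=None, policy_url=None):
    """Claims 8-10: exact match on whichever policy fields are present."""
    if policy_domain is None and policy_url is None:
        return False
    host = urlsplit(url if "//" in url else "//" + url).hostname
    domain_ok = policy_domain is None or host == policy_domain.lower()
    url_ok = policy_url is None or url == policy_url
    return domain_ok and url_ok


class LogSynthesisServer:
    def __init__(self):
        self.access_cache = {}   # flow key -> URL, from flagged access logs
        self.pending = []        # security logs still missing a URL

    def on_access_log(self, rec):
        # Claim 2: cache only access logs carrying the to-be-compensated flag.
        if rec.get("to_compensate") and rec.get("url"):
            self.access_cache[flow_key(rec)] = rec["url"]

    def on_security_log(self, rec):
        # Claim 3: cache only security logs carrying an abnormal identifier.
        if rec.get("abnormal") in (MISSING_URL, RESULT_PENDING):
            self.pending.append(dict(rec))

    def compensate(self):
        """Claim 5, then claim 7 for result-pending logs. Unmatched logs stay
        cached, so a security log that arrives first is retried later."""
        done, waiting = [], []
        for rec in self.pending:
            url = self.access_cache.get(flow_key(rec))
            if url is None:
                waiting.append(rec)
                continue
            rec["url"] = url
            if rec["abnormal"] == RESULT_PENDING:
                rec["policy_hit"] = policy_hit(
                    url, rec.get("policy_domain"), rec.get("policy_url"))
            done.append(rec)
        self.pending = waiting
        return done


# Constructed sample records (documentation address ranges, reserved .test name).
FLOW = {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.7",
        "src_port": 51544, "dst_port": 80, "txn_id": 9001}
SAMPLE_ACCESS = dict(FLOW, to_compensate=True,
                     url="http://blocked.example.test/page")
SAMPLE_SECURITY = dict(FLOW, abnormal=RESULT_PENDING,
                       policy_domain="blocked.example.test")

if __name__ == "__main__":
    srv = LogSynthesisServer()
    srv.on_security_log(SAMPLE_SECURITY)   # arrives before the access log
    print(srv.compensate())                # nothing to match yet
    srv.on_access_log(SAMPLE_ACCESS)
    print(srv.compensate())
```

Because the match is an exact comparison on all five fields, a DPI device and an information security detection device that populate any of those fields differently leave the security log uncompensated in the pending cache.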
CN201410843504.XA 2014-12-30 2014-12-30 The method, apparatus and system of IDC information security management Active CN105812324B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410843504.XA CN105812324B (en) 2014-12-30 2014-12-30 The method, apparatus and system of IDC information security management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410843504.XA CN105812324B (en) 2014-12-30 2014-12-30 The method, apparatus and system of IDC information security management

Publications (2)

Publication Number Publication Date
CN105812324A true CN105812324A (en) 2016-07-27
CN105812324B CN105812324B (en) 2019-04-05

Family

ID=56421096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410843504.XA Active CN105812324B (en) 2014-12-30 2014-12-30 The method, apparatus and system of IDC information security management

Country Status (1)

Country Link
CN (1) CN105812324B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108683598A (en) * 2018-04-20 2018-10-19 武汉绿色网络信息服务有限责任公司 A kind of asymmetrical network flow processing method and processing unit
CN109995602A (en) * 2017-12-29 2019-07-09 中国移动通信集团设计院有限公司 A kind of mthods, systems and devices of protocol identification
CN110417759A (en) * 2019-07-16 2019-11-05 广东申立信息工程股份有限公司 A kind of method of IDC information security management
CN112217770A (en) * 2019-07-11 2021-01-12 奇安信科技集团股份有限公司 Security detection method and device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1403847A (en) * 2001-08-31 2003-03-19 三星电子株式会社 Projector equipment
CN103178982A (en) * 2011-12-23 2013-06-26 阿里巴巴集团控股有限公司 Method and device for analyzing log
US20130238473A1 (en) * 2012-03-06 2013-09-12 Jerry Fan Systems and Methods for Billing Content Providers for Designated Content Delivered Over a Data Network
CN104156389A (en) * 2014-07-04 2014-11-19 重庆邮电大学 Deep packet detecting system and method based on Hadoop platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
顾欣,那业君等: "《IDC信息安全管理系统建设方案探讨》", 《互联网天地》 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109995602A (en) * 2017-12-29 2019-07-09 中国移动通信集团设计院有限公司 A kind of mthods, systems and devices of protocol identification
CN109995602B (en) * 2017-12-29 2021-03-16 中国移动通信集团设计院有限公司 Method, system and device for identifying protocol
CN108683598A (en) * 2018-04-20 2018-10-19 武汉绿色网络信息服务有限责任公司 A kind of asymmetrical network flow processing method and processing unit
CN112217770A (en) * 2019-07-11 2021-01-12 奇安信科技集团股份有限公司 Security detection method and device, computer equipment and storage medium
CN112217770B (en) * 2019-07-11 2023-10-13 奇安信科技集团股份有限公司 Security detection method, security detection device, computer equipment and storage medium
CN110417759A (en) * 2019-07-16 2019-11-05 广东申立信息工程股份有限公司 A kind of method of IDC information security management

Also Published As

Publication number Publication date
CN105812324B (en) 2019-04-05

Similar Documents

Publication Publication Date Title
CN109962903B (en) Home gateway security monitoring method, device, system and medium
US10091167B2 (en) Network traffic analysis to enhance rule-based network security
US8844034B2 (en) Method and apparatus for detecting and defending against CC attack
CN107623661B (en) System, method and device for blocking access request and server
CN103634786B (en) A kind of method and system for security detection and repair of wireless network
US20150195381A1 (en) Method and apparatus of identifying proxy ip address
US20140047543A1 (en) Apparatus and method for detecting http botnet based on densities of web transactions
US20160234234A1 (en) Orchestrating the Use of Network Resources in Software Defined Networking Applications
CN106656922A (en) Flow analysis based protective method and device against network attack
CN112738095A (en) Method, device, system, storage medium and equipment for detecting illegal external connection
CN109587156A (en) Abnormal network access connection identification and blocking-up method, system, medium and equipment
CN105812324A (en) Method, device and system for IDC information safety management
KR101127246B1 (en) Method of identifying terminals which share an ip address and apparatus thereof
US20170141984A1 (en) Method and system for detecting client causing network problem using client route control system
CN105306411A (en) Data packet processing method and device
KR101087291B1 (en) A method for identifying whole terminals using internet and a system thereof
KR20160087187A (en) Cyber blackbox system and method thereof
CN110719286A (en) Network optimization scheme sharing system and method based on big data
CN105656843A (en) Application layer protection method and apparatus based on verification and network equipment
CN113765912A (en) Distributed firewall device and detection method thereof
CN108259416B (en) Method for detecting malicious webpage and related equipment
WO2013097493A1 (en) Ips detection processing method, network security device and system
CN115664833B (en) Network hijacking detection method based on local area network safety equipment
CN104601578A (en) Recognition method and device for attack message and core device
Salim et al. Preventing ARP spoofing attacks through gratuitous decision packet

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant