CN109150610A - The network event acquisition method of rule-based adaptation - Google Patents

Info

Publication number
CN109150610A
Authority
CN
China
Prior art keywords
rule
acquisition
interface
collected
target object
Prior art date
Legal status
Granted
Application number
CN201810991813.XA
Other languages
Chinese (zh)
Other versions
CN109150610B (en)
Inventor
王君
Current Assignee
Shenzhen Future Interactive Information Technology Co Ltd
Original Assignee
Shenzhen Future Interactive Information Technology Co Ltd
Priority date
Filing date
Publication date
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0803 Configuration setting
    • H04L 41/0893 Assignment of logical groups to network elements

Abstract

The embodiment of the invention discloses a network event acquisition method based on rule adaptation, comprising: determining the target object to be collected; selecting an interface communication protocol; loading the corresponding interface communication parameters; filling in the corresponding parameter values; calling the corresponding interface communication module; presetting the implementation of the preset interface communication protocol logic; associating with the target object to be collected, parsing its authentication rule and loading the basic parameters; filling in the relevant parameter values; initiating a connection test to verify whether the collection rule configuration information is correct; and, if the connection is correct, loading the corresponding acquisition task scheduling strategy, executing data acquisition and storing the resulting raw data in a raw database. By configuring collection rules and strategies, the embodiment automatically adapts the acquisition communication interface module and collects and stores the raw information of the target object; by configuring standard event mapping rules, it formats the collected raw data and provides unified formatted data for analysis and management.

Description

The network event acquisition method of rule-based adaptation
Technical field
The present invention relates to the technical field of network information security, and in particular to a network event acquisition method based on rule adaptation.
Background technique
With the rapid development of network technology and the mobile Internet and the wide adoption of cloud computing and big data technology, the deployment of computer servers, network equipment, security equipment, monitoring equipment and the like keeps accelerating and their scale keeps growing. Correspondingly, network security threats are increasingly severe and serious incidents occur continuously. To respond to network security threats proactively, block attacks in time, or obtain evidence for post-incident auditing, a network event acquisition system is usually used to collect business logs, network behaviour and message events from each network element device and information system in the network environment, normalize them, and perform centralized monitoring and auditing. Under the prior art, an acquisition system mostly works by analysing the log and security event formats and transport protocols of the target device or system, then writing a corresponding information acquisition program and program interface to collect the raw information, which is monitored, analysed and audited after processing.
Because the number of devices in computer rooms, IDCs and cloud computing centres is huge, business systems are diverse and the network environment is complex, and because there are many equipment and information system manufacturers using a wide variety of network protocols, log formats and information formats, one-to-one information acquisition requires a large amount of custom development, is inefficient and needs coordination among many vendors. Standardizing the information formats is difficult, so this approach is not suitable for acquiring and monitoring message logs and security events from large-scale equipment and systems.
Summary of the invention
The technical problem to be solved by the embodiment of the invention is to provide a network event acquisition method based on rule adaptation that is suitable for acquiring and monitoring message logs and security events from large-scale equipment and systems.
To solve the above technical problem, the embodiment of the invention proposes a network event acquisition method based on rule adaptation, comprising:
Step 1: determining the target object to be collected and configuring the identity authentication rule of the target system;
Step 2: selecting the interface communication protocol of the target object to be collected;
Step 3: loading the corresponding interface communication parameters according to the selected interface communication protocol;
Step 4: filling in the corresponding parameter values according to the interface communication parameters;
Step 5: calling the corresponding interface communication module according to the interface communication protocol and the parameter values;
Step 6: presetting the implementation of the preset interface communication protocol logic to form an independent component module;
Step 7: associating the called interface communication module with the target object to be collected, parsing the identity authentication rule of the target system, and loading the basic parameters that need to be filled in;
Step 8: filling in the relevant parameter values of the authentication interface of the target system and automatically verifying the mandatory parameters; if no default is set, filling in the parameter values according to the information supplement collection rule of the target object to be collected;
Step 9: after the interface parameters have been filled in, initiating a connection test to verify whether the collection rule configuration information is correct;
Step 10: if the connection is incorrect, prompting an error message and the reason; if the connection is correct, proceeding to step 11;
Step 11: loading the corresponding acquisition task scheduling strategy, executing data acquisition and storing the resulting raw data in a raw database.
Further, after step 11 the method further comprises:
Step 12: analysing the data format of the target object to be collected and configuring format mapping rules that format the diverse raw data into unified standardized events;
Step 13: loading the data that needs analysis mapping from the raw database and writing it into the queue to be analysed;
Step 14: performing analysis mapping on the raw data according to the configured mapping rules, converting the raw data structure into the unified format defined by the system according to the rules;
Step 15: generating standard events and storing them in the standard event library.
Further, the interface communication protocol of the target object to be collected includes: http-get/http-post/https/webservice/ftp/sftp/syslog/jdbc/odbc/ssh/telnet/smp/smtp/nfs/udp/tcp/file/flow.
Further, the acquisition task scheduling strategy includes one or more of immediate acquisition, timed acquisition, periodic acquisition and single acquisition.
By proposing a network event acquisition method based on rule adaptation, the embodiment of the invention configures collection rules and strategies, automatically adapts the acquisition communication interface module, collects and stores the raw information of the target object, and, by configuring standard event mapping rules, formats the collected raw data to provide unified formatted data for analysis and management.
Brief description of the drawings
Fig. 1 is a flow chart of the network event acquisition method based on rule adaptation of the embodiment of the invention.
Detailed description of the embodiments
It should be noted that, where there is no conflict, the embodiments of the application and the features in the embodiments can be combined with each other. The invention is further described in detail below with reference to the drawings and specific embodiments.
Any directional indication in the embodiments of the invention (such as up, down, left, right, front, rear, ...) is only used to explain the relative positional relationship, movement and the like between the components in a particular posture (as shown in the drawings); if that posture changes, the directional indication changes accordingly.
In addition, any description involving "first", "second" and the like in the invention is for descriptive purposes only and is not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature.
Referring to Fig. 1, the network event acquisition method based on rule adaptation of the embodiment of the invention includes steps 1 to 11.
Step 1: determine the target object to be collected and configure the identity authentication rule of the target system, such as a password account, a token or a CA certificate. The target object to be collected in the embodiment includes the system name, IP address and system type (including database, middleware, server, switch, firewall, security equipment, information system and the like).
Step 2: select the interface communication protocol of the target object to be collected.
Step 3: load the corresponding interface communication parameters according to the selected interface communication protocol. After the interface communication protocol is selected, the mandatory parameters corresponding to that protocol are loaded automatically, for example: target object IP address, port and verification parameters.
Step 4: fill in the corresponding parameter values according to the interface communication parameters.
Step 5: call the corresponding interface communication module according to the interface communication protocol and the parameter values.
Step 6: preset the implementation of the preset interface communication protocol logic to form independent component modules, covering the interface communication protocols of step 2 (http-get/http-post/https/webservice/ftp/sftp/syslog/jdbc/odbc/ssh/telnet/smp/smtp/nfs/udp/tcp/file/flow).
Step 7: associate the called interface communication module with the target object to be collected, parse the identity authentication rule of the target system, and load the basic parameters that need to be filled in, such as user name, password and token. Data that has already been filled in is loaded by default and can be modified again; for parameters without a value, automatically verify whether the parameter may be left blank.
Step 8: fill in the relevant parameter values of the authentication interface of the target system and automatically verify the mandatory parameters; if no default is set, fill in the parameter values according to the information supplement collection rule of the target object to be collected.
Step 9: after the interface parameters have been filled in, initiate a connection test to verify whether the collection rule configuration information is correct.
Step 10: if the connection is incorrect, prompt an error message and the reason, and the collection rule can be corrected according to the prompt; if the connection is correct, proceed to step 11.
Step 11: load the corresponding acquisition task scheduling strategy, execute data acquisition and store the resulting raw data in the raw database. The embodiment implements custom rule-based configuration of acquisition strategies, which removes the maintenance and modification problems of the hard-coded approach and improves collection efficiency. The acquisition strategy rules, such as destination address, authentication parameters, interface parameters and response parameters, can be customized; they are loaded and combined automatically and filled into the corresponding interface scheduling task, avoiding the hard-coded parameters of the traditional approach, making extension and maintenance convenient and flexible, and improving the efficiency of acquisition integration.
The embodiment presets the implementation of common network communication protocol interfaces, uses modular communication processing modules to build custom processing paths, and adopts a task-driven scheduling mode, realizing rapid integration with the target object and avoiding the one-to-one customization or repeated development required by the traditional approach.
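The configuration and verification flow of steps 1 to 11 above, as an added Python example that is not part of the patent or the applicant's system: the protocol-to-parameter table `PROTOCOL_PARAMS`, the sample target `fw-edge-01`, the `AUTH_RULES` defaults, the scheduling strategy names and the `fake_connect` stub are all assumptions made for illustration; the page lists protocol names but not their parameter sets, and it names no concrete connector.

```python
"""Rule-driven collector configuration (added example, not the patent's code).

Models steps 1 to 11 of the method: choose an interface protocol, load the
parameters that protocol requires, fill them in (supplementing what the
operator leaves blank from the target's authentication rule), verify the
mandatory ones, run a connection test that reports a reason on failure, and
only then attach a scheduling strategy. The protocol table, parameter names,
targets and the connection stub are all constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Mandatory parameters per interface protocol (constructed; the page lists
# protocol names only, not their parameter sets).
PROTOCOL_PARAMS: Dict[str, List[str]] = {
    "syslog": ["ip", "port"],
    "ssh": ["ip", "port", "username", "password"],
    "jdbc": ["ip", "port", "username", "password", "database"],
    "http-get": ["ip", "port", "path"],
}

# Authentication rules per target system (step 1). Values are placeholders;
# a real deployment would read them from a secret store, not a source file.
AUTH_RULES: Dict[str, Dict[str, str]] = {
    "fw-edge-01": {"username": "collector", "password": "placeholder-secret"},
}

SCHEDULES = {"immediate", "timed", "periodic", "single"}


@dataclass
class CollectionTask:
    target: str
    protocol: str
    params: Dict[str, str] = field(default_factory=dict)
    schedule: Optional[str] = None


def load_interface_params(protocol: str) -> List[str]:
    """Step 3: the parameters that must be filled for the chosen protocol."""
    if protocol not in PROTOCOL_PARAMS:
        raise ValueError(f"unsupported interface protocol: {protocol}")
    return list(PROTOCOL_PARAMS[protocol])


def fill_params(task: CollectionTask, values: Dict[str, str]) -> List[str]:
    """Steps 4, 7 and 8: merge operator values, supplement blanks from the
    target's authentication rule, and return the parameters still missing."""
    task.params.update(values)
    defaults = AUTH_RULES.get(task.target, {})
    for name in load_interface_params(task.protocol):
        if not task.params.get(name) and name in defaults:
            task.params[name] = defaults[name]
    return [n for n in load_interface_params(task.protocol) if not task.params.get(n)]


def validate_params(task: CollectionTask) -> List[str]:
    """Step 8 automatic verification: syntactic checks, each with a reason.
    Only ip and port are echoed; secrets never appear in messages."""
    errors: List[str] = []
    ip = task.params.get("ip", "")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        errors.append(f"ip: '{ip}' is not a valid address")
    port = task.params.get("port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        errors.append(f"port: '{port}' is not in 1..65535")
    return errors


def connection_test(task: CollectionTask,
                    connect: Callable[[CollectionTask], bool]) -> Tuple[bool, str]:
    """Steps 9 and 10: verify the configuration, then try to connect.
    Returns (ok, reason) so the operator can correct the rule on failure."""
    missing = [n for n in load_interface_params(task.protocol) if not task.params.get(n)]
    if missing:
        return False, "missing required parameters: " + ", ".join(missing)
    errors = validate_params(task)
    if errors:
        return False, "; ".join(errors)
    try:
        ok = connect(task)
    except OSError as exc:
        return False, f"connection failed: {exc}"
    return (True, "ok") if ok else (False, "target refused the connection")


def schedule_task(task: CollectionTask, strategy: str,
                  connect: Callable[[CollectionTask], bool]) -> CollectionTask:
    """Step 11: attach a scheduling strategy only to a configuration that
    passed the connection test."""
    ok, reason = connection_test(task, connect)
    if not ok:
        raise ValueError(f"cannot schedule {task.target}: {reason}")
    if strategy not in SCHEDULES:
        raise ValueError(f"unknown scheduling strategy: {strategy}")
    task.schedule = strategy
    return task


def fake_connect(task: CollectionTask) -> bool:
    """Constructed stand-in for a real protocol connector: only the sample
    syslog endpoint 10.0.0.5:514 'answers'."""
    return (task.params["ip"], task.params["port"]) == ("10.0.0.5", "514")


if __name__ == "__main__":
    task = CollectionTask("fw-edge-01", "syslog")
    print("missing:", fill_params(task, {"ip": "10.0.0.5", "port": "514"}))
    print(schedule_task(task, "periodic", fake_connect))
```

The point of keeping `connection_test` and `schedule_task` separate is the one the description makes in step 10: a task is never scheduled until the operator has seen and corrected every reason the test can report, and the reasons are specific (which parameter is missing, which value is malformed) without leaking credentials into the prompt.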
As one implementation, steps 12 to 15 are further included after step 11.
Step 12: analyse the data format of the target object to be collected and configure format mapping rules that format the diverse raw data into unified standardized events. The format mapping rules of the embodiment support custom extension based on the standard XML language.
Step 13: load the data that needs analysis mapping from the raw database according to the business system number, IP address, data characteristics and the like, and write it into the queue to be analysed.
Step 14: perform analysis mapping on the raw data according to the configured mapping rules, converting the raw data structure into the unified format defined by the system according to the rules.
Step 15: generate standard events and store them in the standard event library.
The embodiment implements a set of automatic mapping rules based on a standardized event format, so that equipment, information systems, network events and the like of the same kind can be automatically mapped and converted according to the configured rules, providing standardized data for unified analysis and centralized management. The rule adaptation technique of the embodiment presets the implementation of interface protocols for common equipment, information systems and network environments, encapsulates and configures communication functions such as identity authentication, message request, data reception and connection closing as components, generates acquisition strategies through rule configuration, and realizes fast standardized mapping of raw data from different data sources, improving acquisition integration efficiency and extension flexibility.
As one implementation, the interface communication protocol of the target object to be collected includes: http-get/http-post/https/webservice/ftp/sftp/syslog/jdbc/odbc/ssh/telnet/smp/smtp/nfs/udp/tcp/file/flow.
As one implementation, the acquisition task scheduling strategy includes one or more of immediate acquisition, timed acquisition (starting at yyyy-mm-dd hh:mm:ss), periodic acquisition (daily, weekly, monthly, quarterly, etc.) and single acquisition.
The embodiment first defines and implements acquisition interfaces for the common network transmission protocols, such as http-get/http-post/https/webservice/ftp/sftp/syslog/jdbc/odbc/ssh/telnet/smp/smtp/nfs/udp/tcp/file/flow, for data communication with the target network element equipment and information systems. Secondly, it abstracts the identity authentication and data transmission functions under each protocol, such as authentication, request, response, close, receive, send and heartbeat, into independent component modules that can be flexibly combined and configured according to the business flow of the target object. The embodiment defines a set of rule parsing templates based on the Drools rule engine and implements custom rule configuration based on regular expressions: the user selects the communication protocol, data acquisition flow and data parsing rules of the target system to be collected through a graphical interface, fills in the necessary parameters, such as IP address, port and authentication password, and generates an acquisition task; the back end of the network event acquisition system automatically parses the rules and schedules the acquisition task, realizing the configuration and automated collection of the target object and the normalization of the collected data, which significantly improves the applicability of the system in complex IT environments.
Although embodiments of the invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the invention; the scope of the invention is defined by the appended claims and their equivalents.
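Steps 12 to 15 (format mapping rules, the analysis queue, mapping, and the standard event library) together with the regular-expression rule configuration mentioned in the closing paragraph, as an added Python example that is not the patent's or the applicant's code: the standard event schema `STANDARD_FIELDS`, the two `MappingRule` entries, the `OUTCOME_MAP` vocabulary and every line in `RAW_DB` are constructed for illustration, and plain regexes stand in for the Drools/XML rule templates the page mentions without showing.

```python
"""Mapping-rule normalisation of raw records into standard events (added
example, not the patent's code).

Covers steps 12 to 15: raw records are loaded from a raw store by system
name or IP into a queue, a mapping rule is selected by the record's data
characteristics, its regular expression extracts fields into one standard
event schema, and the result goes to a standard event library. Records that
no rule claims are kept aside so parsing gaps stay visible instead of being
silently dropped. Raw lines, rule patterns and the schema are constructed.
"""
import re
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

STANDARD_FIELDS = ("source_system", "timestamp", "src_ip", "user", "action", "outcome")

# Source-specific words for the same meaning, normalised into one vocabulary.
OUTCOME_MAP = {"Accepted": "success", "Failed": "failure", "DENY": "denied"}

SYSLOG_TS = r"(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d)"


@dataclass
class MappingRule:
    name: str
    selector: re.Pattern        # data characteristic that picks this rule
    extractor: re.Pattern       # named groups map onto STANDARD_FIELDS
    constants: Dict[str, str]   # fields the rule fixes outright


# Constructed rules for two sample sources (a firewall deny line and sshd
# password authentication). Regexes stand in for the page's rule templates.
RULES: List[MappingRule] = [
    MappingRule(
        "fw-deny",
        re.compile(r"\bfw: DENY\b"),
        re.compile(r"^<\d+>" + SYSLOG_TS + r" \S+ fw: (?P<outcome>DENY) src=(?P<src_ip>\S+)"),
        {"action": "connection", "user": "-"},
    ),
    MappingRule(
        "sshd-auth",
        re.compile(r"sshd\[\d+\]: (Accepted|Failed) password"),
        re.compile(r"^" + SYSLOG_TS + r" \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) "
                   r"password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)"),
        {"action": "login"},
    ),
]

# Constructed raw store: (system name, system IP, raw line).
RAW_DB: List[Tuple[str, str, str]] = [
    ("fw-edge-01", "10.0.0.5", "<134>Aug 29 10:15:01 fw-edge-01 fw: DENY src=203.0.113.9 dst=10.0.0.20 dport=445"),
    ("srv-app-02", "10.0.0.20", "Aug 29 10:15:03 srv-app-02 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2"),
    ("srv-app-02", "10.0.0.20", "Aug 29 10:15:09 srv-app-02 sshd[2211]: Accepted password for deploy from 10.0.0.7 port 51240 ssh2"),
    ("srv-app-02", "10.0.0.20", "Aug 29 10:15:10 srv-app-02 cron[1]: (root) CMD (run-parts /etc/cron.hourly)"),
]


def load_queue(raw_db, system: Optional[str] = None,
               ip: Optional[str] = None) -> Deque[Tuple[str, str]]:
    """Step 13: select raw records by system name and/or IP into the analysis queue."""
    return deque((name, line) for name, addr, line in raw_db
                 if (system is None or name == system) and (ip is None or addr == ip))


def select_rule(raw: str) -> Optional[MappingRule]:
    """Step 14, first half: pick the rule whose data characteristic matches."""
    return next((r for r in RULES if r.selector.search(raw)), None)


def map_record(source_system: str, raw: str) -> Optional[Dict[str, str]]:
    """Step 14, second half: apply the rule's extractor and fill every standard field."""
    rule = select_rule(raw)
    if rule is None:
        return None
    m = rule.extractor.search(raw)
    if m is None:   # selector matched but the line deviates from the rule's shape
        return None
    fields = {"source_system": source_system, **rule.constants, **m.groupdict()}
    raw_outcome = fields.get("outcome", "-")
    fields["outcome"] = OUTCOME_MAP.get(raw_outcome, raw_outcome)
    return {f: fields.get(f, "-") for f in STANDARD_FIELDS}


def process_queue(queue) -> Tuple[List[Dict[str, str]], List[Tuple[str, str]]]:
    """Step 15: drain the queue into the standard event library; unmapped
    records are returned separately for rule maintenance."""
    events: List[Dict[str, str]] = []
    unmapped: List[Tuple[str, str]] = []
    while queue:
        system, raw = queue.popleft()
        event = map_record(system, raw)
        if event is None:
            unmapped.append((system, raw))
        else:
            events.append(event)
    return events, unmapped


if __name__ == "__main__":
    evs, rest = process_queue(load_queue(RAW_DB))
    for e in evs:
        print(e)
    print("unmapped:", rest)
```

Two design choices matter for a detection pipeline built this way: every emitted event has exactly the `STANDARD_FIELDS` keys, so downstream analysis never has to guess at a source's field names, and the `unmapped` list makes a rule gap (here the cron line, or an sshd line whose shape drifted after an upgrade) an observable backlog rather than silently lost telemetry.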

Claims (4)

1. A network event acquisition method based on rule adaptation, characterized by comprising:
Step 1: determining the target object to be collected and configuring the identity authentication rule of the target system;
Step 2: selecting the interface communication protocol of the target object to be collected;
Step 3: loading the corresponding interface communication parameters according to the selected interface communication protocol;
Step 4: filling in the corresponding parameter values according to the interface communication parameters;
Step 5: calling the corresponding interface communication module according to the interface communication protocol and the parameter values;
Step 6: presetting the implementation of the preset interface communication protocol logic to form an independent component module;
Step 7: associating the called interface communication module with the target object to be collected, parsing the identity authentication rule of the target system, and loading the basic parameters that need to be filled in;
Step 8: filling in the relevant parameter values of the authentication interface of the target system and automatically verifying the mandatory parameters; if no default is set, filling in the parameter values according to the information supplement collection rule of the target object to be collected;
Step 9: after the interface parameters have been filled in, initiating a connection test to verify whether the collection rule configuration information is correct;
Step 10: if the connection is incorrect, prompting an error message and the reason; if the connection is correct, proceeding to step 11;
Step 11: loading the corresponding acquisition task scheduling strategy, executing data acquisition and storing the resulting raw data in a raw database.
2. The network event acquisition method based on rule adaptation according to claim 1, characterized in that after step 11 the method further comprises:
Step 12: analysing the data format of the target object to be collected and configuring format mapping rules that format the diverse raw data into unified standardized events;
Step 13: loading the data that needs analysis mapping from the raw database and writing it into the queue to be analysed;
Step 14: performing analysis mapping on the raw data according to the configured mapping rules, converting the raw data structure into the unified format defined by the system according to the rules;
Step 15: generating standard events and storing them in the standard event library.
3. The network event acquisition method based on rule adaptation according to claim 1, characterized in that the interface communication protocol of the target object to be collected includes: http-get/http-post/https/webservice/ftp/sftp/syslog/jdbc/odbc/ssh/telnet/smp/smtp/nfs/udp/tcp/file/flow.
4. The network event acquisition method based on rule adaptation according to claim 1, characterized in that the acquisition task scheduling strategy includes one or more of immediate acquisition, timed acquisition, periodic acquisition and single acquisition.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810991813.XA CN109150610B (en) 2018-08-29 2018-08-29 Network event acquisition method based on rule adaptation

Publications (2)

Publication Number Publication Date
CN109150610A true CN109150610A (en) 2019-01-04
CN109150610B CN109150610B (en) 2021-05-04

Family

ID=64828984

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810991813.XA Active CN109150610B (en) 2018-08-29 2018-08-29 Network event acquisition method based on rule adaptation

Country Status (1)

Country Link
CN (1) CN109150610B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859196A (en) * 2006-04-13 2006-11-08 吉林大学 Telecommunication field network data acquisition processing system based on rule and realizing method
EP1915015A2 (en) * 2006-10-20 2008-04-23 Samsung Electronics Co., Ltd. Apparatus and method for vertical handover in broadband wireless communication system
CN105578488A (en) * 2014-10-10 2016-05-11 中兴通讯股份有限公司 Network data acquisition system and network data acquisition method
CN106843908A (en) * 2017-03-07 2017-06-13 北京中交创新投资发展有限公司 Data integrated collection method and system
CN107844378A (en) * 2016-09-21 2018-03-27 北京航天长峰科技工业集团有限公司 A kind of Distributed Heterogeneous Data resources integration and management system

Non-Patent Citations (2)

Title
包铁: "Network data acquisition and processing methods and their formalization", 《中国博士学位论文全文数据库信息科技辑》 *
包铁; 刘淑芬: "A rule-based network data acquisition and processing method", 《计算机工程》 *

Cited By (9)

Publication number Priority date Publication date Assignee Title
CN111447170A (en) * 2019-01-17 2020-07-24 北京京东尚科信息技术有限公司 Data processing method and system, computer system and computer readable medium
CN111026732A (en) * 2019-12-03 2020-04-17 深圳中科保泰科技有限公司 Dynamic patrolling method and system
CN111026732B (en) * 2019-12-03 2023-11-17 深圳块织类脑智能科技有限公司 Dynamic inspection tour method and system
CN111415286A (en) * 2020-03-04 2020-07-14 青岛海信网络科技股份有限公司 Auxiliary study and judgment method and device for emergency events of traffic hub
CN111770203A (en) * 2020-09-01 2020-10-13 成都无糖信息技术有限公司 Automatic evidence obtaining method and system based on GoIP equipment
CN111770203B (en) * 2020-09-01 2020-12-22 成都无糖信息技术有限公司 Automatic evidence obtaining method and system based on GoIP equipment
CN112506927A (en) * 2020-12-04 2021-03-16 浪潮云信息技术股份公司 Performance data storage method under cloud environment
CN112988875A (en) * 2021-04-08 2021-06-18 北京澎思科技有限公司 Multi-dimensional data acquisition device, system and method
CN113190540A (en) * 2021-04-29 2021-07-30 广州嘉为科技有限公司 CMDB level discovery method, system, device and medium

Also Published As

Publication number Publication date
CN109150610B (en) 2021-05-04

Similar Documents

Publication Publication Date Title
CN109150610A (en) The network event acquisition method of rule-based adaptation
US9746352B2 (en) Method and apparatus for underground equipment monitoring
CN107766132A (en) Multi-task scheduling method, application server and computer-readable recording medium
JP2023525393A (en) Method and apparatus for updating gateway resources and IOT control platform
CN112511218B (en) Satellite ground station monitoring system based on microservice
CN110995859A (en) Intelligent transformer substation supporting platform system based on ubiquitous Internet of things
CN107689982A (en) Multi-data source method of data synchronization, application server and computer-readable recording medium
CN112988485A (en) Simulation test method and device for power Internet of things equipment
CN110932918B (en) Log data acquisition method and device and storage medium
CN102752770B (en) Method and device for polling service system
CN114189274A (en) Satellite ground station monitoring system based on microservice
CN110851252A (en) Protocol conversion equipment and protocol conversion method based on TSN (traffic service network) architecture
CN102984258A (en) Internet of things data transmission method and adapter
CN111723019A (en) Interface debugging method and system
CN113766026B (en) Data processing method and system applied to energy industrial network
CN109445384B (en) Multi-device control system
US11736504B2 (en) Method and system to detect abnormal message transactions on a network
CN113141301A (en) Working state parameter processing method and device
EP3015984A1 (en) Providing data from data sources
CN117472423A (en) Visual workflow layout system, method, equipment and medium for decoupling reference resource and flow design
Palattella et al. F-interop platform and tools: Validating IoT implementations faster
CN115085794A (en) Block chain credible evidence storing method and system for Beidou short message
CN106452815A (en) Informatization management method, device and system
Ferrari et al. Experimental characterization of an IoV framework leveraging mobile wireless technologies
CN113032054A (en) Service execution method, device, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant