CN101442449A - Method for completely auditing user behaviors under centralization access mode - Google Patents
- Publication number
- CN101442449A
- Authority
- CN
- China
- Prior art keywords
- network
- user
- audit
- application software
- auditing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Debugging And Monitoring (AREA)
- Computer And Data Communications (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a method for completely auditing user behavior under a centralized access mode. A centralized distribution platform consisting of a plurality of issuing machines is provided, and each issuing machine is provided with application software and a network monitoring program. An audit server is connected to the network in bypass mode, and its network collection module collects the logs of the user's network operations onto the audit server. The audit server matches the user's network access information sent by the monitoring program against the network operation logs to form complete audit information for query and analysis, thereby producing complete audit data keyed to the operator. By combining the two techniques, the invention lets the monitoring program and network behavior auditing complement each other, ensuring the completeness of the audit data and improving auditing efficiency.
Description
Technical field
The invention belongs to the field of information security technology, and in particular relates to a method for completely auditing user behavior in a network environment.
Background technology
As business systems and their supporting networks are continually improved, business servers and data are becoming heavily centralized, and data security is an increasingly prominent concern; protecting key enterprise data has also become a focus of enterprise information security construction.
At present, enterprise data security is protected mainly by auditing, that is monitoring, the operations of users inside the enterprise. The main auditing methods are as follows:
The first is sniffing-based audit at the network level: a sniffing device is deployed at the user data aggregation layer and reconstructs the user's operations through network traffic monitoring, analysis, protocol reassembly and the like. Where this method is used with a centralized distribution platform that publishes applications, the application client is presented on the user's desktop through a proprietary protocol; the user interacts with the client on that desktop, but the client's responses are actually produced by a program running on the centralized distribution platform. The application client runs as a background process on the centralized distribution platform, and when these processes initiate network access they all use the IP address of the server they run on as the source IP, with the server to be accessed as the destination address. When several users connect to the same centralized distribution server and use the same client, the network behavior audit therefore records the network accesses of several users mixed together. The network behavior audit cannot separate the resulting audit data by user, and the information produced by the original auditing system loses its intended value.
The second is application audit based on a bastion host: all users log in to business system hosts and databases through a single entry point, and user operations are audited on the bastion host. Because a large number of users access it in a concentrated way, this method places a very heavy load on system resources, consumes a large amount of them and reduces system efficiency. The application-layer audit module may also conflict with other applications, resulting in data loss.
Summary of the invention
The object of the invention is to address the above problems by providing a complete audit method that combines application-level and network-behavior auditing, so that audits are accurate and detailed.
To this end, the invention adopts the following technical solution.
A method for completely auditing user behavior under a centralized access mode, characterized in that: a centralized distribution platform composed of several issuing machines is set up, with application software and a network monitoring program deployed on the issuing machines; an audit server is connected to the network in bypass mode, and its network collection module collects the logs of the user's network operations onto the audit server; the audit server matches the user network access information sent by the monitoring program against the network operation logs to form complete audit information for query and analysis, thereby producing complete audit data keyed to the operator.
The invention specifically comprises the following steps:
1) a centralized distribution platform composed of several issuing machines is set up, with application software and a network monitoring program deployed on the issuing machines;
2) the user requests access to the application software through the web interface of the centralized distribution platform;
3) the centralized distribution platform assigns the user to the application software on a particular issuing machine according to its load-balancing mechanism;
4) the user connects to the issuing machine through the client of the centralized distribution platform using his or her own account (the primary account), and starts the application software on the issuing machine;
5) the client of the centralized distribution platform pushes the application software on the issuing machine to the user's terminal in image form;
6) the user enters his or her own secondary account and password in the application software to access a specific business system;
7) the network monitoring program on the issuing machine intercepts the network access of the application software;
8) the network monitoring program records the network access information of the application software and sends it to the audit server;
9) the audit server is connected to the network in bypass mode, and its network collection module collects the logs of the user's network operations;
10) the audit server matches the information sent by the monitoring program on the issuing machine against the network behavior logs to form complete audit information for query and analysis, thereby producing complete audit data keyed to the operator.
When a user accesses, from the client, an application on one of the issuing machines in the centralized distribution platform and that application accesses the network, the network access passes through the network monitoring program installed on the issuing machine. The monitoring program can determine which application initiated the network access and which system account started that application, and it sends this information to the auditing system.
Before an application on any issuing machine of the centralized distribution platform is started, an operating system login must be completed, and the application is started under the identity of the account that logged in. The monitoring program deployed on the issuing machine can therefore intercept the host program of a network access, obtain its session information from the program's process handle in the operating system, and from the session information obtain the operating system account that started the program.
The network monitoring program deployed on the issuing machine can obtain network access information such as the source IP, source port, destination IP, destination port, timestamp and the user's operating system account (primary account). For each network access session of a given application, the source IP, destination IP and destination port are all the same, but the source port is random: even if two identical programs are started at the same time, their source ports differ. The source port can therefore distinguish the different sessions between the same program on the issuing machine and the back-end server.
The monitoring program on the issuing machine thus ties the identity behind a network access to the user's system account on the one hand and distinguishes source ports on the other, so that different network sessions can be told apart. The network-level audit records by network session and likewise contains the source IP, source port, destination IP, destination port, timestamp and similar information. Associating the network access information obtained by the monitoring program on the issuing machine with the information from the network-layer audit yields complete behavior audit information: the user's identity, the application used, the application's network access, the operations the user performed, the time of each operation and so on can all be presented in full.
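The matching described above, sketched as an added example (not code from the patent): monitoring-program records and bypass-collected session logs are joined on source IP, source port, destination IP and destination port. The record layout, account names, addresses and the `max_age` window used to handle source-port reuse are assumptions made for illustration; timestamps are assumed to be epoch seconds from synchronized clocks.

```python
from bisect import bisect_right
from collections import defaultdict

FLOW_FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port")

def _rec(ts, src_port, **extra):
    # Constructed addresses: one issuing machine, one back-end database server.
    return {"ts": ts, "src_ip": "10.0.0.5", "src_port": src_port,
            "dst_ip": "10.0.1.20", "dst_port": 1521, **extra}

# Constructed sample: what the monitoring program on the issuing machine reports.
MONITOR_RECORDS = [
    _rec(1000, 49152, primary="alice", app="dbclient"),
    _rec(1002, 49153, primary="bob", app="dbclient"),
    _rec(5000, 49152, primary="carol", app="dbclient"),  # source port reused later
]

# Constructed sample: what the bypass network collection module logs.
# All three operators use the same secondary account on the back end.
NETWORK_LOG = [
    _rec(1005, 49152, secondary="dbadmin", operation="SELECT orders"),
    _rec(1006, 49153, secondary="dbadmin", operation="UPDATE orders"),
    _rec(5010, 49152, secondary="dbadmin", operation="SELECT customers"),
    _rec(1010, 50000, secondary="dbadmin", operation="SELECT orders"),  # no monitor record
]

def flow_key(record):
    """4-tuple present in both log sources."""
    return tuple(record[f] for f in FLOW_FIELDS)

def correlate(monitor_records, network_log, max_age=600):
    """Attach primary account and application to each network audit event."""
    by_flow = defaultdict(list)
    for rec in sorted(monitor_records, key=lambda r: r["ts"]):
        by_flow[flow_key(rec)].append(rec)

    merged = []
    for event in network_log:
        candidates = by_flow.get(flow_key(event), [])
        starts = [c["ts"] for c in candidates]
        # Latest monitor record at or before the event; a reused source port
        # therefore maps to its most recent owner, not an earlier one.
        pos = bisect_right(starts, event["ts"]) - 1
        owner = None
        if pos >= 0 and event["ts"] - starts[pos] <= max_age:
            owner = candidates[pos]
        merged.append({**event,
                       "primary": owner["primary"] if owner else None,
                       "app": owner["app"] if owner else None})
    return merged

def unattributed(merged):
    """Events with no usable monitor record: keep them for separate review."""
    return [e for e in merged if e["primary"] is None]

if __name__ == "__main__":
    for row in correlate(MONITOR_RECORDS, NETWORK_LOG):
        print(row["ts"], row["primary"], row["secondary"], row["operation"])
```

Without the join, every event in the sample shows only the issuing machine's IP and the shared secondary account; with it, each operation resolves to one primary account, and events that match no monitoring record stay visibly unattributed.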
It can be seen that the invention uses the monitoring program deployed on the issuing machine to resolve applications and sessions, establishing the correspondence between the primary and secondary accounts that use the application and perform the operations. By combining the monitoring program with network behavior auditing, the two techniques complement each other, ensuring the completeness of the audit data and improving audit efficiency. The invention is an organic combination of two existing techniques and solves both the problem of audit data completeness and the performance problem of the auditing system.
Description of drawings
Fig. 1 is a schematic diagram of the present invention.
Fig. 2 is a sequence diagram of the present invention.
Embodiment
Refer to the accompanying drawings. The invention places a centralized distribution platform, composed of several issuing machines, between the clients and the back-end servers, and a network monitoring program is installed on the issuing machines.
The specific steps of the invention are as follows:
Step 1, a centralized distribution platform composed of several issuing machines is set up, with application software and a network monitoring program deployed on the issuing machines;
Step 2, the user requests access to the application software through the web interface of the centralized distribution platform;
Step 3, the centralized distribution platform assigns the user to the application software on a particular issuing machine according to its load-balancing mechanism;
Step 4, the user connects to the issuing machine through the client of the centralized distribution platform using his or her own account (the primary account), and starts the application software on the issuing machine;
Step 5, the client of the centralized distribution platform pushes the application software on the issuing machine to the user's terminal in image form;
Step 6, the user enters an account (the secondary account) and password in the application software to access a specific business system;
Step 7, the network monitoring program on the issuing machine intercepts the network access of the application software;
Step 8, the network monitoring program records the network access information of the application software (such as the user's primary account, source and destination IP, source and destination ports, access timestamp, etc.) and sends it to the audit server;
Step 9, the audit server is connected to the network in bypass mode, and its network collection module collects the logs of the user's network operations (such as source and destination IP, source and destination ports, access timestamp, secondary account, operation object, operation content, etc.);
Step 10, the audit server matches the information sent by the monitoring program on the issuing machine against the network behavior logs to form complete audit information for query and analysis, thereby producing complete audit data keyed to the operator.
The audit data of this embodiment are complete and the efficiency is high, so the object of the invention is achieved.
Claims (2)
1. A method for completely auditing user behavior under a centralized access mode, characterized in that: a centralized distribution platform composed of several issuing machines is set up, with application software and a network monitoring program deployed on the issuing machines; an audit server is connected to the network in bypass mode, and its network collection module collects the logs of the user's network operations onto the audit server; the audit server matches the user network access information sent by the monitoring program against the network operation logs to form complete audit information for query and analysis, thereby producing complete audit data keyed to the operator.
2. The method of claim 1, characterized in that it comprises the following steps:
1) a centralized distribution platform composed of several issuing machines is set up, with application software and a network monitoring program deployed on the issuing machines;
2) the user requests access to the application software through the web interface of the centralized distribution platform;
3) the centralized distribution platform assigns the user to the application software on a particular issuing machine according to its load-balancing mechanism;
4) the user connects to the issuing machine through the client of the centralized distribution platform using his or her own account (the primary account), and starts the application software on the issuing machine;
5) the client of the centralized distribution platform pushes the application software on the issuing machine to the user's terminal in image form;
6) the user enters his or her own secondary account and password in the application software to access a specific business system;
7) the network monitoring program on the issuing machine intercepts the network access of the application software;
8) the network monitoring program records the network access information of the application software and sends it to the audit server;
9) the audit server is connected to the network in bypass mode, and its network collection module collects the logs of the user's network operations;
10) the audit server matches the information sent by the monitoring program on the issuing machine against the network behavior logs to form complete audit information for query and analysis, thereby producing complete audit data keyed to the operator.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101633913A CN101442449A (en) | 2008-12-18 | 2008-12-18 | Method for completely auditing user behaviors under centralization access mode |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2008101633913A CN101442449A (en) | 2008-12-18 | 2008-12-18 | Method for completely auditing user behaviors under centralization access mode |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101442449A true CN101442449A (en) | 2009-05-27 |
Family
ID=40726701
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNA2008101633913A Pending CN101442449A (en) | 2008-12-18 | 2008-12-18 | Method for completely auditing user behaviors under centralization access mode |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101442449A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Open date: 20090527 |