CN101471926A - Method and system for defining network behavior auditing access rule - Google Patents


Publication number: CN101471926A
Authority: CN (China)
Prior art keywords: access rule, template, user, rule, protocol
Legal status: Pending
Application number: CNA2007103039836A
Other languages: Chinese (zh)
Inventors: 李一博, 赵振东, 孙海波, 张辉
Current assignee: Beijing Venus Information Technology Co Ltd
Original assignee: Beijing Venus Information Technology Co Ltd
Application filed by Beijing Venus Information Technology Co Ltd
Abstract

The invention is an important application in the field of network security and relates to a method for defining network behavior audit access rules. The method comprises the following steps: analysing each application-layer protocol and defining the parts of each protocol that need attention as protocol variables; and specifying values for these protocol variables so as to anticipate the operations a user might perform over the network, thereby defining the user access rule.

Description

Method and system for defining network behavior auditing access rules
Technical field
The invention is an important application in the field of network security: a method and system for defining network behavior audit access rules.
Background technology
A network behavior auditing system defines access rules for users' use of system services; the audit engine performs protocol analysis on the data packets transmitted in the network and then audits users' operation behavior against these access rules. Products of this kind usually support several common application-layer protocols and can audit, at fine granularity, the services that users access over the network; they are an essential component of enterprise service security. A core function of such a system is the formulation of user access rules, and matching rules efficiently and accurately places very high demands on how the rules are defined: the more protocol types the system supports, the greater the differences between access rules and the heavier the processing burden on the audit engine. How to express the user access rules of different protocols in a unified format is therefore the first problem to solve in building an efficient network security audit system.
Traditional rule definition mostly defines the content of the user's operation directly, that is, it specifies which keywords the user's operation command or statement contains; the audit engine does not parse the application-layer protocol and achieves the audit simply by searching for the keywords in the packets.
This mode has the following limitations:
1. Low matching efficiency: to match a keyword, the audit engine must traverse all the content of a network packet from the beginning;
2. Low matching accuracy: the audit engine performs no application-layer protocol parsing, so the target data contains a great deal of irrelevant content, which reduces the accuracy of matching.
Summary of the invention
The object of the invention is to design a method for defining network behavior audit access rules: by analysing the various application-layer protocols, the parts of each protocol that need attention are defined as protocol variables, and by specifying values for these protocol variables the operations a user may perform over the network are anticipated, thereby achieving the purpose of defining user access rules.
The technical solution of the invention is as follows. A method for defining network security audit access rules comprises the steps:
(1) Define protocol variables: analyse each auditable application-layer protocol, extract the parts of interest, and express these parts in the form of protocol variables;
(2) Define the access rule template: combine the protocol variables of each protocol into a rule template in a given format, which serves as the container for the user's input;
(3) Organise the content of the rule template into a user interface through which the user enters the desired values;
(4) Extract the content of the access rule template, organise it in a given format, and send it to the audit engine for rule matching.
An access rule definition system for network security auditing comprises a host, a web server, several terminal servers, data storage devices, network interface cards, and data input and output devices, and further comprises:
a rule storage unit for storing the predefined protocol variables and the user-defined access rules;
an access rule template operating unit for parsing the content of access rule templates;
an interface display unit for mapping access rule template content onto the user interface;
an access rule transmitting unit for sending the user-defined access rules to the audit engine.
The relationship between these logical processing units is as follows: the rule storage unit first loads the access rule template information and passes it to the access rule template operating unit for parsing; the parsed content (protocol variables, descriptive text, etc.) is presented on the user interface by the interface display unit; after the user has finished defining a rule, the access rule operating unit writes the user-defined rule information back to the rule storage unit. The access rule transmitting unit organises the rule information from the rule storage unit directly into a file in a given format and sends it to the audit engine.
The advantages of this method are:
1. Rules are defined through protocol variables, so matching efficiency is high.
2. Application-layer protocols are parsed, so matching accuracy is high.
3. Rule definitions have a uniform format that is easy to understand and to operate.
Description of drawings
Fig. 1 is a process flow chart of the invention.
Fig. 2 is a system structure diagram of the invention.
The invention is further described below with reference to the drawings and embodiments.
Embodiment
Embodiment 1: as shown in Fig. 1,
a method for defining network behavior audit access rules comprises the steps:
(1) Define protocol variables: analyse each auditable application-layer protocol, extract the parts of interest, and express these parts in the form of protocol variables;
(2) Define the access rule template: combine the protocol variables of each protocol into a rule template in a given format, which serves as the container for the user's input;
(3) Organise the content of the rule template into a user interface through which the user enters the desired values;
(4) Extract the content of the access rule template, organise it in a given format, and send it to the audit engine for rule matching.
The protocol variables in step (1) are abstractions drawn from the various application-layer protocols: the parts that need to be audited are defined as variables. For example, the telnet protocol defines two protocol variables: telnet_input represents the "input content" and telnet_user represents the "login username".
The access rule template in step (2) organises the protocol variables, in a given format, into a template offered to the user for input. Each protocol variable corresponds to one template, whose format is as follows:
"protocol variable" { "interface description" | "protocol variable" | "operator list" } { "return description" }
It consists of three parts. The first, "protocol variable", identifies the template. In the second part, "interface description" is the descriptive text the user sees on the interface when defining a rule; after the user has entered a value, "protocol variable" and "operator list" are used to form an expression of the form "protocol variable + operator + value"; the operators can be offered on the interface for the user to select and may include "contains", "equals", "regular expression", etc. The last part, "return description", is the descriptive information the audit engine should return after a rule matches.
In step (3), organising the content of the rule template into a user interface means mapping each interface-related element of the template onto the user interface so that it can accept the user's input: the template's "interface description" becomes the label of a text input box, and the "operator list" is placed in a choice box for the user to select from.
In step (4), extracting the content of the access rule template and organising it in a given format means writing the template elements and the user-defined content to a file in the following form:
"protocol variable" [,, nocase] "operator" "content";
where [,, nocase] is an option indicating whether the match is case sensitive. Once written, the file is sent to the audit engine for processing.
An access rule definition system for network behavior auditing based on the above method comprises a host, a web server, several terminal servers, data storage devices, network interface cards, and data input and output devices, and further comprises a protocol variable storage unit, an access rule template operating unit, an interface display unit and an access rule transmitting unit.
Embodiment 2:
The telnet protocol is used below as an example of how the method is carried out.
First, the protocol variables of telnet are defined as follows:
telnet_input represents the "input content";
telnet_user represents the "login username".
These essentially cover everything that needs to be audited. Next, it must be decided which user operations are to be audited. Suppose the operation to be audited is the user root deleting all files with the suffix "sys"; expressed with the protocol variables, this is:
telnet_input contains rm*.sys;
telnet_user equals root;
With this information the rule templates can be defined as follows:
telnet_input{user's input|telnet_input|^=r}{:Telnet user input=telnet_input};
and
telnet_user{login name|telnet_user|^=r}{:Telnet login name=telnet_user};
where ^=r defines three operators:
'^' means contains;
'=' means equals;
'r' means regular expression.
Once defined, the rule templates can be stored in a database table, from which the access rule definition application reads and parses them.
The rule definition application should first separate the parts of each template and store them in different variables; then use "user's input" and "login name" from the templates as the labels of the interface text input boxes; convert the three operators to their Chinese descriptions and write them into the interface choice box as options; and write rm*.sys into the "user's input" box and root into the "login name" box.
The expressions telnet_input[,, nocase] ^rm*.sys and telnet_user[,, nocase]=root are then written to the database. The user access rule is thus defined; next, this information, together with the "return description" defined in the rule template, is written to a file and sent to the audit engine for rule matching. When the engine finds that user root deletes any file with the suffix "sys", it returns the information ": Telnet user input=rm filename.sys" and "Telnet login name=root".
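As an added illustration (not code from the patent or its assignee), the following Python parses the template format of Embodiment 1 and the rule-file format of step (4), then evaluates the telnet rules of Embodiment 2 against decoded sessions and returns the filled-in "return description" strings. The sample sessions, and the reading of `*` in the contains operator as a wildcard, are assumptions.

```python
import re
from collections import namedtuple

# Grammar taken from the patent text (the quoted fields are the patent's names):
#   template:  var{interface description|var|operator list}{return description}
#   rule file: var[,, nocase] op value;   with op in ^ (contains), = (equals), r (regex)
TEMPLATE_RE = re.compile(r"^(\w+)\{([^|}]*)\|(\w+)\|([^}]*)\}\{([^}]*)\}$")
RULE_RE = re.compile(r"^(\w+)\[,,\s*(nocase)?\]\s*([\^=r])\s*(.+?)\s*;?$")

# variable identifies the template, description labels the UI text box, operators are
# the codes offered in the choice box, return_desc is what the engine returns on a match.
Template = namedtuple("Template", "variable description operators return_desc")
Rule = namedtuple("Rule", "variable nocase operator value")  # nocase: the [,, nocase] option

def parse_template(text: str) -> Template:
    m = TEMPLATE_RE.match(text.strip().rstrip(";"))
    if not m or m.group(1) != m.group(3):   # both variable fields must name the same variable
        raise ValueError(f"malformed template: {text!r}")
    return Template(m.group(1), m.group(2).strip(), m.group(4), m.group(5))

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(m.group(1), m.group(2) is not None, m.group(3), m.group(4))

def rule_matches(rule: Rule, session: dict) -> bool:
    """Evaluate one rule against a decoded session (protocol variable -> extracted value)."""
    field = session.get(rule.variable)
    if field is None:           # protocol variable absent: the rule cannot match
        return False
    flags = re.IGNORECASE if rule.nocase else 0
    if rule.operator == "=":
        return re.fullmatch(re.escape(rule.value), field, flags) is not None
    if rule.operator == "r":
        return re.search(rule.value, field, flags) is not None
    # "^" contains; assumption: '*' is a wildcard, as the page's rm*.sys example implies
    return re.search(".*".join(map(re.escape, rule.value.split("*"))), field, flags) is not None

def audit(templates: list, rules: list, session: dict) -> list:
    """Return each template's return description (variables filled in) when every rule matches."""
    if not all(rule_matches(r, session) for r in rules):
        return []
    by_var = {t.variable: t for t in templates}
    return [by_var[r.variable].return_desc.replace(r.variable, session[r.variable]) for r in rules]

# Templates and rules exactly as the page's telnet example writes them.
TEMPLATES = [parse_template(t) for t in (
    "telnet_input{user's input|telnet_input|^=r}{:Telnet user input=telnet_input};",
    "telnet_user{login name|telnet_user|^=r}{:Telnet login name=telnet_user};")]
RULES = [parse_rule(r) for r in ("telnet_input[,, nocase] ^rm*.sys;", "telnet_user[,, nocase]=root;")]

# Constructed sample sessions (not from the page), as the audit engine would decode them.
SESSIONS = [{"telnet_user": "root", "telnet_input": "rm kernel.sys"},
            {"telnet_user": "alice", "telnet_input": "rm kernel.sys"}]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s, "->", audit(TEMPLATES, RULES, s))
```

Both rules must match for a return, which is the conjunction the telnet example describes (user root and an rm of a .sys file); a session by another user or with a different command yields nothing.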

Claims (5)

1. An access rule definition system for network behavior auditing, comprising a host, a web server, several terminal servers, data storage devices, network interface cards, and data input and output devices, characterised in that it further comprises:
a rule storage unit for storing the predefined protocol variables and the user-defined access rules;
an access rule template operating unit for parsing the content of access rule templates;
an interface display unit for mapping access rule template content onto the user interface;
an access rule transmitting unit for sending the user-defined access rules to the audit engine;
the rule storage unit loads the access rule template information and passes it to the access rule template operating unit for parsing; the parsed content, comprising protocol variables and descriptive text, is presented on the user interface by the interface display unit; after the user has finished defining a rule, the access rule operating unit writes the defined rule information back to the rule storage unit; the access rule transmitting unit organises the information from the rule storage unit directly into a file in a given format and sends it to the audit engine.
2. The access rule definition system for network behavior auditing according to claim 1, characterised in that each auditable application-layer protocol is analysed and protocol variables are defined.
3. The access rule definition system for network behavior auditing according to claim 1, characterised in that the protocol variables are stored in the form of a template, the template serving as the container for the user's input, the template format being as follows:
"protocol variable" { "description" | "protocol variable" | "operator list" } { "return description" }.
4. The user access rule definition system for network behavior auditing according to claim 1, characterised in that the information defined in the rule template is sent to the audit unit for matching in the following form:
"protocol variable" [,, nocase] "operator" "content";
where [,, nocase] is an option indicating whether the match is case sensitive.
5. A method for defining access rules for network behavior auditing, characterised in that it comprises the steps:
(1) Define protocol variables: analyse each auditable application-layer protocol, extract the parts of interest, and express these parts in the form of protocol variables;
(2) Define the access rule template: combine the protocol variables of each protocol into a rule template in a given format, which serves as the container for the user's input;
(3) Organise the content of the rule template into a user interface through which the user enters the desired values;
(4) Extract the content of the access rule template, organise it in a given format, and send it to the audit engine for rule matching.
Application CNA2007103039836A, "Method and system for defining network behavior auditing access rule", priority and filing date 2007-12-24, status pending; published 2009-07-01 as CN101471926A; patent family ID 40829050; country status: CN, CN101471926A.
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105610946A * | 2015-12-30 | 2016-05-25 | 北京奇艺世纪科技有限公司 | Docker technology based cloud jump server system
CN105610946B * | 2015-12-30 | 2018-08-03 | 北京奇艺世纪科技有限公司 | A kind of cloud springboard machine system based on docker technologies


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C02 | Deemed withdrawal of patent application after publication (patent law 2001)
WD01 | Invention patent application deemed withdrawn after publication

Publication date: 2009-07-01