CN101494555A - Screen method and equipment for processing on-line database behaviors of giga-above network - Google Patents
Screen method and equipment for processing on-line database behaviors of giga-above network Download PDFInfo
- Publication number
- CN101494555A CN101494555A CNA2008101632111A CN200810163211A CN101494555A CN 101494555 A CN101494555 A CN 101494555A CN A2008101632111 A CNA2008101632111 A CN A2008101632111A CN 200810163211 A CN200810163211 A CN 200810163211A CN 101494555 A CN101494555 A CN 101494555A
- Authority
- CN
- China
- Prior art keywords
- data
- network
- screening
- database
- behavior
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 31
- 238000012545 processing Methods 0.000 title claims abstract description 29
- 230000006399 behavior Effects 0.000 title claims description 36
- 238000012216 screening Methods 0.000 claims abstract description 73
- 238000009434 installation Methods 0.000 claims description 22
- 230000003542 behavioural effect Effects 0.000 claims description 7
- 239000000284 extract Substances 0.000 claims description 7
- 241001124569 Lycaenidae Species 0.000 claims description 3
- 230000006870 function Effects 0.000 claims description 3
- 238000012550 audit Methods 0.000 description 4
- 230000006855 networking Effects 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a screening method for processing online database action of a network with more than kilomega and equipment thereof. The screening method comprises the following steps of: copying a network flow, carrying out shunt processing to the network data, receiving processing data of the network shunt, carrying out identification and screening according to the shunt data, extracting data for operating action of database and discarding data for operating action of non-database; the screening equipment is connected with network equipment in a bypass connection mode and comprises a primary data acquisition device, a data shunt processing device, a secondary data acquisition device and a data identifying and screening device which are connected in sequence. By adopting the method and the equipment, the invention can greatly reduce the package loss rate caused by acquiring large data flow, guarantee timely and effective screening of database action to the data flow, is safe and reliable, does not have any influence on the network, does not need to increase hardware configuration and reduces the cost.
Description
Technical field
The present invention relates to database audit technique field, particularly relate to a kind of screening technique and equipment of handling the behavior of the above network online database of gigabit.
Background technology
Along with the continuous development of information system business, the Database Systems range of application is more and more wider, and the accounting data of enterprise, trade record, project data etc. all need to utilize the lot of data base resource.
Because the role and influence of database are increasing, the security threat that the enterprise database information security faces is day by day obvious.The important sensitive data that constantly takes place is stolen, distorts problem in recent years, has caused the great attention of each side, becomes the problem that presses for solution.
The basic network scale of information system from 100,000,000 networks in past, realized gigabit networking gradually substantially, and 10,000,000,000 networks appears among the information system also in continuous expansion.Some users can realize audit analysis is carried out in the behavior of lot of data storehouse substantially in 100,000,000 networks, if but remain in the information system network of high data volume, the process database operations flow will be technological difficulties efficiently.
Because in present many users' the operation system network, main frame, the network equipment, safety means, application, middleware, database get more and more, effective requirement is more and more higher.So the requirement to the network bandwidth also improves thereupon.When the network environment real data communication amount that will occur future was surpassed certain flow, the screening installation of online database audit requires can be higher.But present screening installation with the audit of conventional online database can not satisfy this present situation.The networking structure schematic diagram of low data flow online database operation behavior screening installation as shown in Figure 1 in existing techniques in realizing 100,000,000 networks, screening installation comprises data acquisition unit 1-D-A and data screening device 1-D-B, the online database operation behavior is finished by network equipment 1-B operating database 1-A by administrative staff 1-C, data acquisition unit 1-D-A sends to data screening device 1-D-B from a mirror image data of network equipment 1-B mirror image (or duplicating), and data screening device 1-D-B receives the next data of data acquisition unit 1-D-A forwarding and carries out Screening Treatment.Owing in the implementation procedure of screening technique or equipment, be now, implement and then have only 600M with down-off at present 100M/1000M theoretical background flow.If the backgroundnetworks flow surpasses gigabit or reaches more than 10,000,000,000, that receives in the mirror image data step at above-mentioned data acquisition unit 1-D-A and just exists certain data flow to lose, and Loss Rate is more than 30%.And data screening device 1-D-B also exists when receiving from data that data acquisition unit 1-D-A sends and handles the risk of overflowing, and data were overflowed with hardware handles and software algorithm and were inversely proportional to this moment.
When realizing the data screening of gigabit flow with present behavior database screening technique or equipment, making does not increase packet loss because of gathering high amount of traffic, the assurance data flow can be carried out the screening of data timely, need to improve hardware configuration in theory, exchange data for resource and just can guarantee integrality, so just significantly increased cost; And under 10,000,000,000 network condition, can't realize with present level of hardware at all.
Summary of the invention
The present invention is directed to above-mentioned the deficiencies in the prior art, provide a kind of and can handle screening technique and the equipment that extracts behavior database in the above network environment of gigabit, adopt this method and apparatus can significantly reduce because of gathering the packet loss that high amount of traffic produces, guarantee data stream is carried out the screening of behavior database timely and effectively, and safe and reliable, to network without any influence, and need not to improve hardware configuration, reduced cost.
Technical scheme of the present invention is achieved in that
A kind of screening technique of handling the behavior of the above network online database of gigabit, it comprises the following steps:
A duplicates a network traffics;
B shunts processing to network data;
C receives the deal with data that network is shunted;
D discerns screening according to streamed data, extracts the data of database manipulation behavior, abandons the data of non-database manipulation behavior.
As preferably, described method specifically may further comprise the steps:
A, the one-level data acquisition unit duplicates a network traffics and issues the data distribution processing unit;
B, data distribution processing unit receive all network traffics that send over, and wait for distribution of flows;
C prepares data flow reason row efficient allocation is inquired simultaneously whether the secondary data harvester is idle;
D judges that successively whether each secondary data harvester is idle, if idle, then sends to distribution of flows idle secondary image data device;
E, secondary image data device carries out buffer memory to the streamed data that sends, and waits for when the data identification screening plant is idle sending;
F, the data identification screening plant carries out application protocol analysis, identification screening to the streamed data that receives, and extracts the database manipulation behavioral data, abandons the data of non-database manipulation behavior.
As preferably, the step of described duplicate network flow is to be finished by the method for Port Mirroring or spectrometer beam split.
As preferably, screening plant is according to the application layer data storehouse protocol characteristic in the described network traffics it to be discerned.
A kind of screening installation of handling the behavior of the above network online database of gigabit, described screening installation are to connect the network equipment with the bypass ways of connecting, and described screening installation comprises:
The one-level data acquisition unit is used for that the network traffics of the network equipment are duplicated portion and issues the data distribution processing unit;
The data distribution processing unit is used to receive the network traffics that the one-level data acquisition unit sends, and according to the actual size of described network traffics, shunts processing, and every component stream data are transmitted to several secondary data harvesters respectively;
The secondary data harvester is used to receive the data flow that the data distribution processing unit is sended over;
The data identification screening plant is used to receive the data flow that described secondary data harvester sends, and the application layer data storehouse agreement according in the network traffics filters out the database manipulation behavioral data in the data flow, abandons the data of non-database manipulation behavior.
As preferably, described one-level, secondary data harvester are the spectrometer or the network equipment with Port Mirroring function.
As preferably, described secondary data harvester is identical with the quantity of data identification screening plant.
The beneficial effect that has adopted the present invention of technique scheme to have is: because the present invention handles the online database behavior screening technique of the above network of gigabit is by being connected to the network equipment with bypass mode with screening installation, need to arrive the live network flow of destination end and without screening installation, therefore can the data traffic forwarding performance in the network not impacted, can not bring delay yet to network.Even this screening installation breaks down, also just the data acquisition of database manipulation behavior in the network is exerted an influence, and can not cause network to interrupt.In addition, the most important thing is that the present invention is in handling the above real network environment of gigabit, use the data distribution processing unit that network traffics are effectively distributed, divide current processing device to be used to handle the work that distributes high amount of traffic, and the data flow of distributing is sent to the secondary data harvesters of a plurality of free time, issued the data identification screening plant of corresponding number again by the secondary data harvester, each data identification screening plant can independently screen streamed data; Thereby by the concentrating of the following screening installation of current gigabit, method of work independently, be converted to multi-level, distributed screening recognition methods, significantly reduced packet loss, guarantee data stream is carried out the screening of behavior database timely and effectively.
Description of drawings
Fig. 1 is the networking structure schematic diagram of screening installation and the network equipment in the prior art;
Fig. 2 is the networking structure schematic diagram of the screening installation of the present invention and the network equipment;
Fig. 3 is the structural representation for database manipulation behavioral data screening installation among the present invention;
Fig. 4 is the overview flow chart of screening installation work of the present invention;
Fig. 5 is the detail flowchart of screening installation work of the present invention.
Embodiment
The specific embodiment of the present invention is as follows:
Embodiment: as Fig. 2, shown in Figure 3, online database operation behavior of the present invention is finished by network equipment 2-B operating database 2-A by administrative staff 2-C, and a kind of screening installation of handling the behavior of the above network online database of gigabit includes:
One-level data acquisition unit 2-D-A is used for that the network traffics of network equipment 2-B are duplicated (or mirror image) portion and issues data distribution processing unit 2-D-B;
Data distribution processing unit 2-D-B is used to receive the network traffics that one-level data acquisition unit 2-D-A sends, and according to the actual size of described network traffics, shunts processing, and every component stream data are transmitted to each secondary data harvester 2-D-C respectively;
3 secondary data harvester 2-D-C are used to receive the data flow that data distribution processing unit 2-D-B is sended over;
3 the data identification screening plant 2-D-Ds identical with secondary data harvester 2-D-C quantity, corresponding respectively each the secondary data harvester 2-D-C that connects of each data identification screening plant 2-D-D, be used to receive the data flow that described secondary data harvester 2-D-C sends, according to the application layer data storehouse agreement in the network traffics, the decryption protocol content, filter out the database manipulation behavioral data in the data flow, abandon the data of non-database manipulation behavior;
Described one-level data acquisition unit 2-D-A, secondary data harvester 2-D-C are the spectrometer or the network equipment with Port Mirroring function, and one-level data acquisition unit 2-D-A duplicate network flow is to be finished by the method for Port Mirroring or spectrometer beam split; Described data distribution processing unit 2-D-B is the data distribution detector, and its model is LogBase-DS1000-2; Described data identification screening plant 2-D-D is the data identification detector, and its model adopts LogBase-DR100-A.
A kind of screening technique of handling the behavior of the above network online database of gigabit, as shown in Figure 4, it totally comprises the following steps:
Step 4-A duplicates a network traffics;
Step 4-B shunts processing to network data;
Step 4-C receives the deal with data that network is shunted;
Step 4-D discerns screening according to streamed data, extracts the data of database manipulation behavior, abandons the data of non-database manipulation behavior.
Concrete steps as shown in Figure 5, detailed process is as follows:
Step 5-A, one-level data acquisition unit 2-D-A duplicates a network traffics and issues data distribution processing unit 2-D-B;
Step 5-B, data distribution processing unit 2-D-B receives the network traffics that all send over, and waits for next step distribution of flows;
Step 5-C prepares data flow reason row efficient allocation is inquired simultaneously whether secondary data harvester 2-D-C is idle;
Step 5-D judges that successively whether each secondary data harvester 2-D-C is idle, if idle, then sends to distribution of flows idle secondary image data device 2-D-C;
Step 5-E, secondary image data device 2-D-C carries out buffer memory to the streamed data that sends, and waits for that data identification screening plant 2-D-D sends when idle;
Step 5-F, data identification screening plant 2-D-D carries out database application protocal analysis, identification screening to the streamed data that receives, and extracts the database manipulation behavioral data, abandons the data of non-database manipulation behavior.
Process finishes.
Claims (7)
1, a kind of screening technique of handling the behavior of the above network online database of gigabit is characterized in that comprising the following steps:
A duplicates a network traffics;
B shunts processing to network data;
C receives the deal with data that network is shunted;
D discerns screening according to streamed data, extracts the data of database manipulation behavior, abandons the data of non-database manipulation behavior.
2, a kind of screening technique of handling the behavior of the above network online database of gigabit according to claim 1 is characterized in that described method specifically may further comprise the steps:
A, the one-level data acquisition unit duplicates a network traffics and issues the data distribution processing unit;
B, data distribution processing unit receive all network traffics that send over, and wait for distribution of flows;
C prepares data flow reason row efficient allocation is inquired simultaneously whether the secondary data harvester is idle;
D judges that successively whether each secondary data harvester is idle, if idle, then sends to distribution of flows idle secondary image data device;
E, secondary image data device carries out buffer memory to the streamed data that sends, and waits for when the data identification screening plant is idle sending;
F, the data identification screening plant carries out application protocol analysis, identification screening to the streamed data that receives, and extracts the database manipulation behavioral data, abandons the data of non-database manipulation behavior.
3, a kind of screening technique of handling the behavior of the above network online database of gigabit according to claim 1 and 2, it is characterized in that: the step of described duplicate network flow is to be finished by the method for Port Mirroring or spectrometer beam split.
4, a kind of screening technique of handling the behavior of the above network online database of gigabit according to claim 2 is characterized in that: screening plant is according to the application layer data storehouse protocol characteristic in the described network traffics it to be discerned.
5, a kind of screening installation of handling the behavior of the above network online database of gigabit is characterized in that described screening installation is to connect the network equipment with the bypass ways of connecting, and described screening installation comprises:
The one-level data acquisition unit is used for that the network traffics of the network equipment are duplicated portion and issues the data distribution processing unit;
The data distribution processing unit is used to receive the network traffics that the one-level data acquisition unit sends, and according to the actual size of described network traffics, shunts processing, and every component stream data are transmitted to several secondary data harvesters respectively;
The secondary data harvester is used to receive the data flow that the data distribution processing unit is sended over;
The data identification screening plant is used to receive the data flow that described secondary data harvester sends, and the application layer data storehouse agreement according in the network traffics filters out the database manipulation behavioral data in the data flow, abandons the data of non-database manipulation behavior.
6, a kind of screening installation of handling the behavior of the above network online database of gigabit according to claim 5 is characterized in that: described one-level, secondary data harvester are the spectrometer or the network equipment with Port Mirroring function.
7, according to claim 5 or 6 described a kind of screening installations of handling the behavior of the above network online database of gigabit, it is characterized in that: described secondary data harvester is identical with the quantity of data identification screening plant.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810163211.1A CN101494555B (en) | 2008-12-15 | 2008-12-15 | Screen method and equipment for processing on-line database behaviors of giga-above network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200810163211.1A CN101494555B (en) | 2008-12-15 | 2008-12-15 | Screen method and equipment for processing on-line database behaviors of giga-above network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101494555A true CN101494555A (en) | 2009-07-29 |
| CN101494555B CN101494555B (en) | 2014-03-26 |
Family
ID=40924974
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200810163211.1A Active CN101494555B (en) | 2008-12-15 | 2008-12-15 | Screen method and equipment for processing on-line database behaviors of giga-above network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101494555B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110798402A (en) * | 2019-10-30 | 2020-02-14 | 腾讯科技(深圳)有限公司 | Service message processing method, device, equipment and storage medium |
| CN113835877A (en) * | 2021-08-19 | 2021-12-24 | 重庆恩谷信息科技有限公司 | Remote data information storage system based on big data |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1964322A (en) * | 2006-11-24 | 2007-05-16 | 南京大学 | A method for kilomega NIDS parallel processing based on NP and BS |
-
2008
- 2008-12-15 CN CN200810163211.1A patent/CN101494555B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1964322A (en) * | 2006-11-24 | 2007-05-16 | 南京大学 | A method for kilomega NIDS parallel processing based on NP and BS |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110798402A (en) * | 2019-10-30 | 2020-02-14 | 腾讯科技(深圳)有限公司 | Service message processing method, device, equipment and storage medium |
| CN113835877A (en) * | 2021-08-19 | 2021-12-24 | 重庆恩谷信息科技有限公司 | Remote data information storage system based on big data |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101494555B (en) | 2014-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Bet | Congestion Control | |
| CN102668467A (en) | Computer system and monitoring method for computer system | |
| CN101175078B (en) | Identification of potential network threats using a distributed threshold random walk | |
| CN106130796B (en) | SDN network topology traffic visualization monitoring method and control terminal | |
| CN107690776A (en) | For the method and apparatus that feature is grouped into the case for having selectable case border in abnormality detection | |
| CN105790990B (en) | A kind of method and its system for supervising adapted telecommunication business | |
| CN102315974A (en) | Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows | |
| WO2016107210A1 (en) | Redundant industrial ethernet system with multistage packet filtering and service classification control | |
| CN1677940A (en) | High-speed traffic measurement and analysis methodologies and protocols | |
| CN104320358A (en) | QoS (Quality of Service) business control method in power telecommunication net | |
| CN1875585A (en) | Dynamic unknown L2 flooding control with MAC limits | |
| CN106254379B (en) | The processing system and processing method of network security policy | |
| CN104301244B (en) | A kind of cluster communication system and method for large size distribution network system | |
| CN106533791A (en) | End-to-end business quality optimization apparatus and method based on big data platform | |
| CN106331184A (en) | Big data distribution method and distribution platform based on internet | |
| CN105656964B (en) | The implementation method and device of data-pushing | |
| Van Hook et al. | An approach to DIS scalability | |
| CN104092588A (en) | Network anomaly traffic flow detection method based on combination of SNMP and NetFlow | |
| CN101494555B (en) | Screen method and equipment for processing on-line database behaviors of giga-above network | |
| KR101408032B1 (en) | Distribution System for analysing massive traffic in real time and method thereof | |
| CN102480471B (en) | Method for realizing QoS (quality of service) processing in monitoring RRPP (rapid ring protection protocol) ring and network node | |
| CN101183994A (en) | Network communication data flow information statistic system and method | |
| CN104065520A (en) | Two-channel network management implementation method | |
| CN111756642A (en) | Network traffic scheduling system and method based on DPI and machine learning | |
| CN104270319A (en) | Traffic distributing system and method for automatic switchover of multiport traffic collection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: LISHUI POWER SUPPLY COMPANY OF STATE GRID ZHEJIANG Free format text: FORMER OWNER: LISHUI POWER BUREAU Effective date: 20140227 Owner name: LISHUI ZHENGHAO ELECTRIC POWER TECHNOLOGY CO., LTD Effective date: 20140227 |
|
| CB03 | Change of inventor or designer information |
Inventor after: Zhang Hanbing Inventor after: Qian Jiang Inventor after: Lu Wu Inventor after: Song Yan Inventor before: Zhang Hanbing Inventor before: Qian Jiang Inventor before: Lu Wu |
|
| CB03 | Change of inventor or designer information | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: INVENTOR; FROM: ZHANG HANBING QIAN JIANG LU WU TO: ZHANG HANBING QIAN JIANG LU WU SONG YAN |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20140227 Address after: 310012 No. 19 lighthouse street, Zhejiang, Lishui Applicant after: Lishui Power Supply Company of State Grid Zhejiang Power Supply Company Applicant after: LISHUI ZHENGHAO ELECTRIC TECHNOLOGY COMPANY Applicant after: State Grid Corporation of China Address before: 310012 No. 699 Middle East Road, Liandu District, Zhejiang, Lishui Applicant before: Lishui Power Bureau |
|
| TA01 | Transfer of patent application right | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |