CN101494555B - Screen method and equipment for processing on-line database behaviors of giga-above network - Google Patents

Publication number
CN101494555B
Authority
CN
China
Prior art keywords
data
network
screening
equipment
database
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200810163211.1A
Other languages
Chinese (zh)
Other versions
CN101494555A (en)
Inventor
章寒冰
钱江
卢武
宋艳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LISHUI ZHENGHAO ELECTRIC TECHNOLOGY Co
State Grid Corp of China SGCC
Lishui Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
LISHUI ZHENGHAO ELECTRIC TECHNOLOGY Co
State Grid Corp of China SGCC
Lishui Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by LISHUI ZHENGHAO ELECTRIC TECHNOLOGY Co, State Grid Corp of China SGCC, Lishui Power Supply Co of State Grid Zhejiang Electric Power Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a screening method and equipment for processing online database behavior on networks of gigabit speed and above. The screening method comprises the following steps: copying the network traffic, splitting (shunting) the network data, receiving the split data, identifying and screening the split data, extracting the data of database operation behavior and discarding the data of non-database operation behavior. The screening equipment is connected to the network equipment in bypass mode and comprises a primary data acquisition device, a data shunt processing device, a secondary data acquisition device and a data identification and screening device, connected in sequence. With this method and equipment, the invention greatly reduces the packet loss rate caused by acquiring large data flows, ensures that database behavior in the data flow is screened promptly and effectively, is safe and reliable, has no influence on the network, needs no increase in hardware configuration, and reduces cost.

Description

A screening method and equipment for processing online database behavior on networks of gigabit speed and above
Technical field
The present invention relates to the technical field of database auditing, and in particular to a screening method and equipment for processing online database behavior on networks of gigabit speed and above.
Background
As information system business develops, database systems are used more and more widely; an enterprise's accounting data, transaction records, project data and so on all rely on large amounts of database resources.
Because the role and influence of databases keep growing, the security threats facing enterprise database information are increasingly evident. The theft of and tampering with important sensitive data that have occurred repeatedly in recent years have drawn close attention from all sides and have become a problem in urgent need of a solution.
The underlying network of information systems is also expanding continuously: from the 100M networks of the past, gigabit networking has gradually become the norm, and 10-gigabit networks are appearing in information systems. On a 100M network, some users can essentially audit and analyze a large volume of database behavior, but on information system networks with high data volumes, processing database operation traffic efficiently is a technical difficulty.
In the business system networks of many current users, the number of hosts, network devices, security devices, applications, middleware and databases keeps growing, and the demands on effectiveness keep rising, so the requirement on network bandwidth rises as well. When the actual traffic in the network environment exceeds a certain volume in the future, the demands on screening equipment for online database auditing will be higher, but existing screening equipment for online database auditing cannot meet them. Fig. 1 shows the networking structure of the prior-art screening equipment for low-traffic online database operation behavior on a 100M network. The screening equipment comprises data acquisition device 1-D-A and data screening device 1-D-B. Online database operations are performed by administrator 1-C, who operates database 1-A through network equipment 1-B. Data acquisition device 1-D-A mirrors (or copies) one copy of the data from network equipment 1-B and sends it to data screening device 1-D-B, which receives the forwarded data and screens it. Current screening methods and equipment are designed for a theoretical background traffic of 100M/1000M, and in practice handle only traffic below 600M. If the background network traffic exceeds a gigabit, or reaches 10 gigabits or more, part of the data flow is lost at the step where data acquisition device 1-D-A receives the mirrored data, with a loss rate above 30%. Data screening device 1-D-B also risks processing overflow when it receives the data sent by data acquisition device 1-D-A; this data overflow is inversely proportional to the hardware processing capability and the software algorithm.
To screen gigabit traffic with current database behavior screening methods or equipment without increasing packet loss from acquiring large data flows, and to ensure that the data flow can be screened in time, the hardware configuration would in theory have to be upgraded, trading resources for data integrity, which significantly increases cost; and on a 10-gigabit network this cannot be achieved at all with the current level of hardware.
Summary of the invention
Addressing the above deficiencies of the prior art, the present invention provides a screening method and equipment that can extract database behavior in network environments of gigabit speed and above. The method and equipment greatly reduce the packet loss caused by acquiring large data flows, ensure that database behavior in the data flow is screened promptly and effectively, are safe and reliable, have no influence on the network, and reduce cost because the hardware configuration does not need to be upgraded.
The technical solution of the present invention is realized as follows:
Screening equipment for processing online database behavior on networks of gigabit speed and above, comprising:
A primary data acquisition device, for copying or mirroring one copy of the network traffic of the network equipment and sending it to the data distribution processing device;
A data distribution processing device, for receiving the network traffic sent by the primary data acquisition device, splitting it according to the actual volume of the network traffic, and forwarding each split stream to a respective secondary data acquisition device;
3 secondary data acquisition devices, for receiving the data flows sent by the data distribution processing device;
3 data identification and screening devices, equal in number to the secondary data acquisition devices, each connected to a corresponding secondary data acquisition device, for receiving the data flow sent by that secondary data acquisition device, decrypting the protocol content according to the application-layer database protocol in the network traffic, screening out the database operation behavior data in the data flow, and discarding the data of non-database operation behavior;
The primary data acquisition device and the secondary data acquisition devices are optical splitters or network equipment with a port mirroring function, and the primary data acquisition device copies the network traffic by port mirroring or by optical splitting; the data distribution processing device is a data distribution detector; the data identification and screening device is a data identification detector.
A screening method for processing online database behavior on networks of gigabit speed and above, implemented by connecting the above equipment to the network equipment in bypass mode, specifically comprising the following steps:
Step 1: the primary data acquisition device copies or mirrors one copy of the network traffic in the network equipment and sends it to the data distribution processing device, wherein the primary data acquisition device copies the network traffic by port mirroring or by optical splitting;
Step 2: the data distribution processing device splits the traffic according to the actual volume of the network traffic and forwards each split stream to a respective secondary data acquisition device, wherein there are 3 secondary data acquisition devices and the data distribution processing device is a data distribution detector;
Step 3: the data identification and screening devices receive the data flows sent by the secondary data acquisition devices, decrypt the protocol content according to the application-layer database protocol in the network traffic, screen out the database operation behavior data in the data flow, and discard the data of non-database operation behavior, wherein each data identification and screening device is connected to a corresponding secondary data acquisition device and the data identification and screening device is a data identification detector.
The beneficial effects of the present invention with the above technical solution are as follows. Because the screening equipment is connected to the network equipment in bypass mode, the real network traffic bound for its destination does not pass through the screening equipment, so the data forwarding performance of the network is not affected and no delay is introduced into the network. Even if the screening equipment fails, only the acquisition of database operation behavior data in the network is affected, and the network is not interrupted. Most importantly, in a real network environment of gigabit speed and above, the invention uses the data distribution processing device to distribute the network traffic effectively: the distribution device handles the work of dividing the large data flow and sends the divided data flows to several idle secondary data acquisition devices, which pass them to the corresponding number of data identification and screening devices, each of which screens its split stream independently. The centralized, stand-alone way of working of current sub-gigabit screening equipment is thereby converted into a multi-level, distributed screening and identification method, which greatly reduces packet loss and ensures that database behavior in the data flow is screened promptly and effectively.
Brief description of the drawings
Fig. 1 is a schematic diagram of the networking structure of the screening equipment and the network equipment in the prior art;
Fig. 2 is a schematic diagram of the networking structure of the screening equipment of the present invention and the network equipment;
Fig. 3 is a structural diagram of the database operation behavior data screening equipment of the present invention;
Fig. 4 is the overall flow chart of the operation of the screening equipment of the present invention;
Fig. 5 is the detailed flow chart of the operation of the screening equipment of the present invention.
Detailed description
The specific embodiment of the present invention is as follows:
Embodiment: as shown in Fig. 2 and Fig. 3, online database operations are performed by administrator 2-C, who operates database 2-A through network equipment 2-B. The screening equipment for processing online database behavior on networks of gigabit speed and above comprises:
Primary data acquisition device 2-D-A, for copying (or mirroring) one copy of the network traffic of network equipment 2-B and sending it to data distribution processing device 2-D-B;
Data distribution processing device 2-D-B, for receiving the network traffic sent by primary data acquisition device 2-D-A, splitting it according to the actual volume of the network traffic, and forwarding each split stream to a respective secondary data acquisition device 2-D-C;
3 secondary data acquisition devices 2-D-C, for receiving the data flows sent by data distribution processing device 2-D-B;
3 data identification and screening devices 2-D-D, equal in number to the secondary data acquisition devices 2-D-C, each connected to a corresponding secondary data acquisition device 2-D-C, for receiving the data flow sent by that secondary data acquisition device 2-D-C, decrypting the protocol content according to the application-layer database protocol in the network traffic, screening out the database operation behavior data in the data flow, and discarding the data of non-database operation behavior;
Primary data acquisition device 2-D-A and secondary data acquisition devices 2-D-C are optical splitters or network equipment with a port mirroring function, and primary data acquisition device 2-D-A copies the network traffic by port mirroring or by optical splitting; data distribution processing device 2-D-B is a data distribution detector, model LogBase-DS1000-2; data identification and screening device 2-D-D is a data identification detector, model LogBase-DR100-A.
The screening method for processing online database behavior on networks of gigabit speed and above, shown in Fig. 4, comprises the following overall steps:
Step 4-A: copy the network traffic;
Step 4-B: split the network data;
Step 4-C: receive the split data;
Step 4-D: identify and screen the split data, extract the data of database operation behavior, and discard the data of non-database operation behavior.
The detailed process, shown in Fig. 5, is as follows:
Step 5-A: primary data acquisition device 2-D-A copies the network traffic and sends it to data distribution processing device 2-D-B;
Step 5-B: data distribution processing device 2-D-B receives all the network traffic sent to it and waits for the next step, traffic distribution;
Step 5-C: prepare to allocate the data flow efficiently, and at the same time query whether the secondary data acquisition devices 2-D-C are idle;
Step 5-D: check in turn whether each secondary data acquisition device 2-D-C is idle and, if it is, send the split traffic to that idle secondary data acquisition device 2-D-C;
Step 5-E: secondary data acquisition device 2-D-C buffers the split data it receives and sends it on when data identification and screening device 2-D-D is idle;
Step 5-F: data identification and screening device 2-D-D performs database application protocol analysis, identification and screening on the split data it receives, extracts the database operation behavior data, and discards the data of non-database operation behavior.
The process ends.
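Steps 5-A to 5-F modelled as a small simulation, added here as an example and not taken from the patent or from the LogBase devices it names: bursts of mirrored records are handed to the first idle secondary buffer, each buffer feeds one screener, and records that find no idle buffer are counted as lost. Assumptions: MySQL's cleartext COM_QUERY packet on port 3306 stands in for the unnamed database protocol, and the buffer depth, burst size, sample traffic and all names are hypothetical.

```python
"""Toy model of steps 5-A..5-F (added example; all names are hypothetical)."""
from collections import deque
from dataclasses import dataclass, field

MYSQL_PORT = 3306   # assumption: the patent names no specific database protocol
COM_QUERY = 0x03    # MySQL client command byte that carries a text SQL statement


@dataclass
class Record:
    """One mirrored client request, as copied by the primary device (5-A)."""
    dst_port: int
    payload: bytes


def mysql_packet(sql: str, command: int = COM_QUERY) -> bytes:
    """Constructed MySQL client packet: 3-byte LE length, sequence id, body."""
    body = bytes([command]) + sql.encode()
    return len(body).to_bytes(3, "little") + b"\x00" + body


def screen(rec: Record):
    """Step 5-F: return the SQL text of a database operation, else None."""
    p = rec.payload
    if rec.dst_port != MYSQL_PORT or len(p) < 5:
        return None
    if int.from_bytes(p[:3], "little") != len(p) - 4 or p[4] != COM_QUERY:
        return None   # truncated packet or a non-query command
    return p[5:].decode("utf-8", errors="replace")


@dataclass
class Collector:
    """Secondary acquisition device: a bounded buffer in front of one screener."""
    depth: int
    buf: deque = field(default_factory=deque)

    def idle(self) -> bool:
        return len(self.buf) < self.depth


def run(records, n_collectors=3, depth=2, burst=4, drain_per_tick=1):
    """Per tick: `burst` records arrive, then every screener handles
    `drain_per_tick` records. Returns (extracted SQL, discarded, lost)."""
    collectors = [Collector(depth) for _ in range(n_collectors)]
    extracted, discarded, lost = [], 0, 0

    def drain():
        nonlocal discarded
        for c in collectors:
            for _ in range(min(drain_per_tick, len(c.buf))):
                sql = screen(c.buf.popleft())
                if sql is None:
                    discarded += 1          # non-database traffic is dropped
                else:
                    extracted.append(sql)

    for i in range(0, len(records), burst):
        for rec in records[i:i + burst]:
            # Steps 5-C/5-D: ask each collector in turn whether it is idle.
            target = next((c for c in collectors if c.idle()), None)
            if target is None:
                lost += 1                   # no idle buffer: the record is lost
            else:
                target.buf.append(rec)      # step 5-E: buffer for the screener
        drain()
    while any(c.buf for c in collectors):   # flush what is still buffered
        drain()
    return extracted, discarded, lost


# Constructed sample traffic: 8 SQL statements interleaved with 4 HTTP requests.
SAMPLE = []
for n in range(4):
    SAMPLE.append(Record(MYSQL_PORT, mysql_packet(f"SELECT * FROM t{n}")))
    SAMPLE.append(Record(80, b"GET / HTTP/1.1\r\n\r\n"))
    SAMPLE.append(Record(MYSQL_PORT, mysql_packet(f"UPDATE t{n} SET x=1")))

if __name__ == "__main__":
    for n in (1, 3):
        sql, dropped, lost = run(SAMPLE, n_collectors=n)
        print(f"{n} collector(s): extracted={len(sql)} discarded={dropped} lost={lost}")
```

The model dispatches whole requests; a splitter working on raw packets would also have to keep all segments of one TCP connection on the same screener, or the protocol parser sees a broken stream.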

Claims (2)

1. Screening equipment for processing online database behavior on networks of gigabit speed and above, characterized in that the equipment comprises:
A primary data acquisition device, for copying or mirroring one copy of the network traffic of the network equipment and sending it to the data distribution processing device;
A data distribution processing device, for receiving the network traffic sent by the primary data acquisition device, splitting it according to the actual volume of the network traffic, and forwarding each split stream to a respective secondary data acquisition device;
3 secondary data acquisition devices, for receiving the data flows sent by the data distribution processing device;
3 data identification and screening devices, equal in number to the secondary data acquisition devices, each connected to a corresponding secondary data acquisition device, for receiving the data flow sent by that secondary data acquisition device, decrypting the protocol content according to the application-layer database protocol in the network traffic, screening out the database operation behavior data in the data flow, and discarding the data of non-database operation behavior;
The primary data acquisition device and the secondary data acquisition devices are optical splitters or network equipment with a port mirroring function, and the primary data acquisition device copies the network traffic by port mirroring or by optical splitting; the data distribution processing device is a data distribution detector; the data identification and screening device is a data identification detector.
2. A screening method for processing online database behavior on networks of gigabit speed and above, implemented by connecting the equipment of claim 1 to the network equipment in bypass mode, characterized in that it specifically comprises the following steps:
Step 1: the primary data acquisition device copies or mirrors one copy of the network traffic in the network equipment and sends it to the data distribution processing device, wherein the primary data acquisition device copies the network traffic by port mirroring or by optical splitting;
Step 2: the data distribution processing device splits the traffic according to the actual volume of the network traffic and forwards each split stream to a respective secondary data acquisition device, wherein there are 3 secondary data acquisition devices and the data distribution processing device is a data distribution detector;
Step 3: the data identification and screening devices receive the data flows sent by the secondary data acquisition devices, decrypt the protocol content according to the application-layer database protocol in the network traffic, screen out the database operation behavior data in the data flow, and discard the data of non-database operation behavior, wherein each data identification and screening device is connected to a corresponding secondary data acquisition device and the data identification and screening device is a data identification detector.
CN200810163211.1A 2008-12-15 2008-12-15 Screen method and equipment for processing on-line database behaviors of giga-above network Active CN101494555B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810163211.1A CN101494555B (en) 2008-12-15 2008-12-15 Screen method and equipment for processing on-line database behaviors of giga-above network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810163211.1A CN101494555B (en) 2008-12-15 2008-12-15 Screen method and equipment for processing on-line database behaviors of giga-above network

Publications (2)

Publication Number Publication Date
CN101494555A CN101494555A (en) 2009-07-29
CN101494555B true CN101494555B (en) 2014-03-26

Family

ID=40924974

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810163211.1A Active CN101494555B (en) 2008-12-15 2008-12-15 Screen method and equipment for processing on-line database behaviors of giga-above network

Country Status (1)

Country Link
CN (1) CN101494555B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110798402B (en) * 2019-10-30 2023-04-07 腾讯科技(深圳)有限公司 Service message processing method, device, equipment and storage medium
CN113835877A (en) * 2021-08-19 2021-12-24 重庆恩谷信息科技有限公司 Remote data information storage system based on big data

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100461765C (en) * 2006-11-24 2009-02-11 南京大学 A method for kilomega NIDS parallel processing based on NP and BS

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杭州思福迪信息技术有限公司.思福迪数据识别探测器白皮书及配置手册.《思福迪数据识别探测器白皮书及配置手册》.2007,第2.2节、图2.1. *

Also Published As

Publication number Publication date
CN101494555A (en) 2009-07-29


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: LISHUI POWER SUPPLY COMPANY OF STATE GRID ZHEJIANG

Free format text: FORMER OWNER: LISHUI POWER BUREAU

Effective date: 20140227

Owner name: LISHUI ZHENGHAO ELECTRIC POWER TECHNOLOGY CO., LTD

Effective date: 20140227

CB03 Change of inventor or designer information

Inventor after: Zhang Hanbing

Inventor after: Qian Jiang

Inventor after: Lu Wu

Inventor after: Song Yan

Inventor before: Zhang Hanbing

Inventor before: Qian Jiang

Inventor before: Lu Wu

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: ZHANG HANBING QIAN JIANG LU WU TO: ZHANG HANBING QIAN JIANG LU WU SONG YAN

TA01 Transfer of patent application right

Effective date of registration: 20140227

Address after: 310012 No. 19 lighthouse street, Zhejiang, Lishui

Applicant after: Lishui Power Supply Company of State Grid Zhejiang Power Supply Company

Applicant after: LISHUI ZHENGHAO ELECTRIC TECHNOLOGY COMPANY

Applicant after: State Grid Corporation of China

Address before: 310012 No. 699 Middle East Road, Liandu District, Zhejiang, Lishui

Applicant before: Lishui Power Bureau

GR01 Patent grant