CN102724068B - Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network - Google Patents


Info

Publication number: CN102724068B
Application number: CN201210193161.8A
Authority: CN (China)
Prior art keywords: address, ipv6, log, source, asset
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN102724068A
Inventors: 范渊, 杨永清, 谈修竹
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: DBAPPSecurity Co Ltd
Priority date: 2012-04-05 (the priority date is an assumption and not a legal conclusion)
Filing date: 2012-06-08
Publication dates: CN102724068A 2012-10-10; CN102724068B 2014-12-31

Abstract

The invention relates to the technical field of computer application security management, and aims to provide a method for identifying audit log assets in an internet protocol version 6 (IPv6) mixed network. The method comprises the steps of: receiving a log message based on an external IPv6/IPv4 dual-stack protocol stack; acquiring the log source address from the log message, and parsing the source address and destination address from the log content; normalizing the log source address, source address and destination address, restoring the changes each address undergoes during tunnel transmission; and identifying the log source asset, source asset and destination asset of the corresponding log from the normalized log source address, source address and destination address. With this method, log audit can be performed in a mixed IPv6 and IPv4 network environment while asset identification of both IPv6 and IPv4 addresses is supported. Precise address identification is supported, and address normalization is supported across the different dual-stack tunnel schemes, so that the different address formats of an asset are guaranteed to be associated with the same asset.

Description

Method for performing audit log asset identification in an IPv6 hybrid network
Technical field
The present invention relates to the field of computer application security management, and in particular to a method for performing audit log asset identification in an IPv6 hybrid network.
Technical background
A log audit system collects the logs of the various devices in an organization's network environment in order to audit all of the organization's IT assets, discover security threats, perform internal control, and carry out compliance analysis.
As IPv4 addresses continue to be allocated, the global IPv4 address space is almost exhausted, and the whole Internet has begun a long and slow transition from IPv4 to IPv6. According to related research, the transition may last many years, because existing IT investments have to be protected.
This means that IPv6/IPv4 mixed deployments will exist for a long time in enterprise networks and carrier networks. Mixed deployments include, but are not limited to, the following forms: isolated IPv6 sites accessing IPv4 networks through tunnels, isolated IPv6 sites interconnected through tunnels across an IPv4 network, IPv4 hosts accessing IPv6 networks through tunnels, various 6to4 gateway deployment schemes, and so on.
However, existing log audit systems are not designed for such IPv6/IPv4 hybrid network environments, and in particular do not address how audit logs should be mapped to assets in such environments.
In an IPv6 hybrid network environment, the audit system must receive audit logs from IPv4 devices, IPv6 devices and dual-stack devices. On the one hand, the audit logs themselves may be sent over IPv6 or over IPv4. On the other hand, the address information contained in the log content depends on the protocol version and the topological path used by the communicating parties, and so appears in different representations. The address information seen by the audit system is therefore highly diverse.
In a non-mixed network environment, audit log asset identification is generally done by direct matching of address information. In a hybrid network environment this approach has many problems: for example, a dual-stack host may be identified as two different assets, and a device can no longer be identified as an asset once its traffic has crossed a dual-stack boundary. These asset identification problems seriously affect the audit system's subsequent analysis, statistics and correlation of audit logs, greatly reduce the effectiveness of the audit, and even hamper the tracing of attacks and malicious behaviour.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the deficiencies of the prior art by providing a method for performing audit log asset identification in an IPv6 hybrid network.
To solve this technical problem, the solution of the present invention is as follows:
A method for performing audit log asset identification in an IPv6 hybrid network is provided, comprising the following steps:
A. Receive log messages of various forms from all log source devices; this receiving action is based on an external IPv6/IPv4 dual-stack protocol stack.
B. Obtain the log source address from the received log message, and parse the source address and destination address from the log content; the source address and destination address are IPv4 addresses or IPv6 addresses.
C. Normalize the log source address, source address and destination address, reversing the changes that these addresses undergo during transmission through the various tunnels.
D. Perform log identification processing: from the normalized log source address, source address and destination address, identify the log source asset, source asset and destination asset of the corresponding log.
In the present invention, the protocol used by the log message is any one of Syslog, SNMP, OPSEC or NetFlow.
In step B of the present invention, based on the IPv6/IPv4 dual-stack protocol stack, the log source address is an IPv4 address when an IPv4 log message is received, and an IPv6 address when an IPv6 log message is received.
In the present invention, the form of the log message is any one of text form, hexadecimal form, binary form or abbreviated form.
In step D of the present invention, the identification is based on an external asset address library; the asset address library contains the address information of assets, which includes each asset's IPv4 addresses, IPv6 addresses or any other information relevant to asset identification.
Compared with the prior art, the beneficial effects of the present invention are:
1. Log audit can be supported in an IPv6/IPv4 hybrid network environment, with asset identification supported for both IPv6 and IPv4 addresses.
2. Accurate address identification can be supported. Address normalization can be supported across the various dual-stack tunnel schemes, so that the various address formats of an asset are guaranteed to be associated with the same asset.
Brief description of the drawings
Fig. 1 is an overall flow diagram of asset identification of audit logs in an IPv6/IPv4 hybrid network environment;
Fig. 2 is an operational block diagram of asset identification of audit logs in an IPv6/IPv4 hybrid network environment.
Embodiment
It should first be noted that the present invention relates to computer technology and is an application of computer technology in the field of information security technology. Implementing the invention may involve a number of software functional modules. The applicant believes that, after carefully reading the application documents and accurately understanding the implementation principle and purpose of the invention, and in combination with known technology, those skilled in the art can fully implement the invention using their software programming skills. The aforementioned software functional modules include, but are not limited to: the IPv6/IPv4 dual-stack protocol stack, the log message source address acquisition module, the address resolution module, the address normalization module, the asset identification module, the asset address library module, the automatic asset discovery module, and so on. All of the modules mentioned in this application belong to this category, and the applicant will not enumerate them further.
Regarding the IPv6/IPv4 dual-stack protocol stack:
In order to support both the IPv6 and IPv4 protocols at the same time, a node runs two protocol stacks, an IPv6 protocol stack and an IPv4 protocol stack. The system decides which stack processes a received datagram according to the version field of its IP header, then delivers the message to the upper-layer application and provides the corresponding address information (an IPv6 address or an IPv4 address).
An audit system must adopt a dual-stack protocol stack in order to receive both the audit logs sent by IPv6 devices and the audit logs sent by IPv4 devices.
The problem of diverse address information at the application level is not directly related to the dual-stack protocol stack itself, but is closely related to the various tunnelling techniques that cross the dual-stack boundary.
References:
RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
RFC 4291: IP Version 6 Addressing Architecture
RFC 3542: Advanced Sockets Application Program Interface (API) for IPv6
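To show concretely how a dual-stack protocol stack presents the log source address to the audit application, here is an added Python example; it is not part of the patent and not DBAPPSecurity's code. It opens one UDP listener that accepts both IPv4 and IPv6 log senders, derives the log source address from the peer address that recvfrom() reports (on such a socket an IPv4 sender appears as an IPv4-mapped address ::ffff:a.b.c.d and has to be unmapped, otherwise the same device would look like two assets), and decodes an address field carried in the text, hexadecimal, binary or abbreviated forms the summary names. The function names make_dual_stack_listener, log_source_address, decode_address_field and receive_log, and all sample addresses, are my own constructions.

```python
"""Added example: log source address acquisition on a dual-stack listener.

The function names and sample addresses are constructed for this example.
"""
import ipaddress
import socket


def make_dual_stack_listener(port):
    """Open one UDP socket that accepts both IPv6 and IPv4 log senders.

    Clearing IPV6_V6ONLY lets the IPv6 socket also receive IPv4 datagrams;
    the kernel then reports IPv4 peers as IPv4-mapped addresses ::ffff:a.b.c.d.
    """
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    sock.bind(("::", port))
    return sock


def log_source_address(sockaddr):
    """Derive the log source address from the peer address recvfrom() returned.

    AF_INET peers arrive as (host, port), AF_INET6 peers as
    (host, port, flowinfo, scope_id).  An IPv4-mapped address is unmapped so
    that an IPv4 sender seen through the dual-stack socket yields the same
    value as one seen on a plain IPv4 socket, and a zone index (fe80::1%eth0)
    is dropped because it names the receiving interface, not the sender.
    """
    host = sockaddr[0].split("%", 1)[0]
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def decode_address_field(value):
    """Decode an address carried in a log field in text, hex or binary form.

    bytes of length 4 or 16  -> binary form (raw NetFlow / SNMP values)
    8 or 32 hex digits       -> hexadecimal form, optional 0x prefix
    anything else            -> text form: dotted decimal, full or
                                abbreviated IPv6 (validated by ipaddress)
    """
    if isinstance(value, (bytes, bytearray)):
        if len(value) not in (4, 16):
            raise ValueError("binary address must be 4 or 16 bytes")
        return ipaddress.ip_address(bytes(value))
    text = value.strip()
    digits = text[2:] if text[:2].lower() == "0x" else text
    if len(digits) in (8, 32) and all(c in "0123456789abcdefABCDEF" for c in digits):
        return ipaddress.ip_address(bytes.fromhex(digits))
    return ipaddress.ip_address(text)


def receive_log(sock, bufsize=65535):
    """Steps A and B: one datagram in, (log source address, raw log payload) out."""
    payload, peer = sock.recvfrom(bufsize)
    return log_source_address(peer), payload
```

The IPV6_V6ONLY option is set explicitly rather than relied upon: Windows sockets default to v6-only, and on Linux the default follows the net.ipv6.bindv6only sysctl, so a collector that omits the call behaves differently per host.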
The general principle of the present invention is as follows: after a log message is received in the IPv4/IPv6 hybrid network environment, the log message source address acquisition module obtains the log source address; the log is extracted from the payload of the log message, and address resolution is performed on the log content to obtain the source address and destination address; address normalization is performed on the log source address, source address and destination address; asset identification is then performed, thereby identifying the log source asset, source asset and destination asset of the log.
The present invention is described below with reference to a specific example.
Fig. 1 describes the process of asset identification of audit logs in an IPv6/IPv4 hybrid network environment. The specific process is as follows:
201 Receive log: receive log message 102.
202 Obtain log source address: according to the IPv4 or IPv6 header information of log message 102, obtain log source address 104 through the log message source address acquisition module 103.
203 Parse source address and destination address: according to the content of log 105, parse source address 107 and destination address 108 through the address resolution module 106.
204 Address normalization: normalize log source address 104, source address 107 and destination address 108.
205 Asset identification: search the asset address library 111 using the normalized address information, and identify the log source asset 114, source asset 112 and destination asset 113 of the log.
206 Asset-related subsequent processing: read the asset-identified log and perform subsequent related processing, such as correlation analysis of asset vulnerabilities, analysis of asset importance, asset threat impact analysis, and so on.
Fig. 2 describes a specific example of address processing and asset identification in the present invention, together with the other entities involved and the information exchanged between them.
First, log messages 102 are received from various application security devices 101, such as application security scanners, database audit systems, intrusion detection systems (IDS) and so on. The protocols of these log messages may be Syslog, SNMP, OPSEC, NetFlow, or other log protocols.
These log messages 102 are processed by the log message source address acquisition module 103, which obtains the log source address 104 from the header information. Log source address 104 may be an IPv4 address or an IPv6 address.
Log 105 is obtained by extracting the payload of log message 102, and is parsed by the address resolution module 106 to yield source address 107 and destination address 108. Address resolution is based mainly on the IP address format definitions in the relevant IPv4 and IPv6 RFC standards; by supporting all address formats, it can obtain the address information present in the message.
The log source address 104, source address 107 and destination address 108 obtained above are normalized by the address normalization module 109. The normalization process mainly normalizes the resolved addresses according to the various tunnelling techniques in the relevant IPv4 and IPv6 RFC standards.
The various tunnels that need to be handled here include, but are not limited to: IPv4-compatible address automatic tunnels, 6to4 automatic tunnels, ISATAP automatic tunnels, IPv6-over-IPv4 GRE tunnels, tunnel broker techniques, 6over4 tunnels, BGP tunnels, and so on.
From the normalized addresses, the asset identification module 110 identifies source asset 112, destination asset 113 and log source asset 114 respectively. The asset identification module completes asset identification by searching an external asset address library 111. In asset address library 111 each asset may contain multiple pieces of address information, in IPv4 form, in IPv6 form, or any other information relevant to asset identification.
Asset address library 111 can be maintained by manual entry, or can be populated by the automatic asset discovery module 115. Automatic asset discovery can use various methods such as network port scanning and network traffic topology analysis.
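Steps 203 to 205 (address resolution, normalization and asset lookup), as an added Python example that is not the patent's or the applicant's code. normalize() undoes the address forms produced by the RFC-defined automatic tunnels the text lists (IPv4-compatible, 6to4, ISATAP and 6over4) together with the IPv4-mapped form a dual-stack socket produces; configured tunnels such as GRE, tunnel broker and BGP-based tunnels carry IPv6 addresses that are not derived from an IPv4 address, so those pass through unchanged. extract_addresses() is a minimal address resolution module for a text log line, build_index() normalizes the library entries the same way so that either form of a dual-stack host matches one asset, and identify() performs the lookup. The asset library, the sample log line and all function names are constructed for this example. Treating fe80::w.x.y.z as a 6over4 address is only safe on sites that actually run 6over4, because an ordinary fe80::1 has the same shape, so that decoding sits behind the assume_6over4 flag.

```python
"""Added example: tunnel-aware address normalization and asset lookup.

Function names, the asset library and the log line are constructed here.
"""
import ipaddress
import re
from ipaddress import IPv4Address


def normalize(addr, assume_6over4=False):
    """Reduce an address to the form under which the asset library knows the host.

    Returns (canonical address, scheme).  Tunnel forms handled:
      ::ffff:a.b.c.d              IPv4-mapped, a dual-stack socket's view of an IPv4 peer
      2002:WWXX:YYZZ::/48         6to4 (RFC 3056), IPv4 in bits 16-47
      ...:0000|0200:5efe:a.b.c.d  ISATAP (RFC 5214), IPv4 in the low 32 bits of the IID
      ::a.b.c.d                   IPv4-compatible (RFC 4291, deprecated)
      fe80::a.b.c.d               6over4 (RFC 2529), only when assume_6over4 is set
    Configured tunnels (GRE, tunnel broker, BGP-based) carry addresses not
    derived from IPv4, so they fall through unchanged as plain IPv6.
    """
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    if addr.version == 4:
        return addr, "ipv4"
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped, "ipv4-mapped"
    if addr.sixtofour is not None:
        return addr.sixtofour, "6to4"
    p = addr.packed
    if p[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return IPv4Address(p[12:]), "isatap"
    if p[:12] == bytes(12) and int(addr) > 1:  # int(addr) > 1 excludes :: and ::1
        return IPv4Address(p[12:]), "ipv4-compatible"
    if assume_6over4 and addr.is_link_local and p[2:12] == bytes(10):
        return IPv4Address(p[12:]), "6over4"
    return addr, "ipv6"


_LABELLED = re.compile(r"\b(src|dst|source|destination)=\[?([0-9A-Fa-f:.]+)\]?")
_TOKEN = re.compile(r"[0-9A-Fa-f:.]+")


def extract_addresses(line):
    """Address resolution for a text log line: return {'src': addr, 'dst': addr}.

    Labelled key=value fields win; otherwise the first two valid addresses in
    reading order are taken.  Every candidate is validated with ipaddress,
    which rejects timestamps (10:15:02), host:port strings and stray hex words.
    """
    found = {}
    for label, raw in _LABELLED.findall(line):
        role = "src" if label in ("src", "source") else "dst"
        try:
            found[role] = ipaddress.ip_address(raw)
        except ValueError:
            continue
    if len(found) == 2:
        return found
    valid = []
    for tok in _TOKEN.findall(line):
        tok = tok.rstrip(".")  # drop sentence-ending punctuation
        if ":" not in tok and "." not in tok:
            continue
        try:
            valid.append(ipaddress.ip_address(tok))
        except ValueError:
            continue
    return {"src": valid[0] if valid else None,
            "dst": valid[1] if len(valid) > 1 else None}


# Constructed asset address library: asset id -> every address form it is known by.
ASSET_LIBRARY = {
    "fw-01": ["192.0.2.4", "2001:db8:1::4"],
    "db-02": ["198.51.100.7"],
    "ids-03": ["10.0.0.9"],
}


def build_index(library):
    """Normalize library entries too, so a 6to4 or mapped form of a host hits the same asset."""
    index = {}
    for asset_id, addresses in library.items():
        for a in addresses:
            index[normalize(a)[0]] = asset_id
    return index


def identify(log_source, line, index):
    """Steps 202-205: normalize the log source, parsed src and dst, then look each up."""
    parsed = extract_addresses(line)
    roles = {"log_source": ipaddress.ip_address(log_source),
             "src": parsed["src"], "dst": parsed["dst"]}
    return {role: (index.get(normalize(a)[0]) if a is not None else None)
            for role, a in roles.items()}


# Constructed sample: an IDS on a dual-stack collector reports a 6to4 source and a mapped destination.
SAMPLE_LINE = "<134>Jun  8 10:15:02 ids-03 alert: src=2002:c000:0204::1 dst=::ffff:198.51.100.7 proto=tcp"
INDEX = build_index(ASSET_LIBRARY)

if __name__ == "__main__":
    print(identify("::ffff:10.0.0.9", SAMPLE_LINE, INDEX))
```

Without normalization the three addresses in the sample line would miss the library entirely, even though every host in it is known; with it the 6to4 source resolves to fw-01's IPv4 address and the mapped destination to db-02.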

Claims (5)

1. A method for performing audit log asset identification in an IPv6 hybrid network, characterized in that it comprises the following steps:
A. Receive log messages of various forms from all log source devices; this receiving action is based on an external IPv6/IPv4 dual-stack protocol stack;
B. Obtain the log source address from the received log message, and parse the source address and destination address from the log content; the source address and destination address are IPv4 addresses or IPv6 addresses;
C. Normalize the log source address, source address and destination address, reversing the changes that these addresses undergo during transmission through the various tunnels; the normalization refers to normalizing the resolved addresses according to the tunnelling techniques in the relevant IPv4 or IPv6 RFC standards;
D. Perform log identification processing: from the normalized log source address, source address and destination address, identify the log source asset, source asset and destination asset of the corresponding log.
2. The method according to claim 1, characterized in that the protocol used by the log message is any one of Syslog, SNMP, OPSEC or NetFlow.
3. The method according to claim 1, characterized in that, in step B, based on the IPv6/IPv4 dual-stack protocol stack, the log source address is an IPv4 address when an IPv4 log message is received, and an IPv6 address when an IPv6 log message is received.
4. The method according to claim 1, characterized in that the form of the log message is any one of text form, hexadecimal form, binary form or abbreviated form.
5. The method according to claim 1, characterized in that, in step D, the identification is based on an external asset address library; the asset address library contains the address information of assets, which includes each asset's IPv4 addresses, IPv6 addresses or any other information relevant to asset identification.
Priority Applications (1)

Application number | Priority date | Filing date | Title
CN201210193161.8A (CN102724068B) | 2012-04-05 | 2012-06-08 | Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network

Applications Claiming Priority (3)

Application number | Priority date | Filing date | Title
CN201210098303.2 | 2012-04-05 | |
CN201210098303 | 2012-04-05 | |
CN201210193161.8A (CN102724068B) | 2012-04-05 | 2012-06-08 | Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network

Publications (2)

Publication number | Publication date
CN102724068A | 2012-10-10
CN102724068B | 2014-12-31

Family ID: 46949737

Family Applications (1)

Application number | Status | Publication | Priority date | Filing date
CN201210193161.8A | Active | CN102724068B | 2012-04-05 | 2012-06-08

Country Status (1)

Country | Publication
CN | CN102724068B

Families Citing this family (4)

(* cited by examiner, † cited by third party)
Publication number | Priority date | Publication date | Assignee | Title
CN104580546B * | 2014-12-22 | 2017-11-24 | 北京蓝汛通信技术有限责任公司 | The acquisition methods and device of IP address properties information
CN110417841B * | 2018-04-28 | 2022-01-18 | 阿里巴巴集团控股有限公司 | Address normalization processing method, device and system and data processing method
CN110535727B * | 2019-09-02 | 2021-06-18 | 杭州安恒信息技术股份有限公司 | Asset identification method and device
CN114268583B * | 2021-11-26 | 2024-01-23 | 网络通信与安全紫金山实验室 | SDN-based dual-stack backbone management method and device and electronic equipment

Patent Citations (1)

Publication number | Priority date | Publication date | Assignee | Title
CN101237326A * | 2008-02-29 | 2008-08-06 | 华为技术有限公司 | Method, device and system for real time parsing of device log

Family Cites Families (4)

Publication number | Priority date | Publication date | Assignee | Title
CN1564542A * | 2004-04-20 | 2005-01-12 | 清华大学 | Tunnel set-up method for carrying out internet of IPV4 network on IPV6 network
KR100825758B1 * | 2006-06-19 | 2008-04-29 | 한국전자통신연구원 | Apparatus and Method on network-based mobility support for dual stack nodes
CN101610174B * | 2009-07-24 | 2011-08-24 | 深圳市永达电子股份有限公司 | Log correlation analysis system and method
CN102006338B * | 2010-12-23 | 2013-01-09 | 山东大学 | Concurrent communication method for embedded equipment supporting IPv4/IPv6 protocol

Non-Patent Citations (1)

Wang Yuan, "Research and design of a linked defence system based on an IPv4/IPv6 dual protocol stack" (基于IPv4/IPv6双协议栈的联动防御系统研究与设计), China Master's Theses Full-text Database, Information Science and Technology series, 2009-10-15 (No. 10), pp. 24-34 *


Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |
CP01 | Change in the name or title of a patent holder | Patentee before: Dbappsecurity Co.,ltd.; Patentee after: Hangzhou Annan information technology Limited by Share Ltd. Address before and after: 15th floor, Zhejiang Zhongcai Building, No. 68 Binjiang District road, Hangzhou City, Zhejiang Province, 310051