CN103401711A - Security log-based network state analysis system - Google Patents

Security log-based network state analysis system

Info

Publication number
CN103401711A
Authority
CN
China
Prior art keywords
security log
security
network
log
equipment
Prior art date
Legal status
Granted
Application number
CN201310327303XA
Other languages
Chinese (zh)
Other versions
CN103401711B (en)
Inventor
姜学峰
李威
李健俊
董惠良
Current Assignee
China Tobacco Zhejiang Industrial Co Ltd
Original Assignee
China Tobacco Zhejiang Industrial Co Ltd
Priority date
Filing date
Publication date
Application filed by China Tobacco Zhejiang Industrial Co Ltd
Priority to CN201310327303.XA
Publication of CN103401711A
Application granted
Publication of CN103401711B
Legal status: Active
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a security log-based network state analysis system. The system comprises a security log management subsystem, an equipment asset management subsystem and a network performance and fault management subsystem. According to the security log-based network state analysis system, adjustment is performed according to different influences of different security logs on the network situation and with the attribute change of the equipment asset and the change of a network performance fault event. According to the system, analytical processing is performed on each security log to obtain the influence of each security log on the network, wherein the security log with the maximum influence value is an event which has the most serious influence on the network situation; thus a reliable basis is provided for an administrator to solve the network security problem.

Description

Security log-based network state analysis system
Technical field
The present invention belongs to the field of information technology and in particular relates to a system for analyzing the operating situation of an intranet.
Background technology
At present, analysis of a network's operating state concentrates on monitoring and analyzing network performance and faults, mainly by means of SNMP: the network monitoring and management system retrieves the operating parameters of network devices and hosts over SNMP, analyzes those parameters to obtain the performance and fault condition of the network, and so monitors the network's operating state. With the development and adoption of network security technology, more and more security devices have been deployed in networks. These devices generate large numbers of security logs or security events, which reflect the security state of the network's operation; security status is an important indicator of the network's overall operating state and needs to be watched and monitored by the administrator. Existing network management systems only analyze and monitor network performance and faults; they lack analysis and monitoring of network security and cannot reflect the overall operating situation of the network. At the same time, although many security management systems manage security logs or security events, they usually implement only the collection, storage, querying and statistics of log records; they lack log analysis and mining, and cannot reflect the impact of a security log on the network state.
Each security log reflects a security attack, a potential security hazard or the security state that some device on the network is exposed to, and so shows the local state of one part of the network. The same security event has a different impact when it occurs on different devices, so it must be analyzed according to its different effects on the three aspects of the device: availability, confidentiality and integrity. For example, a security event that mainly threatens the confidentiality or integrity of data causes far less harm when it occurs on a switch than when it occurs on a server. Analysis of a security event therefore needs to consider not only the severity of the log itself but also the device on which the event occurred: each event must be located to the device where it occurred, and only by analyzing it against that device's attributes can its impact on the network as a whole be obtained accurately.
Existing network management systems analyze and monitor only the performance and faults of network devices and hosts, while security management systems analyze only security logs and security events; neither performs a combined analysis of security logs and device attributes. The present invention uses security logs together with device attributes and performance and fault monitoring to analyze and monitor the overall operating situation of the network.
Summary of the invention
To solve the above technical problem, the object of the invention is to provide a security log-based network situation analysis system that not only analyzes and processes security logs but also determines the impact of a security log on the network situation from the attributes of the subject on which the log occurred, thereby overcoming the defects of existing network management and monitoring systems.
To achieve this object, the invention adopts the following technical scheme:
The security log-based network situation analysis system consists of a security log management subsystem, a device asset management subsystem and a network performance and fault management subsystem, wherein:
The security log management subsystem comprises a security log collection module, a security log classification module and a security log location module. The collection module receives the security logs sent by each security device and stores them in a database; at the same time the classification module classifies each received log according to its attributes into one of three classes: availability, confidentiality and integrity. The location module then maps each security log to a specific device according to the IP address in the log;
The device asset management subsystem comprises a device asset information management module and a device security attribute management module. The asset information management module manages the information of each device in the network and maintains the device asset information table, which is supplied to the security log management subsystem for log location. The device security attribute management module defines each device's availability, confidentiality and integrity attributes according to the device's type and purpose, and is associated with the security log classification module;
The network performance and fault management subsystem comprises a performance monitoring module and a fault alarm module. The performance monitoring module periodically retrieves performance data from network devices and hosts, analyzes each device's performance condition from that data and generates performance events; the fault alarm module further analyzes the performance data, judges each device's fault condition against fault thresholds, and generates fault events. Performance events and fault events are the basis on which the security log management subsystem determines a security log's influence value on the network situation;
The system analyzes the network situation by the following method:
A: each security product is configured to send its security logs to the network situation analysis system, so that a log is forwarded automatically as soon as the product generates it;
B: when the system collects a security log, it analyzes and processes that log;
C: the collected log is classified by its attributes from the three aspects of availability, confidentiality and integrity and assigned to one of these classes;
D: the subject of the log is located to a device in a network domain according to the IP address of the subject that generated the log;
E: the system judges whether the log's class is consistent with the security attributes of the device that generated it;
F: if the log's class is inconsistent with the security attributes of the device that generated it, the log's influence factor A is set to 0.5;
G: if the log's class is consistent with the security attributes of the device that generated it, the influence factor A is set to 1;
H: the performance and fault events of the device on which the log was generated are obtained;
I: the system judges whether the device has a performance or fault event;
J: if the device has no performance or fault event, the log's influence value B is set to 0;
K: if the device has a performance or fault event, the influence value B is set to 100;
L: from the influence factor A and the influence value B, the log's influence value on the network situation is computed as A * B.
The invention adjusts to the different influence that different security logs have on the network situation and to changes in device asset attributes and in network performance and fault events. The system analyzes every security log and derives each log's impact on the network; the log with the largest influence value is the event with the most serious impact on the network situation, which gives the administrator a reliable basis for resolving network security problems.
Description of the drawings
Fig. 1 is a structural diagram of the network situation analysis system of the invention.
Fig. 2 is a flow chart of the situation analysis of the invention.
Embodiments
The invention is a network situation analysis system and analysis method for use in the field of network management. It is explained below with a specific embodiment.
As shown in Figure 1, the network situation analysis system 1 of the invention runs on a Linux server. First, each security product is configured to send its security logs to the security log management subsystem 2 of the analysis system. The security log collection module 3 in that subsystem receives the logs sent by each security device and stores them in a database; at the same time the security log classification module 4 classifies the received logs by their attributes into the three classes availability, confidentiality and integrity. The security log location module 5 then maps each log to a specific device according to the IP address in the log.
The device asset management subsystem 6 is responsible for managing the asset attributes and security attributes of network devices and hosts. The device asset information management module 7 manages the information of each device in the network (adding, deleting, modifying and querying devices) and maintains the device asset information table, which records the device name, type, IP address, purpose, the network it belongs to, and so on. This table is supplied to the security log management subsystem for log location. The device security attribute management module 8 defines each device's availability, confidentiality and integrity attributes according to its type and purpose; for example, a switch has a high availability attribute and low confidentiality and integrity attributes, while a file server has high confidentiality and integrity attributes and a low availability attribute. The device's security attributes are associated with the security log classes: if a log has a large impact on availability and occurs on a switch, its influence factor on the network situation is 1; if the same log occurs on a file server, its influence factor is 0.5.
The network performance and fault management subsystem 9 monitors and analyzes the performance and faults of the network. The performance monitoring module 10 periodically retrieves performance data from network devices and hosts, analyzes each device's performance condition from it and generates performance events. At the same time, the fault alarm module 11 further analyzes the performance data, judges each device's fault condition against fault thresholds, and generates fault events. Performance events and fault events are the basis on which the security log management subsystem determines a log's influence value on the network situation.
Figure 2 is the analysis flow chart of the analysis system of the invention.
When a security product, an intrusion detection system (IDS), generates a security log for a DoS attack, the log is sent to the network situation analysis system. The log receiver of the analysis system collects the log (step S1). The analysis system classifies the DoS attack log by its attributes and assigns it to the class of events that affect device availability (step S2). The system extracts the IP address IPa from the log and, using the device asset information, locates the log to switch device A whose IP address is IPa (step S3).
The security attributes of device A and of the DoS attack log are checked (step S4). Both relate to availability, so the log's influence factor is 1 (step S6); otherwise the influence factor would be 0.5 (step S5). The performance and fault events of device A are obtained (step S7) and checked for existence (step S8). If device A also has a performance or fault event at the time the security log occurs, the log's influence value on the device is 100 (step S10); otherwise the influence value is 0 (step S9). Finally, from the log's influence factor and influence value, its influence value on the network situation is computed as S = 1 * 100 = 100 (step S11).
The invention analyzes the overall operating situation of the network from three factors: the impact of a security log on security, the security attributes of the device on which the log occurred, and whether the device and network on which the log occurred have performance or fault events.
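The scoring method of steps A to L, and the DoS walk-through above, as an added worked example; this is illustration code, not the patentee's implementation. The asset table, the performance/fault event list, the sample logs and the keyword-based classifier are all constructed here, since the patent only says a log is classified "by its attributes" without giving a rule, and the handling of a log whose IP is not in the asset table (skipped) is likewise an assumption.

```python
"""Scoring example for the method of CN103401711A (added illustration,
not the patentee's code; all data below is constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Category(Enum):
    """The three classes every security log is sorted into (step C)."""
    AVAILABILITY = "availability"
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"


@dataclass
class Device:
    """One row of the device asset information table plus the device's
    security attribute profile ("high"/"low" per category)."""
    name: str
    dev_type: str
    ip: str
    purpose: str
    network: str
    attributes: Dict[Category, str]


@dataclass
class SecurityLog:
    """A security log as received from a security device."""
    source_ip: str  # IP used to locate the log to a device (step D)
    message: str


# Assumption: the patent gives no classification rule, so a small keyword
# table stands in for the security log classification module.
KEYWORD_CLASSES = {
    "dos": Category.AVAILABILITY,
    "flood": Category.AVAILABILITY,
    "exfiltration": Category.CONFIDENTIALITY,
    "sniff": Category.CONFIDENTIALITY,
    "tamper": Category.INTEGRITY,
    "modified": Category.INTEGRITY,
}

# Constructed asset table: a switch (availability-sensitive) and a file
# server (confidentiality/integrity-sensitive), as in the patent's example.
ASSETS: List[Device] = [
    Device("switch-A", "switch", "10.0.0.1", "core switching", "dmz",
           {Category.AVAILABILITY: "high", Category.CONFIDENTIALITY: "low",
            Category.INTEGRITY: "low"}),
    Device("fileserver-B", "server", "10.0.0.20", "file storage", "office",
           {Category.AVAILABILITY: "low", Category.CONFIDENTIALITY: "high",
            Category.INTEGRITY: "high"}),
]

# Constructed output of the performance/fault subsystem: open events by device.
EVENTS: Dict[str, List[str]] = {"switch-A": ["uplink utilisation above threshold"]}

# Constructed security logs; the last one has an IP that is not in the table.
SAMPLE_LOGS = [
    SecurityLog("10.0.0.1", "DoS attack detected against switch uplink"),
    SecurityLog("10.0.0.20", "DoS attack detected against SMB service"),
    SecurityLog("10.0.0.20", "configuration file modified outside change window"),
    SecurityLog("10.0.0.99", "sniffing detected"),
]


def classify_log(log: SecurityLog) -> Optional[Category]:
    """Step C: assign the log to availability, confidentiality or integrity."""
    text = log.message.lower()
    for keyword, category in KEYWORD_CLASSES.items():
        if keyword in text:
            return category
    return None


def locate_device(log: SecurityLog, assets: List[Device]) -> Optional[Device]:
    """Step D: map the log to a concrete device through the asset table."""
    return next((d for d in assets if d.ip == log.source_ip), None)


def influence_factor(category: Category, device: Device) -> float:
    """Steps E-G: A is 1 when the log's class matches an attribute the
    device rates high, otherwise 0.5."""
    return 1.0 if device.attributes.get(category) == "high" else 0.5


def influence_value(device: Device, events: Dict[str, List[str]]) -> int:
    """Steps H-K: B is 100 when the device has a performance or fault event."""
    return 100 if events.get(device.name) else 0


def score_log(log: SecurityLog, assets: List[Device],
              events: Dict[str, List[str]]) -> Optional[float]:
    """Step L: A * B; None when the log cannot be classified or located
    (assumption: such logs are skipped)."""
    category = classify_log(log)
    device = locate_device(log, assets)
    if category is None or device is None:
        return None
    return influence_factor(category, device) * influence_value(device, events)


def rank_logs(logs, assets, events):
    """Score every log and sort descending; the first entry is the event the
    patent calls the most serious for the network situation."""
    scored = [(score_log(log, assets, events), log) for log in logs]
    ranked = [(s, log) for s, log in scored if s is not None]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, log in rank_logs(SAMPLE_LOGS, ASSETS, EVENTS):
        print(f"{score:6.1f}  {log.source_ip:<10} {log.message}")
```

Run as a script it ranks the three locatable logs: the DoS log on the switch, which has an open performance event, scores 1 * 100 = 100, while the same DoS log on the file server scores 0.5 * 0 = 0 and the integrity log on the file server scores 1 * 0 = 0. The coarse 0/100 value of B means any log on a device without an open performance or fault event scores zero regardless of its class, which is the behaviour the patent specifies and something an operator using this method should be aware of.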

Claims (1)

1. A security log-based network situation analysis system, characterized in that the system consists of a security log management subsystem, a device asset management subsystem and a network performance and fault management subsystem, wherein:
The security log management subsystem comprises a security log collection module, a security log classification module and a security log location module. The collection module receives the security logs sent by each security device and stores them in a database; at the same time the classification module classifies each received log according to its attributes into one of three classes: availability, confidentiality and integrity. The location module then maps each security log to a specific device according to the IP address in the log;
The device asset management subsystem comprises a device asset information management module and a device security attribute management module. The asset information management module manages the information of each device in the network and maintains the device asset information table, which is supplied to the security log management subsystem for log location. The device security attribute management module defines each device's availability, confidentiality and integrity attributes according to the device's type and purpose, and is associated with the security log classification module;
The network performance and fault management subsystem comprises a performance monitoring module and a fault alarm module. The performance monitoring module periodically retrieves performance data from network devices and hosts, analyzes each device's performance condition from that data and generates performance events; the fault alarm module further analyzes the performance data, judges each device's fault condition against fault thresholds, and generates fault events. Performance events and fault events are the basis on which the security log management subsystem determines a security log's influence value on the network situation;
The system analyzes the network situation by the following method:
A: each security product is configured to send its security logs to the network situation analysis system, so that a log is forwarded automatically as soon as the product generates it;
B: when the system collects a security log, it analyzes and processes that log;
C: the collected log is classified by its attributes from the three aspects of availability, confidentiality and integrity and assigned to one of these classes;
D: the subject of the log is located to a device in a network domain according to the IP address of the subject that generated the log;
E: the system judges whether the log's class is consistent with the security attributes of the device that generated it;
F: if the log's class is inconsistent with the security attributes of the device that generated it, the log's influence factor A is set to 0.5;
G: if the log's class is consistent with the security attributes of the device that generated it, the influence factor A is set to 1;
H: the performance and fault events of the device on which the log was generated are obtained;
I: the system judges whether the device has a performance or fault event;
J: if the device has no performance or fault event, the log's influence value B is set to 0;
K: if the device has a performance or fault event, the influence value B is set to 100;
L: from the influence factor A and the influence value B, the log's influence value on the network situation is computed as A * B.
CN201310327303.XA 2013-07-30 2013-07-30 Network state based on security log analyzes system Active CN103401711B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310327303.XA CN103401711B (en) 2013-07-30 2013-07-30 Network state based on security log analyzes system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310327303.XA CN103401711B (en) 2013-07-30 2013-07-30 Network state based on security log analyzes system

Publications (2)

Publication Number Publication Date
CN103401711A true CN103401711A (en) 2013-11-20
CN103401711B CN103401711B (en) 2016-11-02

Family

ID=49565242

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310327303.XA Active CN103401711B (en) 2013-07-30 2013-07-30 Network state based on security log analyzes system

Country Status (1)

Country Link
CN (1) CN103401711B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104598369A (en) * 2014-12-23 2015-05-06 北京畅游天下网络技术有限公司 Method and device for monitoring software in mobile device
CN112866044A (en) * 2019-11-27 2021-05-28 中盈优创资讯科技有限公司 Network equipment state information acquisition method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436967A (en) * 2008-12-23 2009-05-20 北京邮电大学 Method and system for evaluating network safety situation
CN101741595A (en) * 2008-11-26 2010-06-16 华为技术有限公司 Method, device and system for appraisal of network reliability
CN103748999B (en) * 2010-06-09 2012-02-08 北京理工大学 A kind of network safety situation integrated estimation system
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
CN103166794A (en) * 2013-02-22 2013-06-19 中国人民解放军91655部队 Information security management method with integration security control function

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
D'AMBROSIO B et al.: "Security situation assessment and response evaluation (SSARE)", 《DARPA INFORMATION SURVIVABILITY CONF. & EXPOSITION II》, 31 December 2001 (2001-12-31) *
陈秀真等: "网络化系统安全态势评估的研究", 《西安交通大学学报》, vol. 38, no. 4, 30 April 2004 (2004-04-30) *
韦勇: "网络安全态势评估模型研究", 《CNKI博士学位论文全文库》, 28 April 2009 (2009-04-28) *
韦勇;连一峰: "基于日志审计与性能修正算法的网络安全态势评估模型", 《计算机学报》, vol. 32, no. 4, 15 April 2009 (2009-04-15) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104598369A (en) * 2014-12-23 2015-05-06 北京畅游天下网络技术有限公司 Method and device for monitoring software in mobile device
CN112866044A (en) * 2019-11-27 2021-05-28 中盈优创资讯科技有限公司 Network equipment state information acquisition method and device
CN112866044B (en) * 2019-11-27 2023-05-12 中盈优创资讯科技有限公司 Network equipment state information acquisition method and device

Also Published As

Publication number Publication date
CN103401711B (en) 2016-11-02

Similar Documents

Publication Publication Date Title
CN105407103B (en) A kind of Cyberthreat appraisal procedure based on more granularity abnormality detections
CN208227074U (en) Electric power monitoring system network security monitors terminal
CN101325520B (en) Method for locating and analyzing fault of intelligent self-adapting network based on log
CN106371986A (en) Log treatment operation and maintenance monitoring system
CN110175451A (en) A kind of method for safety monitoring and system based on electric power cloud
CN107229556A (en) Log Analysis System based on elastic components
CN104852927A (en) Safety comprehensive management system based on multi-source heterogeneous information
CN110300100A (en) The association analysis method and system of log audit
CN107295010A (en) A kind of enterprise network security management cloud service platform system and its implementation
CN108270716A (en) A kind of audit of information security method based on cloud computing
CN105812200A (en) Abnormal behavior detection method and device
CN108259202A (en) A kind of CA monitoring and pre-alarming methods and CA monitoring and warning systems
CN104574557A (en) Alarm-based site polling method, alarm-based site polling manipulation device and alarm-based site polling system
CN104574219A (en) System and method for monitoring and early warning of operation conditions of power grid service information system
CN103208049B (en) Abnormality alarming quick accident analysis method and system
CN107547228A (en) A kind of safe operation management platform based on big data realizes framework
CN109033813A (en) The auditing system and method for Linux operation log
CN106254125A (en) The method and system of security incident correlation analysiss based on big data
CN104219193A (en) Method and system for correlation analysis of security events
CN110618977B (en) Login anomaly detection method, device, storage medium and computer equipment
CN115378711A (en) Industrial control network intrusion detection method and system
CN116257021A (en) Intelligent network security situation monitoring and early warning platform for industrial control system
CN108833442A (en) A kind of distributed network security monitoring device and its method
CN109032904A (en) Monitored, management server and data acquisition, analysis method and management system
CN105739408A (en) Business monitoring method used for power scheduling system and business monitoring system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant