Summary of the invention
In view of the above problems, the present invention is proposed in order to provide an O&M (operation and maintenance) operation auditing method and device that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, an O&M operation auditing method is provided, the method comprising:
pre-storing first-class risk rules in a first risk rule database;
obtaining in real time the operation log generated by a specified system, and matching the operation log obtained in real time against the first-class risk rules in the first risk rule database; if there is a match, determining that the system has been intruded or that a violating O&M operation has occurred;
storing the obtained operation log in a log database;
performing off-line analysis on the operation log in the log database to judge whether the system has been intruded or a violating O&M operation has occurred.
Optionally, the method further comprises: pre-storing second-class risk rules in a second risk rule database;
and performing off-line analysis on the operation log in the log database to judge whether the system has been intruded or a violating O&M operation has occurred comprises: analyzing the operation log in the log database and judging whether it matches a second-class risk rule in the second risk rule database; if so, determining that the system has been intruded or a violating O&M operation has occurred.
Optionally, the first risk rule database stores each first-class risk rule together with a corresponding risk title, and the second risk rule database stores each second-class risk rule together with a corresponding risk title;
a risk title is a descriptive name for a kind of system intrusion or the name of a kind of violating O&M operation.
Optionally, the first-class risk rules include one or more of the following:
a login operation performed from an abnormal location;
an operation that modifies a specified file;
and the second-class risk rules include one or more of the following:
login operations performed from different locations within a time period of preset length;
two or more mutually exclusive operations performed within a time period of preset length.
Optionally, the method further comprises:
when it is judged that a violating O&M operation has occurred, determining the operator of the violating O&M operation from the log database, and further recalling the O&M operation record of that operator from the log database to perform a further violation judgement.
Optionally, further recalling the O&M operation record of the operator from the log database to perform a further violation judgement comprises:
judging, according to the risk rules in the first risk rule database and/or the second risk rule database, whether the recalled O&M operation record of the operator contains a violating operation.
Optionally, the method further comprises:
performing statistical analysis on the judged system intrusions and violating O&M operations, and learning regularities of system intrusions and violating O&M operations;
determining countermeasures according to the learned regularities.
Optionally, the learned regularities of system intrusions and violating O&M operations include one or more of the following:
which systems are frequently intruded;
which violating O&M operations occur frequently;
the time periods in which system intrusions occur most often;
the time periods in which violating O&M operations occur most often.
Optionally, determining countermeasures according to the learned regularities includes one or more of the following:
for systems that are frequently intruded, setting up targeted interception or strengthening verification;
for violating O&M operations that occur frequently, raising the O&M permission threshold, or disabling the operation accounts of operators who frequently perform violating O&M operations;
in the time periods in which system intrusions occur most often, setting up targeted interception and strengthening verification;
in the time periods in which violating O&M operations occur most often, raising the O&M permission threshold, or disabling the operation accounts of operators who frequently perform violating O&M operations.
According to another aspect of the present invention, an O&M operation auditing device is provided, the device comprising:
an acquiring unit, adapted to obtain in real time the operation log generated by a specified system and send it to a real-time auditing unit and a storage unit;
the real-time auditing unit, adapted to match the operation log obtained in real time against the first-class risk rules in a first risk rule database and, if there is a match, to determine that the system has been intruded or a violating O&M operation has occurred;
the storage unit, adapted to store the first risk rule database, which holds the first-class risk rules, and to store a log database, which holds the operation log;
an off-line auditing unit, adapted to perform off-line analysis on the operation log in the log database to judge whether the system has been intruded or a violating O&M operation has occurred.
Optionally, the storage unit is further adapted to store a second risk rule database, which holds second-class risk rules;
and the off-line auditing unit is adapted to analyze the operation log in the log database, judge whether it matches a second-class risk rule in the second risk rule database and, if so, determine that the system has been intruded or a violating O&M operation has occurred.
Optionally, the first risk rule database stores each first-class risk rule together with a corresponding risk title, and the second risk rule database stores each second-class risk rule together with a corresponding risk title;
a risk title is a descriptive name for a kind of system intrusion or the name of a kind of violating O&M operation.
Optionally, the first-class risk rules include one or more of the following:
a login operation performed from an abnormal location;
an operation that modifies a specified file;
and the second-class risk rules include one or more of the following:
login operations performed from different locations within a time period of preset length;
two or more mutually exclusive operations performed within a time period of preset length.
Optionally, the device further comprises:
a violation tracing unit, adapted, when a violating O&M operation has occurred, to determine the operator of the violating O&M operation from the log database, and further to recall the O&M operation record of that operator from the log database to perform a further violation judgement.
Optionally, the violation tracing unit is adapted to judge, according to the risk rules in the first risk rule database and/or the second risk rule database, whether the recalled O&M operation record of the operator contains a violating operation.
Optionally, the device further comprises:
a learning unit, adapted to perform statistical analysis on the judged system intrusions and violating O&M operations and to learn regularities of system intrusions and violating O&M operations;
a countermeasure unit, adapted to determine countermeasures according to the learned regularities.
Optionally, the learning unit is adapted to learn one or more of the following regularities of system intrusions and violating O&M operations:
which systems are frequently intruded;
which violating O&M operations occur frequently;
the time periods in which system intrusions occur most often;
the time periods in which violating O&M operations occur most often.
Optionally, the countermeasures determined by the countermeasure unit include one or more of the following:
for systems that are frequently intruded, setting up targeted interception or strengthening verification;
for violating O&M operations that occur frequently, raising the O&M permission threshold, or disabling the operation accounts of operators who frequently perform violating O&M operations;
in the time periods in which system intrusions occur most often, setting up targeted interception and strengthening verification;
in the time periods in which violating O&M operations occur most often, raising the O&M permission threshold, or disabling the operation accounts of operators who frequently perform violating O&M operations.
As can be seen from the above, the technical solution provided by the present invention matches the real-time operation log against the first-class risk rules to determine whether the O&M operation behaviour occurring in the system at the current moment is unreasonable and, if so, determines that the system has been intruded or a violating O&M operation has occurred. On this basis, since in some cases an unreasonable O&M operation behaviour is composed of several individually reasonable O&M operation behaviours and cannot be detected by matching the first-class risk rules in real time, the solution also performs off-line analysis on the operation log of a period of time in the log database and thereby determines whether the system has been intruded or a violating O&M operation has occurred. The real-time analysis and the off-line analysis in this O&M operation auditing solution thus each target a different form of unreasonable O&M operation behaviour; they complement and support each other in the O&M operation auditing process, widen the scope of auditing, improve auditing accuracy, discover intrusions and violating O&M operations in the system promptly and effectively, and meet the requirements of system management.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented in accordance with the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be made more apparent, specific embodiments of the present invention are described below.
Specific embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
With the continuous development of the Internet, the Internet Data Center (IDC) has emerged as an indispensable link in the Internet industry of the new century. An IDC provides ICPs, enterprises, media and all kinds of websites with large-scale, high-quality, safe and reliable services such as professional server hosting, space rental, network bandwidth, application service provision (ASP, Application Service Provider) and e-commerce (EC, Electronic Commerce).
For systems that need to be monitored, the system to be monitored can be deployed for public cloud monitoring, private cloud monitoring or hybrid cloud monitoring in the IDC, thereby obtaining the various monitoring services that the cloud monitoring provides, including monitoring of the O&M operations that occur inside the system. Against the background of cloud monitoring deployed on an IDC, this description proposes an O&M operation auditing method and device for auditing the O&M operations that occur inside a monitored system.
Fig. 1 shows a flow chart of an O&M operation auditing method according to an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step S110: pre-storing first-class risk rules in a first risk rule database.
In this step, a first-class risk rule describes a sufficient condition for determining, in real time, that an O&M operation behaviour is unreasonable.
Step S120: obtaining in real time the operation log generated by a specified system, and matching the operation log obtained in real time against the first-class risk rules in the first risk rule database; if there is a match, determining that the system has been intruded or a violating O&M operation has occurred.
In this step, the operation log generated by the specified system and obtained in real time reflects the O&M operation behaviour occurring in the specified system at the current moment. The operation log is matched against the first-class risk rules described above; if there is a match, the O&M operation behaviour occurring in the specified system at the current moment is determined to be unreasonable, that is, it is determined that the system has been intruded or a violating O&M operation has occurred.
Step S130: storing the obtained operation log in a log database.
Each operation log entry obtained in real time is stored in the log database. The operation log records in detail who performed an operation, at what time, with whose authorization, what operation was performed and what its result was, so that it can be audited and traced later. The log database described in this step stores the operation log entries of many moments, so that the O&M operation behaviour of the specified system over a period of time can be traced back.
Step S140: performing off-line analysis on the operation log in the log database to judge whether the system has been intruded or a violating O&M operation has occurred.
As can be seen, the method shown in Fig. 1 matches the real-time operation log against the first-class risk rules to determine whether the O&M operation behaviour occurring in the system at the current moment is unreasonable and, if so, determines that the system has been intruded or a violating O&M operation has occurred. On this basis, since in some cases an unreasonable O&M operation behaviour is composed of several individually reasonable O&M operation behaviours and cannot be detected by matching the first-class risk rules in real time, the method shown in Fig. 1 also performs off-line analysis on the operation log of a period of time in the log database and thereby determines whether the system has been intruded or a violating O&M operation has occurred. The real-time analysis and the off-line analysis in this method each target a different form of unreasonable O&M operation behaviour; they complement and support each other in the O&M operation auditing process, widen the scope of auditing, improve auditing accuracy, discover intrusions and violating O&M operations in the system promptly and effectively, and meet the requirements of system management.
In one embodiment of the present invention, the method shown in Fig. 1 further comprises: pre-storing second-class risk rules in a second risk rule database. In this step, a second-class risk rule describes a sufficient condition for judging that the combined O&M operation behaviour within a period of time is unreasonable.
On this basis, step S140 of performing off-line analysis on the operation log in the log database to judge whether the system has been intruded or a violating O&M operation has occurred comprises: analyzing the operation log in the log database and judging whether it matches a second-class risk rule in the second risk rule database; if so, determining that the system has been intruded or a violating O&M operation has occurred.
For example, an O&M operation audit is performed on a specified system A in accordance with system management requirements. On the one hand, real-time analysis is performed: a number of first-class risk rules are saved in advance in the first risk rule database, each of which, in this example, is a single unreasonable O&M operation behaviour. The operation log generated by system A is obtained in real time; the current operation log reflects the O&M operation behaviour occurring in system A. If that O&M operation behaviour hits one of the first-class risk rules, that is, the first risk rule database contains an entry matching the current O&M operation behaviour, it is determined that system A has been intruded or a violating O&M operation has occurred. On the other hand, off-line analysis is performed: a number of second-class risk rules are saved in advance in the second risk rule database, each of which, in this example, is a combination of several O&M operation behaviours within a period of time. The operation log of system A in the log database is analyzed; this log is a trace of the O&M operation behaviours that occurred in system A over a period of time. If the combination of O&M operation behaviours that occurred in system A within a period of time hits one of the second-class risk rules, that is, the second risk rule database contains a matching second-class risk rule, it is determined that system A has been intruded or a violating O&M operation has occurred. In one specific embodiment, the O&M operation behaviour occurring in system A at the current moment is X. If some first-class risk rule is also X, it is determined that system A has been intruded or a violating O&M operation has occurred; otherwise the operation log continues to be collected. If, some time after O&M operation behaviour X occurred, O&M operation behaviour Y also occurs in system A, then the combination of O&M operation behaviours that occurred in system A within that period of time is X+Y; if some second-class risk rule is the combination of O&M operation behaviour X and O&M operation behaviour Y within a certain period of time, it is determined that system A has been intruded or a violating O&M operation has occurred.
In one embodiment of the present invention, the first risk rule database stores each first-class risk rule together with a corresponding risk title, and the second risk rule database stores each second-class risk rule together with a corresponding risk title. Here a risk title is a descriptive name for a kind of system intrusion or the name of a kind of violating O&M operation.
When operation and maintenance is performed on a specified system, the places from which O&M personnel log in are fixed, and certain specified files may not be modified without authorization. Behaviours such as logging in from an abnormal place or modifying a specified file are therefore unreasonable O&M operation behaviours that can be determined directly, and indicate that the behaviour was carried out by an external intruder or an internal violator. Therefore, in one embodiment of the present invention, the first-class risk rules include one or more of the following: a login operation performed from an abnormal location; an operation that modifies a specified file.
In addition, when operation and maintenance is performed on a specified system, although the place from which O&M personnel log in may vary, both the range and the frequency of that variation are limited; and some O&M operation behaviours are mutually exclusive, so that performing them within the same period of time is unreasonable. Therefore, in one embodiment of the present invention, the second-class risk rules include one or more of the following: login operations performed from different locations within a time period of preset length; two or more mutually exclusive operations performed within a time period of preset length.
In one embodiment of the present invention, the method shown in Fig. 1 further comprises step S150: when it is judged that a violating O&M operation has occurred, determining the operator of the violating O&M operation from the log database, and further recalling the O&M operation record of that operator from the log database to perform a further violation judgement.
In this embodiment, since the real-time analysis and the off-line analysis described above audit the O&M operations of a single moment or of a single period of time, the completeness of the audit is not yet maximized. Tracing back an operator's O&M operation record from the log database reproduces the complete chain of O&M operations that the operator performed on the specified system, and thus reveals more completely the intent behind the O&M operations the operator carried out. This helps to further analyze and understand the degree to which the specified system has been intruded or subjected to violating O&M operations, and makes it easier to formulate subsequent response, remediation and preventive measures. Specifically, further recalling the O&M operation record of the operator from the log database in step S150 to perform a further violation judgement comprises: judging, according to the risk rules in the first risk rule database and/or the second risk rule database, whether the recalled O&M operation record of the operator contains a violating operation.
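The following is an added illustration of steps S110 to S150 as described above (the real-time matching of single log entries against first-class rules, the off-line window analysis against second-class rules, and the operator trace-back); it is example code written for this page, not an implementation from the patent. The log format, the allowed login locations, the protected files, the 30-minute window and the backup/restore exclusion pair are all assumptions, and the log lines are constructed. It also shows the X+Y case from the example above: each of bob's two logins is individually acceptable and passes the real-time check, but the pair inside one window hits a second-class rule, while dave's two logins fall outside the window and are not flagged.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed operation log for a hypothetical system "sysA" (not from the patent).
# Assumed line format: <timestamp> <system> <operator> <action> key=value...
SAMPLE_LOG = """\
2024-03-01T09:00:00 sysA alice login loc=HQ
2024-03-01T09:05:00 sysA alice edit file=/etc/passwd
2024-03-01T09:10:00 sysA bob login loc=HQ
2024-03-01T09:20:00 sysA bob login loc=DC2
2024-03-01T09:30:00 sysA carol backup target=db1
2024-03-01T09:40:00 sysA carol restore target=db1
2024-03-01T10:00:00 sysA eve login loc=Unknown
2024-03-01T11:00:00 sysA dave login loc=DC2
2024-03-01T12:00:00 sysA dave login loc=HQ
"""

# Assumed site policy: permitted login places and files that must not be edited.
ALLOWED_LOGIN_LOCATIONS = {"HQ", "DC2"}
PROTECTED_FILES = {"/etc/passwd", "/etc/sudoers"}
WINDOW = timedelta(minutes=30)                      # preset window length (assumed)
MUTUALLY_EXCLUSIVE = [frozenset({"backup", "restore"})]  # assumed exclusion pair


@dataclass
class Entry:
    ts: datetime
    system: str
    operator: str
    action: str
    attrs: dict = field(default_factory=dict)


def parse_log(text):
    """Turn the raw log text into Entry objects, one per line."""
    entries = []
    for line in text.splitlines():
        ts, system, operator, action, *rest = line.split()
        attrs = dict(kv.split("=", 1) for kv in rest)
        entries.append(Entry(datetime.fromisoformat(ts), system, operator, action, attrs))
    return entries


# First risk rule database: (risk title, predicate over ONE entry), usable in real time.
FIRST_RISK_RULES = [
    ("login from abnormal location",
     lambda e: e.action == "login" and e.attrs.get("loc") not in ALLOWED_LOGIN_LOCATIONS),
    ("modification of protected file",
     lambda e: e.action == "edit" and e.attrs.get("file") in PROTECTED_FILES),
]


def _different_login_locations(window):
    return len({e.attrs.get("loc") for e in window if e.action == "login"}) > 1


def _mutually_exclusive_operations(window):
    actions = {e.action for e in window}
    return any(pair <= actions for pair in MUTUALLY_EXCLUSIVE)


# Second risk rule database: (risk title, predicate over one operator's entries in a window).
SECOND_RISK_RULES = [
    ("logins from different locations within window", _different_login_locations),
    ("mutually exclusive operations within window", _mutually_exclusive_operations),
]


def real_time_audit(entry, log_db):
    """Steps S120/S130: match one incoming entry against the first-class rules, then store it.
    Returns (risk title, operator, timestamp) findings for this entry."""
    log_db.append(entry)
    return [(title, entry.operator, entry.ts) for title, rule in FIRST_RISK_RULES if rule(entry)]


def offline_audit(log_db, window=WINDOW):
    """Step S140: slide a window of the preset length over each operator's stored entries
    and apply the second-class rules to the entries inside it."""
    by_operator = defaultdict(list)
    for e in sorted(log_db, key=lambda e: e.ts):
        by_operator[e.operator].append(e)
    findings = []
    for operator, entries in by_operator.items():
        for i, start in enumerate(entries):
            in_window = [e for e in entries[i:] if e.ts - start.ts <= window]
            for title, rule in SECOND_RISK_RULES:
                if rule(in_window):
                    findings.append((title, operator, start.ts))
    return findings


def trace_operator(log_db, operator, window=WINDOW):
    """Step S150: recall one operator's full record and re-apply both rule databases to it."""
    records = [e for e in log_db if e.operator == operator]
    hits = [(title, e.ts) for e in records for title, rule in FIRST_RISK_RULES if rule(e)]
    hits += [(title, ts) for title, _, ts in offline_audit(records, window)]
    return records, hits


def run_audit(text, window=WINDOW):
    """Feed the log line by line as if it arrived live, then audit the stored log off-line."""
    log_db, realtime = [], []
    for entry in parse_log(text):
        realtime.extend(real_time_audit(entry, log_db))
    return realtime, offline_audit(log_db, window), log_db


if __name__ == "__main__":
    realtime, offline, log_db = run_audit(SAMPLE_LOG)
    for title, operator, ts in realtime:
        print(f"real-time {ts} {operator}: {title}")
    for title, operator, ts in offline:
        print(f"off-line  {ts} {operator}: {title}")
    records, hits = trace_operator(log_db, "bob")
    print(f"trace bob: {len(records)} records, {len(hits)} violations")
```

Each second-class rule is evaluated once per window start, so a long run of overlapping entries can report the same combination several times; a production version would deduplicate findings by operator and rule, and would pull the operator's record from the log store rather than from an in-memory list.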
In one embodiment of the present invention, the method shown in Fig. 1 further comprises step S160, which is divided into the following two steps:
Step S161: performing statistical analysis on the judged system intrusions and violating O&M operations, and learning regularities of system intrusions and violating O&M operations.
In this step, the learned regularities of system intrusions and violating O&M operations include one or more of the following: which systems are frequently intruded; which violating O&M operations occur frequently; the time periods in which system intrusions occur most often; the time periods in which violating O&M operations occur most often.
Step S162: determining countermeasures according to the learned regularities.
In this step, determining countermeasures according to the learned regularities includes one or more of the following: for systems that are frequently intruded, setting up targeted interception or strengthening verification; for violating O&M operations that occur frequently, raising the O&M permission threshold, or disabling the operation accounts of operators who frequently perform violating O&M operations; in the time periods in which system intrusions occur most often, setting up targeted interception and strengthening verification; in the time periods in which violating O&M operations occur most often, raising the O&M permission threshold, or disabling the operation accounts of operators who frequently perform violating O&M operations.
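As an added example of steps S161 and S162 (not code from the patent), the block below aggregates a constructed set of audit findings into the four regularities listed above and maps each to the countermeasure named for it. The patent does not specify the statistical method, so the frequency model used here is an assumption: a system, operation, operator or hour of day counts as "frequent" or "high-incidence" when its finding count is strictly above the mean count. It goes one step beyond the four listed regularities by also counting findings per operator, since the countermeasures refer to operators who frequently perform violating operations. The finding tuples, system names and operator names are constructed.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed findings (system, category, risk title, timestamp, operator); in practice
# these would be the outputs of the real-time and off-line audits accumulated over time.
SAMPLE_FINDINGS = [
    ("sysA", "intrusion", "login from abnormal location", "2024-03-01T02:10:00", "eve"),
    ("sysA", "intrusion", "login from abnormal location", "2024-03-02T02:40:00", "eve"),
    ("sysA", "intrusion", "modification of protected file", "2024-03-03T02:15:00", "mallory"),
    ("sysB", "intrusion", "login from abnormal location", "2024-03-02T14:00:00", "eve"),
    ("sysA", "violation", "mutually exclusive operations within window", "2024-03-01T23:30:00", "carol"),
    ("sysB", "violation", "mutually exclusive operations within window", "2024-03-02T23:05:00", "carol"),
    ("sysC", "violation", "logins from different locations within window", "2024-03-02T09:00:00", "bob"),
    ("sysC", "violation", "mutually exclusive operations within window", "2024-03-03T23:45:00", "carol"),
]


def _above_mean(counter):
    """Keys whose count is strictly above the mean count (the frequency model assumed here).
    With a single key or all-equal counts nothing stands out, so nothing is returned."""
    if not counter:
        return []
    threshold = mean(counter.values())
    return sorted(k for k, v in counter.items() if v > threshold)


def learn_patterns(findings):
    """Step S161: aggregate findings into the regularities named in the description."""
    intrusions = [f for f in findings if f[1] == "intrusion"]
    violations = [f for f in findings if f[1] == "violation"]
    hour = lambda f: datetime.fromisoformat(f[3]).hour
    return {
        "frequently_intruded_systems": _above_mean(Counter(f[0] for f in intrusions)),
        "frequent_violations": _above_mean(Counter(f[2] for f in violations)),
        "intrusion_peak_hours": _above_mean(Counter(map(hour, intrusions))),
        "violation_peak_hours": _above_mean(Counter(map(hour, violations))),
        "frequent_violators": _above_mean(Counter(f[4] for f in violations)),
    }


def determine_countermeasures(patterns):
    """Step S162: map each learned regularity to the countermeasure the description names."""
    measures = []
    for system in patterns["frequently_intruded_systems"]:
        measures.append((system, "set up targeted interception and strengthen verification"))
    for rule in patterns["frequent_violations"]:
        measures.append((rule, "raise the O&M permission threshold for this operation"))
    for operator in patterns["frequent_violators"]:
        measures.append((operator, "disable the operator's account"))
    for h in patterns["intrusion_peak_hours"]:
        measures.append((f"{h:02d}:00-{h + 1:02d}:00", "intercept and strengthen verification in this hour"))
    for h in patterns["violation_peak_hours"]:
        measures.append((f"{h:02d}:00-{h + 1:02d}:00", "raise the O&M permission threshold in this hour"))
    return measures


if __name__ == "__main__":
    patterns = learn_patterns(SAMPLE_FINDINGS)
    for name, value in patterns.items():
        print(f"{name}: {value}")
    for target, action in determine_countermeasures(patterns):
        print(f"{target}: {action}")
```

The hour-of-day bucketing is the simplest reading of "high-incidence period"; over a longer history one would normally bucket by weekday and hour and require a minimum absolute count before acting, so that a single noisy day does not trigger an account suspension.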
Fig. 2 shows a schematic diagram of an O&M operation auditing device according to an embodiment of the present invention. As shown in Fig. 2, the O&M operation auditing device 200 comprises:
an acquiring unit 210, adapted to obtain in real time the operation log generated by a specified system and send it to a real-time auditing unit 220 and a storage unit 230;
the real-time auditing unit 220, adapted to match the operation log obtained in real time against the first-class risk rules in a first risk rule database and, if there is a match, to determine that the system has been intruded or a violating O&M operation has occurred;
the storage unit 230, adapted to store the first risk rule database, which holds the first-class risk rules, and to store a log database, which holds the operation log;
an off-line auditing unit 240, adapted to perform off-line analysis on the operation log in the log database to judge whether the system has been intruded or a violating O&M operation has occurred.
As can be seen, the device shown in Fig. 2 matches the real-time operation log against the first-class risk rules to determine whether the O&M operation behaviour occurring in the system at the current moment is unreasonable and, if so, determines that the system has been intruded or a violating O&M operation has occurred. On this basis, since in some cases an unreasonable O&M operation behaviour is composed of several individually reasonable O&M operation behaviours and cannot be detected by matching the first-class risk rules in real time, the device shown in Fig. 2 also performs off-line analysis on the operation log of a period of time in the log database and thereby determines whether the system has been intruded or a violating O&M operation has occurred. The real-time analysis and the off-line analysis in this solution each target a different form of unreasonable O&M operation behaviour; they complement and support each other in the O&M operation auditing process, widen the scope of auditing, improve auditing accuracy, discover intrusions and violating O&M operations in the system promptly and effectively, and meet the requirements of system management.
In one embodiment of the present invention, the storage unit 230 of the device shown in Fig. 2 is further adapted to store a second risk rule database, which holds second-class risk rules. The off-line auditing unit 240 is adapted to analyze the operation log in the log database, judge whether it matches a second-class risk rule in the second risk rule database and, if so, determine that the system has been intruded or a violating O&M operation has occurred.
In one embodiment of the present invention, the first risk rule database stores each first-class risk rule together with a corresponding risk title, and the second risk rule database stores each second-class risk rule together with a corresponding risk title. Here a risk title is a descriptive name for a kind of system intrusion or the name of a kind of violating O&M operation.
Specifically, the first-class risk rules may include one or more of the following: a login operation performed from an abnormal location; an operation that modifies a specified file. The second-class risk rules may include one or more of the following: login operations performed from different locations within a time period of preset length; two or more mutually exclusive operations performed within a time period of preset length.
Fig. 3 shows a schematic diagram of an O&M operation auditing device according to another embodiment of the present invention. As shown in Fig. 3, the O&M operation auditing device 300 comprises: an acquiring unit 310, a real-time auditing unit 320, a storage unit 330, an off-line auditing unit 340, a violation tracing unit 350, a learning unit 360 and a countermeasure unit 370.
The acquiring unit 310, real-time auditing unit 320, storage unit 330 and off-line auditing unit 340 are respectively identical to the acquiring unit 210, real-time auditing unit 220, storage unit 230 and off-line auditing unit 240 shown in Fig. 2, and are not described again here.
The violation tracing unit 350 is adapted, when a violating O&M operation has occurred, to determine the operator of the violating O&M operation from the log database, and further to recall the O&M operation record of that operator from the log database to perform a further violation judgement.
In a specific embodiment, the violation tracing unit 350 is adapted to judge, according to the risk rules in the first risk rule database and/or the second risk rule database, whether the recalled O&M operation record of the operator contains a violating operation.
The learning unit 360 is adapted to perform statistical analysis on the judged system intrusions and violating O&M operations and to learn regularities of system intrusions and violating O&M operations.
In a specific embodiment, the learning unit 360 is adapted to learn one or more of the following regularities of system intrusions and violating O&M operations: which systems are frequently intruded; which violating O&M operations occur frequently; the time periods in which system intrusions occur most often; the time periods in which violating O&M operations occur most often.
The countermeasure unit 370 is adapted to determine countermeasures according to the learned regularities.
In a specific embodiment, the countermeasures determined by the countermeasure unit 370 include one or more of the following: for systems that are frequently intruded, setting up targeted interception or strengthening verification; for violating O&M operations that occur frequently, raising the O&M permission threshold, or disabling the operation accounts of operators who frequently perform violating O&M operations; in the time periods in which system intrusions occur most often, setting up targeted interception and strengthening verification; in the time periods in which violating O&M operations occur most often, raising the O&M permission threshold, or disabling the operation accounts of operators who frequently perform violating O&M operations.
The embodiments of the devices shown in Fig. 2 and Fig. 3 correspond to the embodiments of the method shown in Fig. 1, which have been described in detail above and are not repeated here.
In conclusion, the technical solution provided by the present invention matches the real-time operation log against the first-class risk rules to determine whether the O&M operation behaviour occurring in the system at the current moment is unreasonable and, if so, determines that the system has been intruded or a violating O&M operation has occurred. On this basis, since in some cases an unreasonable O&M operation behaviour is composed of several individually reasonable O&M operation behaviours and cannot be detected by matching the first-class risk rules in real time, the device shown in Fig. 2 also performs off-line analysis on the operation log of a period of time in the log database and thereby determines whether the system has been intruded or a violating O&M operation has occurred. The real-time analysis and the off-line analysis in this technical solution thus each target a different form of unreasonable O&M operation behaviour; they complement and support each other in the O&M operation auditing process, widen the scope of auditing, improve auditing accuracy, and discover intrusions and violating O&M operations in the system promptly and effectively. Further, by tracing back the O&M operations of an operator, and by learning the regularities of the intrusions and violating O&M operations present in the system, the causes of problems are located and corresponding remediation and prevention strategies are formulated, which improves the audit security of the monitored system and meets the requirements of system management.
It should be understood that the algorithms and displays provided herein are not inherently related to any particular computer, virtual device or other equipment. Various general-purpose devices may also be used with the teachings herein. The structure required to construct such devices is apparent from the description above. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented using various programming languages, and that the description above of a specific language is given to disclose the preferred embodiment of the present invention.
In the specification provided here, numerous specific details are set forth. It is to be appreciated, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the specific embodiments are hereby expressly incorporated into those specific embodiments, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, any combination may be used to combine all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of an O&M operation audit device according to an embodiment of the present invention. The present invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, and third does not indicate any ordering; these words may be interpreted as names.
The present invention provides A1, an O&M operation auditing method, wherein the method comprises:
pre-storing first-class risk rules in a first risk rule database;
obtaining in real time the operation log generated by a designated system, and matching the operation log obtained in real time against the first-class risk rules in the first risk rule database; if there is a match, determining that there is a case of the system being intruded or of an O&M violation operation;
storing the obtained operation log in a log database;
performing offline analysis on the operation logs in the log database to determine whether there is a case of the system being intruded or of an O&M violation operation.
A2, the method as described in A1, wherein the method further comprises: pre-storing second-class risk rules in a second risk rule database;
the performing offline analysis on the operation logs in the log database to determine whether there is a case of the system being intruded or of an O&M violation operation comprises: analysing the operation logs in the log database to determine whether there is a case matching the second-class risk rules in the second risk rule database, and if so determining that there is a case of the system being intruded or of an O&M violation operation.
A3, the method as described in A2, wherein
first-class risk rules and risk titles are stored in correspondence in the first risk rule database; second-class risk rules and risk titles are stored in correspondence in the second risk rule database;
the risk titles are: descriptive titles of the various situations in which the system is intruded, or titles of the various kinds of O&M violation operations.
A4, the method as described in A2, wherein
the first-class risk rules include one or more of the following:
a login operation performed at an abnormal time point;
an operation modifying a specified file;
the second-class risk rules include one or more of the following:
login operations performed at different locations within a time period of preset length;
two or more mutually exclusive operations performed within a time period of preset length.
A5, the method as described in A2, wherein the method further comprises:
when it is determined that there is a case of an O&M violation operation, determining the operator of the O&M violation operation according to the log database, and further tracing back the O&M operation records of that operator according to the log database to perform further violation-operation judgement.
A6, the method as described in A5, wherein the further tracing back the O&M operation records of the operator according to the log database to perform further violation-operation judgement comprises:
judging, according to the risk rules in the first risk rule database and/or the second risk rule database, whether there are violation operations in the traced-back O&M operation records of the operator.
A7, the method as described in A1, wherein the method further comprises:
performing statistical analysis on the determined cases of the system being intruded and of O&M violation operations, to learn the patterns of system intrusion and O&M violation operations;
determining countermeasures according to the learnt patterns.
A8, the method as described in A7, wherein the learnt patterns of system intrusion and O&M violation operations include one or more of the following:
which systems are frequently intruded;
which O&M violation operations occur frequently;
high-incidence periods of system intrusion;
high-incidence periods of O&M violation operations.
A9, the method as described in A8, wherein determining countermeasures according to the learnt patterns includes one or more of the following:
for systems that are frequently intruded, setting targeted interception operations or raising verification strength;
for O&M violation operations that occur frequently, raising the O&M operating-permission threshold or closing the operation accounts of operators who frequently perform O&M violation operations;
during high-incidence periods of system intrusion, setting targeted interception operations and raising verification strength;
during high-incidence periods of O&M violation operations, raising the O&M operating-permission threshold or closing the operation accounts of operators who frequently perform O&M violation operations.
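As an added illustration of claims A1 to A6 (example code written for this page, not from the patent), the following Python sketch applies first-class rules to single records in real time, applies second-class rules offline by correlating records of one operator inside a time window, and traces back one operator's records with both rule sets; the log records, the protected-file list, the mutually exclusive operation pair and the 30-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample operation log (assumed record format; not taken from the patent).
LOGS = [
    {"ts": "2024-03-01T02:10:00", "op": "alice", "sys": "db01", "action": "login", "loc": "Beijing"},
    {"ts": "2024-03-01T02:12:00", "op": "alice", "sys": "db01", "action": "modify_file", "target": "/etc/sudoers"},
    {"ts": "2024-03-01T10:00:00", "op": "bob", "sys": "web01", "action": "login", "loc": "Shanghai"},
    {"ts": "2024-03-01T10:20:00", "op": "bob", "sys": "web02", "action": "login", "loc": "Shenzhen"},
    {"ts": "2024-03-01T11:00:00", "op": "carol", "sys": "app01", "action": "disable_audit"},
    {"ts": "2024-03-01T11:05:00", "op": "carol", "sys": "app01", "action": "enable_audit"},
]
PROTECTED_FILES = {"/etc/sudoers", "/etc/passwd"}               # assumed "specified files"
MUTEX_PAIRS = {frozenset({"disable_audit", "enable_audit"})}    # assumed mutually exclusive pair

def ts(rec):
    return datetime.fromisoformat(rec["ts"])
# First-class risk rules: risk title -> predicate decidable from one record (claims A3/A4).
FIRST_CLASS_RULES = {
    "login at abnormal time": lambda r: r["action"] == "login" and ts(r).hour < 6,
    "modification of specified file":
        lambda r: r["action"] == "modify_file" and r.get("target") in PROTECTED_FILES,
}
def realtime_audit(rec):
    """Real-time audit: match one newly received record against the first-class rules."""
    return [title for title, pred in FIRST_CLASS_RULES.items() if pred(rec)]

def offline_audit(logs, window=timedelta(minutes=30)):
    """Offline audit: second-class rules correlate several records of one operator in a window."""
    by_op = defaultdict(list)
    for r in sorted(logs, key=ts):
        by_op[r["op"]].append(r)
    findings = []
    for op, recs in by_op.items():
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if ts(b) - ts(a) > window:
                    break                     # records are sorted, so later ones are outside too
                if a["action"] == b["action"] == "login" and a["loc"] != b["loc"]:
                    findings.append((op, "login from different locations", a["ts"], b["ts"]))
                if frozenset({a["action"], b["action"]}) in MUTEX_PAIRS:
                    findings.append((op, "mutually exclusive operations", a["ts"], b["ts"]))
    return findings

def trace_operator(logs, operator, window=timedelta(minutes=30)):
    """Violation tracing (A5/A6): re-audit every record of the identified operator with both rule sets."""
    own = [r for r in logs if r["op"] == operator]
    hits = [(r["ts"], title) for r in own for title in realtime_audit(r)]
    hits += [(f[2], f[1]) for f in offline_audit(own, window)]
    return hits
```

The two login records of bob are individually unremarkable and only become a finding when the offline pass correlates them, which is the case the patent gives for needing the second rule set.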
The present invention also provides B10, an O&M operation audit device, wherein the device comprises:
an acquiring unit, adapted to obtain in real time the operation log generated by a designated system and send it to a real-time auditing unit and a storage unit;
the real-time auditing unit, adapted to match the operation log obtained in real time against the first-class risk rules in a first risk rule database and, if there is a match, determine that there is a case of the system being intruded or of an O&M violation operation;
the storage unit, adapted to store the first risk rule database, which is used to store the first-class risk rules, and adapted to store a log database, which is used to store operation logs;
an offline auditing unit, adapted to perform offline analysis on the operation logs in the log database to determine whether there is a case of the system being intruded or of an O&M violation operation.
B11, the device as described in B10, wherein
the storage unit is further adapted to store a second risk rule database, which is used to store second-class risk rules;
the offline auditing unit is adapted to analyse the operation logs in the log database to determine whether there is a case matching the second-class risk rules in the second risk rule database, and if so determine that there is a case of the system being intruded or of an O&M violation operation.
B12, the device as described in B11, wherein
first-class risk rules and risk titles are stored in correspondence in the first risk rule database; second-class risk rules and risk titles are stored in correspondence in the second risk rule database;
the risk titles are: descriptive titles of the various situations in which the system is intruded, or titles of the various kinds of O&M violation operations.
B13, the device as described in B11, wherein
the first-class risk rules include one or more of the following:
a login operation performed at an abnormal time point;
an operation modifying a specified file;
the second-class risk rules include one or more of the following:
login operations performed at different locations within a time period of preset length;
two or more mutually exclusive operations performed within a time period of preset length.
B14, the device as described in B11, wherein the device further comprises:
a violation tracing unit, adapted to, when there is a case of an O&M violation operation, determine the operator of the O&M violation operation according to the log database, and further adapted to trace back the O&M operation records of that operator according to the log database to perform further violation-operation judgement.
B15, the device as described in B14, wherein
the violation tracing unit is adapted to judge, according to the risk rules in the first risk rule database and/or the second risk rule database, whether there are violation operations in the traced-back O&M operation records of the operator.
B16, the device as described in B10, wherein the device further comprises:
a unit adapted to perform statistical analysis on the determined cases of the system being intruded and of O&M violation operations, to learn the patterns of system intrusion and O&M violation operations;
a countermeasure unit, adapted to determine countermeasures according to the learnt patterns.
B17, the device as described in B16, wherein the unit is adapted to learn one or more of the following patterns of system intrusion and O&M violation operations:
which systems are frequently intruded;
which O&M violation operations occur frequently;
high-incidence periods of system intrusion;
high-incidence periods of O&M violation operations.
B18, the device as described in B17, wherein the countermeasures determined by the countermeasure unit include one or more of the following:
for systems that are frequently intruded, setting targeted interception operations or raising verification strength;
for O&M violation operations that occur frequently, raising the O&M operating-permission threshold or closing the operation accounts of operators who frequently perform O&M violation operations;
during high-incidence periods of system intrusion, setting targeted interception operations and raising verification strength;
during high-incidence periods of O&M violation operations, raising the O&M operating-permission threshold or closing the operation accounts of operators who frequently perform O&M violation operations.