CN106254163A - Method and device for monitoring the USB ports of computers in a LAN - Google Patents

Method and device for monitoring the USB ports of computers in a LAN

Info

Publication number
CN106254163A
Authority
CN
China
Prior art keywords
port
usb
data
usb device
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610863914.XA
Other languages
Chinese (zh)
Other versions
CN106254163B (en)
Inventor
朱伟
卫世光
黄朝强
刘建林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
GUANGZHOU CHINASOFT INFORMATION TECHNOLOGY Co Ltd
Original Assignee
GUANGZHOU CHINASOFT INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by GUANGZHOU CHINASOFT INFORMATION TECHNOLOGY Co Ltd
Priority to CN201610863914.XA
Publication of CN106254163A
Application granted
Publication of CN106254163B
Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

The invention discloses a method for monitoring the USB ports of computers in a LAN, comprising: obtaining the original port data of the USB ports of the computers on the same LAN, where the original port data includes record data of USB devices being plugged into or unplugged from the USB ports; preprocessing the original port data to obtain standard port data; and comparing the standard port data with a blacklist/whitelist to determine whether the plugging or unplugging of the USB device at the USB port is legitimate. Correspondingly, the invention also discloses a device for monitoring the USB ports of computers in a LAN. With the embodiments of the invention, the USB plug status of the computers in a LAN can be monitored in real time, and it can be determined whether the USB device currently connected to a USB port is legitimate.

Description

Method and device for monitoring the USB ports of computers in a LAN
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for monitoring the USB ports of computers in a LAN.
Background
Electric power dispatching systems are currently equipped with a series of information security products, such as firewalls, antivirus software and isolation gap devices, which to some extent prevent information leakage and intrusion from external networks. However, of all information security incidents, more than 70% occur on the internal network, more than 85% of security threats come from inside the organization, and 16% come from unauthorized internal access. Because removable storage media (USB flash drives and the like) are very convenient to use, they have become a common tool for exchanging data between networked hosts. If arbitrary removable storage media are allowed to connect to an organization's internal network for data exchange, Trojans and viruses may spread and infect hosts through those media, bringing risk to the security of the internal network; in particular, the "Stuxnet" virus incident at the Iranian nuclear power station was caused mainly by the illegitimate use of USB flash drives.
Therefore, data transfer over USB ports is generally monitored, and conventional USB port monitoring mainly uses the following two approaches:
The first is Agent + server (C/S): an Agent collects information about device insertion and removal at the USB port and uploads it to the server.
The second is stand-alone monitoring: information about device insertion and removal at the USB port is collected by calling the Setup API family of functions, for security early warning and after-the-fact tracing.
Prior-art monitoring of USB ports has the following defects:
The first is the agent monitoring approach: an agent is installed on the monitored host system, and the agent program monitors the insertion and removal of USB devices, calls the host system's USB Setup API family of functions or USB bus functions, collects the related status information, and disables or enables particular categories of USB devices. The biggest defect of this approach is security: the user can manually re-enable the device, and the agent process may also be terminated by the user. In addition, because the application software sits at a high level and places requirements on the host operating system, not every host OS can be monitored, so the monitoring range is narrow.
The second is USB protection plug monitoring, which consists of a set of external hardware (including a USB interface, a PCB and so on) and mainly blocks immediately and then raises an alarm, but it runs the risk of being easily discovered and removed.
Summary of the invention
The method for monitoring the USB ports of computers in a LAN proposed by the embodiments of the invention can monitor the USB plug status of the computers in the LAN in real time and determine whether the USB device currently connected to a USB port is legitimate.
In a first aspect, an embodiment of the invention provides a method for monitoring the USB ports of computers in a LAN, comprising:
Obtaining the original port data of the USB ports of the computers on the same LAN, where the original port data includes record data of USB devices being plugged into or unplugged from the USB ports;
Preprocessing the original port data to obtain standard port data;
Comparing the standard port data with a blacklist/whitelist to determine whether the plugging or unplugging of the USB device at the USB port is legitimate.
Further, obtaining the original port data of the USB ports of the computers on the same LAN includes:
At frequency H, obtaining via the WMI protocol the original port data of the USB ports of all computers on the same LAN that run a Windows operating system, and obtaining via the SSH protocol the original port data of the USB ports of all computers on the LAN that run a Linux or Unix operating system;
Receiving via the UDP protocol the log records corresponding to the USB ports of the computers on the LAN, as the original port data of the USB ports.
Further, the record data of a USB device being plugged into or unplugged from the USB port specifically comprises: the serial number of the USB device, the time at which the USB device was plugged into or unplugged from the USB port, the IP address of the computer to which the USB port belongs, the MAC address of that computer, and whether the operation performed by the USB device was a read or a write.
Then, processing the original port data to obtain standard port data is specifically:
According to a standardization algorithm, standardizing each item of status data recorded for the USB device at the USB port, obtaining first port data;
According to a normalization algorithm, associating all data in the first port data that relates to the same USB device, obtaining second port data;
According to a data feature extraction algorithm, extracting from the second port data the data that shares features with the blacklist/whitelist, as the standard port data.
Still further, comparing the standard port data with the blacklist/whitelist to determine whether the plugging or unplugging of the USB device at the USB port is legitimate is specifically:
Loading the blacklist/whitelist from a database;
Comparing the standard port data with the blacklist/whitelist, and determining whether the serial number of each USB device contained in the standard port data is recorded in the blacklist/whitelist;
When a USB device serial number in the standard port data is recorded in the blacklist of the blacklist/whitelist, outputting an alarm carrying the serial number information of that blacklisted USB device, indicating that the USB device was illegally plugged or unplugged at its corresponding USB port;
When a USB device serial number in the standard port data is not recorded in the blacklist/whitelist, querying the system as to whether to add the information of that unrecorded serial number to the blacklist/whitelist; if so, entering the procedure for adding to the blacklist/whitelist;
When a USB device serial number in the standard port data is recorded in the whitelist of the blacklist/whitelist, adding the information recorded in the second port data for that whitelisted USB device to the history record, for traceability.
Further, when a USB device serial number in the standard port data is recorded in the blacklist of the blacklist/whitelist, the method also includes:
When the computer whose USB port the blacklisted USB device is plugged into runs a Windows system, blocking the communication connection between the USB port and the USB device via the WMI protocol;
When the computer whose USB port the blacklisted USB device is plugged into runs a Linux or Unix system, blocking the communication connection between the USB port and the USB device via the SSH protocol.
In a second aspect, the invention also provides a device for monitoring the USB ports of computers in a LAN, comprising:
A port data acquisition module, configured to obtain the original port data of the USB ports of the computers on the same LAN, where the original port data includes record data of USB devices being plugged into or unplugged from the USB ports;
A preprocessing module, configured to preprocess the original port data to obtain standard port data;
A data comparison module, configured to compare the standard port data with the blacklist/whitelist to determine whether the plugging or unplugging of the USB device at the USB port is legitimate.
Further, the port data acquisition module specifically includes:
A data acquisition unit, configured to obtain, at frequency H and via the WMI protocol, the original port data of the USB ports of all computers on the same LAN that run a Windows operating system, and to obtain via the SSH protocol the original port data of the USB ports of all computers on the LAN that run a Linux or Unix operating system;
A data receiving unit, configured to receive via the UDP protocol the log records corresponding to the USB ports of the computers on the LAN, as the original port data of the USB ports.
Further, the record data of a USB device being plugged into or unplugged from the USB port specifically comprises: the serial number of the USB device, the time at which the USB device was plugged into or unplugged from the USB port, the IP address of the computer to which the USB port belongs, the MAC address of that computer, and whether the operation performed by the USB device was a read or a write.
Then, the preprocessing module specifically includes:
A standardization unit, configured to standardize, according to a standardization algorithm, each item of status data recorded for the USB device at the USB port, obtaining first port data;
A normalization unit, configured to associate, according to a normalization algorithm, all data in the first port data that relates to the same USB device, obtaining second port data;
A data extraction unit, configured to extract from the second port data, according to a data feature extraction algorithm, the data that shares features with the blacklist/whitelist, as the standard port data.
Still further, the data comparison module specifically includes:
A list loading unit, configured to load the blacklist/whitelist from a database;
A judging unit, configured to compare the standard port data with the blacklist/whitelist and determine whether the serial number of each USB device contained in the standard port data is recorded in the blacklist/whitelist;
An alarm output unit, configured to output, when a USB device serial number in the standard port data is recorded in the blacklist of the blacklist/whitelist, an alarm carrying the serial number information of that blacklisted USB device, indicating that the USB device was illegally plugged or unplugged at its corresponding USB port;
A list information adding unit, configured to query the system, when a USB device serial number in the standard port data is not recorded in the blacklist/whitelist, as to whether to add the information of that unrecorded serial number to the blacklist/whitelist; if so, the procedure for adding to the blacklist/whitelist is entered;
A history storage unit, configured to add, when a USB device serial number in the standard port data is recorded in the whitelist of the blacklist/whitelist, the information recorded in the second port data for that whitelisted USB device to the history record, for traceability.
Further, the data comparison module also includes:
A first blocking unit, configured to block the communication connection between the USB port and the USB device via the WMI protocol when the computer whose USB port the blacklisted USB device is plugged into runs a Windows system;
A second blocking unit, configured to block the communication connection between the USB port and the USB device via the SSH protocol when the computer whose USB port the blacklisted USB device is plugged into runs a Linux or Unix system.
Implementing the embodiments of the invention has the following beneficial effects:
The method and device for monitoring the USB ports of computers in a LAN provided by the embodiments of the invention obtain the original port data of the USB ports of the computers on the same LAN, and can use different protocols to collect the USB port status information in the LAN in real time. The standard port data obtained after preprocessing is compared with the blacklist/whitelist, which makes it possible to determine whether the plugging or unplugging of the USB device at the USB port is legitimate, to raise an alarm for an illegally connected USB device, and to block or disable the USB port that the illegally connected USB device is plugged into. In addition, the invention collects from the computers' USB ports using an agentless collection technique, which allows very flexible configuration, is quick and easy to deploy, improves monitoring efficiency, and is safe and convenient.
Brief description of the drawings
Fig. 1 is a schematic flowchart of an embodiment of the method for monitoring the USB ports of computers in a LAN provided by the invention;
Fig. 2 is a flowchart of step S3 of the method for monitoring the USB ports of computers in a LAN shown in Fig. 1;
Fig. 3 is a schematic structural diagram of an embodiment of the device for monitoring the USB ports of computers in a LAN provided by the invention;
Fig. 4 is a schematic structural diagram of an embodiment of the port data acquisition module of the device for monitoring the USB ports of computers in a LAN provided by the invention;
Fig. 5 is a schematic structural diagram of an embodiment of the preprocessing module of the device for monitoring the USB ports of computers in a LAN provided by the invention;
Fig. 6 is a schematic structural diagram of an embodiment of the data comparison module of the device for monitoring the USB ports of computers in a LAN provided by the invention.
Detailed description of the invention
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the scope of protection of the invention.
See Fig. 1, a schematic flowchart of an embodiment of the method for monitoring the USB ports of computers in a LAN provided by the invention. The method is executed by a system server and includes steps S1 to S3, specifically:
S1, obtain the original port data of the USB ports of the computers on the same LAN, where the original port data includes record data of USB devices being plugged into or unplugged from the USB ports;
S2, preprocess the original port data to obtain standard port data;
S3, compare the standard port data with the blacklist/whitelist to determine whether the plugging or unplugging of the USB device at the USB port is legitimate.
Note that the method for monitoring the USB ports of computers in a LAN provided by the invention does not use a Manager-Agent architecture: no agent program (Agent) needs to be installed on the monitored computers. The server alone obtains a series of status data about the USB ports from the monitored computers over specific transport protocols, and therefore does not consume the resources of the monitored computers. In addition, because the invention uses an agentless collection technique, it allows very flexible configuration, is quick and easy to deploy, and makes system upgrades or updates easier.
Further, the specific implementation of step S1 above includes:
At frequency H, obtaining via the WMI protocol the original port data of the USB ports of all computers on the same LAN that run a Windows operating system, and obtaining via the SSH protocol the original port data of the USB ports of all computers on the LAN that run a Linux or Unix operating system;
Receiving via the UDP protocol the log records corresponding to the USB ports of the computers on the LAN, as the original port data of the USB ports.
Note that because the monitored LAN contains a considerable number of computers, and different computers run different operating systems, generally a Windows operating system or a Linux or Unix operating system, the communication protocol used for collection differs: data transfer with computers running a Windows operating system uses the WMI protocol, and data transfer with computers running a Linux or Unix operating system uses the SSH protocol. In addition, when a USB device is plugged into the USB port of a computer in the monitored LAN, that computer's log service, for example Usb-syslog or syslog, records the plug record data for the USB port and multicasts the logged record data via the UDP protocol to a multicast address specified by agreement; the server executing this method then receives the log record data from that multicast address.
Further, the record data of a USB device being plugged into or unplugged from the USB port specifically comprises: the serial number of the USB device, the time at which the USB device was plugged into or unplugged from the USB port, the IP address of the computer to which the USB port belongs, the MAC address of that computer, and whether the operation performed by the USB device was a read or a write. Note that, besides the above information, the record data may also include the person responsible and the department responsible for the USB device, the plug type (whether the USB device was inserted into or removed from the USB port), and so on, obtained as required.
Then, the specific implementation of step S2 above includes:
According to a standardization algorithm, standardizing each item of status data recorded for the USB device at the USB port, obtaining first port data;
According to a normalization algorithm, associating all data in the first port data that relates to the same USB device, obtaining second port data;
According to a data feature extraction algorithm, extracting from the second port data the data that shares features with the blacklist/whitelist, as the standard port data.
Note that because the data collected from systems running different operating systems differs in format and contains repeated information, the standardization algorithm formats the collected data to a unified standard and filters or merges the repeated information. Because the standardized first port data has not yet been associated, it is not easy to find the corresponding information quickly later on, so association processing is needed to obtain the second port data. Moreover, because not all of the acquired port data is used for comparison with the blacklist/whitelist, the data that shares features with the blacklist/whitelist is extracted from the second port data for the comparison, which improves the efficiency of the subsequent comparison; the remaining information can be used for subsequent alarms, history records and so on.
Still further, see Fig. 2, a flowchart of step S3 of the method for monitoring the USB ports of computers in a LAN shown in Fig. 1. The specific implementation of step S3 above is described with reference to Fig. 2 as follows:
Load the blacklist/whitelist from a database;
Compare the standard port data with the blacklist/whitelist, and determine whether the serial number of each USB device contained in the standard port data is recorded in the blacklist/whitelist;
When a USB device serial number in the standard port data is recorded in the blacklist of the blacklist/whitelist, output an alarm carrying the serial number information of that blacklisted USB device, indicating that the USB device was illegally plugged or unplugged at its corresponding USB port;
When a USB device serial number in the standard port data is not recorded in the blacklist/whitelist, query the system as to whether to add the information of that unrecorded serial number to the blacklist/whitelist; if so, enter the procedure for adding to the blacklist/whitelist. Before the query, an alarm notification may also be issued first.
When a USB device serial number in the standard port data is recorded in the whitelist of the blacklist/whitelist, add the information recorded in the second port data for that whitelisted USB device to the history record, for traceability.
Note that when an alarm is output, the alarm modes include: first, page query: the current display interface shows the latest alarm information, provides a function for querying historical alarm information, and can display the current alarm level by grade; second, work order dispatch: alarms that meet the requirements need a work order to be submitted for procedural handling, and the work order can be handled in an IT service management system or the "letter adjust" flow system. The details of the work order business process need to be defined separately. Third, audible and visual prompts: different sounds and/or color combinations are used, according to the grade of the alarm, to alert operations and maintenance staff; fourth, push alarms: the alarm information is pushed to the operations and maintenance staff associated with the device.
Further, in the specific implementation of step S3 above, when a USB device serial number in the standard port data is recorded in the blacklist of the blacklist/whitelist, the method also includes:
When the computer whose USB port the blacklisted USB device is plugged into runs a Windows system, blocking the communication connection between the USB port and the USB device via the WMI protocol;
When the computer whose USB port the blacklisted USB device is plugged into runs a Linux or Unix system, blocking the communication connection between the USB port and the USB device via the SSH protocol.
Note that when a USB device serial number in the standard port data is recorded in the blacklist of the blacklist/whitelist, this means the USB device has been illegally connected to its corresponding USB port, so a command script for remotely blocking or disabling the USB port is invoked to interrupt or disable the communication connection between the USB port and the USB device.
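The preprocessing of step S2 and the list comparison of step S3, as an added Python example that is not code from the patent: the record field names, the log line format, the serial numbers and the list contents are constructed for illustration, timestamps are assumed to share one time zone, and blocking is only reported as the channel (WMI or SSH) the description names.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed lists; the patent loads the blacklist/whitelist from a database.
BLACKLIST = {"4C530001230506118294"}
WHITELIST = {"AA00000000000489"}

@dataclass(frozen=True)
class PlugRecord:
    serial: str      # USB device serial number (the feature matched against the lists)
    time: datetime   # time of the plug event
    ip: str          # IP address of the monitored computer
    mac: str         # MAC address of the monitored computer
    mode: str        # "read" or "write"
    os: str          # "windows" or "linux"; selects WMI or SSH for blocking

def canonical_mac(value):
    """Canonical MAC: twelve hex digits, lower case, colon separated."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def canonical_mode(value):
    """Map the per-source spellings of the operation to 'read' or 'write'."""
    return {"r": "read", "read": "read", "w": "write", "write": "write"}[value.strip().lower()]

def from_wmi(row):
    """Standardize one row polled from a Windows host (constructed field names)."""
    return PlugRecord(
        serial=row["Serial"].strip().upper(),
        time=datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S"),
        ip=row["IP"].strip(),
        mac=canonical_mac(row["MAC"]),
        mode=canonical_mode(row["Mode"]),
        os="windows",
    )

SYSLOG_RE = re.compile(
    r"^(?P<time>\S+) host=(?P<ip>\S+) mac=(?P<mac>\S+) "
    r"usb serial=(?P<serial>\S+) mode=(?P<mode>\S+)$"
)

def from_syslog(line):
    """Standardize one log line received over UDP (constructed line format)."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable record: {line!r}")
    return PlugRecord(
        serial=m["serial"].upper(),
        time=datetime.strptime(m["time"], "%Y-%m-%dT%H:%M:%SZ"),
        ip=m["ip"],
        mac=canonical_mac(m["mac"]),
        mode=canonical_mode(m["mode"]),
        os="linux",
    )

def associate(records):
    """Drop repeated records, then group the rest by device serial, oldest first."""
    grouped = defaultdict(list)
    for rec in sorted(set(records), key=lambda r: r.time):
        grouped[rec.serial].append(rec)
    return dict(grouped)

def judge(grouped):
    """Compare each serial with the lists; return (serial, verdict, block_via) tuples."""
    results = []
    for serial, events in sorted(grouped.items()):
        if serial in BLACKLIST:
            # Alarm, and name the channel the description uses for that host's OS.
            channel = "WMI" if events[-1].os == "windows" else "SSH"
            results.append((serial, "alarm", channel))
        elif serial in WHITELIST:
            results.append((serial, "history", None))   # record for traceability
        else:
            results.append((serial, "query", None))     # ask whether to add to a list
    return results

# Constructed sample input: the same Windows event reported twice in different
# spellings, plus two log lines from a Linux host.
WMI_ROWS = [
    {"Serial": " 4c530001230506118294", "Time": "2016-09-28 10:15:02",
     "IP": "10.0.0.21", "MAC": "00-1A-2B-3C-4D-5E", "Mode": "W"},
    {"Serial": "4C530001230506118294", "Time": "2016-09-28 10:15:02",
     "IP": "10.0.0.21", "MAC": "001a2b3c4d5e", "Mode": "write"},
]
SYSLOG_LINES = [
    "2016-09-28T10:16:40Z host=10.0.0.35 mac=00:1a:2b:3c:4d:5f usb serial=aa00000000000489 mode=read",
    "2016-09-28T10:20:11Z host=10.0.0.35 mac=00:1A:2B:3C:4D:5F usb serial=0123456789ABCDEF mode=write",
]

def run_sample():
    records = [from_wmi(r) for r in WMI_ROWS] + [from_syslog(l) for l in SYSLOG_LINES]
    return judge(associate(records))

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

Matching on the serial only after standardization matters here: the two Windows rows differ in case, whitespace and MAC notation and would otherwise be counted as separate events.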
The method for monitoring the USB ports of computers in a LAN provided by the invention obtains the original port data of the USB ports of the computers on the same LAN, and can use different protocols to collect the USB port status information in the LAN in real time. The standard port data obtained after preprocessing is compared with the blacklist/whitelist, which makes it possible to determine whether the plugging or unplugging of the USB device at the USB port is legitimate, to raise an alarm for an illegally connected USB device, and to block or disable the USB port that the illegally connected USB device is plugged into. In addition, the invention collects from the computers' USB ports using an agentless collection technique, which allows very flexible configuration, is quick and easy to deploy, improves monitoring efficiency, and is safe and convenient.
Refer to Fig. 3, a schematic structural diagram of an embodiment of the device for monitoring the USB ports of computers in a LAN provided by the invention;
In a second aspect, the invention also provides a device for monitoring the USB ports of computers in a LAN, which can implement the entire flow of the method for monitoring the USB ports of computers in a LAN provided above. The device includes:
A port data acquisition module 10, configured to obtain the original port data of the USB ports of the computers on the same LAN, where the original port data includes record data of USB devices being plugged into or unplugged from the USB ports;
A preprocessing module 20, configured to preprocess the original port data to obtain standard port data;
A data comparison module 30, configured to compare the standard port data with the blacklist/whitelist to determine whether the plugging or unplugging of the USB device at the USB port is legitimate.
Further, see Fig. 4, which is a structural schematic diagram of an embodiment of the port data acquisition module of the device for monitoring the USB ports of computers in a LAN provided by the present invention. The port data acquisition module 10 specifically includes:
Data acquisition unit 11, for obtaining, at a frequency H, the original port data of the USB ports of all computers in the same LAN that run a Windows operating system through the WMI protocol, and obtaining the original port data of the USB ports of all computers in the LAN that run a Linux or Unix operating system through the SSH protocol;
Data receiving unit 12, for receiving, through the UDP protocol, the log records corresponding to the USB ports of the computers in the LAN as the original port data of the USB ports.
Further, the record data of the USB device being plugged into the USB port are specifically: the serial number of the USB device, the time at which the USB device is plugged into the USB port, the IP address of the computer corresponding to the USB port, the MAC address of the computer corresponding to the USB port, and the mode, read or write, of the operation performed by the USB device.
See Fig. 5, which is a structural schematic diagram of an embodiment of the preprocessing module of the device for monitoring the USB ports of computers in a LAN provided by the present invention.
The preprocessing module 20 then specifically includes:
Standardization unit 21, for standardizing, according to a standardization algorithm, each item of status data of the USB device being plugged into the USB port, to obtain first port data;
Normalization unit 22, for associating, according to a normalization algorithm, all the data contained in the first port data that relate to the corresponding USB device, to obtain second port data;
Data extraction unit 23, for extracting from the second port data, according to a data feature extraction algorithm, the data having the same features as the black-and-white list, as the standard port data.
Still further, see Fig. 6, which is a structural schematic diagram of an embodiment of the data comparison module of the device for monitoring the USB ports of computers in a LAN provided by the present invention. The data comparison module 30 specifically includes:
List loading unit 31, for loading the black-and-white list from a database;
Judging unit 32, for comparing the standard port data with the black-and-white list and judging whether the serial number of the USB device contained in the standard port data is recorded in the black-and-white list;
Alarm output unit 33, for outputting, when the serial number of a USB device in the standard port data is recorded in the blacklist of the black-and-white list, an alarm carrying the serial number information of the USB device of the standard port data that is recorded in the blacklist, prompting that the USB device has been illegally plugged into or pulled out of the USB port corresponding to the USB device;
List information adding unit 34, for querying the system, when the serial number of a USB device in the standard port data is not recorded in the black-and-white list, whether to add the serial number information of the USB device of the standard port data that is not recorded in the black-and-white list to the black-and-white list; if so, entering the flow for adding to the black-and-white list;
History keeping unit 35, for adding, when the serial number of a USB device in the standard port data is recorded in the whitelist of the black-and-white list, the information recorded in the second port data that corresponds to the USB device of the standard port data recorded in the whitelist to the history record, for tracing.
Further, the data comparison module 30 also includes:
First blocking unit 36, for blocking the communication connection between the USB port and the USB device through the WMI protocol when the operating system run by the computer corresponding to the USB port that the USB device of the standard port data recorded in the blacklist is plugged into or pulled out of is a Windows system;
Second blocking unit 37, for blocking the communication connection between the USB port and the USB device through the SSH protocol when the operating system run by the computer corresponding to the USB port that the USB device of the standard port data recorded in the blacklist is plugged into or pulled out of is a Linux or Unix system.
The device for monitoring the USB ports of computers in a LAN provided by the present invention obtains the original port data of the USB ports of the computers in the same LAN, and can use different protocols to collect the USB port status information in this LAN in real time. By comparing the standard port data obtained after preprocessing with the black-and-white list, it can judge whether the USB device is legally plugged into the USB port, raise an alarm for an illegally accessed USB device, and block or disable the illegally accessed USB device and the USB port it accesses. In addition, the present invention uses agentless collection technology to collect data from the USB ports of the computers; it has a more flexible configuration mode, is quick and easy to configure, can improve monitoring efficiency, and is safe and convenient.
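The preprocessing units 21 to 23 and the comparison units 31 to 37 described above can be sketched as follows. This is an added example, not code from the patent: the sample records, the list contents, the `os` field and all function names are assumptions, and blocking is represented only as a decision that names the channel (WMI or SSH).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data). Fields follow the record data
# listed above; the "os" field is an assumption added to pick a blocking channel.
RAW = [
    {"serial": " 4c53-0001 ", "time": "2016-09-28 09:15:02", "ip": "192.168.1.23",
     "mac": "00-1A-2B-3C-4D-5E", "mode": "Write", "os": "Windows"},
    {"serial": "AA11BB22", "time": "2016/09/28 09:20:11", "ip": "192.168.1.40",
     "mac": "00:1a:2b:3c:4d:6f", "mode": "read", "os": "Linux"},
    {"serial": "4C53-0001", "time": "2016-09-28 10:02:45", "ip": "192.168.1.40",
     "mac": "001A.2B3C.4D6F", "mode": "READ", "os": "Linux"},
    {"serial": "ff00ee99", "time": "2016-09-28 11:30:00", "ip": "192.168.1.23",
     "mac": "00-1A-2B-3C-4D-5E", "mode": "write", "os": "Windows"},
]
BLACKLIST = {"4C53-0001"}          # constructed
WHITELIST = {"AA11BB22"}           # constructed
TIME_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y/%m/%d %H:%M:%S")
BLOCK_CHANNEL = {"windows": "wmi", "linux": "ssh", "unix": "ssh"}


def parse_time(text):
    """Accept the timestamp layouts seen in the samples; emit ISO 8601."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def standardize(rec):
    """Standardization unit: one canonical form per field (first port data)."""
    mac_hex = "".join(c for c in rec["mac"].lower() if c in "0123456789abcdef")
    if len(mac_hex) != 12:
        raise ValueError(f"malformed MAC address: {rec['mac']!r}")
    return {
        "serial": rec["serial"].strip().upper(),
        "time": parse_time(rec["time"]),
        "ip": rec["ip"].strip(),
        "mac": ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2)),
        "mode": rec["mode"].strip().lower(),
        "os": rec["os"].strip().lower(),
    }


def associate(records):
    """Normalization unit: group every event of one device (second port data)."""
    by_serial = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_serial[rec["serial"]].append(rec)
    return dict(by_serial)


def compare(raw, blacklist, whitelist):
    """Comparison module: returns (decisions, history) for a batch of records."""
    second = associate(standardize(r) for r in raw)
    decisions, history = [], []
    for serial in sorted(second):      # extracted feature: the serial number
        events = second[serial]
        if serial in blacklist:        # alarm, then block per host OS
            for ev in events:
                channel = BLOCK_CHANNEL.get(ev["os"])
                decisions.append(("alert+block", serial, ev["ip"], channel))
        elif serial in whitelist:      # legitimate: keep events for tracing
            history.extend(events)
            decisions.append(("record", serial, None, None))
        else:                          # unknown: ask whether to add to a list
            decisions.append(("ask-operator", serial, None, None))
    return decisions, history


if __name__ == "__main__":
    for decision in compare(RAW, BLACKLIST, WHITELIST)[0]:
        print(decision)
```

Comparing only after standardization matters here: the blacklisted serial arrives once with lower-case letters and padding, and would be missed by a match on the raw field.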
A person of ordinary skill in the art will appreciate that all or part of the flow of the above embodiment methods can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and when executed it may include the flows of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above are preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art can make some improvements and modifications without departing from the principles of the invention, and these improvements and modifications are also considered to fall within the protection scope of the present invention.

Claims (10)

1. A method for monitoring the USB ports of computers in a LAN, characterized by including:
Obtaining the original port data of the USB ports of the computers in the same LAN; wherein the original port data include the record data of a USB device being plugged into the USB port;
Preprocessing the original port data to obtain standard port data;
Comparing the standard port data with the black-and-white list, and judging whether the USB device is legally plugged into the USB port.
2. The method for monitoring the USB ports of computers in a LAN as claimed in claim 1, characterized in that obtaining the original port data of the USB ports of the computers in the same LAN includes:
At a frequency H, obtaining the original port data of the USB ports of all computers in the same LAN that run a Windows operating system through the WMI protocol, and obtaining the original port data of the USB ports of all computers in the LAN that run a Linux or Unix operating system through the SSH protocol;
Receiving, through the UDP protocol, the log records corresponding to the USB ports of the computers in the LAN as the original port data of the USB ports.
3. The method for monitoring the USB ports of computers in a LAN as claimed in claim 1, characterized in that the record data of the USB device being plugged into the USB port are specifically: the serial number of the USB device, the time at which the USB device is plugged into the USB port, the IP address of the computer corresponding to the USB port, the MAC address of the computer corresponding to the USB port, and the mode, read or write, of the operation performed by the USB device.
Then, performing standardization processing on the original port data to obtain standard port data is specifically:
According to a standardization algorithm, standardizing each item of status data of the USB device being plugged into the USB port, to obtain first port data;
According to a normalization algorithm, associating all the data contained in the first port data that relate to the corresponding USB device, to obtain second port data;
According to a data feature extraction algorithm, extracting from the second port data the data having the same features as the black-and-white list, as the standard port data.
4. The method for monitoring the USB ports of computers in a LAN as claimed in claim 3, characterized in that comparing the standard port data with the black-and-white list and judging whether the USB device is legally plugged into the USB port is specifically:
Loading the black-and-white list from a database;
Comparing the standard port data with the black-and-white list, and judging whether the serial number of the USB device contained in the standard port data is recorded in the black-and-white list;
When the serial number of a USB device in the standard port data is recorded in the blacklist of the black-and-white list, outputting an alarm carrying the serial number information of the USB device of the standard port data that is recorded in the blacklist, prompting that the USB device has been illegally plugged into or pulled out of the USB port corresponding to the USB device;
When the serial number of a USB device in the standard port data is not recorded in the black-and-white list, querying the system whether to add the serial number information of the USB device of the standard port data that is not recorded in the black-and-white list to the black-and-white list; if so, entering the flow for adding to the black-and-white list;
When the serial number of a USB device in the standard port data is recorded in the whitelist of the black-and-white list, adding the information recorded in the second port data that corresponds to the USB device of the standard port data recorded in the whitelist to the history record, for tracing.
5. The method for monitoring the USB ports of computers in a LAN as claimed in claim 4, characterized in that, when the serial number of a USB device in the standard port data is recorded in the blacklist of the black-and-white list, the method also includes:
When the operating system run by the computer corresponding to the USB port that the USB device of the standard port data recorded in the blacklist is plugged into is a Windows system, blocking the communication connection between the USB port and the USB device through the WMI protocol;
When the operating system run by the computer corresponding to the USB port that the USB device of the standard port data recorded in the blacklist is plugged into is a Linux or Unix system, blocking the communication connection between the USB port and the USB device through the SSH protocol.
6. A device for monitoring the USB ports of computers in a LAN, characterized by including:
A port data acquisition module, for obtaining the original port data of the USB ports of the computers in the same LAN; wherein the original port data include the record data of a USB device being plugged into the USB port;
A preprocessing module, for preprocessing the original port data to obtain standard port data;
A data comparison module, for comparing the standard port data with the black-and-white list and judging whether the USB device is legally plugged into the USB port.
7. The device for monitoring the USB ports of computers in a LAN as claimed in claim 6, characterized in that the port data acquisition module specifically includes:
A data acquisition unit, for obtaining, at a frequency H, the original port data of the USB ports of all computers in the same LAN that run a Windows operating system through the WMI protocol, and obtaining the original port data of the USB ports of all computers in the LAN that run a Linux or Unix operating system through the SSH protocol;
A data receiving unit, for receiving, through the UDP protocol, the log records corresponding to the USB ports of the computers in the LAN as the original port data of the USB ports.
8. The device for monitoring the USB ports of computers in a LAN as claimed in claim 6, characterized in that the record data of the USB device being plugged into the USB port are specifically: the serial number of the USB device, the time at which the USB device is plugged into the USB port, the IP address of the computer corresponding to the USB port, the MAC address of the computer corresponding to the USB port, and the mode, read or write, of the operation performed by the USB device.
Then, the preprocessing module specifically includes:
A standardization unit, for standardizing, according to a standardization algorithm, each item of status data of the USB device being plugged into the USB port, to obtain first port data;
A normalization unit, for associating, according to a normalization algorithm, all the data contained in the first port data that relate to the corresponding USB device, to obtain second port data;
A data extraction unit, for extracting from the second port data, according to a data feature extraction algorithm, the data having the same features as the black-and-white list, as the standard port data.
9. The device for monitoring the USB ports of computers in a LAN as claimed in claim 8, characterized in that the data comparison module specifically includes:
A list loading unit, for loading the black-and-white list from a database;
A judging unit, for comparing the standard port data with the black-and-white list and judging whether the serial number of the USB device contained in the standard port data is recorded in the black-and-white list;
An alarm output unit, for outputting, when the serial number of a USB device in the standard port data is recorded in the blacklist of the black-and-white list, an alarm carrying the serial number information of the USB device of the standard port data that is recorded in the blacklist, prompting that the USB device has been illegally plugged into or pulled out of the USB port corresponding to the USB device;
A list information adding unit, for querying the system, when the serial number of a USB device in the standard port data is not recorded in the black-and-white list, whether to add the serial number information of the USB device of the standard port data that is not recorded in the black-and-white list to the black-and-white list; if so, entering the flow for adding to the black-and-white list;
A history keeping unit, for adding, when the serial number of a USB device in the standard port data is recorded in the whitelist of the black-and-white list, the information recorded in the second port data that corresponds to the USB device of the standard port data recorded in the whitelist to the history record, for tracing.
10. The device for monitoring the USB ports of computers in a LAN as claimed in claim 9, characterized in that the data comparison module also includes:
A first blocking unit, for blocking the communication connection between the USB port and the USB device through the WMI protocol when the operating system run by the computer corresponding to the USB port that the USB device of the standard port data recorded in the blacklist is plugged into is a Windows system;
A second blocking unit, for blocking the communication connection between the USB port and the USB device through the SSH protocol when the operating system run by the computer corresponding to the USB port that the USB device of the standard port data recorded in the blacklist is plugged into is a Linux or Unix system.
CN201610863914.XA 2016-09-28 2016-09-28 Monitor the method and device of the USB port of computer in local area network Active CN106254163B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610863914.XA CN106254163B (en) 2016-09-28 2016-09-28 Monitor the method and device of the USB port of computer in local area network

Publications (2)

Publication Number Publication Date
CN106254163A CN106254163A (en) 2016-12-21
CN106254163B CN106254163B (en) 2019-09-20

Family

ID=57611145

Country Status (1)

Country Link
CN (1) CN106254163B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant