CN106254163A - Method and device for monitoring the USB ports of computers in a LAN - Google Patents
- Publication number
- CN106254163A CN201610863914.XA
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3051—Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Abstract
The invention discloses a method for monitoring the USB ports of computers in a LAN, comprising: obtaining original port data of the USB ports of the computers in the same LAN, where the original port data include records of USB devices being plugged into or unplugged from the USB ports; pre-processing the original port data to obtain standard port data; and comparing the standard port data with a black-and-white list to judge whether the USB device was legitimately plugged into or unplugged from the USB port. Correspondingly, the invention also discloses a device for monitoring the USB ports of computers in a LAN. With the embodiments of the invention, the plugging status of the USB ports of computers in the LAN can be monitored in real time, and it can be judged whether the USB device currently connected to a USB port is legitimate.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for monitoring the USB ports of computers in a LAN.
Background art
Electric power dispatching systems are currently equipped with a range of information security protection products, such as firewalls, antivirus software and network isolation gateways, which prevent information leakage and intrusion from external networks to a certain extent. However, of all information security incidents, more than 70% occur on the intranet, more than 85% of security threats come from inside the organization, and 16% come from unauthorized internal access. Because removable storage media (USB flash drives and the like) are very convenient to use, they have become a common tool for exchanging data between networked hosts. If all kinds of removable storage media are allowed to connect to the organization's internal network at will to exchange data, trojans and viruses can spread and infect hosts through them, putting the security of the internal network at risk; in particular, the Stuxnet virus incident at Iran's nuclear power station was caused mainly by the illegal use of USB flash drive media.
For this reason, data transfer over USB ports is usually monitored, and conventional USB port monitoring mainly uses the following two approaches:
The first is Agent + server (C/S): an Agent collects information about USB device insertion and removal actions at the USB port and uploads it to the server.
The second is stand-alone monitoring: information about USB device insertion and removal actions at the USB port is collected by calling the Setup API family of functions, for security early warning and after-the-fact tracing.
The prior art has the following defects in monitoring USB ports:
The first is the agent monitoring approach, in which an agent is installed on the monitored host system. The agent program monitors USB device insertion and removal actions, calls the host system's USB Setup API family of functions or USB bus functions, collects the relevant status information, and disables or enables particular categories of USB devices. The biggest defect of this approach is security: the user can manually enable the device, and the agent process may be terminated by the user. In addition, because the application software sits at a high level and places requirements on the host operating system, not every host OS can be monitored, so the monitoring scope is narrow.
The second is USB protection-plug monitoring, which consists of a set of external hardware (including a USB interface, a PCB and so on) and is mainly used for immediate blocking followed by an alarm, but it carries the risk of being easily discovered and removed.
Summary of the invention
The method for monitoring the USB ports of computers in a LAN proposed by the embodiments of the present invention can monitor the plugging status of the USB ports of computers in the LAN in real time and judge whether the USB device currently connected to a USB port is legitimate.
In a first aspect, an embodiment of the present invention provides a method for monitoring the USB ports of computers in a LAN, comprising:
Obtaining original port data of the USB ports of the computers in the same LAN, where the original port data include records of USB devices being plugged into or unplugged from the USB ports;
Pre-processing the original port data to obtain standard port data;
Comparing the standard port data with a black-and-white list to judge whether the USB device was legitimately plugged into or unplugged from the USB port.
Further, obtaining the original port data of the USB ports of the computers in the same LAN comprises:
At frequency H, obtaining through the WMI protocol the original port data of the USB ports of all computers in the same LAN that run a Windows operating system, and obtaining through the SSH protocol the original port data of the USB ports of all computers in the LAN that run a Linux or Unix operating system;
Receiving through the UDP protocol the log records corresponding to the USB ports of the computers in the LAN, as the original port data of the USB ports.
Further, the records of a USB device being plugged into or unplugged from the USB port are specifically: the serial number of the USB device, the time at which the USB device was plugged into or unplugged from the USB port, the IP address of the computer to which the USB port belongs, the MAC address of that computer, and whether the operation performed by the USB device is in read or write mode.
Then, the pre-processing of the original port data to obtain the standard port data is specifically:
According to a standardization algorithm, standardizing each item of status data about the USB device's plugging or unplugging at the USB port to obtain first port data;
According to a normalization algorithm, associating all the data contained in the first port data that relate to the same USB device to obtain second port data;
According to a data feature extraction algorithm, extracting from the second port data the data that have the same features as the black-and-white list, as the standard port data.
Further still, comparing the standard port data with the black-and-white list to judge whether the USB device was legitimately plugged into or unplugged from the USB port is specifically:
Loading the black-and-white list from a database;
Comparing the standard port data with the black-and-white list to judge whether the serial number of a USB device contained in the standard port data is recorded in the black-and-white list;
When the serial number of a USB device in the standard port data is recorded in the blacklist within the black-and-white list, outputting an alarm carrying the serial-number information of that USB device, indicating that the USB device was illegally plugged into or unplugged from its corresponding USB port;
When the serial number of a USB device in the standard port data is not recorded in the black-and-white list, asking the system whether to add the serial-number information of that USB device to the black-and-white list; if so, entering the flow for adding to the black-and-white list;
When the serial number of a USB device in the standard port data is recorded in the whitelist within the black-and-white list, adding the information recorded in the second port data for that USB device to the history record, for tracing.
Further, when the serial number of a USB device in the standard port data is recorded in the blacklist within the black-and-white list, the method also comprises:
When the computer whose USB port the blacklisted USB device was plugged into runs a Windows system, blocking the communication connection between the USB port and the USB device through the WMI protocol;
When the computer whose USB port the blacklisted USB device was plugged into runs a Linux or Unix system, blocking the communication connection between the USB port and the USB device through the SSH protocol.
In a second aspect, the present invention also provides a device for monitoring the USB ports of computers in a LAN, comprising:
A port data acquisition module, for obtaining original port data of the USB ports of the computers in the same LAN, where the original port data include records of USB devices being plugged into or unplugged from the USB ports;
A pre-processing module, for pre-processing the original port data to obtain standard port data;
A data comparison module, for comparing the standard port data with the black-and-white list to judge whether the USB device was legitimately plugged into or unplugged from the USB port.
Further, the port data acquisition module specifically comprises:
A data acquisition unit, for obtaining, at frequency H, through the WMI protocol the original port data of the USB ports of all computers in the same LAN that run a Windows operating system, and obtaining through the SSH protocol the original port data of the USB ports of all computers in the LAN that run a Linux or Unix operating system;
A data receiving unit, for receiving through the UDP protocol the log records corresponding to the USB ports of the computers in the LAN, as the original port data of the USB ports.
Further, the records of a USB device being plugged into or unplugged from the USB port are specifically: the serial number of the USB device, the time at which the USB device was plugged into or unplugged from the USB port, the IP address of the computer to which the USB port belongs, the MAC address of that computer, and whether the operation performed by the USB device is in read or write mode.
Then, the pre-processing module specifically comprises:
A standardization unit, for standardizing, according to a standardization algorithm, each item of status data about the USB device's plugging or unplugging at the USB port to obtain first port data;
A normalization unit, for associating, according to a normalization algorithm, all the data contained in the first port data that relate to the same USB device to obtain second port data;
A data extraction unit, for extracting from the second port data, according to a data feature extraction algorithm, the data that have the same features as the black-and-white list, as the standard port data.
Further still, the data comparison module specifically comprises:
A list loading unit, for loading the black-and-white list from a database;
A judging unit, for comparing the standard port data with the black-and-white list to judge whether the serial number of a USB device contained in the standard port data is recorded in the black-and-white list;
An alarm output unit, for outputting, when the serial number of a USB device in the standard port data is recorded in the blacklist within the black-and-white list, an alarm carrying the serial-number information of that USB device, indicating that the USB device was illegally plugged into or unplugged from its corresponding USB port;
A list information adding unit, for asking the system, when the serial number of a USB device in the standard port data is not recorded in the black-and-white list, whether to add the serial-number information of that USB device to the black-and-white list; if so, entering the flow for adding to the black-and-white list;
A history saving unit, for adding, when the serial number of a USB device in the standard port data is recorded in the whitelist within the black-and-white list, the information recorded in the second port data for that USB device to the history record, for tracing.
Further, the data comparison module also comprises:
A first blocking unit, for blocking the communication connection between the USB port and the USB device through the WMI protocol when the computer whose USB port the blacklisted USB device was plugged into runs a Windows system;
A second blocking unit, for blocking the communication connection between the USB port and the USB device through the SSH protocol when the computer whose USB port the blacklisted USB device was plugged into runs a Linux or Unix system.
Implementing the embodiments of the present invention has the following beneficial effects:
The method and device for monitoring the USB ports of computers in a LAN provided by the embodiments of the present invention obtain the original port data of the USB ports of the computers in the same LAN, and can use different protocols to collect USB port status information within the LAN in real time. By comparing the standard port data obtained after pre-processing with the black-and-white list, it can be judged whether the USB device was legitimately plugged into or unplugged from the USB port; an alarm is raised for illegally connected USB devices, and the connection between an illegally connected USB device and the USB port it is attached to is blocked or disabled. In addition, the invention uses agentless collection to collect from the computers' USB ports, which gives a very flexible configuration mode, allows quick and easy deployment and configuration, improves monitoring efficiency, and is safe and convenient.
Brief description of the drawings
Fig. 1 is a schematic flowchart of an embodiment of the method for monitoring the USB ports of computers in a LAN provided by the present invention;
Fig. 2 is a flowchart of step S3 of the method of Fig. 1;
Fig. 3 is a schematic structural diagram of an embodiment of the device for monitoring the USB ports of computers in a LAN provided by the present invention;
Fig. 4 is a schematic structural diagram of an embodiment of the port data acquisition module of the device provided by the present invention;
Fig. 5 is a schematic structural diagram of an embodiment of the pre-processing module of the device provided by the present invention;
Fig. 6 is a schematic structural diagram of an embodiment of the data comparison module of the device provided by the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a schematic flowchart of an embodiment of the method for monitoring the USB ports of computers in a LAN provided by the present invention. The method is executed by a system server and comprises steps S1 to S3, specifically:
S1, obtaining original port data of the USB ports of the computers in the same LAN, where the original port data include records of USB devices being plugged into or unplugged from the USB ports;
S2, pre-processing the original port data to obtain standard port data;
S3, comparing the standard port data with the black-and-white list to judge whether the USB device was legitimately plugged into or unplugged from the USB port.
It should be noted that the method for monitoring the USB ports of computers in a LAN provided by the present invention does not use a Manager-Agent architecture; that is, no agent program (Agent) needs to be installed on the monitored computers. The server alone obtains a series of status data about the USB ports from the monitored computers through specific transport protocols, so the resources of the monitored computers are not consumed. In addition, the invention uses agentless collection, which gives a very flexible configuration mode, allows quick and easy deployment and configuration, and makes system upgrades and updates convenient.
Further, the specific implementation of step S1 comprises:
At frequency H, obtaining through the WMI protocol the original port data of the USB ports of all computers in the same LAN that run a Windows operating system, and obtaining through the SSH protocol the original port data of the USB ports of all computers in the LAN that run a Linux or Unix operating system;
Receiving through the UDP protocol the log records corresponding to the USB ports of the computers in the LAN, as the original port data of the USB ports.
It should be noted that the number of computers in the monitored LAN is fairly large and different computers run different operating systems, typically Windows, Linux or Unix, so the communication protocol used for collection differs: data transfer with computers running a Windows operating system uses the WMI protocol, and data transfer with computers running a Linux or Unix operating system uses the SSH protocol. In addition, when a USB device is plugged into the USB port of a computer in the monitored LAN, that computer's log server, for example Usb-syslog or syslog, records the plugging or unplugging of the USB device at the port and multicasts the log record over UDP to the multicast address specified by the protocol; the server executing this method then receives the log record from that multicast address.
Further, the records of a USB device being plugged into or unplugged from the USB port are specifically: the serial number of the USB device, the time at which the USB device was plugged into or unplugged from the USB port, the IP address of the computer to which the USB port belongs, the MAC address of that computer, and whether the operation performed by the USB device is in read or write mode. It should be noted that, besides the above information, the records may also include the responsible person and responsible department for the USB device, the plug type (whether the USB device was inserted into or removed from the USB port), and so on, obtained as required.
Then, the specific implementation of step S2 comprises:
According to a standardization algorithm, standardizing each item of status data about the USB device's plugging or unplugging at the USB port to obtain first port data;
According to a normalization algorithm, associating all the data contained in the first port data that relate to the same USB device to obtain second port data;
According to a data feature extraction algorithm, extracting from the second port data the data that have the same features as the black-and-white list, as the standard port data.
It should be noted that, because the data collected from systems running different operating systems differ in format and contain repeated information, the standardization algorithm can be used to format the collected data to a unified standard and to filter or merge the repeated information. Because the first port data obtained after standardization have not been associated, which makes it hard to find the corresponding information quickly later, association processing is needed to obtain the second port data. Moreover, because not all of the obtained port data are used for comparison with the black-and-white list, the data that have the same features as the black-and-white list need to be extracted from the second port data for comparison, which improves the efficiency of the subsequent comparison; the remaining information can be used for subsequent alarms, history records and so on.
Further still, Fig. 2 is a flowchart of step S3 of the method of Fig. 1. The specific implementation of step S3 is described with reference to Fig. 2 as follows:
Loading the black-and-white list from a database;
Comparing the standard port data with the black-and-white list to judge whether the serial number of a USB device contained in the standard port data is recorded in the black-and-white list;
When the serial number of a USB device in the standard port data is recorded in the blacklist within the black-and-white list, outputting an alarm carrying the serial-number information of that USB device, indicating that the USB device was illegally plugged into or unplugged from its corresponding USB port;
When the serial number of a USB device in the standard port data is not recorded in the black-and-white list, asking the system whether to add the serial-number information of that USB device to the black-and-white list; if so, entering the flow for adding to the black-and-white list. Before the query, an alarm notification may also be issued first.
When the serial number of a USB device in the standard port data is recorded in the whitelist within the black-and-white list, adding the information recorded in the second port data for that USB device to the history record, for tracing.
It should be noted that, when an alarm is output, the alarm modes include: first, page query: the current display interface shows the latest alarm information, provides a function for querying historical alarm information, and can show the current alarm level by grade; second, conversion to work orders: alarms that meet the requirements need a work order to be submitted for process handling, which can be done in the IT service management system or the "letter adjust" flow system, and the details of the work-order business process need to be defined separately; third, sound, light and electric prompts: different sounds and/or color combinations are used according to the alarm level to alert operations and maintenance personnel; fourth, alarm push: using the information on the operations and maintenance personnel to whom the associated device belongs, the alarm information is pushed to those personnel.
Further, in the specific implementation of step S3, when the serial number of a USB device in the standard port data is recorded in the blacklist within the black-and-white list, the method also comprises:
When the computer whose USB port the blacklisted USB device was plugged into runs a Windows system, blocking the communication connection between the USB port and the USB device through the WMI protocol;
When the computer whose USB port the blacklisted USB device was plugged into runs a Linux or Unix system, blocking the communication connection between the USB port and the USB device through the SSH protocol.
It should be noted that when the serial number of a USB device in the standard port data is recorded in the blacklist within the black-and-white list, this means that the USB device has illegally connected to its corresponding USB port, so a command script for remotely blocking or disabling the USB port is started, interrupting or disabling the communication connection between the USB port and the USB device.
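The following is an added example, not code from the patent, that carries steps S2 and S3 through on constructed records: standardization with duplicate merging, association per device, serial-number extraction, and the three-way list decision including the choice of blocking protocol. The record layouts, field names, sample values and the rule that the blacklist is checked before the whitelist are assumptions made for illustration.

```python
"""Pre-processing (S2) and list comparison (S3) on constructed USB plug records."""
from collections import defaultdict
from datetime import datetime

# Hypothetical record layouts: the patent names the fields but not their format.
_LOWER = {"serial": "serial", "ts": "time", "ip": "ip", "mac": "mac",
          "mode": "mode", "os": "os"}
FIELD_MAP = {
    "wmi": {"Serial": "serial", "Time": "time", "IP": "ip", "MAC": "mac",
            "Mode": "mode", "OS": "os"},   # polled from Windows hosts
    "ssh": _LOWER,                          # polled from Linux/Unix hosts
    "udp": _LOWER,                          # pushed log records
}

# Constructed sample input (not real data). Rows 1 and 2 describe the same event.
RAW = [
    {"src": "wmi", "Serial": " 4c53-0001 ", "Time": "2016-09-28 09:15:02",
     "IP": "10.0.0.21", "MAC": "00-1A-2B-3C-4D-5E", "Mode": "Write", "OS": "Windows"},
    {"src": "udp", "serial": "4C53-0001", "ts": "2016-09-28T09:15:02",
     "ip": "10.0.0.21", "mac": "00:1a:2b:3c:4d:5e", "mode": "write", "os": "windows"},
    {"src": "ssh", "serial": "AA11-2200", "ts": "2016-09-28T09:20:40",
     "ip": "10.0.0.35", "mac": "00:1a:2b:3c:4d:6f", "mode": "read", "os": "Linux"},
    {"src": "ssh", "serial": "zz99-7777", "ts": "2016-09-28T09:31:10",
     "ip": "10.0.0.35", "mac": "00:1a:2b:3c:4d:6f", "mode": "read", "os": "Linux"},
    {"src": "udp", "serial": "4c53-0001", "ts": "2016-09-28T10:02:00",
     "ip": "10.0.0.40", "mac": "00:1a:2b:3c:4d:70", "mode": "read", "os": "Unix"},
]
BLACKLIST = {"4c53-0001"}   # deliberately stored in a different case
WHITELIST = {"AA11-2200"}


def norm_serial(value):
    """Canonical serial form, applied to records and to list entries alike."""
    return str(value).strip().upper()


def standardize(raw):
    """S2, step 1: map every source to one schema and merge repeated events."""
    seen, first = set(), []
    for rec in raw:
        r = {common: str(rec[field]).strip()
             for field, common in FIELD_MAP[rec["src"]].items()}
        r["serial"] = norm_serial(r["serial"])
        r["time"] = datetime.fromisoformat(r["time"]).isoformat()
        r["mac"] = r["mac"].lower().replace("-", ":")
        r["mode"] = r["mode"].lower()
        r["os"] = "windows" if r["os"].lower().startswith("win") else "unix"
        key = (r["serial"], r["time"], r["ip"], r["mode"])
        if key not in seen:      # same event reported by polling and by UDP log
            seen.add(key)
            first.append(r)
    return first


def correlate(first):
    """S2, step 2: associate all records of one device (second port data)."""
    second = defaultdict(list)
    for r in first:
        second[r["serial"]].append(r)
    for events in second.values():
        events.sort(key=lambda r: r["time"])
    return dict(second)


def extract(second):
    """S2, step 3: keep the feature the lists are keyed on, the serial number."""
    return sorted(second)


def compare(standard, second, blacklist, whitelist):
    """S3: blacklist -> alarm and block, whitelist -> history, else -> query."""
    black = {norm_serial(s) for s in blacklist}
    white = {norm_serial(s) for s in whitelist}
    alarms, pending, history = [], [], []
    for serial in standard:
        if serial in black:      # assumption: blacklist wins over whitelist
            for e in second[serial]:
                via = "WMI" if e["os"] == "windows" else "SSH"
                alarms.append({"serial": serial, "ip": e["ip"], "mac": e["mac"],
                               "time": e["time"], "block_via": via})
        elif serial in white:
            history.extend(second[serial])
        else:
            pending.append(serial)   # operator decides whether to add it
    return alarms, pending, history


def run_pipeline(raw, blacklist, whitelist):
    second = correlate(standardize(raw))
    return compare(extract(second), second, blacklist, whitelist)


if __name__ == "__main__":
    for name, result in zip(("alarms", "pending", "history"),
                            run_pipeline(RAW, BLACKLIST, WHITELIST)):
        print(name, result)
```

Normalizing the serial number on both sides of the comparison is what keeps a padded or differently cased serial from slipping past the blacklist.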
The method for monitoring the USB ports of computers in a LAN provided by the present invention obtains the original port data of the USB ports of the computers in the same LAN, and can use different protocols to collect USB port status information within the LAN in real time. By comparing the standard port data obtained after pre-processing with the black-and-white list, it can be judged whether the USB device was legitimately plugged into or unplugged from the USB port; an alarm is raised for illegally connected USB devices, and the connection between an illegally connected USB device and the USB port it is attached to is blocked or disabled. In addition, the invention uses agentless collection to collect from the computers' USB ports, which gives a very flexible configuration mode, allows quick and easy deployment and configuration, improves monitoring efficiency, and is safe and convenient.
Fig. 3 is a schematic structural diagram of an embodiment of the device for monitoring the USB ports of computers in a LAN provided by the present invention.
In a second aspect, the present invention also provides a device for monitoring the USB ports of computers in a LAN, which can implement the entire flow of the method for monitoring the USB ports of computers in a LAN provided above. The device comprises:
A port data acquisition module 10, for obtaining original port data of the USB ports of the computers in the same LAN, where the original port data include records of USB devices being plugged into or unplugged from the USB ports;
A pre-processing module 20, for pre-processing the original port data to obtain standard port data;
A data comparison module 30, for comparing the standard port data with the black-and-white list to judge whether the USB device was legitimately plugged into or unplugged from the USB port.
Further, Fig. 4 is a schematic structural diagram of an embodiment of the port data acquisition module of the device provided by the present invention. The port data acquisition module 10 specifically comprises:
A data acquisition unit 11, for obtaining, at frequency H, through the WMI protocol the original port data of the USB ports of all computers in the same LAN that run a Windows operating system, and obtaining through the SSH protocol the original port data of the USB ports of all computers in the LAN that run a Linux or Unix operating system;
A data receiving unit 12, for receiving through the UDP protocol the log records corresponding to the USB ports of the computers in the LAN, as the original port data of the USB ports.
Further, described USB device plug in the record data of described USB port particularly as follows: the sequence of described USB device
Row number, described USB device plug are in time of described USB port, the IP address of computer that described USB port is corresponding, described
Performed by the MAC Address of the computer that USB port is corresponding and described USB device is the pattern of read or write operation.
See Fig. 5, which is a structural schematic diagram of one embodiment of the preprocessing module of the device for monitoring the USB ports of computers in a local area network provided by the present invention.
Then, the preprocessing module 20 specifically includes:
Standardization unit 21, for standardizing, according to a standardization algorithm, each item of status data of the USB device being plugged into or unplugged from the USB port, to obtain first port data;
Normalization unit 22, for associating, according to a normalization algorithm, all data contained in the first port data that relate to the corresponding USB device, to obtain second port data;
Data extraction unit 23, for extracting from the second port data, according to a data feature extraction algorithm, the data having the same features as the black-and-white list, as the standard port data.
Still further, see Fig. 6, which is a structural schematic diagram of one embodiment of the data comparison module of the device for monitoring the USB ports of computers in a local area network provided by the present invention. The data comparison module 30 specifically includes:
List loading unit 31, for loading the black-and-white list from a database;
Judging unit 32, for comparing the standard port data with the black-and-white list and judging whether the serial number of the USB device contained in the standard port data is recorded in the black-and-white list;
Alarm output unit 33, for outputting, when the standard port data contain a USB device serial number that is recorded in the blacklist of the black-and-white list, an alarm carrying the serial number information of that blacklisted USB device, indicating that the USB device was illegally plugged into or unplugged from its corresponding USB port;
List information adding unit 34, for querying the system, when the standard port data contain a USB device serial number that is not recorded in the black-and-white list, whether to add the serial number information of that USB device to the black-and-white list; if so, entering the flow for adding to the black-and-white list;
History saving unit 35, for adding, when the standard port data contain a USB device serial number that is recorded in the whitelist of the black-and-white list, the information recorded in the second port data for that whitelisted USB device to the history record, for tracing.
Further, the data comparison module 30 also includes:
First blocking unit 36, for blocking, via the WMI protocol, the communication connection between the USB port and the USB device when the operating system run by the computer corresponding to the USB port at which the blacklisted USB device in the standard port data was plugged or unplugged is a Windows system;
Second blocking unit 37, for blocking, via the SSH protocol, the communication connection between the USB port and the USB device when the operating system run by the computer corresponding to the USB port at which the blacklisted USB device in the standard port data was plugged or unplugged is a Linux or Unix system.
The device for monitoring the USB ports of computers in a local area network provided by the present invention obtains the original port data of the USB ports of the computers in the same LAN, and can use different protocols to collect the USB port status information in the LAN in real time. By comparing the standard port data obtained after preprocessing with the black-and-white list, it can judge whether a USB device is legitimately plugged into or unplugged from a USB port, raise an alarm for illegally connected USB devices, and block or disable an illegally connected USB device and the USB port it is connected to. In addition, the present invention collects data from the computers' USB ports using agentless acquisition technology, which offers a more flexible configuration mode, is quick and easy to configure, improves monitoring efficiency, and is safe and convenient.
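The preprocessing and comparison flow described above, sketched in Python as an added example that is not code from the patent. The record field names, the formats being standardized, the treatment of timestamps as UTC and the sample serial numbers are all constructed assumptions; the patent does not specify its standardization, normalization or feature-extraction algorithms.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records; field names and formats are assumptions.
RAW_EVENTS = [
    {"serial": "4c530001230507116591", "time": "2016-09-28 08:15:02",
     "ip": "192.0.2.10", "mac": "00-1A-2B-3C-4D-5E", "os": "Windows", "mode": "write"},
    {"serial": " 4C530001230507116591 ", "time": "2016-09-28T08:20:40",
     "ip": "192.0.2.10", "mac": "00:1a:2b:3c:4d:5e", "os": "windows", "mode": "READ"},
    {"serial": "AA11BB22CC33", "time": "2016-09-28 09:01:10",
     "ip": "192.0.2.21", "mac": "001a.2b3c.4d60", "os": "linux", "mode": "read"},
    {"serial": "0123456789ab", "time": "2016-09-28 09:30:00",
     "ip": "192.0.2.22", "mac": "00:1A:2B:3C:4D:61", "os": "linux", "mode": "write"},
]
BLACKLIST = {"AA11BB22CC33"}          # constructed serial numbers
WHITELIST = {"4C530001230507116591"}


def standardize(event):
    """Standardization step: bring every field of one record to a single format."""
    mac = "".join(c for c in event["mac"].lower() if c in "0123456789abcdef")
    if len(mac) != 12:
        raise ValueError(f"bad MAC address: {event['mac']!r}")
    when = datetime.fromisoformat(event["time"].replace(" ", "T"))
    return {
        "serial": event["serial"].strip().upper(),
        "time": when.replace(tzinfo=timezone.utc).isoformat(),  # assumed UTC
        "ip": event["ip"],
        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
        "os": event["os"].lower(),
        "mode": event["mode"].lower(),
    }


def associate(events):
    """Association step: group all standardized records by device serial."""
    by_device = defaultdict(list)
    for ev in map(standardize, events):
        by_device[ev["serial"]].append(ev)
    return by_device


def compare(events, blacklist, whitelist):
    """Compare each device serial with the lists and sort the outcomes."""
    result = {"alarms": [], "history": [], "pending": []}
    for serial, records in associate(events).items():
        if serial in blacklist:          # checked first, so a double listing fails closed
            for rec in records:
                # The page blocks over WMI on Windows and over SSH on Linux/Unix.
                channel = "WMI" if rec["os"] == "windows" else "SSH"
                result["alarms"].append({"serial": serial, "ip": rec["ip"],
                                         "mac": rec["mac"], "block_via": channel})
        elif serial in whitelist:
            result["history"].extend(records)   # kept so the activity can be traced
        else:
            result["pending"].append(serial)    # operator decides which list it joins
    return result


if __name__ == "__main__":
    for kind, items in compare(RAW_EVENTS, BLACKLIST, WHITELIST).items():
        print(kind, items)
```

Without the standardization step, the first two records would not match the whitelist entry or each other, because the raw serial numbers differ in case and whitespace.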
One of ordinary skill in the art will appreciate that all or part of the flows in the above method embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above is the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications are also considered to be within the protection scope of the present invention.
Claims (10)
1. A method for monitoring the USB ports of computers in a local area network, characterized by comprising:
Obtaining the original port data of the USB ports of the computers in the same LAN; wherein the original port data include record data of USB devices being plugged into or unplugged from the USB ports;
Preprocessing the original port data to obtain standard port data;
Comparing the standard port data with the black-and-white list to judge whether the USB device is legitimately plugged into or unplugged from the USB port.
2. The method for monitoring the USB ports of computers in a local area network as claimed in claim 1, characterized in that obtaining the original port data of the USB ports of the computers in the same LAN includes:
At frequency H, obtaining via the WMI protocol the original port data of the USB ports of all computers running the Windows operating system in the same LAN, and obtaining via the SSH protocol the original port data of the USB ports of all computers running a Linux or Unix operating system in the LAN;
Receiving, via the UDP protocol, the log records corresponding to the USB ports of the computers in the LAN as the original port data of the USB ports.
3. The method for monitoring the USB ports of computers in a local area network as claimed in claim 1, characterized in that the record data of the USB device being plugged into or unplugged from the USB port are specifically: the serial number of the USB device, the time at which the USB device was plugged into or unplugged from the USB port, the IP address of the computer corresponding to the USB port, the MAC address of the computer corresponding to the USB port, and the mode of the operation performed by the USB device, read or write.
Then, the standardization processing of the original port data to obtain the standard port data is specifically:
According to a standardization algorithm, standardizing each item of status data of the USB device being plugged into or unplugged from the USB port, to obtain first port data;
According to a normalization algorithm, associating all data contained in the first port data that relate to the corresponding USB device, to obtain second port data;
According to a data feature extraction algorithm, extracting from the second port data the data having the same features as the black-and-white list, as the standard port data.
4. The method for monitoring the USB ports of computers in a local area network as claimed in claim 3, characterized in that comparing the standard port data with the black-and-white list to judge whether the USB device is legitimately plugged into or unplugged from the USB port is specifically:
Loading the black-and-white list from a database;
Comparing the standard port data with the black-and-white list, and judging whether the serial number of the USB device contained in the standard port data is recorded in the black-and-white list;
When the standard port data contain a USB device serial number that is recorded in the blacklist of the black-and-white list, outputting an alarm carrying the serial number information of that blacklisted USB device, indicating that the USB device was illegally plugged into or unplugged from its corresponding USB port;
When the standard port data contain a USB device serial number that is not recorded in the black-and-white list, querying the system whether to add the serial number information of that USB device to the black-and-white list; if so, entering the flow for adding to the black-and-white list;
When the standard port data contain a USB device serial number that is recorded in the whitelist of the black-and-white list, adding the information recorded in the second port data for that whitelisted USB device to the history record, for tracing.
5. The method for monitoring the USB ports of computers in a local area network as claimed in claim 4, characterized in that, when the standard port data contain a USB device serial number that is recorded in the blacklist of the black-and-white list, the method also includes:
When the operating system run by the computer corresponding to the USB port at which the blacklisted USB device in the standard port data was plugged or unplugged is a Windows system, blocking the communication connection between the USB port and the USB device via the WMI protocol;
When the operating system run by the computer corresponding to the USB port at which the blacklisted USB device in the standard port data was plugged or unplugged is a Linux or Unix system, blocking the communication connection between the USB port and the USB device via the SSH protocol.
6. A device for monitoring the USB ports of computers in a local area network, characterized by comprising:
A port data acquisition module, for obtaining the original port data of the USB ports of the computers in the same LAN; wherein the original port data include record data of USB devices being plugged into or unplugged from the USB ports;
A preprocessing module, for preprocessing the original port data to obtain standard port data;
A data comparison module, for comparing the standard port data with the black-and-white list to judge whether the USB device is legitimately plugged into or unplugged from the USB port.
7. The device for monitoring the USB ports of computers in a local area network as claimed in claim 6, characterized in that the port data acquisition module specifically includes:
A data acquisition unit, for obtaining, at frequency H, the original port data of the USB ports of all computers running the Windows operating system in the same LAN via the WMI protocol, and obtaining the original port data of the USB ports of all computers running a Linux or Unix operating system in the LAN via the SSH protocol;
A data receiving unit, for receiving, via the UDP protocol, the log records corresponding to the USB ports of the computers in the LAN as the original port data of the USB ports.
8. The device for monitoring the USB ports of computers in a local area network as claimed in claim 6, characterized in that the record data of the USB device being plugged into or unplugged from the USB port are specifically: the serial number of the USB device, the time at which the USB device was plugged into or unplugged from the USB port, the IP address of the computer corresponding to the USB port, the MAC address of the computer corresponding to the USB port, and the mode of the operation performed by the USB device, read or write.
Then, the preprocessing module specifically includes:
A standardization unit, for standardizing, according to a standardization algorithm, each item of status data of the USB device being plugged into or unplugged from the USB port, to obtain first port data;
A normalization unit, for associating, according to a normalization algorithm, all data contained in the first port data that relate to the corresponding USB device, to obtain second port data;
A data extraction unit, for extracting from the second port data, according to a data feature extraction algorithm, the data having the same features as the black-and-white list, as the standard port data.
9. The device for monitoring the USB ports of computers in a local area network as claimed in claim 8, characterized in that the data comparison module specifically includes:
A list loading unit, for loading the black-and-white list from a database;
A judging unit, for comparing the standard port data with the black-and-white list and judging whether the serial number of the USB device contained in the standard port data is recorded in the black-and-white list;
An alarm output unit, for outputting, when the standard port data contain a USB device serial number that is recorded in the blacklist of the black-and-white list, an alarm carrying the serial number information of that blacklisted USB device, indicating that the USB device was illegally plugged into or unplugged from its corresponding USB port;
A list information adding unit, for querying the system, when the standard port data contain a USB device serial number that is not recorded in the black-and-white list, whether to add the serial number information of that USB device to the black-and-white list; if so, entering the flow for adding to the black-and-white list;
A history saving unit, for adding, when the standard port data contain a USB device serial number that is recorded in the whitelist of the black-and-white list, the information recorded in the second port data for that whitelisted USB device to the history record, for tracing.
10. The device for monitoring the USB ports of computers in a local area network as claimed in claim 9, characterized in that the data comparison module also includes:
A first blocking unit, for blocking, via the WMI protocol, the communication connection between the USB port and the USB device when the operating system run by the computer corresponding to the USB port at which the blacklisted USB device in the standard port data was plugged or unplugged is a Windows system;
A second blocking unit, for blocking, via the SSH protocol, the communication connection between the USB port and the USB device when the operating system run by the computer corresponding to the USB port at which the blacklisted USB device in the standard port data was plugged or unplugged is a Linux or Unix system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610863914.XA CN106254163B (en) | 2016-09-28 | 2016-09-28 | Monitor the method and device of the USB port of computer in local area network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106254163A (en) | 2016-12-21 |
CN106254163B (en) | 2019-09-20 |
Family
ID=57611145
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610863914.XA Active CN106254163B (en) | 2016-09-28 | 2016-09-28 | Monitor the method and device of the USB port of computer in local area network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106254163B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140380010A1 (en) * | 2007-06-01 | 2014-12-25 | Robert F. Hogan | System and appartus for controlling use of mass storage devices |
CN101546363A (en) * | 2008-03-25 | 2009-09-30 | 中芯国际集成电路制造(上海)有限公司 | Safe USB connection method |
CN102123042A (en) * | 2010-12-30 | 2011-07-13 | 中国民航信息网络股份有限公司 | System configuration intelligent management system and management method thereof |
CN102629403A (en) * | 2012-03-14 | 2012-08-08 | 深圳市紫金支点技术股份有限公司 | USB (Universal Serial Bus) flash disk authorization method and system based on ATM (Automatic Teller Machine) equipment |
CN105718825A (en) * | 2015-11-16 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | Method and device for detecting malicious USB equipment |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108304222A (en) * | 2017-01-13 | 2018-07-20 | 中标软件有限公司 | Apparatus management/control system and method |
CN110221991A (en) * | 2018-03-02 | 2019-09-10 | 中标软件有限公司 | The management-control method and system of computer peripheral |
CN110221991B (en) * | 2018-03-02 | 2023-04-07 | 中标软件有限公司 | Control method and system for computer peripheral equipment |
Also Published As
Publication number | Publication date |
---|---|
CN106254163B (en) | 2019-09-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104063473B (en) | A kind of database audit monitoring system and its method | |
US20100325685A1 (en) | Security Integration System and Device | |
CN110351237B (en) | Honeypot method and device for numerical control machine tool | |
CN114598525A (en) | IP automatic blocking method and device for network attack | |
CN110417759A (en) | A kind of method of IDC information security management | |
CN110365709B (en) | Device for sensing unknown network attack behavior based on upstream probe | |
CN112565300B (en) | Industry cloud hacker attack identification and blocking method, system, device and medium | |
CN114418263A (en) | A defense system for power monitoring device of thermal power plant | |
US9654491B2 (en) | Network filtering apparatus and filtering method | |
CN111244806B (en) | Power equipment safety debugging monitoring system and processing method | |
CN101540681A (en) | Method and system for monitoring computer network connection statuses | |
CN106254163A (en) | The method and device of the USB port of monitoring LAN Computer | |
CN110768950A (en) | Permeation instruction sending method and device, storage medium and electronic device | |
CN111526109A (en) | Method and device for automatically detecting running state of web threat recognition defense system | |
CN108011880A (en) | The management method and computer-readable recording medium monitored in cloud data system | |
CN109768872A (en) | A kind of ID-Nac system of real name ID network management platform | |
CN110958267B (en) | Method and system for monitoring threat behaviors in virtual network | |
CN202713367U (en) | Main station applicable to power utilization information acquisition system | |
CN112350864A (en) | Protection method, device, equipment and computer readable storage medium for domain control terminal | |
CN112422501A (en) | Forward and reverse tunnel protection method, device, equipment and storage medium | |
CN102404161B (en) | Method and universal serial bus (USB) equipment for detecting secret leakage | |
CN104753955A (en) | Interconnection auditing method based on rebound port Trojans | |
CN107124390B (en) | Security defense and implementation method, device and system of computing equipment | |
KR20200054495A (en) | Method for security operation service and apparatus therefor | |
CN110866245B (en) | Detection method and detection system for maintaining file security of virtual machine |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||