CN107911387A - Method for monitoring abnormal account login and abnormal operation in a power information acquisition system - Google Patents


Publication number
CN107911387A
Authority
CN
China
Prior art keywords
account
abnormal
exception
log
time
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711290589.3A
Other languages
Chinese (zh)
Inventor
赵佩
申洪涛
陶鹏
冯波
王立斌
曹江坤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd
State Grid Hebei Energy Technology Service Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd
State Grid Hebei Energy Technology Service Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd, State Grid Hebei Energy Technology Service Co Ltd filed Critical State Grid Corp of China SGCC
Priority to CN201711290589.3A priority Critical patent/CN107911387A/en
Publication of CN107911387A publication Critical patent/CN107911387A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for monitoring abnormal account login and abnormal operation in a power information acquisition system. Data models for recording account logins and account operations are each established in the system back end, and the login and operation information of power information acquisition system accounts is logged. By periodically determining whether the number of logins and the number of operations of the same account within one minute or within one hour exceed a certain threshold, and/or whether logins and operations are repeated within the same second, the method identifies abnormal account login and abnormal operation and restricts the account's access. The abnormal logins or abnormal operations of an account are recorded in a log table, including the time of the anomaly, the anomaly type and the number of times the account has been restricted. By monitoring account login and operation activity in real time and promptly restricting accounts that log in and operate abnormally, the invention improves the stability and security of system operation.

Description

Method for monitoring abnormal account login and abnormal operation in a power information acquisition system
Technical field
The invention belongs to the technical field of information system security and monitoring, and relates to a method for monitoring abnormal account login and abnormal operation in a power information acquisition system.
Background
A power information acquisition system is a comprehensive, non-real-time information collection, analysis and processing system that integrates modern digital communication, computer hardware technology, electric energy metering technology, power load management technology and power marketing technology. Its main communication carriers are mobile communication networks, 230 MHz wireless private networks and optical networks, over which data communication between the system master station and field terminals is carried out. Its functions include data acquisition, remote meter reading, abnormal electricity-use alerts, power quality monitoring, line loss analysis, reactive voltage management and load monitoring management.
With the development and spread of the smart grid, smart electricity meters have been connected to the acquisition system in large numbers, and the system master station bears growing pressure from commissioning, access and collection. During business peaks the system load exceeds 90%, and servers have even gone down, which has badly affected the company's electricity collection business applications and its steadily rising indicator data. Resolving acquisition system bottlenecks promptly and effectively and optimizing acquisition system performance have therefore become urgent tasks for ensuring accurate energy data collection and supporting smart grid development. As the acquisition system's data volume keeps growing and its functions are applied more deeply, stable system operation has also become the shared expectation of managers and users in every department.
System load and resource consumption are important measures of system performance, and whether accounts log in and operate in a well-behaved way is an important factor affecting both. During peak usage periods the frequency of account logins and operations rises sharply, and system load and resource consumption rise with it. Some system users do not follow account usage rules in this time window, and some even use automation software and plug-in tools to log in to the system and operate it at high frequency. Querying and analysing the abnormal cases in the system's back-end database shows accounts with abnormal logins and frequent operations, as shown in Table 1.
According to statistics, normal manual operation of an account is generally within 10 operations per minute, whereas accounts operating as frequently as those above consume a large amount of system resources, significantly affect the service life of the master station servers, greatly increase the probability of system failure, cause waste and loss of system resources, and pose a serious security risk to the acquisition system. Investigation found that some accounts use plug-in software to log in to the acquisition system pages automatically and carry out preset operations automatically. Because logins and operations performed this way are too frequent, they seriously affect the safe, stable and efficient operation of the system: the average system load reached 49.8% and the highest load 98.6%; the system load for that day is shown in Fig. 1.
To ensure safe and stable system operation, to monitor the operations of system accounts, and to prevent non-human operation such as network intrusion and illegal plug-ins, a method is needed that monitors system accounts in real time and restricts abnormal accounts promptly. The abnormal-login and abnormal-operation monitoring function implements monitoring and control of power information acquisition system accounts. It monitors each account's login time, login IP and login type (normal login, logout and illegal login), as well as each account's operation time, operation IP and operation content, determines account anomalies through statistical analysis, and promptly restricts abnormal accounts.
Summary of the invention
The object of the invention is to provide a method for monitoring abnormal account login and abnormal operation in a power information acquisition system. By monitoring the system's account login and operation logs, it tracks account login and operation activity in real time and promptly restricts accounts that log in and operate abnormally, improving the stability and security of system operation.
The object of the invention is achieved through the following technical solution:
A method for monitoring abnormal account login and abnormal operation in a power information acquisition system, comprising the following steps:
(1) Data models for recording account logins and account operations are each established in the system back end, and the login and operation information of power information acquisition system accounts is logged. Account login information includes the account's login time, login IP address and login type (login, logout, improper login); account operation information includes the account's operation time, operation IP address and operation content;
(2) By periodically determining whether the number of logins and the number of operations of the same account within one minute or within one hour exceed a certain threshold, and/or whether logins and operations are repeated within the same second, abnormal account login and abnormal operation are identified and the account's access is restricted;
(3) The abnormal logins or abnormal operations of an account are recorded in a log table, including the time of the anomaly, the anomaly type and the number of times restricted.
The method proposed by the invention for monitoring abnormal account login and abnormal operation in a power information acquisition system has the following beneficial effects:
(1) By monitoring the system's account login and operation logs, it tracks account login and operation activity in real time and promptly restricts accounts that log in and operate abnormally, preventing non-human operation such as network intrusion and illegal plug-ins and improving the stability and security of system operation;
(2) Locking abnormal accounts with the method of the invention substantially relieves system load: during the business peak (9 to 11 in the morning), CPU load fell from the original 90% to about 50%, and memory usage was also effectively released.
The system load after abnormal-account monitoring was applied is shown in Fig. 2.
Brief description of the drawings
Fig. 1 is the system load curve under the existing conditions;
Fig. 2 is the system load curve after applying the method of the invention;
Fig. 3 is the monitoring flow of the invention.
Detailed description
The invention is further explained and illustrated below with reference to the drawings and a specific embodiment.
Querying and analysing the abnormal cases in the system's back-end database shows accounts with abnormal logins and frequent operations, as shown in Table 1.
Table 1: Frequent account operations
Sequence number Account Action type Operating time Operation content IP address
1 sjzzh_dongsy 04 2017/2/13 15:05:03 Common item calls survey together 10.98.27.243
2 sjzzh_dongsy 04 2017/2/13 15:05:03 Common item calls survey together 10.98.27.243
3 sjzzh_dongsy 04 2017/2/13 15:05:03 Common item calls survey together 10.98.27.243
4 sjzzh_dongsy 04 2017/2/13 15:05:02 Common item calls survey together 10.98.27.243
5 sjzzh_dongsy 04 2017/2/13 15:05:02 Common item calls survey together 10.98.27.243
6 sjzzh_dongsy 04 2017/2/13 15:05:02 Common item calls survey together 10.98.27.243
7 sjzzh_dongsy 04 2017/2/13 15:05:02 Common item calls survey together 10.98.27.243
8 sjzzh_dongsy 04 2017/2/13 15:05:01 Common item calls survey together 10.98.27.243
9 sjzzh_dongsy 04 2017/2/13 15:05:01 Common item calls survey together 10.98.27.243
10 sjzzh_dongsy 04 2017/2/13 15:05:00 Common item calls survey together 10.98.27.243
11 sjzzh_dongsy 04 2017/2/13 15:05:00 Common item calls survey together 10.98.27.243
12 sjzzh_dongsy 04 2017/2/13 15:05:00 Common item calls survey together 10.98.27.243
13 sjzzh_dongsy 04 2017/2/13 15:04:59 Common item calls survey together 10.98.27.243
14 sjzzh_dongsy 04 2017/2/13 15:04:59 Common item calls survey together 10.98.27.243
15 sjzzh_dongsy 04 2017/2/13 15:04:59 Common item calls survey together 10.98.27.243
16 sjzzh_dongsy 04 2017/2/13 15:04:58 Common item calls survey together 10.98.27.243
17 sjzzh_dongsy 04 2017/2/13 15:04:58 Common item calls survey together 10.98.27.243
18 sjzzh_dongsy 04 2017/2/13 15:04:57 Common item calls survey together 10.98.27.243
19 sjzzh_dongsy 04 2017/2/13 15:04:57 Common item calls survey together 10.98.27.243
20 sjzzh_dongsy 04 2017/2/13 15:04:56 Common item calls survey together 10.98.27.243
21 sjzzh_dongsy 04 2017/2/13 15:04:56 Common item calls survey together 10.98.27.243
22 sjzzh_dongsy 04 2017/2/13 15:04:56 Common item calls survey together 10.98.27.243
23 sjzzh_dongsy 04 2017/2/13 15:04:55 Common item calls survey together 10.98.27.243
24 sjzzh_dongsy 04 2017/2/13 15:04:54 Common item calls survey together 10.98.27.243
25 sjzzh_dongsy 04 2017/2/13 15:04:53 Common item calls survey together 10.98.27.243
26 sjzzh_dongsy 04 2017/2/13 15:04:53 Common item calls survey together 10.98.27.243
27 sjzzh_dongsy 04 2017/2/13 15:04:52 Common item calls survey together 10.98.27.243
28 sjzzh_dongsy 04 2017/2/13 15:04:52 Common item calls survey together 10.98.27.243
29 sjzzh_dongsy 04 2017/2/13 15:04:51 Common item calls survey together 10.98.27.243
30 sjzzh_dongsy 04 2017/2/13 15:04:50 Common item calls survey together 10.98.27.243
31 sjzzh_dongsy 04 2017/2/13 15:04:49 Common item calls survey together 10.98.27.243
32 sjzzh_dongsy 04 2017/2/13 15:04:49 Common item calls survey together 10.98.27.243
33 sjzzh_dongsy 04 2017/2/13 15:04:49 Common item calls survey together 10.98.27.243
34 sjzzh_dongsy 04 2017/2/13 15:04:49 Common item calls survey together 10.98.27.243
35 sjzzh_dongsy 04 2017/2/13 15:04:48 Common item calls survey together 10.98.27.243
36 sjzzh_dongsy 04 2017/2/13 15:04:48 Common item calls survey together 10.98.27.243
37 sjzzh_dongsy 04 2017/2/13 15:04:48 Common item calls survey together 10.98.27.243
38 sjzzh_dongsy 04 2017/2/13 15:04:48 Common item calls survey together 10.98.27.243
39 sjzzh_dongsy 04 2017/2/13 15:04:48 Common item calls survey together 10.98.27.243
40 sjzzh_dongsy 04 2017/2/13 15:04:47 Common item calls survey together 10.98.27.243
41 sjzzh_dongsy 04 2017/2/13 15:04:47 Common item calls survey together 10.98.27.243
42 sjzzh_dongsy 04 2017/2/13 15:04:47 Common item calls survey together 10.98.27.243
43 sjzzh_dongsy 04 2017/2/13 15:04:47 Common item calls survey together 10.98.27.243
44 sjzzh_dongsy 04 2017/2/13 15:04:46 Common item calls survey together 10.98.27.243
45 sjzzh_dongsy 04 2017/2/13 15:04:46 Common item calls survey together 10.98.27.243
46 sjzzh_dongsy 04 2017/2/13 15:04:46 Common item calls survey together 10.98.27.243
According to statistics, normal manual operation of an account is generally within 10 operations per minute, whereas accounts operating as frequently as those above consume a large amount of system resources, significantly affect the service life of the master station servers, greatly increase the probability of system failure, cause waste and loss of system resources, and pose a serious security risk to the acquisition system. Investigation found that some accounts use plug-in software to log in to the acquisition system pages automatically and carry out preset operations automatically. Because logins and operations performed this way are too frequent, they seriously affect the safe, stable and efficient operation of the system: the average system load reached 49.8% and the highest load 98.6%; the system load for that day is shown in Fig. 1.
To ensure safe and stable system operation, to monitor the operations of system accounts, and to prevent non-human operation such as network intrusion and illegal plug-ins, the invention devises a method that monitors system accounts in real time and restricts abnormal accounts promptly; that is, it provides a method for monitoring abnormal account login and abnormal operation in a power information acquisition system, implementing monitoring and control of power information acquisition system accounts. As shown in Fig. 2, locking abnormal accounts with the invention substantially relieves system load: during the business peak (9 to 11 in the morning), CPU load fell from the original 90% to about 50%, and memory usage was also effectively released.
Embodiment 1
Fig. 3 shows the flow chart of the invention for monitoring abnormal account login and abnormal operation in a power information acquisition system. The monitoring steps are as follows:
(1) Data models for recording account logins and account operations are each established in the system back end, and the login and operation information of power information acquisition system accounts is logged. Account login information includes the account's login time, login IP address and login type (login, logout, improper login); account operation information includes the account's operation time, operation IP address and operation content. The data models for account logins and account operations are shown in Table 2 and Table 3 respectively.
Table 2: Data model for recording account logins
Table 3: Data model for recording account operations
(2) Determine whether, for the same account, the number of logins within one minute is >= 50 and/or whether logins are repeated within the same second;
(3) If, for the same account, the number of logins within one minute is >= 50 and/or logins are repeated within the same second, the account's login is abnormal and the account's access is restricted;
(4) Determine whether, for the same account, the number of operations within one minute is >= 50, and/or the number of operations within one hour is >= 100 and operations are repeated within the same second, and/or the number of occurrences of repeated operations within one second during one hour is >= 3;
(5) If, for the same account, the number of operations within one minute is >= 50, and/or the number of operations within one hour is >= 100 and operations are repeated within the same second, and/or the number of occurrences of repeated operations within one second during one hour is >= 3, the account's operation is abnormal and the account's access is restricted; if the account's operation is normal, return to step (2);
(6) Accounts with abnormal logins or operations are recorded in the log, including the time of the anomaly, the anomaly type and the number of times restricted.
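The criteria in steps (2) to (6), applied to a small set of log records, as an added Python example that is not part of the patent's own code. It follows the wording of the steps under one reading of their "and/or" (each clause flags an account on its own) and counts per calendar minute and hour; the Event fields, the "login"/"op" labels, the reason strings, all function names and the sample accounts are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as stated in steps (2)-(5) of the embodiment.
LOGINS_PER_MINUTE = 50
OPS_PER_MINUTE = 50
OPS_PER_HOUR = 100
REPEAT_SECONDS_PER_HOUR = 3


@dataclass(frozen=True)
class Event:
    account: str
    when: datetime   # one-second resolution, as in Table 1
    kind: str        # "login" or "op" (labels assumed for this example)


def _count_by(times, **zeroed):
    """Count timestamps per calendar bucket; fields named in `zeroed` are reset."""
    return Counter(t.replace(microsecond=0, **zeroed) for t in times)


def login_reasons(times):
    """Steps (2)-(3): login criteria for one account."""
    reasons = []
    if any(n >= LOGINS_PER_MINUTE for n in _count_by(times, second=0).values()):
        reasons.append("logins_per_minute>=50")
    if any(n >= 2 for n in _count_by(times).values()):
        reasons.append("repeat_login_same_second")
    return reasons


def op_reasons(times):
    """Steps (4)-(5): operation criteria for one account."""
    reasons = []
    if any(n >= OPS_PER_MINUTE for n in _count_by(times, second=0).values()):
        reasons.append("ops_per_minute>=50")
    per_hour = _count_by(times, minute=0, second=0)
    # Seconds holding more than one operation, counted per hour they fall in.
    repeats = Counter(s.replace(minute=0, second=0)
                      for s, n in _count_by(times).items() if n >= 2)
    if any(n >= OPS_PER_HOUR and repeats[h] >= 1 for h, n in per_hour.items()):
        reasons.append("ops_per_hour>=100_with_same_second_repeat")
    if any(n >= REPEAT_SECONDS_PER_HOUR for n in repeats.values()):
        reasons.append("same_second_repeats_per_hour>=3")
    return reasons


def detect(events):
    """Return {account: [reason, ...]} for accounts meeting any criterion."""
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, {"login": [], "op": []})[e.kind].append(e.when)
    flagged = {}
    for account, t in by_account.items():
        reasons = login_reasons(t["login"]) + op_reasons(t["op"])
        if reasons:
            flagged[account] = reasons
    return flagged


def record(anomaly_log, flagged, detected_at):
    """Step (6): log the abnormal time, anomaly type and times restricted so far."""
    for account, reasons in flagged.items():
        previous = sum(1 for row in anomaly_log if row["account"] == account)
        anomaly_log.append({"account": account,
                            "abnormal_time": detected_at,
                            "abnormal_type": ";".join(reasons),
                            "times_restricted": previous + 1})
    return anomaly_log


def sample_events():
    """Constructed sample records, modelled on the burst pattern in Table 1."""
    t0 = datetime(2017, 2, 13, 15, 4, 0)
    events = [Event("op_bot", t0 + timedelta(seconds=s), "op")
              for s in range(40) for _ in range(3)]          # 3 operations per second
    events += [Event("clerk", t0 + timedelta(seconds=7 * i), "op")
               for i in range(8)]                            # manual pace
    events += [Event("login_bot", t0, "login")] * 2          # two logins in one second
    events += [Event("slow_script", t0 + timedelta(minutes=10 * m), "op")
               for m in range(3) for _ in range(2)]          # 3 repeated seconds in an hour
    return events


if __name__ == "__main__":
    flagged = detect(sample_events())
    for row in record([], flagged, datetime(2017, 2, 13, 16, 0, 0)):
        print(row)
```

The "slow_script" account shows why the third clause matters: it stays far below both rate thresholds and is flagged only because three separate seconds each contain a repeated operation.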
The back-end code of the monitoring method of the invention is as follows:
CREATE OR REPLACE PROCEDURE monitor_user_abnormal_op IS
v_start_time DATE;
v_start_date date;
v_end_date date;
v_cnt_update number;
v_cnt_update2 number;
v_date date;
BEGIN
v_start_time := SYSDATE;
v_cnt_update := 0;
v_cnt_update2 := 0;
v_date := trunc(sysdate, 'hh24');
-- Next: number of operations per minute >= 50, checked over a range of one hour
v_end_date := v_date;
v_start_date := v_date - 1 / 24;
insert into monitor_abnormal_op_datail
(date_minute,
emp_no,
op_cnt,
write_date,
org_no,
ip_addr,
op_content,
start_date,
end_date,
abnorbal_type)
select trunc(l.op_time, 'mi') date_minute,
l.emp_no,
count(*) as op_cnt,
sysdate as write_date,
max(l.org_no) as org_no,
max(l.ip_addr) as ip_addr,
l.op_content,
v_start_date,
v_end_date,
'number of operations per minute >= 50' as abnorbal_type
from l_user_op_log l
where l.op_time >= v_start_date
and l.op_time <= v_end_date
group by trunc(l.op_time, 'mi'), l.emp_no, l.op_content
having count(*) >= 50;
commit;
-- Next: check for a number of operations per second >= 3 (the original comment gives the judgment period as one day; the window set below is the previous hour)
v_end_date := v_date;
v_start_date := v_date - 1 / 24;
-- First collect the operation records whose number of operations per second is >= 3 and insert them into the temporary table tmp_monitor_abnormal_op_datail
execute immediate 'truncate table tmp_monitor_abnormal_op_datail';
insert into tmp_monitor_abnormal_op_datail
(date_minute, emp_no, op_cnt, write_date, org_no, ip_addr, op_content)
select l.op_time date_minute,
l.emp_no,
count(*) as op_cnt,
sysdate as write_date,
max(l.org_no) as org_no,
max(l.ip_addr) as ip_addr,
l.op_content
from l_user_op_log l
where l.op_time >= v_start_date
and l.op_time <= v_end_date
group by l.op_time, l.emp_no, l.op_content
having count(*) >= 3;
commit;
-- Next: number of operations per second >= 3 and, in addition, number of operations per hour >= 100
insert into monitor_abnormal_op_datail
(date_minute,
emp_no,
op_cnt,
write_date,
org_no,
ip_addr,
op_content,
start_date,
end_date,
abnorbal_type)
select date_minute,
emp_no,
op_cnt,
write_date,
org_no,
ip_addr,
op_content,
start_date,
end_date,
abnorbal_type
from (select trunc(l.op_time, 'hh24') date_minute,
l.emp_no,
count(*) as op_cnt,
sysdate as write_date,
max(l.org_no) as org_no,
max(l.ip_addr) as ip_addr,
l.op_content,
v_start_date as start_date,
v_end_date as end_date,
'number of operations per second >= 3 and number of operations per hour >= 100' as abnorbal_type
from l_user_op_log l
where l.op_time >= v_start_date
and l.op_time <= v_end_date
group by trunc(l.op_time, 'hh24'), l.emp_no, l.op_content
having count(*) >= 100) lix
where exists (select 1
from tmp_monitor_abnormal_op_datail t
where t.emp_no = lix.emp_no);
commit;
execute immediate 'truncate table tmp_monitor_abnormal_op_emp_no';
insert into tmp_monitor_abnormal_op_emp_no
(emp_no)
select distinct l.emp_no
from monitor_abnormal_op_datail l
where l.date_minute >= v_start_date
and l.date_minute <= v_end_date
and exists (select 1
from p_sys_user p
where p.staff_no = l.emp_no
and p.cur_status_code <> '03'); -- '03' is the "deleted" state
commit;
update p_sys_user p
set p.cur_status_code = '03', p.lock_time = sysdate
where p.staff_no in
(select t.emp_no from tmp_monitor_abnormal_op_emp_no t);
v_cnt_update := sql%rowcount;
commit;
-- Anomaly detected and the account was not in the deleted state; the original comment says no record exists in tmp_monitor_abnormal_op_emp_no, while the query below requires no earlier row in monitor_abnormal_op_datail: treat it as a newly occurring operation anomaly
update monitor_abnormal_op_datail l
set (l.lock_time, l.staff_name, l.lock_cnt, l.lock_history) =
(select u.lock_time,
u.name,
1 as lock_cnt,
to_char(u.lock_time, 'yyyy-mm-dd hh24:mi:ss') as lock_history
from p_sys_user u
where u.staff_no = l.emp_no)
where l.date_minute >= v_start_date
and l.date_minute <= v_end_date
and exists
(select 1 from p_sys_user u where u.staff_no = l.emp_no)
and exists (select 1
from tmp_monitor_abnormal_op_emp_no uu
where uu.emp_no = l.emp_no)
and not exists (select 1
from monitor_abnormal_op_datail e
where e.write_date < v_start_time
and e.emp_no = l.emp_no);
commit;
-- Anomaly detected, the account was not in the deleted state, and a record exists in tmp_monitor_abnormal_op_emp_no: treat it as a recurring operation anomaly
update monitor_abnormal_op_datail l
set (l.lock_time, l.staff_name, l.lock_cnt, l.lock_history) =
(select lock_time, staff_name, lock_cnt, lock_history
from (select distinct e.emp_no,
p.lock_time,
p.name as staff_name,
e.lock_cnt + 1 as lock_cnt,
e.lock_history || ',' ||
to_char(p.lock_time, 'yyyy-mm-dd hh24:mi:ss') as lock_history
from monitor_abnormal_op_datail e,
tmp_monitor_abnormal_op_emp_no t,
p_sys_user p
where e.write_date < v_start_time
and p.staff_no = e.emp_no
and t.emp_no = e.emp_no) lix
where lix.emp_no = l.emp_no)
where exists (select lock_time, staff_name, lock_cnt, lock_history
from (select distinct e.emp_no,
p.lock_time,
p.name as staff_name,
e.lock_cnt + 1 as lock_cnt,
e.lock_history || ',' ||
to_char(p.lock_time, 'yyyy-mm-dd hh24:mi:ss') as lock_history
from monitor_abnormal_op_datail e,
tmp_monitor_abnormal_op_emp_no t,
p_sys_user p
where e.write_date < v_start_time
and p.staff_no = e.emp_no
and t.emp_no = e.emp_no) lix
where lix.emp_no = l.emp_no);
commit;
-- Anomaly detected, but the account was already in the deleted state and an earlier lock history record can be found: treat this as a repeat detection.
update monitor_abnormal_op_datail l
set (l.lock_time, l.staff_name, l.lock_cnt, l.lock_history) =
(select lock_time, staff_name, lock_cnt, lock_history
from (select e.emp_no,
max(p.lock_time) as lock_time,
max(p.name) as staff_name,
max(e.lock_cnt) as lock_cnt,
max(e.lock_history) as lock_history
from monitor_abnormal_op_datail e, p_sys_user p
where e.write_date < v_start_time
and p.staff_no = e.emp_no
group by e.emp_no) lix
where lix.emp_no = l.emp_no)
where l.date_minute >= v_start_date
and l.date_minute <= v_end_date
and l.lock_cnt is null
and exists ((select 1
from (select e.emp_no,
max(p.lock_time) as lock_time,
max(p.name) as staff_name,
max(e.lock_cnt) as lock_cnt,
max(e.lock_history) as lock_history
from monitor_abnormal_op_datail e, p_sys_user p
where e.write_date < v_start_time
and p.staff_no = e.emp_no
group by e.emp_no) lix
where lix.emp_no = l.emp_no))
and not exists (select 1
from tmp_monitor_abnormal_op_emp_no uu
where uu.emp_no = l.emp_no);
commit;
-- Anomaly detected, but the account was already in the deleted state and no earlier lock history record can be found: treat the lock as a manual action performed outside this monitoring script.
update monitor_abnormal_op_datail l
set (l.lock_time, l.staff_name, l.lock_cnt, l.lock_history) =
(select u.lock_time,
u.name,
1 as lock_cnt,
to_char(u.lock_time, 'yyyy-mm-dd hh24:mi:ss') as lock_history
from p_sys_user u
where u.staff_no = l.emp_no)
where l.date_minute >= v_start_date
and l.date_minute <= v_end_date
and l.lock_cnt is null
and exists
(select 1 from p_sys_user u where u.staff_no = l.emp_no)
and not exists (select 1
from tmp_monitor_abnormal_op_emp_no uu
where uu.emp_no = l.emp_no);
commit;
calc_srv_log('301',
'monitoring user illegal operation ** ' || v_cnt_update || ' -- ' || v_cnt_update2 ||
' ** ------ time-consuming ' || '(' || to_char(v_start_time, 'hh24:mi:ss') || ' to ' ||
to_char(SYSDATE, 'hh24:mi:ss') || ')' ||
round(to_number(SYSDATE - v_start_time) * 1440) || ' min!',
'monitor_user_abnormal_op',
round(to_number(SYSDATE - v_start_time) * 1440),
'',
v_start_time,
SYSDATE);
COMMIT;
EXCEPTION
WHEN OTHERS THEN
ROLLBACK;
system_log('monitor_user_abnormal_op', '', '');
calc_srv_log('-1',
'monitoring user illegal operation -- error!',
'monitor_user_abnormal_op',
'',
'');
COMMIT;
END monitor_user_abnormal_op;
It should be noted that the above is only a preferred embodiment of the invention rather than all of its embodiments, and should not limit the scope of protection of the invention. The invention may also be implemented in other ways, and any modification or substitution of its content made by a person skilled in the art without creative work shall be considered to fall within the scope of protection of the invention.

Claims (7)

1. A method for monitoring abnormal account login and abnormal operation in a power information acquisition system, characterized in that it comprises the following steps:
1) Data models for recording account logins and account operations are each established in the system back end, and the login and operation information of power information acquisition system accounts is logged;
2) By periodically determining whether the number of logins and the number of operations of the same account within one minute or within one hour exceed a certain threshold, and/or whether logins and operations are repeated within the same second, abnormal account login and abnormal operation are identified and the account's access is restricted;
3) The abnormal logins or abnormal operations of an account are recorded in a log table, including the time of the anomaly, the anomaly type and the number of times restricted.
2. The monitoring method according to claim 1, characterized in that: the account login information in step 1) includes the account's login time, login IP address and login type.
3. The monitoring method according to claim 1, characterized in that: the account operation information in step 1) includes the account's operation time, operation IP address and operation content.
4. The monitoring method according to claim 1, characterized in that the criteria in step 2) for determining abnormal account login and abnormal operation are as follows:
A. Determine whether, for the same account, the number of logins within one minute is >= 50 and/or whether logins are repeated within the same second;
B. If, for the same account, the number of logins within one minute is >= 50 and/or logins are repeated within the same second, the account's login is abnormal and the account's access is restricted.
5. The monitoring method according to claim 4, characterized in that the criteria in step 2) for determining abnormal account login and abnormal operation are as follows:
C. Determine whether, for the same account, the number of operations within one minute is >= 50, and/or the number of operations within one hour is >= 100 and operations are repeated within the same second, and/or the number of occurrences of repeated operations within one second during one hour is >= 3;
D. If, for the same account, the number of operations within one minute is >= 50, and/or the number of operations within one hour is >= 100 and operations are repeated within the same second, and/or the number of occurrences of repeated operations within one second during one hour is >= 3, the account's operation is abnormal and the account's access is restricted.
6. The monitoring method according to claim 4, characterized in that: if the account's operation is normal, return to step A.
7. The monitoring method according to claim 5, characterized in that: if the account's operation is normal, return to step C.
CN201711290589.3A 2017-12-08 2017-12-08 Method for monitoring abnormal account login and abnormal operation in a power information acquisition system Pending CN107911387A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711290589.3A CN107911387A (en) 2017-12-08 2017-12-08 Power information acquisition system account logs in the monitoring method with abnormal operation extremely

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711290589.3A CN107911387A (en) 2017-12-08 2017-12-08 Power information acquisition system account logs in the monitoring method with abnormal operation extremely

Publications (1)

Publication Number Publication Date
CN107911387A true CN107911387A (en) 2018-04-13

Family

ID=61854671

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711290589.3A Pending CN107911387A (en) 2017-12-08 2017-12-08 Power information acquisition system account logs in the monitoring method with abnormal operation extremely

Country Status (1)

Country Link
CN (1) CN107911387A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104901971A (en) * 2015-06-23 2015-09-09 北京东方棱镜科技有限公司 Method and device for carrying out safety analysis on network behaviors
CN105490854A (en) * 2015-12-11 2016-04-13 传线网络科技(上海)有限公司 Real-time log collection method and system, and application server cluster
US20170013003A1 (en) * 2013-12-14 2017-01-12 Hewlett Packard Enterprise Development Lp Log Analysis Based on User Activity Volume
CN107046550A (en) * 2017-06-14 2017-08-15 微梦创科网络科技(中国)有限公司 A kind of detection method and device of abnormal login behavior

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111124844A (en) * 2018-10-30 2020-05-08 安碁资讯股份有限公司 Method and apparatus for detecting abnormal operation of operating system
CN111124844B (en) * 2018-10-30 2023-07-21 安碁资讯股份有限公司 Method and device for detecting abnormal operation of operating system
CN109409764A (en) * 2018-11-08 2019-03-01 国网河北省电力有限公司电力科学研究院 Production monitoring method and terminal device
CN109831415A (en) * 2018-12-27 2019-05-31 北京奇艺世纪科技有限公司 A kind of object processing method, device, system and computer readable storage medium
CN109831415B (en) * 2018-12-27 2021-12-21 北京奇艺世纪科技有限公司 Object processing method, device and system and computer readable storage medium
WO2021063068A1 (en) * 2019-09-30 2021-04-08 全球能源互联网研究院有限公司 Operation and maintenance control and operation and maintenance analysis method and apparatus, system, and storage medium
CN111008377A (en) * 2019-10-12 2020-04-14 中国平安财产保险股份有限公司 Account monitoring method and device, computer equipment and storage medium
CN111046373A (en) * 2019-11-04 2020-04-21 深圳供电局有限公司 Security management method, system, medium and device for customer service center
CN111209171A (en) * 2019-12-23 2020-05-29 中国平安财产保险股份有限公司 Closed loop handling method and device for security risk and storage medium
CN111209171B (en) * 2019-12-23 2022-09-02 中国平安财产保险股份有限公司 Closed loop handling method and device for security risk and storage medium
CN111371774A (en) * 2020-02-28 2020-07-03 深信服科技股份有限公司 Information processing method and device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN107911387A (en) Power information acquisition system account logs in the monitoring method with abnormal operation extremely
CN101325520B (en) Method for locating and analyzing fault of intelligent self-adapting network based on log
CN110493348A (en) A kind of intelligent monitoring and alarming system based on Internet of Things
RU2583703C2 (en) Malicious attack detection and analysis
CN100518076C (en) Journal accounting method and system
CN105868075A (en) System and method for monitoring and analyzing large amount of logs in real time
CN104052634B (en) Information spy system and method
US20120284790A1 (en) Live service anomaly detection system for providing cyber protection for the electric grid
CN103546343B (en) The network traffics methods of exhibiting of network traffic analysis system and system
CN105282772A (en) Wireless network data communication equipment monitoring system and equipment monitoring method
CN105119757A (en) Method and system for operation and maintenance automation of enterprise servers
CN105429791A (en) Distributed service state detection device and method
CN104574219A (en) System and method for monitoring and early warning of operation conditions of power grid service information system
CN110661811A (en) Firewall policy management method and device
CN112506167B (en) Method and system for processing abnormity of industrial network equipment
CN101605065A (en) The implementation method of security incident monitoring in the system of security centre
CN104753861A (en) Security event handling method and device
CN107704359A (en) A kind of monitoring system of big data platform
CN112711493A (en) Scenario root cause analysis application
CN113076229A (en) Universal enterprise-level information technology monitoring system
CN117811898B (en) FTTR equipment fault repairing method and FTTR equipment fault repairing device
CN118200118A (en) Substation communication network equipment monitoring and fault early warning method and system
CN101499935B (en) Alarm processing method for WiMAX base station
CN113592210A (en) Internet of things integrated management platform for water supply non-negative-pressure secondary water supply facility
CN102045186A (en) Event analysis method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180413