CN107911387A - Method for monitoring abnormal account login and abnormal operation in a power information acquisition system - Google Patents
- Publication number: CN107911387A
- Application number: CN201711290589.3A
- Authority: CN (China)
- Prior art keywords: account, abnormal, exception, log, time
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a method for monitoring abnormal account login and abnormal operation in a power information acquisition system. Data models for recording account logins and account operations are established separately in the system back end, and the login and operation information of power information acquisition system accounts is logged. By periodically checking whether the number of logins and operations by the same account within one minute or within one hour exceeds a certain threshold, and/or whether logins and operations are repeated within the same second, login anomalies and operation anomalies are identified and access by the account is restricted. The login or operation anomalies of an account are recorded in a log table, including the time of the anomaly, the anomaly type and the number of times the account has been restricted. By monitoring account logins and operations in real time and promptly restricting accounts that log in or operate abnormally, the invention improves the stability and security of system operation.
Description
Technical field
The invention belongs to the technical field of information system security and monitoring, and relates to a method for monitoring abnormal account login and abnormal operation in a power information acquisition system.
Background art
The power information acquisition system is a non-real-time, integrated information collection and analysis system that combines modern digital communication, computer hardware, electric energy metering, power load management and power marketing technologies. Its main communication carriers are mobile communication networks, 230 MHz wireless private networks and optical fiber networks, over which the system master station exchanges data with field terminals. Its functions include data acquisition, remote meter reading, abnormal electricity usage alerts, power quality monitoring, line loss analysis, reactive voltage management and load monitoring management.
With the development and spread of the smart grid, large numbers of smart electricity meters have been connected to the acquisition system, and the system master station bears growing pressure from commissioning, access and collection. System load exceeds 90% during business peak periods, and servers have even crashed, which has a very bad effect on the company's steadily improving electricity collection services, applications and performance indicators. Resolving acquisition system bottlenecks promptly and effectively and optimizing acquisition system performance has therefore become an urgent task for ensuring accurate energy data collection and supporting smart grid development. As the data volume of the acquisition system keeps growing and its functions are used ever more deeply, stable system operation has also become the shared expectation of managers and users in all departments.
System load and resource consumption are important measures of system performance, and whether accounts log in and operate in a disciplined way is an important factor affecting both. During peak usage, the frequency of account logins and operations rises sharply, and system load and resource consumption rise with it. Some system users do not follow account usage rules in this time window, and even use automation software and third-party plug-ins to log in to the system and perform operations at high frequency. Query analysis of the system back-end database found accounts with abnormal logins and frequent operations, as shown in Table 1.
According to statistics, normal manual operation of an account is generally within 10 operations per minute. Accounts that operate as frequently as those above consume large amounts of system resources, greatly affect the service life of the master station servers, greatly increase the probability of system failure, waste system resources, and bring serious security risks to the acquisition system. Investigation found that some accounts used third-party automation software to log in to the acquisition system pages automatically and to perform preset operations automatically. Because logins and operations made this way are too frequent, they severely affect the safe, stable and efficient operation of the system: average system load reached 49.8% and peak load 98.6%. The system load for that day is shown in Fig. 1.
To ensure safe and stable operation, the operations of system accounts must be monitored to prevent non-human operation such as network intrusion and unauthorized automation tools, so a method is needed that monitors system accounts in real time and promptly restricts abnormal accounts. The abnormal login and abnormal operation monitoring function monitors and controls power information acquisition system accounts. It records each account's login time, login IP and login type (normal login, logout and illegal login), as well as each account's operation time, operation IP and operation content, determines through statistical analysis whether an account is behaving abnormally, and promptly restricts abnormal accounts.
Summary of the invention
The object of the invention is to provide a method for monitoring abnormal account login and abnormal operation in a power information acquisition system. By monitoring the login and operation logs of system accounts, it tracks account logins and operations in real time and promptly restricts accounts that log in or operate abnormally, improving the stability and security of system operation.
The object of the invention is achieved through the following technical solution:
A method for monitoring abnormal account login and abnormal operation in a power information acquisition system, comprising the following steps:
(1) Establish, in the system back end, separate data models for recording account logins and account operations, and log the login and operation information of power information acquisition system accounts. Account login information includes the account's login time, login IP address and login type (login, logout, improper login). Account operation information includes the account's operation time, operation IP address and operation content;
(2) Periodically check whether the number of logins and operations by the same account within one minute or within one hour exceeds a certain threshold, and/or whether logins and operations are repeated within the same second, to identify login anomalies and operation anomalies, and restrict access by the account;
(3) Record the login or operation anomalies of the account in a log table, including the anomaly time, the anomaly type and the number of times the account has been restricted.
The invention proposes a method for monitoring abnormal account login and abnormal operation in a power information acquisition system, with the following beneficial effects:
(1) By monitoring the login and operation logs of system accounts, account logins and operations are tracked in real time and accounts that log in or operate abnormally are restricted promptly, preventing non-human operation such as network intrusion and unauthorized automation tools and improving the stability and security of system operation;
(2) Blocking abnormal accounts with the method of the invention relieves system load considerably: during the business peak period (9 a.m. to 11 a.m.), CPU load fell from the original 90% to about 50%, and memory usage was also effectively released.
System load after abnormal account monitoring was applied is shown in Fig. 2.
Brief description of the drawings
Fig. 1 is the system load curve under the existing conditions;
Fig. 2 is the system load curve after applying the method of the invention;
Fig. 3 is the monitoring flow chart of the invention.
Detailed description
The invention is further explained and illustrated below with reference to the accompanying drawings and specific embodiments.
Query analysis of the system database found accounts with abnormal logins and frequent operations, as shown in Table 1.
Table 1: Frequent account operations
Sequence number | Account | Action type | Operating time | Operation content | IP address |
---|---|---|---|---|---|
1 | sjzzh_dongsy | 04 | 2017/2/13 15:05:03 | Common item calls survey together | 10.98.27.243 |
2 | sjzzh_dongsy | 04 | 2017/2/13 15:05:03 | Common item calls survey together | 10.98.27.243 |
3 | sjzzh_dongsy | 04 | 2017/2/13 15:05:03 | Common item calls survey together | 10.98.27.243 |
4 | sjzzh_dongsy | 04 | 2017/2/13 15:05:02 | Common item calls survey together | 10.98.27.243 |
5 | sjzzh_dongsy | 04 | 2017/2/13 15:05:02 | Common item calls survey together | 10.98.27.243 |
6 | sjzzh_dongsy | 04 | 2017/2/13 15:05:02 | Common item calls survey together | 10.98.27.243 |
7 | sjzzh_dongsy | 04 | 2017/2/13 15:05:02 | Common item calls survey together | 10.98.27.243 |
8 | sjzzh_dongsy | 04 | 2017/2/13 15:05:01 | Common item calls survey together | 10.98.27.243 |
9 | sjzzh_dongsy | 04 | 2017/2/13 15:05:01 | Common item calls survey together | 10.98.27.243 |
10 | sjzzh_dongsy | 04 | 2017/2/13 15:05:00 | Common item calls survey together | 10.98.27.243 |
11 | sjzzh_dongsy | 04 | 2017/2/13 15:05:00 | Common item calls survey together | 10.98.27.243 |
12 | sjzzh_dongsy | 04 | 2017/2/13 15:05:00 | Common item calls survey together | 10.98.27.243 |
13 | sjzzh_dongsy | 04 | 2017/2/13 15:04:59 | Common item calls survey together | 10.98.27.243 |
14 | sjzzh_dongsy | 04 | 2017/2/13 15:04:59 | Common item calls survey together | 10.98.27.243 |
15 | sjzzh_dongsy | 04 | 2017/2/13 15:04:59 | Common item calls survey together | 10.98.27.243 |
16 | sjzzh_dongsy | 04 | 2017/2/13 15:04:58 | Common item calls survey together | 10.98.27.243 |
17 | sjzzh_dongsy | 04 | 2017/2/13 15:04:58 | Common item calls survey together | 10.98.27.243 |
18 | sjzzh_dongsy | 04 | 2017/2/13 15:04:57 | Common item calls survey together | 10.98.27.243 |
19 | sjzzh_dongsy | 04 | 2017/2/13 15:04:57 | Common item calls survey together | 10.98.27.243 |
20 | sjzzh_dongsy | 04 | 2017/2/13 15:04:56 | Common item calls survey together | 10.98.27.243 |
21 | sjzzh_dongsy | 04 | 2017/2/13 15:04:56 | Common item calls survey together | 10.98.27.243 |
22 | sjzzh_dongsy | 04 | 2017/2/13 15:04:56 | Common item calls survey together | 10.98.27.243 |
23 | sjzzh_dongsy | 04 | 2017/2/13 15:04:55 | Common item calls survey together | 10.98.27.243 |
24 | sjzzh_dongsy | 04 | 2017/2/13 15:04:54 | Common item calls survey together | 10.98.27.243 |
25 | sjzzh_dongsy | 04 | 2017/2/13 15:04:53 | Common item calls survey together | 10.98.27.243 |
26 | sjzzh_dongsy | 04 | 2017/2/13 15:04:53 | Common item calls survey together | 10.98.27.243 |
27 | sjzzh_dongsy | 04 | 2017/2/13 15:04:52 | Common item calls survey together | 10.98.27.243 |
28 | sjzzh_dongsy | 04 | 2017/2/13 15:04:52 | Common item calls survey together | 10.98.27.243 |
29 | sjzzh_dongsy | 04 | 2017/2/13 15:04:51 | Common item calls survey together | 10.98.27.243 |
30 | sjzzh_dongsy | 04 | 2017/2/13 15:04:50 | Common item calls survey together | 10.98.27.243 |
31 | sjzzh_dongsy | 04 | 2017/2/13 15:04:49 | Common item calls survey together | 10.98.27.243 |
32 | sjzzh_dongsy | 04 | 2017/2/13 15:04:49 | Common item calls survey together | 10.98.27.243 |
33 | sjzzh_dongsy | 04 | 2017/2/13 15:04:49 | Common item calls survey together | 10.98.27.243 |
34 | sjzzh_dongsy | 04 | 2017/2/13 15:04:49 | Common item calls survey together | 10.98.27.243 |
35 | sjzzh_dongsy | 04 | 2017/2/13 15:04:48 | Common item calls survey together | 10.98.27.243 |
36 | sjzzh_dongsy | 04 | 2017/2/13 15:04:48 | Common item calls survey together | 10.98.27.243 |
37 | sjzzh_dongsy | 04 | 2017/2/13 15:04:48 | Common item calls survey together | 10.98.27.243 |
38 | sjzzh_dongsy | 04 | 2017/2/13 15:04:48 | Common item calls survey together | 10.98.27.243 |
39 | sjzzh_dongsy | 04 | 2017/2/13 15:04:48 | Common item calls survey together | 10.98.27.243 |
40 | sjzzh_dongsy | 04 | 2017/2/13 15:04:47 | Common item calls survey together | 10.98.27.243 |
41 | sjzzh_dongsy | 04 | 2017/2/13 15:04:47 | Common item calls survey together | 10.98.27.243 |
42 | sjzzh_dongsy | 04 | 2017/2/13 15:04:47 | Common item calls survey together | 10.98.27.243 |
43 | sjzzh_dongsy | 04 | 2017/2/13 15:04:47 | Common item calls survey together | 10.98.27.243 |
44 | sjzzh_dongsy | 04 | 2017/2/13 15:04:46 | Common item calls survey together | 10.98.27.243 |
45 | sjzzh_dongsy | 04 | 2017/2/13 15:04:46 | Common item calls survey together | 10.98.27.243 |
46 | sjzzh_dongsy | 04 | 2017/2/13 15:04:46 | Common item calls survey together | 10.98.27.243 |
According to statistics, normal manual operation of an account is generally within 10 operations per minute. Accounts that operate as frequently as those above consume large amounts of system resources, greatly affect the service life of the master station servers, greatly increase the probability of system failure, waste system resources, and bring serious security risks to the acquisition system. Investigation found that some accounts used third-party automation software to log in to the acquisition system pages automatically and to perform preset operations automatically. Because logins and operations made this way are too frequent, they severely affect the safe, stable and efficient operation of the system: average system load reached 49.8% and peak load 98.6%. The system load for that day is shown in Fig. 1.
To ensure safe and stable operation, to monitor the operations of system accounts, and to prevent non-human operation such as network intrusion and unauthorized automation tools, the invention provides a method that monitors system accounts in real time and promptly restricts abnormal accounts, namely a method for monitoring abnormal account login and abnormal operation in a power information acquisition system, which monitors and controls the accounts of that system. As shown in Fig. 2, blocking abnormal accounts with the invention relieves system load considerably: during the business peak period (9 a.m. to 11 a.m.), CPU load fell from the original 90% to about 50%, and memory usage was also effectively released.
Embodiment 1
Fig. 3 shows the flow chart of the invention's monitoring of abnormal account login and abnormal operation in a power information acquisition system. The monitoring steps are as follows:
(1) Establish, in the system back end, separate data models for recording account logins and account operations, and log the login and operation information of power information acquisition system accounts. Account login information includes the account's login time, login IP address and login type (login, logout, improper login). Account operation information includes the account's operation time, operation IP address and operation content. The data models for account logins and account operations are shown in Table 2 and Table 3 respectively.
Table 2: Data model for recording account logins
Table 3: Data model for recording account operations
(2) Determine whether the same account has logged in >= 50 times within one minute and/or has logged in repeatedly within the same second;
(3) If the same account has logged in >= 50 times within one minute and/or has logged in repeatedly within the same second, the account login is abnormal, and access by the account is restricted;
(4) Determine whether the same account has performed >= 50 operations within one minute, and/or has performed >= 100 operations within one hour with repeated operations in the same second, and/or has >= 3 occurrences of repeated operations within one second during one hour;
(5) If the same account has performed >= 50 operations within one minute, and/or has performed >= 100 operations within one hour with repeated operations in the same second, and/or has >= 3 occurrences of repeated operations within one second during one hour, the account operation is abnormal, and access by the account is restricted. If the account operation is normal, return to step (2);
(6) Record accounts with login or operation anomalies in the log, including the anomaly time, the anomaly type and the number of times the account has been restricted.
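The checks in steps (2) to (6), run over constructed log records, as an added example that is not code from the patent. It reads the operation rule the way the page's stored procedure does (at least 100 operations in an hour together with a second that holds 3 or more operations); the account names, anomaly labels and function names are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGIN_PER_MIN = 50  # step (2): logins by one account within one minute
OP_PER_MIN = 50     # step (4): operations by one account within one minute
OP_PER_HOUR = 100   # step (4): operations by one account within one hour
OP_PER_SEC = 3      # same-second burst size (the stored procedure uses count >= 3)


def _count(events, **trunc):
    """Count (account, timestamp) events per account and truncated timestamp."""
    return Counter((acct, ts.replace(microsecond=0, **trunc)) for acct, ts in events)


def login_anomalies(logins):
    """Steps (2)-(3): >= 50 logins in one minute, or a repeated login in one second."""
    found = defaultdict(set)
    for (acct, _), n in _count(logins, second=0).items():
        if n >= LOGIN_PER_MIN:
            found[acct].add("login_per_minute")
    for (acct, _), n in _count(logins).items():
        if n >= 2:
            found[acct].add("login_same_second")
    return dict(found)


def operation_anomalies(ops):
    """Steps (4)-(5): per-minute threshold, or per-hour threshold plus a burst."""
    found = defaultdict(set)
    for (acct, _), n in _count(ops, second=0).items():
        if n >= OP_PER_MIN:
            found[acct].add("op_per_minute")
    # Hours in which the account had at least one same-second burst.
    burst_hours = {(acct, sec.replace(minute=0, second=0))
                   for (acct, sec), n in _count(ops).items() if n >= OP_PER_SEC}
    for key, n in _count(ops, minute=0, second=0).items():
        if n >= OP_PER_HOUR and key in burst_hours:
            found[key[0]].add("op_per_hour_with_burst")
    return dict(found)


def restrict(flagged, when, lock_counts, log):
    """Step (6): count the restriction and log anomaly time, type and count."""
    for acct in sorted(flagged):
        lock_counts[acct] = lock_counts.get(acct, 0) + 1
        for kind in sorted(flagged[acct]):
            log.append({"account": acct, "abnormal_time": when,
                        "abnormal_type": kind,
                        "restricted_count": lock_counts[acct]})
    return log


def run_cycle(logins, ops, when, lock_counts, log):
    """One monitoring cycle: detect, merge per account, restrict and log."""
    flagged = defaultdict(set)
    for found in (login_anomalies(logins), operation_anomalies(ops)):
        for acct, kinds in found.items():
            flagged[acct] |= kinds
    return restrict(dict(flagged), when, lock_counts, log)


def sample_events():
    """Constructed sample data: one scripted account and one manual account."""
    base = datetime(2017, 2, 13, 15, 0, 0)
    logins = [("acct_script", base), ("acct_script", base),  # same-second pair
              ("acct_manual", base),
              ("acct_manual", base + timedelta(minutes=5))]
    ops = []
    for s in range(40):  # scripted: 3 operations per second, 120 in one minute
        ops += [("acct_script", base + timedelta(minutes=4, seconds=s))] * 3
    for m in range(60):  # manual: 5 per minute, never two in the same second
        ops += [("acct_manual", base + timedelta(minutes=m, seconds=10 * k))
                for k in range(5)]
    return logins, ops


if __name__ == "__main__":
    logins, ops = sample_events()
    counts, log = {}, []
    run_cycle(logins, ops, datetime(2017, 2, 13, 16, 0, 0), counts, log)
    for row in log:
        print(row)
```

The manual account performs 300 operations in the hour but never two in the same second, so the hourly rule does not restrict it; only the scripted account is logged.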
The back-end code of the monitoring method of the invention is as follows:
```sql
CREATE OR REPLACE PROCEDURE monitor_user_abnormal_op IS
  v_start_time   DATE;
  v_start_date   date;
  v_end_date     date;
  v_cnt_update   number;
  v_cnt_update2  number;
  v_date         date;
BEGIN
  v_start_time  := SYSDATE;
  v_cnt_update  := 0;
  v_cnt_update2 := 0;
  v_date        := trunc(sysdate, 'hh24');

  -- Rule 1: operations per minute >= 50, checked over the previous hour
  v_end_date   := v_date;
  v_start_date := v_date - 1 / 24;
  insert into monitor_abnormal_op_datail
    (date_minute,
     emp_no,
     op_cnt,
     write_date,
     org_no,
     ip_addr,
     op_content,
     start_date,
     end_date,
     abnorbal_type)
    select trunc(l.op_time, 'mi') date_minute,
           l.emp_no,
           count(*) as op_cnt,
           sysdate as write_date,
           max(l.org_no) as org_no,
           max(l.ip_addr) as ip_addr,
           l.op_content,
           v_start_date,
           v_end_date,
           'operations per minute >= 50' as abnorbal_type
      from l_user_op_log l
     where l.op_time >= v_start_date
       and l.op_time <= v_end_date
     group by trunc(l.op_time, 'mi'), l.emp_no, l.op_content
    having count(*) >= 50;
  commit;

  -- Rule 2: operations per second >= 3; the window set below is the previous hour
  v_end_date   := v_date;
  v_start_date := v_date - 1 / 24;
  -- First collect the records with >= 3 operations in the same second
  -- into the temporary table tmp_monitor_abnormal_op_datail
  execute immediate 'truncate table tmp_monitor_abnormal_op_datail';
  insert into tmp_monitor_abnormal_op_datail
    (date_minute, emp_no, op_cnt, write_date, org_no, ip_addr, op_content)
    select l.op_time date_minute,
           l.emp_no,
           count(*) as op_cnt,
           sysdate as write_date,
           max(l.org_no) as org_no,
           max(l.ip_addr) as ip_addr,
           l.op_content
      from l_user_op_log l
     where l.op_time >= v_start_date
       and l.op_time <= v_end_date
     group by l.op_time, l.emp_no, l.op_content
    having count(*) >= 3;
  commit;

  -- Operations per second >= 3 and, in addition, operations per hour >= 100
  insert into monitor_abnormal_op_datail
    (date_minute,
     emp_no,
     op_cnt,
     write_date,
     org_no,
     ip_addr,
     op_content,
     start_date,
     end_date,
     abnorbal_type)
    select date_minute,
           emp_no,
           op_cnt,
           write_date,
           org_no,
           ip_addr,
           op_content,
           start_date,
           end_date,
           abnorbal_type
      from (select trunc(l.op_time, 'hh24') date_minute,
                   l.emp_no,
                   count(*) as op_cnt,
                   sysdate as write_date,
                   max(l.org_no) as org_no,
                   max(l.ip_addr) as ip_addr,
                   l.op_content,
                   v_start_date as start_date,
                   v_end_date as end_date,
                   'operations per second >= 3 & operations per hour >= 100' as abnorbal_type
              from l_user_op_log l
             where l.op_time >= v_start_date
               and l.op_time <= v_end_date
             group by trunc(l.op_time, 'hh24'), l.emp_no, l.op_content
            having count(*) >= 100) lix
     where exists (select 1
              from tmp_monitor_abnormal_op_datail t
             where t.emp_no = lix.emp_no);
  commit;

  -- Collect the flagged accounts that are not yet locked
  execute immediate 'truncate table tmp_monitor_abnormal_op_emp_no';
  insert into tmp_monitor_abnormal_op_emp_no
    (emp_no)
    select distinct l.emp_no
      from monitor_abnormal_op_datail l
     where l.date_minute >= v_start_date
       and l.date_minute <= v_end_date
       and exists (select 1
              from p_sys_user p
             where p.staff_no = l.emp_no
               and p.cur_status_code <> '03'); -- '03' is the "deleted" state
  commit;

  -- Lock those accounts
  update p_sys_user p
     set p.cur_status_code = '03', p.lock_time = sysdate
   where p.staff_no in
         (select t.emp_no from tmp_monitor_abnormal_op_emp_no t);
  v_cnt_update := sql%rowcount;
  commit;

  -- Anomaly detected, the account was locked in this run (it is in
  -- tmp_monitor_abnormal_op_emp_no) and it has no earlier record:
  -- treat it as a newly occurring operation anomaly
  update monitor_abnormal_op_datail l
     set (l.lock_time, l.staff_name, l.lock_cnt, l.lock_history) =
         (select u.lock_time,
                 u.name,
                 1 as lock_cnt,
                 to_char(u.lock_time, 'yyyy-mm-dd hh24:mi:ss') as lock_history
            from p_sys_user u
           where u.staff_no = l.emp_no)
   where l.date_minute >= v_start_date
     and l.date_minute <= v_end_date
     and exists
         (select 1 from p_sys_user u where u.staff_no = l.emp_no)
     and exists (select 1
            from tmp_monitor_abnormal_op_emp_no uu
           where uu.emp_no = l.emp_no)
     and not exists (select 1
            from monitor_abnormal_op_datail e
           where e.write_date < v_start_time
             and e.emp_no = l.emp_no);
  commit;

  -- Anomaly detected, the account was locked in this run and it has
  -- earlier records: treat it as a repeated operation anomaly
  update monitor_abnormal_op_datail l
     set (l.lock_time, l.staff_name, l.lock_cnt, l.lock_history) =
         (select lock_time, staff_name, lock_cnt, lock_history
            from (select distinct e.emp_no,
                                  p.lock_time,
                                  p.name as staff_name,
                                  e.lock_cnt + 1 as lock_cnt,
                                  e.lock_history || ',' ||
                                  to_char(p.lock_time, 'yyyy-mm-dd hh24:mi:ss') as lock_history
                    from monitor_abnormal_op_datail e,
                         tmp_monitor_abnormal_op_emp_no t,
                         p_sys_user p
                   where e.write_date < v_start_time
                     and p.staff_no = e.emp_no
                     and t.emp_no = e.emp_no) lix
           where lix.emp_no = l.emp_no)
   where exists (select lock_time, staff_name, lock_cnt, lock_history
            from (select distinct e.emp_no,
                                  p.lock_time,
                                  p.name as staff_name,
                                  e.lock_cnt + 1 as lock_cnt,
                                  e.lock_history || ',' ||
                                  to_char(p.lock_time, 'yyyy-mm-dd hh24:mi:ss') as lock_history
                    from monitor_abnormal_op_datail e,
                         tmp_monitor_abnormal_op_emp_no t,
                         p_sys_user p
                   where e.write_date < v_start_time
                     and p.staff_no = e.emp_no
                     and t.emp_no = e.emp_no) lix
           where lix.emp_no = l.emp_no);
  commit;

  -- Anomaly detected, but the account was already in the deleted state and
  -- an earlier lock record can be found: treat it as a repeated detection
  update monitor_abnormal_op_datail l
     set (l.lock_time, l.staff_name, l.lock_cnt, l.lock_history) =
         (select lock_time, staff_name, lock_cnt, lock_history
            from (select e.emp_no,
                         max(p.lock_time) as lock_time,
                         max(p.name) as staff_name,
                         max(e.lock_cnt) as lock_cnt,
                         max(e.lock_history) as lock_history
                    from monitor_abnormal_op_datail e, p_sys_user p
                   where e.write_date < v_start_time
                     and p.staff_no = e.emp_no
                   group by e.emp_no) lix
           where lix.emp_no = l.emp_no)
   where l.date_minute >= v_start_date
     and l.date_minute <= v_end_date
     and l.lock_cnt is null
     and exists ((select 1
            from (select e.emp_no,
                         max(p.lock_time) as lock_time,
                         max(p.name) as staff_name,
                         max(e.lock_cnt) as lock_cnt,
                         max(e.lock_history) as lock_history
                    from monitor_abnormal_op_datail e, p_sys_user p
                   where e.write_date < v_start_time
                     and p.staff_no = e.emp_no
                   group by e.emp_no) lix
           where lix.emp_no = l.emp_no))
     and not exists (select 1
            from tmp_monitor_abnormal_op_emp_no uu
           where uu.emp_no = l.emp_no);
  commit;

  -- Anomaly detected, the account was already in the deleted state and no
  -- earlier lock record can be found: the lock is taken to have been applied
  -- manually, outside this monitoring script
  update monitor_abnormal_op_datail l
     set (l.lock_time, l.staff_name, l.lock_cnt, l.lock_history) =
         (select u.lock_time,
                 u.name,
                 1 as lock_cnt,
                 to_char(u.lock_time, 'yyyy-mm-dd hh24:mi:ss') as lock_history
            from p_sys_user u
           where u.staff_no = l.emp_no)
   where l.date_minute >= v_start_date
     and l.date_minute <= v_end_date
     and l.lock_cnt is null
     and exists
         (select 1 from p_sys_user u where u.staff_no = l.emp_no)
     and not exists (select 1
            from tmp_monitor_abnormal_op_emp_no uu
           where uu.emp_no = l.emp_no);
  commit;

  -- Write the run summary (accounts locked, elapsed time in minutes) to the service log
  calc_srv_log('301',
               'monitoring user illegal operation **' || v_cnt_update || '--' ||
               v_cnt_update2 ||
               '** ------ elapsed ' || '(' ||
               to_char(v_start_time, 'hh24:mi:ss') || ' to ' ||
               to_char(SYSDATE, 'hh24:mi:ss') || ')' ||
               round(to_number(SYSDATE - v_start_time) * 1440) || ' min!',
               'monitor_user_abnormal_op',
               round(to_number(SYSDATE - v_start_time) * 1440),
               '',
               v_start_time,
               SYSDATE);
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN
    ROLLBACK;
    system_log('monitor_user_abnormal_op', '', '');
    calc_srv_log('-1',
                 'monitoring user illegal operation -- error!',
                 'monitor_user_abnormal_op',
                 '',
                 '');
    COMMIT;
END monitor_user_abnormal_op;
```
It should be noted that the above is only a preferred embodiment of the invention rather than all of its embodiments, and should not be taken to limit the scope of protection of the invention. The invention can also be implemented in other embodiments, and any modification or substitution of the content of the invention made by those skilled in the art without creative work should be considered to fall within the scope of protection of the invention.
Claims (7)
1. A method for monitoring abnormal account login and abnormal operation in a power information acquisition system, characterized in that it comprises the following steps:
1) Establish, in the system back end, separate data models for recording account logins and account operations, and log the login and operation information of power information acquisition system accounts;
2) Periodically check whether the number of logins and operations by the same account within one minute or within one hour exceeds a certain threshold, and/or whether logins and operations are repeated within the same second, to identify login anomalies and operation anomalies, and restrict access by the account;
3) Record the login or operation anomalies of the account in a log table, including the anomaly time, the anomaly type and the number of times the account has been restricted.
2. The monitoring method according to claim 1, characterized in that the account login information in step 1) includes the account's login time, login IP address and login type.
3. The monitoring method according to claim 1, characterized in that the account operation information in step 1) includes the account's operation time, operation IP address and operation content.
4. The monitoring method according to claim 1, characterized in that the criteria in step 2) for identifying account login anomalies and operation anomalies are as follows:
A. Determine whether the same account has logged in >= 50 times within one minute and/or has logged in repeatedly within the same second;
B. If the same account has logged in >= 50 times within one minute and/or has logged in repeatedly within the same second, the account login is abnormal, and access by the account is restricted.
5. The monitoring method according to claim 4, characterized in that the criteria in step 2) for identifying account login anomalies and operation anomalies are as follows:
C. Determine whether the same account has performed >= 50 operations within one minute, and/or has performed >= 100 operations within one hour with repeated operations in the same second, and/or has >= 3 occurrences of repeated operations within one second during one hour;
D. If the same account has performed >= 50 operations within one minute, and/or has performed >= 100 operations within one hour with repeated operations in the same second, and/or has >= 3 occurrences of repeated operations within one second during one hour, the account operation is abnormal, and access by the account is restricted.
6. The monitoring method according to claim 4, characterized in that if the account operation is normal, the method returns to step A.
7. The monitoring method according to claim 5, characterized in that if the account operation is normal, the method returns to step C.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711290589.3A CN107911387A (en) | 2017-12-08 | 2017-12-08 | Power information acquisition system account logs in the monitoring method with abnormal operation extremely |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107911387A true CN107911387A (en) | 2018-04-13 |
Family
ID=61854671
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170013003A1 (en) * | 2013-12-14 | 2017-01-12 | Hewlett Packard Enterprise Development Lp | Log Analysis Based on User Activity Volume |
CN104901971A (en) * | 2015-06-23 | 2015-09-09 | 北京东方棱镜科技有限公司 | Method and device for carrying out safety analysis on network behaviors |
CN105490854A (en) * | 2015-12-11 | 2016-04-13 | 传线网络科技(上海)有限公司 | Real-time log collection method and system, and application server cluster |
CN107046550A (en) * | 2017-06-14 | 2017-08-15 | 微梦创科网络科技(中国)有限公司 | A kind of detection method and device of abnormal login behavior |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111124844A (en) * | 2018-10-30 | 2020-05-08 | 安碁资讯股份有限公司 | Method and apparatus for detecting abnormal operation of operating system |
CN111124844B (en) * | 2018-10-30 | 2023-07-21 | 安碁资讯股份有限公司 | Method and device for detecting abnormal operation of operating system |
CN109409764A (en) * | 2018-11-08 | 2019-03-01 | 国网河北省电力有限公司电力科学研究院 | Production monitoring method and terminal device |
CN109831415A (en) * | 2018-12-27 | 2019-05-31 | 北京奇艺世纪科技有限公司 | A kind of object processing method, device, system and computer readable storage medium |
CN109831415B (en) * | 2018-12-27 | 2021-12-21 | 北京奇艺世纪科技有限公司 | Object processing method, device and system and computer readable storage medium |
WO2021063068A1 (en) * | 2019-09-30 | 2021-04-08 | 全球能源互联网研究院有限公司 | Operation and maintenance control and operation and maintenance analysis method and apparatus, system, and storage medium |
CN111008377A (en) * | 2019-10-12 | 2020-04-14 | 中国平安财产保险股份有限公司 | Account monitoring method and device, computer equipment and storage medium |
CN111046373A (en) * | 2019-11-04 | 2020-04-21 | 深圳供电局有限公司 | Security management method, system, medium and device for customer service center |
CN111209171A (en) * | 2019-12-23 | 2020-05-29 | 中国平安财产保险股份有限公司 | Closed loop handling method and device for security risk and storage medium |
CN111209171B (en) * | 2019-12-23 | 2022-09-02 | 中国平安财产保险股份有限公司 | Closed loop handling method and device for security risk and storage medium |
CN111371774A (en) * | 2020-02-28 | 2020-07-03 | 深信服科技股份有限公司 | Information processing method and device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180413 |