CN109120448A - An alarm method and system - Google Patents
An alarm method and system
- Publication number: CN109120448A
- Application number: CN201810970534.5A
- Authority: CN (China)
- Prior art keywords
- alarm
- alarm detail information
- record data
- monitoring server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04L (Transmission of digital information, e.g. telegraphic communication); H04L41/00 (Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks); H04L41/06 (Management of faults, events, alarms or notifications):
- H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/0686: Additional information in the notification, e.g. enhancement of specific meta-data
- H04L63/00 (Network architectures or network communication protocols for network security):
- H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The application provides an alarm method and system. The method includes: a monitoring server obtains an access control policy baseline made up of multiple matrix units; the monitoring server parses a matrix unit and obtains the access control policy corresponding to that matrix unit; the monitoring server determines the actual link result between the source network area and the destination network area; the monitoring server judges whether the actual link result is consistent with the link result prescribed by the access control policy; if they are inconsistent, the monitoring server generates alarm detail information. In the method described here, an actual link result that is inconsistent with the prescribed link result indicates that an abnormal event has occurred in the network system. Once an abnormal event occurs, alarm detail information is generated, and the root cause of the abnormal event can be determined from the source network area and destination network area contained in the alarm detail information.
Description
Technical field
This application relates to the field of computer security, and in particular to an alarm method and system.
Background
A network system generally comprises multiple network areas. Two different network areas usually access each other, and exchange data flows, according to certain rules. To ensure the security of each network area, abnormal events occurring in a network area need to be alarmed.
Currently, to alarm abnormal events, a security device such as a firewall is usually placed between network areas. During data flow interaction, the source network area sends its data flow to the security device, and the security device parses the received data flow to determine whether it is legal. If it is legal, the security device forwards the data flow to the destination network area; if the security device determines that the data flow is illegal, it reports the illegal data flow to a monitoring server. After receiving the illegal data flow, the monitoring server determines that an abnormal event has occurred, generates alarm information and sends it by e-mail to a preset e-mail address, so that the staff receiving the mail learn from the alarm information that an abnormal event has occurred in the network system.
However, the inventor found during the research leading to this application that when abnormal events in the network system are alarmed by the prior art, the staff, after receiving the alarm information, generally still need to analyse the network system further before they can find the root cause of the abnormal event and correct it. During that analysis, if all access in the network system is blocked, the operation of normal network areas is affected; if all access is not blocked, illegal data flows will pass through the security device into the destination network area while the analysis is under way and affect the normal operation of the destination network area.
Summary of the invention
To solve the prior-art problem that alarm information in a network system generally needs further processing before the root cause of an abnormal event can be found, the application provides an alarm method and system.
In a first aspect, the application provides an alarm method. The method is applied to an alarm system that includes a monitoring server, and comprises:
the monitoring server obtains an access control policy baseline made up of multiple matrix units;
the monitoring server parses the matrix unit and obtains the access control policy corresponding to the matrix unit;
the monitoring server obtains the source network area and destination network area corresponding to the access control policy, and determines the actual link result between the source network area and the destination network area;
the monitoring server judges whether the actual link result is consistent with the link result prescribed by the access control policy;
if the actual link result is inconsistent with the link result prescribed by the access control policy, the monitoring server generates alarm detail information, the alarm detail information including: the source network area, the destination network area, the actual link result and the link result prescribed by the access control policy.
Optionally, the monitoring server determining the actual link result between the source network area and the destination network area comprises:
the monitoring server determines the firewall configuration files corresponding to the source network area and the destination network area;
the monitoring server parses the firewall configuration files and obtains the five-tuple corresponding to each firewall configuration file, where the five-tuple of the source network area is a first five-tuple and the five-tuple of the destination network area is a second five-tuple;
the monitoring server compares each parameter in the first five-tuple with the corresponding parameter in the second five-tuple;
the monitoring server determines the actual link result between the network areas according to the comparison result, where, if the range of each parameter in the first five-tuple lies within (is less than or equal to) the range of the corresponding parameter in the second five-tuple, the monitoring server determines that the actual link result between the network areas is connected, and otherwise determines that the actual link result between the network areas is not connected.
Optionally, the alarm system further includes a database server, and after the monitoring server generates the alarm detail information the method further comprises:
the database server receives the alarm detail information sent by the monitoring server;
the database server generates first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
the database server adds the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marks the state value of each item of first alarm record data;
the monitoring server polls each alarm record table in the database server at a preset time and queries the alarm record table for second alarm record data, where the second alarm record data are the alarm record data in the alarm record table whose state value is "not consulted";
the monitoring server displays the alarm detail information corresponding to the second alarm record data on the home page.
Optionally, after the database server generates the first alarm record data according to the type of the alarm detail information, the method further comprises:
the database server stores each item of alarm detail information into the corresponding alarm detail information table according to its type;
the database server generates unique identification information for each item of first alarm record data and establishes the correspondence between the unique identification information and the alarm detail information.
Optionally, the monitoring server displaying the alarm detail information corresponding to the second alarm record data on the home page comprises:
the monitoring server queries the alarm detail information table, using the unique identification information of the second alarm record data, for the alarm detail information corresponding to that unique identification information;
the monitoring server displays the alarm detail information corresponding to the unique identification information on the home page.
Optionally, the alarm system further includes a mailbox server, and after the database server generates the first alarm record data according to the type of the alarm detail information, the method further comprises:
the mailbox server receives the first alarm record data and the alarm detail information sent by the database server;
the mailbox server sends the first alarm record data and the alarm detail information to a preset e-mail address.
In a second aspect, the application provides an alarm system. The alarm system includes a monitoring server, and the monitoring server includes:
a first obtaining module, for obtaining an access control policy baseline made up of multiple matrix units;
a second obtaining module, for parsing the matrix unit and obtaining the access control policy corresponding to the matrix unit;
a determining module, for obtaining the source network area and destination network area corresponding to the access control policy and determining the actual link result between the source network area and the destination network area;
a judging module, for judging whether the actual link result is consistent with the link result prescribed by the access control policy;
an alarm detail information generating module, for generating alarm detail information after the judging module determines that the actual link result is inconsistent with the link result prescribed by the access control policy, the alarm detail information including: the source network area, the destination network area, the actual link result and the link result prescribed by the access control policy.
Optionally, the alarm system further includes a database server, and the database server includes:
a first receiving module, for receiving the alarm detail information sent by the alarm detail information generating module;
a first alarm record data generating module, for generating first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
a state value marking module, for adding the first alarm record data to the alarm record table corresponding to the type of the first alarm record data and marking the state value of each item of first alarm record data;
the monitoring server further includes:
a query module, for polling each alarm record table in the database server at a preset time and querying the alarm record table for second alarm record data, where the second alarm record data are the alarm record data in the alarm record table whose state value is "not consulted";
a display module, for displaying the alarm detail information corresponding to the second alarm record data on the home page.
Optionally, the database server further includes:
a storage module, for storing each item of alarm detail information into the corresponding alarm detail information table according to its type;
a correspondence building module, for generating unique identification information for each item of first alarm record data and establishing the correspondence between the unique identification information and the alarm detail information.
Optionally, the alarm system further includes a mailbox server, and the mailbox server includes:
a second receiving module, for receiving the first alarm record data and the alarm detail information sent by the first alarm record data generating module;
a sending module, for sending the first alarm record data and the alarm detail information to a preset e-mail address.
The application provides an alarm method, which comprises: a monitoring server obtains an access control policy baseline made up of multiple matrix units; the monitoring server parses the matrix unit and obtains the access control policy corresponding to the matrix unit; the monitoring server obtains the source network area and destination network area corresponding to the access control policy and determines the actual link result between the source network area and the destination network area; the monitoring server judges whether the actual link result is consistent with the link result prescribed by the access control policy; if the actual link result is inconsistent with the link result prescribed by the access control policy, the monitoring server generates alarm detail information, which includes: the source network area, the destination network area, the actual link result and the link result prescribed by the access control policy.
In the method described here, an actual link result inconsistent with the prescribed link result indicates that an abnormal event has occurred in the network system. Once an abnormal event occurs, alarm detail information is generated, and the root cause of the abnormal event can be determined promptly from the source network area and destination network area contained in the alarm detail information. In the prior art, by contrast, after alarm information is received the staff must analyse the network system further before the root cause of the abnormal event can be determined; compared with the prior art, the method of this application therefore makes determining the root cause of an abnormal event more efficient.
Further, the method described here does not need to derive alarm information from the current state of the data flows between network areas, nor does it need the alarm information to be analysed further before the root cause of an abnormal event can be determined. The prior-art problem of having to block all access while the network system is analysed therefore does not arise, and the operation of normal network areas is preserved.
Brief description of the drawings
To explain the technical solution of the application more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, those of ordinary skill in the art may obtain other drawings from these drawings without creative effort.
Fig. 1 is a workflow diagram of an alarm method provided by an embodiment of the application;
Fig. 2 is a workflow diagram of determining the actual link result in an alarm method provided by an embodiment of the application;
Fig. 3 is a workflow diagram of another alarm method provided by an embodiment of the application;
Fig. 4 is a workflow diagram of another alarm method provided by an embodiment of the application;
Fig. 5 is a workflow diagram of the monitoring server displaying alarm detail information in an alarm method provided by an embodiment of the application;
Fig. 6 is a workflow diagram of another alarm method provided by an embodiment of the application;
Fig. 7 is a structural diagram of an alarm system provided by an embodiment of the application.
Detailed description of the embodiments
To solve the prior-art problem that alarm information in a network system generally needs further processing before the root cause of an abnormal event can be found, the application provides an alarm method and system through the following embodiments.
In a network system, for the needs of security management, the system is often divided into multiple security domains, and mutual access between different security domains must follow specific rules. In the embodiments of this application these rules are implemented by firewalls: a firewall is placed between security domains, each firewall is provisioned with a different access control policy, and the security management of the network system is realised through the access control policies of these firewalls. Inside each security domain there are usually different services, and mutual access between services also has to follow certain rules, so firewalls are placed between services as well. For example, taking a department of an enterprise as a security domain, the security domain contains a Finance Department and a Human Resources Department, each of which has its own service system; to prevent the Finance service system and the Human Resources service system from accessing each other, a firewall is placed at the entrance of each of the two service systems.
Referring to the workflow shown in Fig. 1, an embodiment of the application provides an alarm method. The method is applied to an alarm system that includes a monitoring server, and comprises the following steps:
Step 101: the monitoring server obtains an access control policy baseline made up of multiple matrix units.
A network system generally comprises multiple devices. A baseline is one version of each device's configuration held in the configuration repository for a specific period, and it may take the form of a "snapshot". The baseline provides an official standard on which subsequent work is based, and it may not be changed arbitrarily except under authorised conditions.
In the embodiments of this application the access control policy baseline is preset. According to the kinds of source network area and destination network area involved, access control policy baselines fall into four classes: inter-security-domain access control policy baselines, inter-service access control policy baselines, security-domain-to-service access control policy baselines and service-to-security-domain access control policy baselines.
Step 102: the monitoring server parses the matrix unit and obtains the access control policy corresponding to the matrix unit.
Table 1: inter-service access control policy baseline
The access control policy baseline of each type is represented by a baseline matrix corresponding to that type. Table 1 shows an example of the baseline matrix of an inter-service access control policy baseline. As can be seen from Table 1, the network system contains two security domains, each containing two services, so there are four services in total, and the access control policies between the four services form 16 matrix units. For example, matrix unit 3 corresponds to the access control policy from service B1 to service A1, and matrix unit 4 corresponds to the access control policy from service B2 to service A1; that is, each matrix unit corresponds to one access control policy.
In one implementation provided by the embodiments of this application there are two kinds of access control policy, "invalid" and "forbid". If the access control policy corresponding to a matrix unit is "invalid", the monitoring server treats the actual link result corresponding to that access control policy as normal by default and does not perform step 103; for example, the access control policies corresponding to matrix units 1, 2, 5 and 6 are "invalid", meaning that the services within security domain A may access each other. If the access control policy corresponding to a matrix unit is "forbid", the monitoring server goes on to perform step 103. Access control policies may also be classified in other ways, which this application does not specifically limit.
Step 103: the monitoring server obtains the source network area and destination network area corresponding to the access control policy and determines the actual link result between the source network area and the destination network area.
In the embodiments of this application a matrix unit corresponds to an access control policy: the source network area of the matrix unit is the source network area of the corresponding access control policy, and the destination network area of the matrix unit is the destination network area of the corresponding access control policy. For example, in Table 1 the source network area of matrix unit 3 is service B1 and its destination network area is service A1, so the access control policy corresponding to matrix unit 3 has source network area B1 and destination network area A1.
Step 104: the monitoring server judges whether the actual link result is consistent with the link result prescribed by the access control policy.
In this step, if the monitoring server judges that the actual link result is consistent with the link result prescribed by the access control policy, it does not generate alarm detail information; if it judges that the actual link result is inconsistent with the link result prescribed by the access control policy, it goes on to perform step 105.
Step 105: if the actual link result is inconsistent with the link result prescribed by the access control policy, the monitoring server generates alarm detail information, which includes: the source network area, the destination network area, the actual link result and the link result prescribed by the access control policy.
In this step, besides the source network area, destination network area, actual link result and the link result prescribed by the access control policy, the alarm detail information may also include auxiliary information such as the type and the review time. For example, one item of alarm detail information is: "source: B, destination: A, actual result: connected, preset: not connected, type: zone, review time: 2018-01-01 00:00:00, description: security domain configuration violated". The root cause of the abnormal event can be determined from the source network area and destination network area in the alarm detail information.
Referring to the workflow shown in Fig. 2, the monitoring server determining the actual link result between the source network area and the destination network area comprises the following steps:
Step 201: the monitoring server determines the firewall configuration files corresponding to the source network area and the destination network area.
In this step, a firewall is placed at the entrance of each of the source network area and the destination network area, and the firewall configuration file corresponding to a network address is looked up according to the network address of the source network area or of the destination network area.
Step 202: the monitoring server parses the firewall configuration files and obtains the five-tuple corresponding to each firewall configuration file, where the five-tuple of the source network area is the first five-tuple and the five-tuple of the destination network area is the second five-tuple.
In this step, a five-tuple contains five parameters: source IP address, source port, destination IP address, destination port and transport layer protocol, and each parameter of a five-tuple is usually a range.
Step 203: the monitoring server compares each parameter in the first five-tuple with the corresponding parameter in the second five-tuple.
In this step, when network areas access each other, what actually happens is that data flows are exchanged between the network areas. While passing through a firewall, a data flow has to be matched against the firewall's five-tuple, that is, against the five parameters of the five-tuple: if the data flow lies within the five parameter ranges of the five-tuple it can pass the firewall, otherwise it cannot.
For example, when a data flow travels from network area A to network area B, assume that network area A corresponds to firewall A and network area B corresponds to firewall B. The data flow is first matched against the five-tuple of firewall A; if it lies within the five parameter ranges of firewall A, it can leave network area A. It is then matched against the five-tuple of firewall B; if it lies within the five parameter ranges of firewall B, it can enter network area B.
From the above analysis, if a data flow lies within the five parameter ranges of firewall A and also within the five parameter ranges of firewall B, it can enter network area B from network area A, that is, the actual link result from network area A to network area B is connected.
Step 204: the monitoring server determines the actual link result between the network areas according to the comparison result, where, if the range of each parameter in the first five-tuple lies within the range of the corresponding parameter in the second five-tuple, the monitoring server determines that the actual link result between the network areas is connected, and otherwise determines that the actual link result between the network areas is not connected.
Since a data flow is first matched against the first five-tuple and then against the second five-tuple, when the range of each parameter in the first five-tuple lies within the range of the corresponding parameter in the second five-tuple, any data flow that can pass the firewall corresponding to the first five-tuple (that is, lies within every parameter range of the first five-tuple) necessarily also lies within every parameter range of the second five-tuple and can pass the firewall corresponding to the second five-tuple as well. In other words, the range of each parameter in the first five-tuple lying within the range of the corresponding parameter in the second five-tuple shows that the actual link result between the network areas is connected. When a data flow passes through a firewall from inside a network area to the outside, it is usually accepted by that firewall as legitimate by default, which is to say that the data flow can pass the first five-tuple. Therefore, in this step, whether the actual link result between two network areas is connected can be determined by comparing the first five-tuple with the second five-tuple.
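The following is an added example, written for this page and not taken from the patent, of how steps 101 to 105 and 201 to 204 fit together in Python: a baseline matrix is walked, the source-side and destination-side firewall rules for each "forbid" cell are parsed into five-tuples, the step 204 containment test is applied, and alarm detail information of the form shown under step 105 is produced. Everything concrete here is an assumption: the mapping of each area to one IPv4 prefix, the one-line-per-rule format of the "firewall configuration files" (`<proto|ip> <src_cidr|any> <sport|any> <dst_cidr|any> <dport|any>`), the area names, the baseline cells and the rule contents. It also goes beyond the patent in one respect, stated in the code: besides the patent's `contained` test it offers an `overlaps` test, because two rules that only partly overlap still permit some flows.

```python
# Added example (not the patent's code): baseline scan with five-tuple
# comparison.  Area prefixes, config line format, baseline and rules are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Callable, Dict, List, Tuple

Ports = Tuple[int, int]                      # inclusive port range
ALL_PROTOS = frozenset({"tcp", "udp", "icmp"})


@dataclass(frozen=True)
class FiveTuple:
    """One permit rule; every field is a range, as step 202 notes."""
    proto: frozenset
    src: IPv4Network
    sport: Ports
    dst: IPv4Network
    dport: Ports


def _ports(tok: str) -> Ports:
    if tok == "any":
        return (0, 65535)
    lo, _, hi = tok.partition("-")
    return (int(lo), int(hi or lo))


def _net(tok: str) -> IPv4Network:
    return ip_network("0.0.0.0/0" if tok == "any" else tok)


def parse_config(text: str) -> List[FiveTuple]:
    """Step 202: parse the hypothetical config format
    '<proto|ip> <src_cidr|any> <sport|any> <dst_cidr|any> <dport|any>'."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith("#"):
            continue                         # blank, comment or malformed line
        proto, src, sport, dst, dport = fields
        rules.append(FiveTuple(ALL_PROTOS if proto == "ip" else frozenset({proto}),
                               _net(src), _ports(sport), _net(dst), _ports(dport)))
    return rules


def _within(a: Ports, b: Ports) -> bool:
    return b[0] <= a[0] and a[1] <= b[1]


def contained(first: FiveTuple, second: FiveTuple) -> bool:
    """Step 204 as the patent states it: connected when every parameter
    range of the first (source-side) tuple lies inside the second's."""
    return (first.proto <= second.proto
            and first.src.subnet_of(second.src) and _within(first.sport, second.sport)
            and first.dst.subnet_of(second.dst) and _within(first.dport, second.dport))


def _ports_overlap(a: Ports, b: Ports) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def overlaps(first: FiveTuple, second: FiveTuple) -> bool:
    """Stricter variant, not in the patent: one flow permitted by both
    rules is enough to prove that a path exists."""
    return (bool(first.proto & second.proto)
            and first.src.overlaps(second.src) and _ports_overlap(first.sport, second.sport)
            and first.dst.overlaps(second.dst) and _ports_overlap(first.dport, second.dport))


Matcher = Callable[[FiveTuple, FiveTuple], bool]


def link_result(src: str, dst: str, areas: Dict[str, IPv4Network],
                configs: Dict[str, List[FiveTuple]], match: Matcher = contained) -> str:
    """Steps 201-204 for one pair: first five-tuples are the source firewall's
    rules towards the destination prefix, second ones the destination
    firewall's rules from the source prefix."""
    first = [r for r in configs[src] if r.dst.overlaps(areas[dst])]
    second = [r for r in configs[dst] if r.src.overlaps(areas[src])]
    return "connected" if any(match(a, b) for a in first for b in second) else "not connected"


def scan(baseline: Dict[Tuple[str, str], str], baseline_type: str,
         areas: Dict[str, IPv4Network], configs: Dict[str, List[FiveTuple]],
         review_time: str, match: Matcher = contained) -> List[dict]:
    """Steps 101-105: 'invalid' cells are skipped (step 102); 'forbid' cells
    prescribe 'not connected' and alarm when the actual result differs."""
    alarms = []
    for (src, dst), policy in baseline.items():
        if policy != "forbid":
            continue
        actual = link_result(src, dst, areas, configs, match)
        if actual != "not connected":
            alarms.append({"source": src, "destination": dst, "actual": actual,
                           "prescribed": "not connected", "type": baseline_type,
                           "review_time": review_time,
                           "description": "security domain configuration violated"})
    return alarms


# Constructed sample: domain A holds services A1, A2; domain B holds B1, B2.
AREAS = {"A1": ip_network("10.1.1.0/24"), "A2": ip_network("10.1.2.0/24"),
         "B1": ip_network("10.2.1.0/24"), "B2": ip_network("10.2.2.0/24")}
CONFIGS = {
    "A1": parse_config("# A1 inbound: the 10.2.0.0/16 line violates the baseline\n"
                       "tcp 10.2.0.0/16 any 10.1.1.0/24 80-443\n"
                       "tcp 10.1.0.0/16 any 10.1.1.0/24 any"),
    "A2": parse_config("tcp 10.1.0.0/16 any 10.1.2.0/24 any"),
    "B1": parse_config("tcp 10.2.1.0/24 any 10.1.1.0/24 443\n"
                       "tcp 10.2.1.0/24 any 10.2.0.0/16 any"),
    "B2": parse_config("tcp 10.2.2.0/24 any 10.1.1.0/24 80-8080"),
}
# Inter-service baseline cells: same-domain 'invalid', cross-domain 'forbid'.
BASELINE = {("A1", "A2"): "invalid", ("A2", "A1"): "invalid",
            ("B1", "A1"): "forbid", ("B2", "A1"): "forbid",
            ("B1", "A2"): "forbid", ("B2", "A2"): "forbid"}

if __name__ == "__main__":
    for alarm in scan(BASELINE, "service", AREAS, CONFIGS, "2018-01-01 00:00:00"):
        print(alarm)
```

With the sample data, B1 to A1 is reported under both tests: B1's outbound rule (tcp, 10.2.1.0/24 to 10.1.1.0/24:443) lies entirely inside A1's inbound rule (tcp, 10.2.0.0/16 to 10.1.1.0/24:80-443). B2 to A1 shows the caveat a reviewer of step 204 would raise: B2 permits ports 80-8080 while A1 accepts 80-443, so the containment test says "not connected" and raises no alarm, yet every flow to port 80 through 443 does get through; the `overlaps` test reports it. The patent's test is therefore sound only as a sufficient condition for connectivity, and a practitioner checking a "forbid" cell should prefer the overlap test, or a full reachability analysis, so that a partial opening is not missed.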
Referring to the workflow shown in Fig. 3, an embodiment of the application provides another alarm method. The method is applied to an alarm system that, besides the monitoring server, further includes a database server, and after the monitoring server generates the alarm detail information the method further comprises the following steps:
Step 301: the database server receives the alarm detail information sent by the monitoring server.
In this step, before the alarm detail information is stored, the monitoring server first holds it temporarily in system memory, and storage of the alarm detail information only begins once the scan of all four access control policy baselines has completed. The database server first checks whether alarm details exist in the monitoring server's system memory and, if so, the alarm detail information is sent to the database server. Once it has been received, the database server likewise first holds the alarm detail information temporarily and then performs step 302.
Step 302: the database server generates first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information.
In the embodiments of this application there are four types of alarm detail information, and four types of first alarm record data are generated from the four types of alarm detail information. First alarm record data are summary information about the alarm detail information and usually include the type, the number of alarms and the alarm time.
Step 303: the database server adds the first alarm record data to the alarm record table corresponding to the type of the first alarm record data and marks the state value of each item of first alarm record data.
In this step, while adding the first alarm record data to the alarm record table, the database server marks the state value of that item of first alarm record data as "not consulted" and records the state value in the first alarm record data. For example, one item of first alarm record data is: "type: zone, alarm count: 2, alarm time: 2017-01-01 00:00:00, state: 0", where "0" is defined to represent "not consulted" and "1" to represent "consulted".
Step 304: the monitoring server polls each alarm record table in the database server at a preset time and queries the alarm record table for second alarm record data, where the second alarm record data are the alarm record data in the alarm record table whose state value is "not consulted".
If there are no second alarm record data in the alarm record table, that is, the state value of all alarm record data is "consulted", meaning that no new alarm record data have been added to the alarm record table, the monitoring server proceeds to the next poll; if second alarm record data exist in the alarm record table, step 305 is performed.
Step 305: the monitoring server displays the alarm detail information corresponding to the second alarm record data on the home page.
While the monitoring server displays the second alarm record data on the home page, the database server changes the state value of the second alarm record data to "consulted".
Referring to the workflow shown in Fig. 4, an embodiment of the present application provides another alarm method. The method is applied to a warning system that includes a monitoring server and a database server. After the monitoring server generates the alarm detail information, the method further includes the following steps:
Step 401: the database server receives the alarm detail information sent by the monitoring server.
Step 402: the database server generates first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information.
Step 403: the database server adds the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marks the state value of each piece of first alarm record data.
Step 404: the database server stores each piece of alarm detail information into the corresponding alarm detail information table according to the type of the alarm detail information.
Step 405: the database server generates unique identification information for each piece of first alarm record data, and establishes the correspondence between the unique identification information and the alarm detail information.
After the database server adds the first alarm record data to the alarm record table, it returns a unique identifier for each piece of first alarm record data, for example a code, and adds that unique identifier to the first alarm record data; in the alarm record table, unique identifiers and first alarm record data therefore correspond one to one.
The unique identifier is then added to the alarm detail information corresponding to that first alarm record data, so that in the alarm detail information table, the alarm detail information belonging to a unique identifier can be found by querying the unique identifier associated with the alarm record. Since each piece of alarm record data corresponds to one or more pieces of alarm detail information, a unique identifier corresponds to one or more pieces of alarm detail information in the alarm detail information table.
Step 406: the monitoring server polls each alarm record table in the database server at a preset time and queries the alarm record table for second alarm record data, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed".
Step 407: the monitoring server displays the alarm detail information corresponding to the second alarm record data on the home page.
The specific operations of steps 401 to 403 are the same as those of steps 301 to 303, and the specific operations of steps 405 to 406 are the same as those of steps 304 to 305; they can be referred to each other and are not repeated here.
Referring to the workflow shown in Fig. 5, the monitoring server displaying the alarm detail information corresponding to the second alarm record data on the home page includes the following steps:
Step 501: the monitoring server queries the alarm detail information table, according to the unique identification information of the second alarm record data, for the alarm detail information corresponding to that unique identification information.
Step 502: the monitoring server displays the alarm detail information corresponding to the unique identification information on the home page.
In this embodiment, the monitoring server retrieves the alarm detail information by source packet, merges it into JSON-format data and returns it to the display module. When the home page displays the alarm information, the alarm detail information is linked with the topology diagram, so that the root cause of the abnormal event is shown intuitively and the network system can be repaired for that root cause.
Referring to the workflow shown in Fig. 6, an embodiment of the present application provides another alarm method. The method is applied to a warning system which, in addition to the monitoring server and the database server, also includes a mailbox server. After the database server generates the first alarm record data according to the type of the alarm detail information, the method further includes the following steps:
Step 601: the mailbox server receives the first alarm record data and the alarm detail information sent by the database server.
Step 602: the mailbox server sends the first alarm record data and the alarm detail information to a preset e-mail address.
In this embodiment, the mail content lists the generation time of the alarm detail information and key information such as the source and destination to which the alarm detail information corresponds, so that staff can make a preliminary judgement of the root cause of the abnormal event on receiving the mail.
Referring to the structural diagram shown in Fig. 7, an embodiment of the present application provides a warning system. The warning system includes a monitoring server 10, and the monitoring server 10 includes:
a first acquisition module 11, for acquiring an access control policy baseline made up of multiple matrix units;
a second acquisition module 12, for parsing a matrix unit and obtaining the access control policy corresponding to the matrix unit;
a determining module 13, for obtaining the source network area and destination network area corresponding to the access control policy, and determining the physical link result between the source network area and the destination network area;
a judgement module 14, for judging whether the physical link result is consistent with the link result specified by the access control policy;
an alarm detail information generation module 15, for generating alarm detail information after the judgement module determines that the physical link result and the link result specified by the access control policy are inconsistent, the alarm detail information including: the source network area, the destination network area, the physical link result and the link result specified by the access control policy.
Optionally, the warning system further includes a database server 20, and the database server 20 includes:
a first receiving module 21, for receiving the alarm detail information sent by the alarm detail information generation module;
a first alarm record data generation module 22, for generating first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
a state value marking module 23, for adding the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marking the state value of each piece of first alarm record data;
and the monitoring server 10 further includes:
a query module 16, for polling each alarm record table in the database server at a preset time and querying the alarm record table for second alarm record data, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed";
a display module 17, for displaying the alarm detail information corresponding to the second alarm record data on the home page.
Optionally, the database server 20 further includes:
a storage module 24, for storing each piece of alarm detail information into the corresponding alarm detail information table according to the type of the alarm detail information;
a correspondence building module 25, for generating unique identification information for each piece of first alarm record data, and establishing the correspondence between the unique identification information and the alarm detail information.
Optionally, the warning system further includes a mailbox server 30, and the mailbox server 30 includes:
a second receiving module 31, for receiving the first alarm record data and the alarm detail information sent by the first alarm record data generation module;
a sending module 32, for sending the first alarm record data and the alarm detail information to a preset e-mail address.
Those skilled in the art will clearly understand that the technology in the embodiments of the present invention can be implemented by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution in the embodiments of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the present invention or in certain parts of an embodiment.
The same or similar parts of the embodiments in this specification may be referred to each other. In particular, since the apparatus embodiment is substantially similar to the method embodiment, it is described relatively briefly; for related details refer to the description of the method embodiment.
The application has been described in detail above with reference to the detailed description and exemplary examples, but these descriptions should not be construed as limiting the application. Those skilled in the art will understand that, without departing from the spirit and scope of the application, various equivalent substitutions, modifications or improvements may be made to the technical solution of the application and its embodiments, all of which fall within the scope of the application. The scope of protection of the application is determined by the appended claims.
Claims (10)
1. An alarm method, characterized in that the method is applied to a warning system, the warning system includes a monitoring server, and the method comprises:
the monitoring server obtaining an access control policy baseline made up of multiple matrix units;
the monitoring server parsing the matrix units to obtain the access control policy corresponding to each matrix unit;
the monitoring server obtaining the source network area and destination network area corresponding to the access control policy, and determining the physical link result between the source network area and the destination network area;
the monitoring server judging whether the physical link result is consistent with the link result specified by the access control policy;
if the physical link result and the link result specified by the access control policy are inconsistent, the monitoring server generating alarm detail information, the alarm detail information including: the source network area, the destination network area, the physical link result and the link result specified by the access control policy.
2. The alarm method according to claim 1, characterized in that the monitoring server determining the physical link result between the source network area and the destination network area comprises:
the monitoring server determining the firewall configuration files corresponding to the source network area and the destination network area;
the monitoring server parsing the firewall configuration files to obtain the five-tuple corresponding to each firewall configuration file, where the five-tuple of the source network area is a first five-tuple and the five-tuple of the destination network area is a second five-tuple;
the monitoring server comparing each parameter in the first five-tuple with the corresponding parameter in the second five-tuple;
the monitoring server determining the physical link result between the network areas according to the comparison result, where if the range of each parameter in the first five-tuple is less than or equal to the range of the corresponding parameter in the second five-tuple, the monitoring server determines the physical link result between the network areas to be "connected", and otherwise the monitoring server determines the physical link result between the network areas to be "not connected".
3. The alarm method according to claim 1, characterized in that the warning system further includes a database server, and after the monitoring server generates the alarm detail information the method further comprises:
the database server receiving the alarm detail information sent by the monitoring server;
the database server generating first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
the database server adding the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marking the state value of each piece of first alarm record data;
the monitoring server polling each alarm record table in the database server at a preset time and querying the alarm record table for second alarm record data, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed";
the monitoring server displaying the alarm detail information corresponding to the second alarm record data on the home page.
4. The alarm method according to claim 3, characterized in that after the database server generates the first alarm record data according to the type of the alarm detail information, the method further comprises:
the database server storing each piece of alarm detail information into the corresponding alarm detail information table according to the type of the alarm detail information;
the database server generating unique identification information for each piece of first alarm record data, and establishing the correspondence between the unique identification information and the alarm detail information.
5. The alarm method according to claim 4, characterized in that the monitoring server displaying the alarm detail information corresponding to the second alarm record data on the home page comprises:
the monitoring server querying the alarm detail information table, according to the unique identification information of the second alarm record data, for the alarm detail information corresponding to the unique identification information;
the monitoring server displaying the alarm detail information corresponding to the unique identification information on the home page.
6. The alarm method according to claim 3, characterized in that the warning system further includes a mailbox server, and after the database server generates the first alarm record data according to the type of the alarm detail information, the method further comprises:
the mailbox server receiving the first alarm record data and the alarm detail information sent by the database server;
the mailbox server sending the first alarm record data and the alarm detail information to a preset e-mail address.
7. A warning system, characterized in that the warning system includes a monitoring server, and the monitoring server includes:
a first acquisition module, for acquiring an access control policy baseline made up of multiple matrix units;
a second acquisition module, for parsing the matrix units to obtain the access control policy corresponding to each matrix unit;
a determining module, for obtaining the source network area and destination network area corresponding to the access control policy, and determining the physical link result between the source network area and the destination network area;
a judgement module, for judging whether the physical link result is consistent with the link result specified by the access control policy;
an alarm detail information generation module, for generating alarm detail information after the judgement module determines that the physical link result and the link result specified by the access control policy are inconsistent, the alarm detail information including: the source network area, the destination network area, the physical link result and the link result specified by the access control policy.
8. The warning system according to claim 7, characterized in that the warning system further includes a database server, and the database server includes:
a first receiving module, for receiving the alarm detail information sent by the alarm detail information generation module;
a first alarm record data generation module, for generating first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
a state value marking module, for adding the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marking the state value of each piece of first alarm record data;
and the monitoring server further includes:
a query module, for polling each alarm record table in the database server at a preset time and querying the alarm record table for second alarm record data, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed";
a display module, for displaying the alarm detail information corresponding to the second alarm record data on the home page.
9. The warning system according to claim 8, characterized in that the database server further includes:
a storage module, for storing each piece of alarm detail information into the corresponding alarm detail information table according to the type of the alarm detail information;
a correspondence building module, for generating unique identification information for each piece of first alarm record data, and establishing the correspondence between the unique identification information and the alarm detail information.
10. The warning system according to claim 8, characterized in that the warning system further includes a mailbox server, and the mailbox server includes:
a second receiving module, for receiving the first alarm record data and the alarm detail information sent by the first alarm record data generation module;
a sending module, for sending the first alarm record data and the alarm detail information to a preset e-mail address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810970534.5A CN109120448B (en) | 2018-08-24 | 2018-08-24 | Alarm method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109120448A true CN109120448A (en) | 2019-01-01 |
CN109120448B CN109120448B (en) | 2020-05-05 |
Family
ID=64860997
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810970534.5A Active CN109120448B (en) | 2018-08-24 | 2018-08-24 | Alarm method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109120448B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110086682A (en) * | 2019-05-22 | 2019-08-02 | 四川新网银行股份有限公司 | Service link call relation view and failure root based on TCP are because of localization method |
CN110324334A (en) * | 2019-06-28 | 2019-10-11 | 深圳前海微众银行股份有限公司 | Secure group policy management method, device, equipment and computer readable storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040193943A1 (en) * | 2003-02-13 | 2004-09-30 | Robert Angelino | Multiparameter network fault detection system using probabilistic and aggregation analysis |
CN101174973A (en) * | 2006-10-31 | 2008-05-07 | 华为技术有限公司 | Network safety control construction |
CN101399698A (en) * | 2007-09-30 | 2009-04-01 | 华为技术有限公司 | Safety management system, device and method |
CN104144063A (en) * | 2013-05-08 | 2014-11-12 | 朱烨 | Website security monitoring and alarming system based on log analysis and firewall security matrixes |
CN105704093A (en) * | 2014-11-25 | 2016-06-22 | 中国移动通信集团设计院有限公司 | Firewall access control strategy debugging method, device and system |
CN107332802A (en) * | 2016-04-28 | 2017-11-07 | 中国移动通信集团江西有限公司 | A kind of firewall policy monitoring method and device |
Also Published As
Publication number | Publication date |
---|---|
CN109120448B (en) | 2020-05-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||