CN109120448A - An alarm method and system - Google Patents

An alarm method and system

Info

Publication number
CN109120448A
Authority
CN
China
Prior art keywords
alarm
detailed catalogue
managing detailed
record data
monitoring server
Prior art date
Legal status
Granted
Application number
CN201810970534.5A
Other languages
Chinese (zh)
Other versions
CN109120448B (en)
Inventor
李先瞧
Current Assignee
Wuhan Sipuleng Technology Co Ltd
Original Assignee
Wuhan Sipuleng Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Sipuleng Technology Co Ltd
Priority to CN201810970534.5A
Publication of CN109120448A
Application granted
Publication of CN109120448B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0686 Additional information in the notification, e.g. enhancement of specific meta-data
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application provides an alarm method and system. The method includes: a monitoring server obtains an access control policy baseline made up of multiple matrix units; the monitoring server parses each matrix unit and obtains the access control policy corresponding to it; the monitoring server determines the actual link result between the source network region and the destination network region; the monitoring server judges whether the actual link result is consistent with the link result defined by the access control policy; if they are inconsistent, the monitoring server generates alarm detail information. In the method described here, an inconsistency between the actual link result and the defined link result shows that an abnormal event has occurred in the network system. Once an abnormal event occurs, alarm detail information is generated, and from the source network region and destination network region included in the alarm detail information the root cause of the abnormal event can be determined.

Description

An alarm method and system
Technical field
This application relates to the field of computer security, and in particular to an alarm method and system.
Background technique
A network system usually comprises multiple network regions. Two different network regions normally access each other and exchange data streams according to certain rules. To ensure the security of each network region, abnormal events that occur in a network region need to be alerted on.
Currently, to alert on abnormal events, a security device such as a firewall is usually placed between network regions. During data stream exchange, the source network region sends the data stream to the security device, which parses the received data stream to determine whether it is legitimate. If it is legitimate, the security device forwards the data stream to the destination network region; if the security device determines that the data stream is illegitimate, it reports the illegitimate data stream to a monitoring server. After receiving the illegitimate data stream, the monitoring server determines that an abnormal event has occurred, generates alarm information, and sends the alarm information by e-mail to a preset e-mail address, so that the staff who receive the mail learn from the alarm information that an abnormal event has occurred in the network system.
However, the inventor found during the research for this application that, if abnormal events in a network system are alerted on using the prior art, staff usually have to further analyse and process the network system after receiving the alarm information before they can find the root cause of the abnormal event and correct it. During this analysis, if all access in the network system is blocked, the operation of normal network regions is affected; if all access is not blocked, illegitimate data streams may pass through the security device into the destination network region during the analysis and affect its normal operation.
Summary of the invention
To solve the problem in the prior art that the alarm information in a network system usually needs further processing before the root cause of an abnormal event can be found, the application provides an alarm method and system.
In a first aspect, the application provides an alarm method. The method is applied to an alarm system that includes a monitoring server, and the method includes:
the monitoring server obtains an access control policy baseline made up of multiple matrix units;
the monitoring server parses the matrix unit and obtains the access control policy corresponding to the matrix unit;
the monitoring server obtains the source network region and destination network region corresponding to the access control policy, and determines the actual link result between the source network region and the destination network region;
the monitoring server judges whether the actual link result is consistent with the link result defined by the access control policy;
if the actual link result and the link result defined by the access control policy are inconsistent, the monitoring server generates alarm detail information, which includes: the source network region, the destination network region, the actual link result and the link result defined by the access control policy.
Optionally, the monitoring server determining the actual link result between the source network region and the destination network region comprises:
the monitoring server determines the firewall configuration files corresponding to the source network region and the destination network region;
the monitoring server parses the firewall configuration files and obtains the five-tuple corresponding to each firewall configuration file, where the five-tuple of the source network region is the first five-tuple and the five-tuple of the destination network region is the second five-tuple;
the monitoring server compares each parameter in the first five-tuple with the corresponding parameter in the second five-tuple;
the monitoring server determines the actual link result between the network regions according to the comparison result, where if the range of each parameter in the first five-tuple is less than or equal to the range of the corresponding parameter in the second five-tuple, the monitoring server determines that the actual link result between the network regions is connected; otherwise, the monitoring server determines that the actual link result between the network regions is not connected.
Optionally, the alarm system further includes a database server, and after the monitoring server generates the alarm detail information the method further includes:
the database server receives the alarm detail information sent by the monitoring server;
the database server generates first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
the database server adds the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marks the state value of each item of first alarm record data;
the monitoring server polls each alarm record table in the database server at a preset time and queries the alarm record tables for second alarm record data, where the second alarm record data are the alarm record data in an alarm record table whose state value is "not consulted";
the monitoring server displays the alarm detail information corresponding to the second alarm record data on the homepage.
Optionally, after the database server generates the first alarm record data according to the type of the alarm detail information, the method further includes:
the database server stores each item of alarm detail information in the corresponding alarm detail information table according to its type;
the database server generates unique identification information for each item of first alarm record data and establishes the correspondence between the unique identification information and the alarm detail information.
Optionally, the monitoring server displaying the alarm detail information corresponding to the second alarm record data on the homepage comprises:
the monitoring server queries the alarm detail information table, according to the unique identification information of the second alarm record data, for the alarm detail information corresponding to that unique identification information;
the monitoring server displays the alarm detail information corresponding to the unique identification information on the homepage.
Optionally, the alarm system further includes a mailbox server, and after the database server generates the first alarm record data according to the type of the alarm detail information, the method further includes:
the mailbox server receives the first alarm record data and the alarm detail information sent by the database server;
the mailbox server sends the first alarm record data and the alarm detail information to a preset e-mail address.
In a second aspect, the application provides an alarm system. The alarm system includes a monitoring server, which includes:
a first obtaining module, for obtaining an access control policy baseline made up of multiple matrix units;
a second obtaining module, for parsing the matrix unit and obtaining the access control policy corresponding to the matrix unit;
a determining module, for obtaining the source network region and destination network region corresponding to the access control policy, and determining the actual link result between the source network region and the destination network region;
a judgment module, for judging whether the actual link result is consistent with the link result defined by the access control policy;
an alarm detail information generation module, for generating alarm detail information after the judgment module determines that the actual link result and the link result defined by the access control policy are inconsistent, the alarm detail information including: the source network region, the destination network region, the actual link result and the link result defined by the access control policy.
Optionally, the alarm system further includes a database server, which includes:
a first receiving module, for receiving the alarm detail information sent by the alarm detail information generation module;
a first alarm record data generation module, for generating first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
a state value marking module, for adding the first alarm record data to the alarm record table corresponding to the type of the first alarm record data and marking the state value of each item of first alarm record data;
The monitoring server further includes:
a query module, for polling each alarm record table in the database server at a preset time and querying the alarm record tables for second alarm record data, where the second alarm record data are the alarm record data in an alarm record table whose state value is "not consulted";
a display module, for displaying the alarm detail information corresponding to the second alarm record data on the homepage.
Optionally, the database server further includes:
a storage module, for storing each item of alarm detail information in the corresponding alarm detail information table according to its type;
a correspondence building module, for generating unique identification information for each item of first alarm record data and establishing the correspondence between the unique identification information and the alarm detail information.
Optionally, the alarm system further includes a mailbox server, which includes:
a second receiving module, for receiving the first alarm record data and the alarm detail information sent by the first alarm record data generation module;
a sending module, for sending the first alarm record data and the alarm detail information to a preset e-mail address.
The application provides an alarm method, which includes: a monitoring server obtains an access control policy baseline made up of multiple matrix units; the monitoring server parses the matrix unit and obtains the access control policy corresponding to the matrix unit; the monitoring server obtains the source network region and destination network region corresponding to the access control policy, and determines the actual link result between the source network region and the destination network region; the monitoring server judges whether the actual link result is consistent with the link result defined by the access control policy; if the actual link result and the link result defined by the access control policy are inconsistent, the monitoring server generates alarm detail information, which includes: the source network region, the destination network region, the actual link result and the link result defined by the access control policy.
In the method described here, an inconsistency between the actual link result and the defined link result shows that an abnormal event has occurred in the network system. Once an abnormal event occurs, alarm detail information is generated, and from the source network region and destination network region included in the alarm detail information the root cause of the abnormal event can be determined promptly. In the prior art, after alarm information is received, staff have to further analyse and process the network system before the root cause of the abnormal event can be determined; compared with the prior art, therefore, the method of the application improves the efficiency of determining the root cause of an abnormal event.
Further, the method described here does not need to derive alarm information from the current state of the data streams between network regions, and does not need further analysis of the alarm information to determine the root cause of an abnormal event. The prior-art problem of having to block all access while the network system is analysed therefore does not arise, and the operation of normal network regions is protected.
Detailed description of the invention
To explain the technical solution of the application more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic work-flow diagram of an alarm method provided by an embodiment of the application;
Fig. 2 is a schematic work-flow diagram of determining the actual link result in an alarm method provided by an embodiment of the application;
Fig. 3 is a schematic work-flow diagram of another alarm method provided by an embodiment of the application;
Fig. 4 is a schematic work-flow diagram of another alarm method provided by an embodiment of the application;
Fig. 5 is a schematic work-flow diagram of the monitoring server displaying alarm detail information in an alarm method provided by an embodiment of the application;
Fig. 6 is a schematic work-flow diagram of another alarm method provided by an embodiment of the application;
Fig. 7 is a schematic structural diagram of an alarm system provided by an embodiment of the application.
Specific embodiment
To solve the problem in the prior art that the alarm information in a network system usually needs further processing before the root cause of an abnormal event can be found, the application provides an alarm method and system through the following embodiments.
In a network system, for the needs of security management, the network system is often divided into multiple security domains, and mutual access between different security domains must follow specific rules. In the embodiments of the application these rules are implemented by firewalls: a firewall is placed between each pair of security domains, each firewall is configured with a different access control policy, and the access control policies of these firewalls implement the security management of the network system. Inside each security domain, different businesses are usually deployed, and mutual access between businesses must also follow certain rules, so firewalls are also placed between businesses. For example, taking a department of an enterprise as one security domain, the security domain contains a Finance Department and a Human Resources Department, each of which has its own business system; to prevent the Finance Department's business system and the Human Resources Department's business system from accessing each other, a firewall is placed at the entrance of each of the two business systems.
Referring to the work-flow diagram shown in Fig. 1, an embodiment of the application provides an alarm method. The method is applied to an alarm system that includes a monitoring server, and the method comprises the following steps:
Step 101: the monitoring server obtains an access control policy baseline made up of multiple matrix units.
A network system usually comprises multiple devices. A baseline is a particular version of each device stored in the configuration repository at a specific time; the version may take the form of a "snapshot". The baseline provides an official standard on which subsequent work is based, and except under authorization the baseline cannot be changed arbitrarily.
In the embodiments of the application the access control policy baseline is preset. According to the different kinds of source network region and destination network region, the access control policy baseline is divided into four classes: the access control policy baseline between security domains, the access control policy baseline between businesses, the security-domain-to-business access control policy baseline and the business-to-security-domain access control policy baseline.
Step 102: the monitoring server parses the matrix unit and obtains the access control policy corresponding to the matrix unit.
Table 1: Access control policy baseline between businesses
Each type of access control policy baseline is represented by a baseline matrix corresponding to that type. Table 1 shows an example of the baseline matrix of the access control policy baseline between businesses. As can be seen from Table 1, the network system contains two security domains, each security domain contains two businesses, so there are four businesses in total, and the access control policies between the four businesses make up 16 matrix units. For example, matrix unit 3 corresponds to the access control policy from business B1 to business A1, and matrix unit 4 corresponds to the access control policy from business B2 to business A1; that is, each matrix unit corresponds to one access control policy.
In one implementation provided by the embodiments of the application there are two kinds of access control policy, "invalid" and "forbid". If the access control policy corresponding to a matrix unit is "invalid", the monitoring server treats the actual link result corresponding to that access control policy as normal by default and does not perform the operation of step 103; for example, if the access control policies corresponding to matrix units 1, 2, 5 and 6 are "invalid", the businesses in security domain A can access each other. If the access control policy corresponding to a matrix unit is "forbid", the monitoring server continues with the operation of step 103. Access control policies may also be classified in other ways; the application does not specifically limit this.
Step 103: the monitoring server obtains the source network region and destination network region corresponding to the access control policy, and determines the actual link result between the source network region and the destination network region.
In the embodiments of the application a matrix unit corresponds to an access control policy: the source network region of the matrix unit is the source network region corresponding to the access control policy, and the destination network region of the matrix unit is the destination network region corresponding to the access control policy. For example, in Table 1 the source network region of matrix unit 3 is business B1 and its destination network region is business A1, so the source network region of the access control policy corresponding to matrix unit 3 is business B1 and its destination network region is business A1.
Step 104: the monitoring server judges whether the actual link result is consistent with the link result defined by the access control policy.
In this step, if the monitoring server judges that the actual link result is consistent with the link result defined by the access control policy, the monitoring server does not generate alarm detail information; if the monitoring server judges that the actual link result and the link result defined by the access control policy are inconsistent, the monitoring server continues with the operation of step 105.
Step 105: if the actual link result and the link result defined by the access control policy are inconsistent, the monitoring server generates alarm detail information, which includes: the source network region, the destination network region, the actual link result and the link result defined by the access control policy.
In this step, besides the source network region, destination network region, actual link result and link result defined by the access control policy, the alarm detail information may also include auxiliary information such as the type and the review time. For example, one item of alarm detail information is: "source: B, destination: A, actual result: connected, preset: not connected, type: zone, review time: 2018-01-01 00:00:00, description: security domain configuration violated". From the source network region and destination network region in the alarm detail information, the root cause of the abnormal event can be determined.
In the method described here, an inconsistency between the actual link result and the defined link result shows that an abnormal event has occurred in the network system. Once an abnormal event occurs, alarm detail information is generated, and from the source network region and destination network region included in the alarm detail information the root cause of the abnormal event can be determined promptly. In the prior art, after alarm information is received, staff have to further analyse and process the network system before the root cause of the abnormal event can be determined; compared with the prior art, therefore, the method of the application improves the efficiency of determining the root cause of an abnormal event.
Further, the method described here does not need to derive alarm information from the current state of the data streams between network regions, and does not need further analysis of the alarm information to determine the root cause of an abnormal event. The prior-art problem of having to block all access while the network system is analysed therefore does not arise, and the operation of normal network regions is protected.
Referring to the work-flow diagram shown in Fig. 2, the monitoring server determining the actual link result between the source network region and the destination network region comprises the following steps:
Step 201: the monitoring server determines the firewall configuration files corresponding to the source network region and the destination network region.
In this step, a firewall is placed at the entrance of each of the source network region and the destination network region, and the firewall configuration file corresponding to a network region is looked up by the network address of the source network region or the destination network region.
Step 202: the monitoring server parses the firewall configuration files and obtains the five-tuple corresponding to each firewall configuration file, where the five-tuple of the source network region is the first five-tuple and the five-tuple of the destination network region is the second five-tuple.
In this step, a five-tuple comprises five parameters: source IP address, source port, destination IP address, destination port and transport layer protocol, and each parameter in the five-tuple is usually a range.
Step 203: the monitoring server compares each parameter in the first five-tuple with the corresponding parameter in the second five-tuple.
In this step, when network regions access each other, what actually happens is that data streams pass between the network regions. While passing through a firewall, a data stream has to be matched against the firewall's five-tuple, i.e. against the five parameters of the five-tuple: if the data stream falls within the five parameter ranges of the five-tuple it can pass through the firewall, otherwise it cannot.
For example, while a data stream flows from network region A to network region B, assume that network region A corresponds to firewall A and network region B corresponds to firewall B. The data stream is first matched against the five-tuple of firewall A; if the data stream falls within the five parameter ranges of firewall A, it can flow out of network region A. It is then matched against the five-tuple of firewall B; if the data stream falls within the five parameter ranges of firewall B, it can flow into network region B.
From the above analysis, if a data stream falls within both the five parameter ranges of firewall A and the five parameter ranges of firewall B, the data stream can enter network region B from network region A, i.e. the actual link result from network region A to network region B is connected.
Step 204: the monitoring server determines the actual link result between the network regions according to the comparison result, where if the range of each parameter in the first five-tuple is less than or equal to the range of the corresponding parameter in the second five-tuple, the monitoring server determines that the actual link result between the network regions is connected; otherwise, the monitoring server determines that the actual link result between the network regions is not connected.
Since a data stream is matched first against the first five-tuple and then against the second five-tuple, when the range of each parameter in the first five-tuple is less than or equal to the range of the corresponding parameter in the second five-tuple, any data stream that can pass the firewall corresponding to the first five-tuple, i.e. that lies within every parameter range of the first five-tuple, necessarily lies within every parameter range of the second five-tuple as well, and so can also pass the firewall corresponding to the second five-tuple. In other words, if the range of each parameter in the first five-tuple is less than or equal to the range of the corresponding parameter in the second five-tuple, the actual link result between the network regions is connected. When a data stream flows from inside a network region through its firewall to the outside, the firewall usually treats it as legitimate data by default, that is, the data stream can pass the first five-tuple. Therefore, in this step, comparing the first five-tuple with the second five-tuple determines whether the actual link result between the two network regions is connected.
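As an added example (not code from the patent), the following Python puts the baseline scan of steps 101 to 105 and the five-tuple comparison of steps 201 to 204 together: it numbers a constructed baseline matrix the way Table 1 is described (rows are destinations, unit 3 is B1 to A1), derives each firewall's five-tuple from a constructed one-line configuration format, and emits alarm detail information wherever a "forbid" policy is contradicted by an actual link result of "connected". The configuration format, the "business" type label and the description text are assumptions.

```python
"""Added example (not the patent's code): baseline scan (steps 101-105)
combined with the five-tuple comparison (steps 201-204).
Assumptions: firewall configuration files use a constructed one-line
"key value" format; IPv4, port and protocol ranges are compared as closed
integer intervals; the policy values are "invalid" and "forbid"."""
from dataclasses import dataclass
import ipaddress

FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")


@dataclass(frozen=True)
class FiveTuple:
    """Each parameter is a closed interval (lo, hi) of integers."""
    src_ip: tuple
    src_port: tuple
    dst_ip: tuple
    dst_port: tuple
    proto: tuple


def ip_interval(cidr: str) -> tuple:
    """'10.1.0.0/16' -> (first address, last address) as integers."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def int_interval(spec: str, hi_max: int = 65535) -> tuple:
    """'80-443' -> (80, 443); a single value such as '6' -> (6, 6)."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= hi_max:
        raise ValueError(f"bad range {spec!r}")
    return lo_i, hi_i


def parse_firewall_config(text: str) -> FiveTuple:
    """Step 202: extract the five-tuple from a (constructed-format) config file."""
    tokens = text.split()
    kv = dict(zip(tokens[0::2], tokens[1::2]))
    return FiveTuple(
        src_ip=ip_interval(kv["src"]), src_port=int_interval(kv["sport"]),
        dst_ip=ip_interval(kv["dst"]), dst_port=int_interval(kv["dport"]),
        proto=int_interval(kv["proto"], hi_max=255),
    )


def within(a: tuple, b: tuple) -> bool:
    """Interval a lies inside interval b: the patent's 'range less than or equal'."""
    return b[0] <= a[0] and a[1] <= b[1]


def actual_link(first: FiveTuple, second: FiveTuple) -> bool:
    """Steps 203-204: connected iff every parameter range of the source
    firewall (first five-tuple) is within the destination firewall's (second)."""
    return all(within(getattr(first, f), getattr(second, f)) for f in FIELDS)


# Step 102: businesses A1, A2 (security domain A) and B1, B2 (security domain B).
# Rows are destinations, columns sources, numbered row by row as Table 1 is
# described, so unit 3 is B1 -> A1 and unit 4 is B2 -> A1. Constructed sample.
BUSINESSES = ("A1", "A2", "B1", "B2")
BASELINE_MATRIX = [
    ["invalid", "invalid", "forbid", "forbid"],   # destination A1
    ["invalid", "invalid", "forbid", "forbid"],   # destination A2
    ["forbid", "forbid", "invalid", "invalid"],   # destination B1
    ["forbid", "forbid", "invalid", "invalid"],   # destination B2
]

# Step 201: one constructed firewall configuration per business entrance.
FIREWALL_CONFIGS = {
    "A1": "src 10.0.0.0/8 sport 1-65535 dst 10.1.0.0/16 dport 80-443 proto 6",
    "A2": "src 10.1.0.0/16 sport 1-65535 dst 10.1.0.0/16 dport 1-65535 proto 6",
    "B1": "src 10.2.1.0/24 sport 1024-65535 dst 10.1.0.0/16 dport 80-80 proto 6",
    "B2": "src 10.2.2.0/24 sport 1024-65535 dst 10.1.0.0/16 dport 53-53 proto 17",
}
FIREWALLS = {name: parse_firewall_config(cfg) for name, cfg in FIREWALL_CONFIGS.items()}


def parse_baseline(matrix) -> list:
    """Step 102: each matrix unit becomes one access control policy."""
    policies, unit = [], 1
    for dst, row in zip(BUSINESSES, matrix):
        for src, policy in zip(BUSINESSES, row):
            policies.append({"unit": unit, "src": src, "dst": dst, "policy": policy})
            unit += 1
    return policies


def scan_baseline(matrix, firewalls, review_time: str) -> list:
    """Steps 103-105: alarm detail information for every 'forbid' policy whose
    actual link result is nevertheless 'connected'."""
    alarms = []
    for p in parse_baseline(matrix):
        if p["policy"] == "invalid":          # step 102: treated as normal, skip
            continue
        if p["policy"] != "forbid":
            raise ValueError(f"unknown policy {p['policy']!r} in unit {p['unit']}")
        # Defined link result for 'forbid' is 'not connected'; compare with actual.
        if actual_link(firewalls[p["src"]], firewalls[p["dst"]]):
            alarms.append({
                "source": p["src"], "destination": p["dst"],
                "actual": "connected", "preset": "not connected",
                "type": "business", "review time": review_time,
                "description": "business access control baseline violated",
            })
    return alarms


if __name__ == "__main__":
    for alarm in scan_baseline(BASELINE_MATRIX, FIREWALLS, "2018-01-01 00:00:00"):
        print(alarm)
```

With the sample data only unit 3 (B1 to A1) fires: B1's firewall ranges all lie within A1's, while B2's UDP/53 rule falls outside A1's TCP 80-443 window and the cross-domain rules in the other direction fail on the source address range.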
Referring to the workflow diagram shown in Fig. 3, the embodiment of the present application provides another alarm method. The method is applied to an alarm system that includes a database server in addition to the monitoring server, and after the monitoring server generates the alarm detail information it further includes the following steps:
Step 301: the database server receives the alarm detail information sent by the monitoring server.
In this step, before the alarm detail information is stored, the monitoring server adds it to system memory for temporary storage; writing of the alarm detail information to the database starts only after the scanning of all four control-policy baselines has completed. The database server first checks whether alarm details are present in the monitoring server's system memory and, if so, the alarm detail information is sent to the database server. After it has been received for storage, the database server likewise keeps the alarm detail information in temporary storage first and then performs the operation of step 302.
Step 302: the database server generates first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information.
In the embodiment of the present application there are four types of alarm detail information, and four types of first alarm record data are generated from the four types of alarm detail information. The first alarm record data is summary information about the alarm detail information and usually includes the type, the number of alarms, the alarm time, and so on.
Step 303: the database server adds the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marks the state value of each item of first alarm record data.
In this step, while adding the first alarm record data to the alarm record table, the database server marks the state value of that item of first alarm record data as "unviewed" and records the state value in the first alarm record data. For example, one item of first alarm record data reads: "type: zone, number of alarms: 2, alarm time: 2017-01-01 00:00:00, state: 0", where "0" is defined to represent "unviewed" and "1" to represent "viewed".
Step 304: the monitoring server polls each alarm record table in the database server at a preset interval and queries the second alarm record data in the alarm record table, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed".
If there is no second alarm record data in the alarm record table, that is, the state value of all alarm record data is "viewed" and no new alarm record data has been added to the alarm record table, the monitoring server proceeds to the next poll; if second alarm record data exists in the alarm record table, step 305 is performed.
Step 305: the monitoring server displays the alarm detail information corresponding to the second alarm record data on the home page.
While the monitoring server displays the second alarm record data on the home page, the database server changes the state value of the second alarm record data to "viewed".
Referring to the workflow diagram shown in Fig. 4, the embodiment of the present application provides another alarm method. The method is applied to an alarm system that includes a monitoring server and a database server, and after the monitoring server generates the alarm detail information it further includes the following steps:
Step 401: the database server receives the alarm detail information sent by the monitoring server.
Step 402: the database server generates first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information.
Step 403: the database server adds the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marks the state value of each item of first alarm record data.
Step 404: the database server stores each item of alarm detail information into the corresponding alarm detail information table according to the type of the alarm detail information.
Step 405: the database server generates unique identification information for each item of first alarm record data and establishes the correspondence between the unique identification information and the alarm detail information.
After the database server adds the first alarm record data to the alarm record table, it returns one piece of unique identification information for each item of first alarm record data, for example a code, and adds the unique identification information to the first alarm record data; within the alarm record table, the unique identification information and the first alarm record data are therefore in one-to-one correspondence.
The unique identification information is then added to the alarm detail information corresponding to the first alarm record data, so that in the alarm detail information table the alarm detail information belonging to a given piece of unique identification information can be found by querying the unique identification information that corresponds to the alarm record data. Since each item of alarm record data corresponds to one or more items of alarm detail information, in the alarm detail information table one piece of unique identification information corresponds to one or more items of alarm detail information.
Step 406: the monitoring server polls each alarm record table in the database server at a preset interval and queries the second alarm record data in the alarm record table, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed".
Step 407: the monitoring server displays the alarm detail information corresponding to the second alarm record data on the home page.
The specific operation of steps 401 to 403 is the same as that of steps 301 to 303, and the specific operation of steps 405 to 406 is the same as that of steps 304 to 305; they may be referred to each other and are not described again here.
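The record-table procedure of steps 301 to 305 and 401 to 407 (grouping alarm details into first alarm record data per type, marking the "unviewed" state value, issuing a unique identifier that links a record to its detail rows, and the monitoring server's poll), as an added example that is not the patent's own code. It assumes SQLite in-memory tables, a single record table with a type column in place of the patent's one table per type, and constructed sample detail information.

```python
import json
import sqlite3

UNVIEWED, VIEWED = 0, 1  # state values as the description defines them


class AlarmDatabase:
    """Constructed stand-in for the database server (not the patent's code).
    The patent keeps one alarm record table per type; one table with a type
    column is used here, which leaves the procedure unchanged."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE alarm_record (
                record_id   INTEGER PRIMARY KEY AUTOINCREMENT,
                alarm_type  TEXT    NOT NULL,
                alarm_count INTEGER NOT NULL,
                alarm_time  TEXT    NOT NULL,
                state       INTEGER NOT NULL);
            CREATE TABLE alarm_detail (
                record_id   INTEGER NOT NULL REFERENCES alarm_record(record_id),
                detail_json TEXT    NOT NULL);
        """)

    def ingest(self, details: list, alarm_time: str) -> dict:
        """Steps 302-303 and 404-405: one first-alarm-record per type, marked
        UNVIEWED; record_id is the unique identification information and is
        carried into every stored detail row. Returns {alarm_type: record_id}."""
        by_type: dict = {}
        for detail in details:
            by_type.setdefault(detail["type"], []).append(detail)
        ids = {}
        for alarm_type, items in by_type.items():
            cur = self.conn.execute(
                "INSERT INTO alarm_record (alarm_type, alarm_count, alarm_time, state)"
                " VALUES (?, ?, ?, ?)", (alarm_type, len(items), alarm_time, UNVIEWED))
            record_id = cur.lastrowid
            self.conn.executemany(
                "INSERT INTO alarm_detail (record_id, detail_json) VALUES (?, ?)",
                [(record_id, json.dumps(item, sort_keys=True)) for item in items])
            ids[alarm_type] = record_id
        self.conn.commit()
        return ids

    def unviewed_records(self) -> list:
        """Step 304: the second alarm record data, i.e. records still UNVIEWED."""
        columns = ("record_id", "alarm_type", "alarm_count", "alarm_time")
        rows = self.conn.execute(
            "SELECT record_id, alarm_type, alarm_count, alarm_time FROM alarm_record"
            " WHERE state = ? ORDER BY record_id", (UNVIEWED,))
        return [dict(zip(columns, row)) for row in rows]

    def details_for(self, record_id: int) -> list:
        """Step 501: resolve alarm detail information through the unique identifier."""
        rows = self.conn.execute(
            "SELECT detail_json FROM alarm_detail WHERE record_id = ?", (record_id,))
        return [json.loads(row[0]) for row in rows]

    def mark_viewed(self, record_id: int) -> None:
        """The state change the database server makes once the record is shown."""
        self.conn.execute("UPDATE alarm_record SET state = ? WHERE record_id = ?",
                          (VIEWED, record_id))
        self.conn.commit()


def poll_once(db: AlarmDatabase) -> dict:
    """One polling round of the monitoring server (steps 304-305): fetch the
    unviewed records, resolve their details for the home page, and have the
    database mark them viewed. Returns {alarm_type: [detail, ...]}."""
    shown = {}
    for record in db.unviewed_records():
        shown[record["alarm_type"]] = db.details_for(record["record_id"])
        db.mark_viewed(record["record_id"])
    return shown


# Constructed alarm detail information in the shape claim 1 describes; the
# "host" type is an assumption, the description only names the "zone" type.
SAMPLE_DETAILS = [
    {"type": "zone", "source": "office", "destination": "datacentre",
     "physical_link": "connected", "policy_link": "not connected"},
    {"type": "zone", "source": "guest", "destination": "datacentre",
     "physical_link": "connected", "policy_link": "not connected"},
    {"type": "host", "source": "10.1.0.7", "destination": "10.2.0.9",
     "physical_link": "not connected", "policy_link": "connected"},
]
```

A second poll after the first returns nothing, which is exactly the "no new alarm record data, proceed to the next poll" branch of step 304.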
Referring to the workflow diagram shown in Fig. 5, the monitoring server displaying the alarm detail information corresponding to the second alarm record data on the home page includes the following steps:
Step 501: according to the unique identification information of the second alarm record data, the monitoring server queries the alarm detail information table for the alarm detail information corresponding to that unique identification information.
Step 502: the monitoring server displays the alarm detail information corresponding to the unique identification information on the home page.
In the embodiment of the present application, the monitoring server retrieves the alarm detail information grouped by source, merges it into JSON-formatted data and returns it to the display module. When the home page displays the alarm information, the alarm detail information is linked with the topology diagram, so that the root cause of the abnormal event is shown intuitively and the network system can be repaired according to that root cause.
Referring to the workflow diagram shown in Fig. 6, the embodiment of the present application provides another alarm method. The method is applied to an alarm system that includes a mail server in addition to the monitoring server and the database server, and after the database server generates the first alarm record data according to the type of the alarm detail information it further includes the following steps:
Step 601: the mail server receives the first alarm record data and the alarm detail information sent by the database server.
Step 602: the mail server sends the first alarm record data and the alarm detail information to a preset email address.
In the embodiment of the present application, the mail content lists the generation time of the alarm detail information and key information such as the source and destination corresponding to the alarm detail information, so that staff can make a preliminary judgment of the root cause of the abnormal event after receiving the mail.
Referring to the structural schematic diagram shown in Fig. 7, the embodiment of the present application provides an alarm system. The alarm system includes a monitoring server 10, and the monitoring server 10 includes:
a first obtaining module 11, configured to obtain an access control policy baseline composed of multiple matrix units;
a second obtaining module 12, configured to parse the matrix units and obtain the access control policy corresponding to each matrix unit;
a determining module 13, configured to obtain the source network area and destination network area corresponding to the access control policy, and to determine the physical link result between the source network area and the destination network area;
a judgment module 14, configured to judge whether the physical link result is consistent with the link result specified by the access control policy;
an alarm detail information generation module 15, configured to generate alarm detail information after the judgment module determines that the physical link result is inconsistent with the link result specified by the access control policy, the alarm detail information including: the source network area, the destination network area, the physical link result and the link result specified by the access control policy.
Optionally, the alarm system further includes a database server 20, and the database server 20 includes:
a first receiving module 21, configured to receive the alarm detail information sent by the alarm detail information generation module;
a first alarm record data generation module 22, configured to generate first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
a state value marking module 23, configured to add the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and to mark the state value of each item of first alarm record data.
The monitoring server 10 further includes:
a query module 16, configured to poll each alarm record table in the database server at a preset interval and query the second alarm record data in the alarm record table, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed";
a display module 17, configured to display the alarm detail information corresponding to the second alarm record data on the home page.
Optionally, the database server 20 further includes:
a storage module 24, configured to store each item of alarm detail information into the corresponding alarm detail information table according to the type of the alarm detail information;
a correspondence building module 25, configured to generate unique identification information for each item of first alarm record data and establish the correspondence between the unique identification information and the alarm detail information.
Optionally, the alarm system further includes a mail server 30, and the mail server 30 includes:
a second receiving module 31, configured to receive the first alarm record data and the alarm detail information sent by the first alarm record data generation module;
a sending module 32, configured to send the first alarm record data and the alarm detail information to a preset email address.
Those skilled in the art will clearly understand that the technology in the embodiments of the present invention can be implemented by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution in the embodiments of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in the embodiments of the present invention or in certain parts of the embodiments.
The embodiments in this specification may be referred to each other for their same and similar parts. In particular, since the device embodiments are substantially similar to the method embodiments, they are described relatively simply, and the relevant points can be found in the description of the method embodiments.
The application has been described in detail above with reference to specific embodiments and exemplary examples, but these descriptions should not be understood as limiting the application. Those skilled in the art will understand that various equivalent substitutions, modifications or improvements may be made to the technical solution and embodiments of the application without departing from its spirit and scope, and all of these fall within the scope of the application. The protection scope of the application is determined by the appended claims.

Claims (10)

1. An alarm method, characterized in that the method is applied to an alarm system, the alarm system includes a monitoring server, and the method includes:
the monitoring server obtaining an access control policy baseline composed of multiple matrix units;
the monitoring server parsing the matrix units and obtaining the access control policy corresponding to each matrix unit;
the monitoring server obtaining the source network area and destination network area corresponding to the access control policy, and determining the physical link result between the source network area and the destination network area;
the monitoring server judging whether the physical link result is consistent with the link result specified by the access control policy;
if the physical link result is inconsistent with the link result specified by the access control policy, the monitoring server generating alarm detail information, the alarm detail information including: the source network area, the destination network area, the physical link result and the link result specified by the access control policy.
2. The alarm method according to claim 1, characterized in that the monitoring server determining the physical link result between the source network area and the destination network area includes:
the monitoring server determining the firewall configuration files corresponding to the source network area and the destination network area;
the monitoring server parsing the firewall configuration files and obtaining the five-tuple corresponding to each firewall configuration file, where the five-tuple of the source network area is a first five-tuple and the five-tuple of the destination network area is a second five-tuple;
the monitoring server comparing each parameter in the first five-tuple with the corresponding parameter in the second five-tuple;
the monitoring server determining the physical link result between the network areas according to the comparison result, where if the range of each parameter in the first five-tuple is less than or equal to the range of the corresponding parameter in the second five-tuple, the monitoring server determines that the physical link result between the network areas is "connected", and otherwise the monitoring server determines that the physical link result between the network areas is "not connected".
3. The alarm method according to claim 1, characterized in that the alarm system further includes a database server, and after the monitoring server generates the alarm detail information the method further includes:
the database server receiving the alarm detail information sent by the monitoring server;
the database server generating first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
the database server adding the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and marking the state value of each item of first alarm record data;
the monitoring server polling each alarm record table in the database server at a preset interval and querying the second alarm record data in the alarm record table, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed";
the monitoring server displaying the alarm detail information corresponding to the second alarm record data on the home page.
4. The alarm method according to claim 3, characterized in that after the database server generates the first alarm record data according to the type of the alarm detail information, the method further includes:
the database server storing each item of alarm detail information into the corresponding alarm detail information table according to the type of the alarm detail information;
the database server generating unique identification information for each item of first alarm record data, and establishing the correspondence between the unique identification information and the alarm detail information.
5. The alarm method according to claim 4, characterized in that the monitoring server displaying the alarm detail information corresponding to the second alarm record data on the home page includes:
the monitoring server querying, according to the unique identification information of the second alarm record data, the alarm detail information table for the alarm detail information corresponding to the unique identification information;
the monitoring server displaying the alarm detail information corresponding to the unique identification information on the home page.
6. The alarm method according to claim 3, characterized in that the alarm system further includes a mail server, and after the database server generates the first alarm record data according to the type of the alarm detail information, the method further includes:
the mail server receiving the first alarm record data and the alarm detail information sent by the database server;
the mail server sending the first alarm record data and the alarm detail information to a preset email address.
7. An alarm system, characterized in that the alarm system includes a monitoring server, and the monitoring server includes:
a first obtaining module, configured to obtain an access control policy baseline composed of multiple matrix units;
a second obtaining module, configured to parse the matrix units and obtain the access control policy corresponding to each matrix unit;
a determining module, configured to obtain the source network area and destination network area corresponding to the access control policy, and to determine the physical link result between the source network area and the destination network area;
a judgment module, configured to judge whether the physical link result is consistent with the link result specified by the access control policy;
an alarm detail information generation module, configured to generate alarm detail information after the judgment module determines that the physical link result is inconsistent with the link result specified by the access control policy, the alarm detail information including: the source network area, the destination network area, the physical link result and the link result specified by the access control policy.
8. The alarm system according to claim 7, characterized in that the alarm system further includes a database server, and the database server includes:
a first receiving module, configured to receive the alarm detail information sent by the alarm detail information generation module;
a first alarm record data generation module, configured to generate first alarm record data according to the type of the alarm detail information, where the type of the first alarm record data is the same as the type of the alarm detail information;
a state value marking module, configured to add the first alarm record data to the alarm record table corresponding to the type of the first alarm record data, and to mark the state value of each item of first alarm record data;
and the monitoring server further includes:
a query module, configured to poll each alarm record table in the database server at a preset interval and query the second alarm record data in the alarm record table, where the second alarm record data is the alarm record data in the alarm record table whose state value is "unviewed";
a display module, configured to display the alarm detail information corresponding to the second alarm record data on the home page.
9. The alarm system according to claim 8, characterized in that the database server further includes:
a storage module, configured to store each item of alarm detail information into the corresponding alarm detail information table according to the type of the alarm detail information;
a correspondence building module, configured to generate unique identification information for each item of first alarm record data and establish the correspondence between the unique identification information and the alarm detail information.
10. The alarm system according to claim 8, characterized in that the alarm system further includes a mail server, and the mail server includes:
a second receiving module, configured to receive the first alarm record data and the alarm detail information sent by the first alarm record data generation module;
a sending module, configured to send the first alarm record data and the alarm detail information to a preset email address.
Application CN201810970534.5A, priority date 2018-08-24, filing date 2018-08-24, "Alarm method and system", status Active, granted as CN109120448B (en).

Publications (2)

Publication Number    Publication Date
CN109120448A (en)     2019-01-01
CN109120448B (en)     2020-05-05
