CN109359098A - A kind of dispatch data net behavior monitoring system and method - Google Patents
- Publication number: CN109359098A
- Application number: CN201811284447.0A
- Authority: CN (China)
- Prior art keywords: log, sample, abnormal, rule, library
- Legal status: Granted (the status shown is Google's assumption, not a legal conclusion)
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S10/00—Systems supporting electrical power generation, transmission or distribution
- Y04S10/50—Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The embodiments of the present application provide a dispatch data network behavior monitoring system and method. The monitoring system includes a log collection tool management module, a temporary log library module, a comprehensive analysis module, an abnormal log library, a compliant log library and a results management module. The log collection tool management module collects the distributed logs of the dispatch data network's network equipment and security equipment and the centralized logs of the dispatch data network security auditing system; the temporary log library module normalizes these logs into normal-form logs; the comprehensive analysis module pattern-matches the normal-form logs against the compliant log library and the abnormal log library to form compliant logs or abnormal logs; and the results management module performs machine learning training on the compliant logs or on the abnormal logs. The embodiments can complete network anomaly monitoring at the earliest moment and effectively prevent an incident from spreading, so as to avoid a major network security event on the dispatch data network.
Description
Technical field
The present application relates to the field of network security, and more particularly to a dispatch data network behavior monitoring system and method.
Background technique
The dispatch data network is the network used to transmit real-time power generation information such as grid automation information, dispatch control instructions, and the control information of relay protection and safety automation devices; it carries the real-time production services of the electric power monitoring system. Behavior monitoring of the dispatch data network is an important measure for guaranteeing the secure, economical, stable and reliable operation of the power grid, and for avoiding the economic loss, damage to corporate image and impact on people's livelihood that a network security event would bring to the dispatch data network.
With the rapid development and growth of the dispatch data network and its information support systems, the dispatch data network has become large in scale, wide in geographic coverage and dispersed in plant and substation management, which brings significant challenges to dispatch data network behavior monitoring. At present, the main stations at each level of the dispatch data network and security zones I, II and III of the plants and substations deploy only IDS (Intrusion Detection Systems) and an anti-virus center for dispatch data network behavior monitoring. This still has the disadvantages that network perimeter security behavior monitoring is insufficient and abnormal network behavior cannot be detected, and it harbors great security risks. There is therefore an urgent need for a technical means that can accurately and promptly discover the abnormal behavior and security threats present in the dispatch data network.
Summary of the invention
The present application provides a dispatch data network behavior monitoring system and method to solve the problem of dispatch data network behavior monitoring.
In a first aspect, the present application provides a dispatch data network behavior monitoring system. The system includes a log collection tool management module, a temporary log library module, a comprehensive analysis module, an abnormal log library, a compliant log library and a results management module, wherein:
the log collection tool management module is used to collect dispatch data network logs and send them to the temporary log library module; the dispatch data network logs include the distributed logs of the dispatch data network's network equipment and security equipment and the centralized logs of the dispatch data network security auditing system;
the temporary log library module is used to normalize the dispatch data network logs to obtain normal-form logs, and to send the normal-form logs to the comprehensive analysis module;
the comprehensive analysis module is used to pattern-match the normal-form logs against the historical compliant log samples in the compliant log library and the historical abnormal log samples in the abnormal log library, to form compliant logs or abnormal logs, and to send the compliant logs or abnormal logs to the results management module;
the results management module is used to perform machine learning training on the compliant logs to obtain real-time compliant log samples, which it sends to the compliant log library, or to perform machine learning on the abnormal logs to obtain real-time abnormal log samples, which it sends to the abnormal log library;
the compliant log library is used to store the historical compliant log samples and the real-time compliant log samples;
the abnormal log library is used to store the historical abnormal log samples and the real-time abnormal log samples.
Preferably, the system further includes a storage management module, which is used to store the real-time compliant log samples sent from the results management module.
In a second aspect, the present application also provides a dispatch data network behavior monitoring method. The method includes:
collecting dispatch data network logs, the dispatch data network logs including the distributed logs of the dispatch data network's network equipment and security equipment and the centralized logs of the dispatch data network security auditing system;
normalizing the dispatch data network logs to obtain normal-form logs;
pattern-matching the normal-form logs against the compliant log library and the abnormal log library to form compliant logs or abnormal logs;
performing machine learning training on the compliant logs or abnormal logs with a machine learning algorithm based on a hidden Markov model to obtain real-time compliant log samples or real-time abnormal log samples;
storing the real-time compliant log samples or real-time abnormal log samples by category.
Preferably, before the pattern matching of the normal-form logs against the historical compliant log samples and historical abnormal log samples, the method further includes: using the hidden-Markov-model-based machine learning algorithm, establishing with a hidden Markov model a normal sample profile of compliant logs, inputting the historical compliant log samples and historical abnormal log samples of the dispatch data network into the normal sample profile and performing machine learning, thereby establishing the compliant log library and the abnormal log library.
Preferably, performing machine learning on the compliant logs or abnormal logs with the hidden-Markov-model-based machine learning algorithm to obtain real-time compliant log samples or real-time abnormal log samples includes:
establishing a hidden Markov model;
inputting the normal-form logs into the hidden Markov model;
performing data processing on the hidden Markov model to form real-time compliant log samples or real-time abnormal log samples, the data processing including sliding window processing.
Preferably, the message structure of a normal-form log includes: the log name, the type of the device that generated the log, the address of the device that generated the log, the log generation time, the source device in the log, the source address in the log, the source port in the log, the destination device in the log, the destination address in the log, the destination port in the log, the network connection type in the log, the log event description and the behavior state.
Preferably, the message structure of the compliant log library and the abnormal log library includes: the device type corresponding to the log, the detection sample type, the sample log details, the sample log creation or update time, and the sample library status.
Preferably, the message structure of a compliant log or abnormal log includes: the detection time, the device type associated with the detected log, the detection result, the detection sample source, the detection sample type, the result status and the raw log information.
Preferably, historical compliant log samples are stored in the compliant log library and historical abnormal log samples are stored in the abnormal log library; the message structure of the historical compliant log samples and historical abnormal log samples includes: the log status, the log occurrence frequency, the log anomaly type, the log anomaly device, the log anomaly device address, the log anomaly device port, the abnormal log status, the abnormal log discovery time and the raw log information.
Preferably, the method further includes: raising an abnormal log alarm according to the real-time abnormal log samples.
The beneficial effects of the dispatch data network behavior monitoring system and method provided by the embodiments of the present application include the following. For log detection of the dispatch data network, collecting logs through multiple channels guarantees the validity and consistency of the log sources. Through continuous machine learning, the abnormal log library and the compliant log library are improved automatically, so that abnormal conditions in dispatch data network logs can be discovered accurately. By analyzing the results of the system deployment, the abnormal behavior present in the dispatch data network is obtained, its log details are pinned down and an alarm is issued promptly, so that network anomaly monitoring is completed at the earliest moment, the incident is effectively prevented from spreading, and a major network security event on the dispatch data network is avoided.
Detailed description of the invention
In order to explain the technical solution of the present application more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, those of ordinary skill in the art can also obtain other drawings from these drawings without any creative labor.
Fig. 1 is a structural schematic diagram of a dispatch data network behavior monitoring system provided by the embodiments of the present application;
Fig. 2 is a flow diagram of a dispatch data network behavior monitoring method provided by the embodiments of the present application;
Fig. 3 is a flow diagram of a machine learning training algorithm provided by the embodiments of the present application.
Specific embodiment
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments in the present application without creative work shall fall within the protection scope of the present application.
Referring to Fig. 1, which is a structural schematic diagram of a dispatch data network behavior monitoring system provided by the embodiments of the present application, the dispatch data network behavior monitoring system includes: a log collection tool management module, a temporary log library module, a comprehensive analysis module, an abnormal log library, a compliant log library, a results management module and a storage management module.
Specifically, the user configures the log collection tool in advance, and the dispatch data network logs are collected through the log collection tool. The dispatch data network logs collected in the embodiments of the present application include the distributed logs of the dispatch data network's network equipment and security equipment and the centralized logs of the dispatch data network security auditing system, which are collected through different channels. The logs of the network equipment and security equipment are distributed logs, obtained by collection per category; specifically, they can be sent to the log collection tool management module via syslog (system log). The logs of the dispatch data network security auditing system are centralized logs: the log query API (Application Programming Interface) of the security auditing system is called periodically, and the queried logs are written into the log collection tool management module.
The log collection tool management module reports the collected dispatch data network logs to the temporary log library module, which normalizes the collected logs according to a unified database format to obtain normal-form logs. Normalization includes arranging the contents of each dispatch data network log into the event occurrence time, source IP, source port, destination IP, destination port, network protocol, event description and operation behavior state. The message structure of a normal-form log includes: log name (Log_Name), type of the device that generated the log (Log_Asset_Type), address of the device that generated the log (Log_Asset_IP), log generation time (Log_Time), source device in the log (Log_Source_Asset), source address in the log (Log_Source_IP), source port in the log (Log_Source_Port), destination device in the log (Log_Destination_Asset), destination address in the log (Log_Destination_IP), destination port in the log (Log_Destination_Port), network connection type in the log (Log_Network_Protocol), log event description (Log_Event) and behavior state (permit/block/success/failure, Log_Status).
The temporary log library module sends the normal-form logs to the comprehensive analysis module. The comprehensive analysis module uses a classification algorithm to pattern-match the current normal-form log to be analyzed against the historical compliant log samples in the compliant log library and the historical abnormal log samples in the abnormal log library, and judges whether the network behavior described by the current normal-form log meets the network security rule requirements; pattern matching may include aggregation, analysis, comparison and detection. If the log meets the network security rule requirements it is determined to be a compliant log; if it does not, it is determined to be an abnormal log. Matching the current normal-form log against both the historical compliant log samples and the historical abnormal log samples gives a highly accurate matching result. Of course, in a practical embodiment the current normal-form log can also be matched only against the historical compliant log samples in the compliant log library, which improves matching efficiency.
The temporary log library module sends the determination result, i.e. whether the current dispatch data network log is a compliant log or an abnormal log, to the results management module. The results management module classifies and processes the dispatch data network log analysis results, including abnormal log alarming, abnormal log archiving and compliant log archiving.
Specifically, if the current dispatch data network log is a compliant log, the results management module sends the compliant log to the storage management module for archive storage; the storage management module also performs machine learning training on the compliant log to obtain a real-time compliant log sample, which is sent to the compliant log library for use in the next comprehensive analysis, so that the compliant log library is improved automatically on the basis of the machine learning algorithm. If the current dispatch data network log is an abnormal log, the results management module sends the abnormal log to a log alarm module (not shown), which handles the monitoring alarm for the abnormal log and sends it to the user, so that whether network communication behavior in the dispatch data network is abnormal is reflected in a timely manner. The results management module also archives the abnormal log, and specifically performs machine learning training on the abnormal log to obtain a real-time abnormal log sample, which is sent to the abnormal log library for use in the next comprehensive analysis, so that the comprehensive analysis module continuously improves its abnormal log recognition rate using the machine learning algorithm.
The compliant log library stores the historical compliant log samples and the real-time compliant log samples, and provides a maintenance interface so that the user can manually maintain and update the compliant log library.
The abnormal log library stores the historical abnormal log samples and the real-time abnormal log samples.
The message structure of the compliant log library and the abnormal log library includes: the device type corresponding to the log (Asset_Type), detection sample type (compliant log/abnormal log, Sample_Type), sample log details (Sample_Log_Detail), sample log creation/update time (Sample_Log_Update_Time) and sample library status (creation/update, Sample_Log_Update_Status).
To further describe the working method of the dispatch data network behavior monitoring system provided by the embodiments of the present application, the embodiments also provide a dispatch data network behavior monitoring method. Referring to Fig. 2, a flow diagram of a dispatch data network behavior monitoring method provided by the embodiments of the present application, the method specifically includes the following steps:
Step S110: collect dispatch data network logs; the dispatch data network logs include the distributed logs of the dispatch data network's network equipment and security equipment and the centralized logs of the dispatch data network security auditing system.
Specifically, the dispatch data network logs are collected through the log collection tool, and the collected dispatch data network logs are reported to the temporary log library module.
Step S120: normalize the dispatch data network logs to obtain normal-form logs.
Specifically, the temporary log library module normalizes the dispatch data network logs to obtain normal-form logs, and sends the normal-form logs to the comprehensive analysis module for processing.
Step S130: pattern-match the normal-form logs against the compliant log library and the abnormal log library to form compliant logs or abnormal logs.
Specifically, the hidden-Markov-model-based machine learning algorithm is first applied in advance: a normal sample profile of compliant logs is established using a hidden Markov model, and the historical compliant log samples and historical abnormal log samples of the dispatch data network are input into the normal sample profile for machine learning. The message structure of the historical compliant log samples and historical abnormal log samples includes: log status (compliant/abnormal, Log_Status), log occurrence frequency (Log_Rate), log anomaly type (Unusual_Type), log anomaly device (Unusual_Asset), log anomaly device address (Unusual_IP), log anomaly device port (Unusual_Port), abnormal log status (present/absent, Unusual_Log_Status), abnormal log discovery time (Unusual_Log_Status) and the raw information used to generate this record (RAW_MSG); in this embodiment, the raw information used to generate the record is the raw log information.
Repeated training with the machine learning algorithm and extraction of characteristic values establish the compliant log library and the abnormal log library.
In this step, the comprehensive analysis module analyzes, compares and detects the normal-form log against the historical abnormal log samples in the abnormal log library and the historical compliant log samples in the compliant log library, forming a log analysis result whose message structure includes: detection time (Detect_Time), device type associated with the detected log (Detect_Type_Asset), detection result (Detect_Result), detection sample source (compliant log library/abnormal log library, Sample_Soucre), detection sample type (compliant log/abnormal log, Sample_Type), result status (Result_Status) and the raw information used to generate this record (RAW_MSG).
Further, the compliance of the log is judged with an approximate forward-backward algorithm according to a Bayesian criterion, determining whether the current normal-form log to be analyzed is an abnormal log or a compliant log.
Step S140: perform machine learning training on the compliant log or abnormal log with the hidden-Markov-model-based machine learning algorithm to obtain a real-time compliant log sample or a real-time abnormal log sample.
Specifically, the comprehensive analysis module sends the compliant log or abnormal log to the results management module, and the results management module performs machine learning training on the compliant log or abnormal log.
The machine learning training includes the following steps: establishing a hidden Markov model; inputting the normal-form log into the hidden Markov model; performing data processing on the hidden Markov model to form a real-time compliant log sample or a real-time abnormal log sample, the data processing including sliding window processing.
After machine learning training on a compliant log, a real-time compliant log sample is obtained; after machine learning training on an abnormal log, a real-time abnormal log sample is obtained.
Step S150: store the real-time compliant log sample or real-time abnormal log sample by category.
Specifically, the results management module stores the real-time compliant log sample into the compliant log library, where the real-time compliant log sample is then converted into a historical compliant log sample, and stores the real-time abnormal log sample into the abnormal log library, where the real-time abnormal log sample is then converted into a historical abnormal log sample.
The results management module also raises an alarm for abnormal log information.
Further, the results management module can also send the compliant log to the storage management module, which performs machine learning training on the compliant log.
The machine learning training algorithm used in the embodiments of the present application is shown in Fig. 3, a flow diagram of a machine learning training algorithm provided by the embodiments of the present application. As shown in Fig. 3, the machine learning training algorithm includes three main modules: abnormal log machine learning training, online log detection and compliant log machine learning training.
Specifically, in the abnormal log machine learning training module, the initial abnormal log data, i.e. the historical abnormal log samples, are normalized and then enter the abnormal log training process for machine learning training. Abnormal log machine learning training includes: establishing a hidden Markov model; inputting the normal-form logs into the hidden Markov model; performing data processing such as sliding windows on the hidden Markov model to obtain real-time abnormal log samples, which are stored in the abnormal log library.
In the compliant log machine learning training module, the initial compliant log data, i.e. the historical compliant log samples, are normalized and then enter the abnormal log training process for machine learning training. Compliant log machine learning training includes: establishing a hidden Markov model; inputting the normal-form logs into the hidden Markov model; performing data processing such as sliding windows on the hidden Markov model to obtain real-time compliant log samples, which are stored in the compliant log library.
In the online log detection module, the real-time logs, i.e. the dispatch data network logs currently obtained, are sent into the log processing process. A hidden Markov model of the real-time logs is established from the hidden Markov models provided by the abnormal log machine learning training module and the compliant log machine learning training module; sliding window processing is then performed to obtain short state-transition sequences, which are pattern-matched against the abnormal log library and the compliant log library to determine whether the real-time log is a compliant log or an abnormal log, and the log is archived. Abnormal logs are sent into the abnormal log training process for abnormal log learning, to improve the recognition accuracy for the next real-time logs; compliant logs are sent into the compliant log training process for compliant log learning, likewise to improve the recognition accuracy for the next real-time logs. For abnormal logs, an abnormal log alarm is also raised.
As can be seen from the above embodiments, the dispatch data network behavior monitoring system and method provided by the embodiments of the present application detect the logs of the dispatch data network; by collecting logs through multiple channels, the validity and consistency of the log sources are guaranteed; through continuous machine learning, the abnormal log library and the compliant log library are improved automatically, so that abnormal conditions in dispatch data network logs can be discovered accurately; by analyzing the results of the system deployment, the abnormal behavior present in the dispatch data network is obtained, its log details are pinned down and an alarm is issued promptly, so that network anomaly monitoring is completed at the earliest moment, the incident is effectively prevented from spreading, and a major network security event on the dispatch data network is avoided.
Since the above embodiments are described with reference to one another, different embodiments share identical parts; identical or similar parts between the embodiments in this specification may refer to each other and are not described in detail again here.
It should be noted that in this specification the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a circuit structure, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements intrinsic to that circuit structure, article or device. In the absence of more restrictions, an element limited by the sentence "including a ..." does not exclude the presence of other identical elements in the circuit structure, article or device that includes the element.
Those skilled in the art will readily think of other embodiments of the present application after considering the specification and practicing the disclosure invented herein. The present application is intended to cover any variations, uses or adaptations of the invention that follow the general principles of the present application and include common knowledge or conventional technical means in the art not disclosed by the present application. The description and examples are to be considered illustrative only; the true scope and spirit of the present application are indicated by the claims.
The embodiments of the present application described above do not limit the protection scope of the present application.
Claims (10)
1. A dispatch data network behavior monitoring system, characterized in that it includes a log collection tool management module, a temporary log library module, a comprehensive analysis module, an abnormal log library, a compliant log library and a results management module, wherein:
the log collection tool management module is used to collect dispatch data network logs and send them to the temporary log library module; the dispatch data network logs include the distributed logs of the dispatch data network's network equipment and security equipment and the centralized logs of the dispatch data network security auditing system;
the temporary log library module is used to normalize the dispatch data network logs to obtain normal-form logs, and to send the normal-form logs to the comprehensive analysis module;
the comprehensive analysis module is used to pattern-match the normal-form logs against the historical compliant log samples in the compliant log library and the historical abnormal log samples in the abnormal log library, to form compliant logs or abnormal logs, and to send the compliant logs or abnormal logs to the results management module;
the results management module is used to perform machine learning training on the compliant logs to obtain real-time compliant log samples, which it sends to the compliant log library, or to perform machine learning on the abnormal logs to obtain real-time abnormal log samples, which it sends to the abnormal log library;
the compliant log library is used to store the historical compliant log samples and the real-time compliant log samples;
the abnormal log library is used to store the historical abnormal log samples and the real-time abnormal log samples.
2. The dispatch data network behavior monitoring system as claimed in claim 1, characterized in that it further includes a storage management module, which is used to store the real-time compliant log samples sent from the results management module.
3. A dispatch data network behavior monitoring method, characterized in that it includes:
collecting dispatch data network logs, the dispatch data network logs including the distributed logs of the dispatch data network's network equipment and security equipment and the centralized logs of the dispatch data network security auditing system;
normalizing the dispatch data network logs to obtain normal-form logs;
pattern-matching the normal-form logs against the compliant log library and the abnormal log library to form compliant logs or abnormal logs;
performing machine learning training on the compliant logs or abnormal logs with a machine learning algorithm based on a hidden Markov model to obtain real-time compliant log samples or real-time abnormal log samples;
storing the real-time compliant log samples or real-time abnormal log samples by category.
4. dispatch data net behavior monitoring method as claimed in claim 3, which is characterized in that described by the normal form log
Rule log sample is closed with history and history abnormal log sample carries out pattern match, before further include: by being based on hidden Ma Erke
The machine learning algorithm of husband's model is established the normal sample profile for closing rule log using hidden Markov model, will dispatch data
The history of net closes rule log sample and history abnormal log sample is input to the normal sample profile and carries out machine learning, builds
It is vertical to close rule log library and abnormal log library.
5. dispatch data net behavior monitoring method as claimed in claim 3, which is characterized in that described to be based on hidden Markov mould
The machine learning algorithm of type, pairing rule log or abnormal log carry out machine learning, obtain closing rule log sample or real-time in real time
Abnormal log sample, comprising:
Establish hidden Markov model;
The normal form log is input to the hidden Markov model;
Data processing is carried out to the hidden Markov model, is formed and closes rule log sample or real-time abnormal log sample in real time,
The data processing includes slide window processing.
6. dispatch data net behavior monitoring method as claimed in claim 3, which is characterized in that the information of the normal form log
Structure includes: Log Names, the device type for generating the log, the device address of log generation, the time of log generation, log
In source device, the source address in log, the source port in log, the purpose equipment in log, the destination address in log, day
The network connection type in destination port, log, log event description and behavior state in will.
7. dispatch data net behavior monitoring method as claimed in claim 3, which is characterized in that the conjunction rule log library and exception
The message structure in log library includes: the corresponding device type of log, detection sample type, sample log details, sample day
Will creation or renewal time, sample stl status.
8. dispatch data net behavior monitoring method as claimed in claim 3, which is characterized in that the conjunction rule log or abnormal day
The message structure of will includes: detection time, the associated device type of detection log, testing result, detection samples sources, detection sample
This type, result phase and log raw information.
9. dispatch data net behavior monitoring method as claimed in claim 3, which is characterized in that the conjunction rule store in log library
There is history to close rule log sample, the abnormal log inventory contains history abnormal log sample, and the history closes rule log sample
Message structure with history abnormal log sample includes: stl status, the log frequency of occurrences, log Exception Type, log exception
Equipment, log warping apparatus address, log warping apparatus port, abnormal log state, abnormal log discovery time and log are former
Beginning information.
10. dispatch data net behavior monitoring method as claimed in claim 3, which is characterized in that further include: according to real-time exception
Log sample carries out abnormal log alarm.
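The method of claims 3 to 6 and 10 above, as an added illustration that is not the patent's own code: it normalizes constructed syslog-like lines into the claim 6 field structure, pattern-matches each record against a compliant and an abnormal sample library, scores sliding windows of the event sequence with a hidden Markov model by the forward algorithm, and raises an alarm for every window that falls below a threshold. The line format, the field and function names, the asset inventory, the library contents, the HMM parameters (which stand in for the trained normal sample profile of claim 4; Baum-Welch training is not shown) and the threshold of -1.8 nats per symbol are all assumptions made for this example.

```python
"""Added illustration, not the patent's own code: a minimal pipeline in the shape of
claims 3 to 6 and 10. Line format, field names, libraries, HMM parameters and the
alarm threshold are constructed assumptions."""
import math
import re
from collections import namedtuple

# Claim 6 schema; the attribute names are this example's choice.
NormLog = namedtuple("NormLog", "log_name device_type device_address time "
                     "src_device src_address src_port dst_device dst_address "
                     "dst_port conn_type event state")
# Assumed raw line format of the network and security devices.
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<device_type>\w+) (?P<device_address>\S+) "
                     r"(?P<conn_type>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"event=(?P<event>\w+) state=(?P<state>\w+)$")
# Constructed sample: a login and three allowed connections, then a burst of failed
# logins and a denied connection from another host.
SAMPLE_LOGS = [
    "2018-10-31T08:00:01 firewall 192.0.2.1 tcp src=10.1.1.5:40001 dst=10.1.2.7:22 event=login state=ok",
    "2018-10-31T08:00:05 firewall 192.0.2.1 tcp src=10.1.1.5:40002 dst=10.1.2.7:102 event=conn state=allow",
    "2018-10-31T08:00:09 firewall 192.0.2.1 tcp src=10.1.1.5:40003 dst=10.1.2.7:102 event=conn state=allow",
    "2018-10-31T08:00:13 firewall 192.0.2.1 tcp src=10.1.1.5:40004 dst=10.1.2.7:102 event=conn state=allow",
    "2018-10-31T08:00:14 firewall 192.0.2.1 tcp src=10.1.1.9:50001 dst=10.1.2.7:22 event=login state=fail",
    "2018-10-31T08:00:15 firewall 192.0.2.1 tcp src=10.1.1.9:50002 dst=10.1.2.7:22 event=login state=fail",
    "2018-10-31T08:00:16 firewall 192.0.2.1 tcp src=10.1.1.9:50003 dst=10.1.2.7:22 event=login state=fail",
    "2018-10-31T08:00:17 firewall 192.0.2.1 tcp src=10.1.1.9:50004 dst=10.1.2.7:22 event=login state=fail",
    "2018-10-31T08:00:18 firewall 192.0.2.1 tcp src=10.1.1.9:50005 dst=10.1.2.7:2404 event=conn state=deny",
]
DEVICE_NAMES = {"10.1.1.5": "ops-ws-01", "10.1.2.7": "scada-fe-01"}  # assumed asset inventory
# Sample libraries reduced to their match key (claims 7 and 9 list the full record).
COMPLIANT_LIB = {("firewall", "tcp", 22, "login", "ok"), ("firewall", "tcp", 102, "conn", "allow")}
ABNORMAL_LIB = {("firewall", "tcp", 2404, "conn", "deny")}


def normalize(line, log_name="syslog"):
    """Claim 3, second step: map one raw line onto the claim 6 schema; None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src_addr, src_port = m["src"].rsplit(":", 1)
    dst_addr, dst_port = m["dst"].rsplit(":", 1)
    return NormLog(log_name, m["device_type"], m["device_address"], m["time"],
                   DEVICE_NAMES.get(src_addr, "unknown"), src_addr, int(src_port),
                   DEVICE_NAMES.get(dst_addr, "unknown"), dst_addr, int(dst_port),
                   m["conn_type"], m["event"], m["state"])


def match_libraries(n, compliant_lib, abnormal_lib):
    """Claim 3, third step. The abnormal library is consulted first so that a
    known-bad pattern is never whitelisted by an overlapping compliant sample."""
    key = (n.device_type, n.conn_type, n.dst_port, n.event, n.state)
    return "abnormal" if key in abnormal_lib else "compliant" if key in compliant_lib else "unknown"


def _lg(p):
    return math.log(p) if p > 0 else float("-inf")  # unseen symbol or zero transition


def _logsumexp(xs):
    m = max(xs)
    return m if m == float("-inf") else m + math.log(sum(math.exp(x - m) for x in xs))


class DiscreteHMM:
    """Forward algorithm in log space for a discrete-observation HMM. Parameters are
    given, not learned; Baum-Welch training of the claim 4 profile is not shown."""
    def __init__(self, start, trans, emit):
        self.start, self.trans, self.emit, self.states = start, trans, emit, list(start)

    def log_likelihood(self, obs):
        alpha = {s: _lg(self.start[s]) + _lg(self.emit[s].get(obs[0], 0.0)) for s in self.states}
        for o in obs[1:]:
            alpha = {s: _logsumexp([alpha[p] + _lg(self.trans[p][s]) for p in self.states])
                     + _lg(self.emit[s].get(o, 0.0)) for s in self.states}
        return _logsumexp(list(alpha.values()))


# Assumed profile of normal dispatch traffic: a 'setup' state dominated by successful
# logins and a 'steady' state dominated by allowed connections.
PROFILE = DiscreteHMM(
    start={"setup": 0.6, "steady": 0.4},
    trans={"setup": {"setup": 0.5, "steady": 0.5}, "steady": {"setup": 0.1, "steady": 0.9}},
    emit={"setup": {"login_ok": 0.6, "login_fail": 0.1, "conn_allow": 0.25, "conn_deny": 0.05},
          "steady": {"login_ok": 0.1, "login_fail": 0.05, "conn_allow": 0.8, "conn_deny": 0.05}})


def score_windows(hmm, symbols, size, threshold):
    """Claim 5: sliding-window scoring. A window whose per-symbol log-likelihood under
    the profile is below the (assumed) threshold is a real-time abnormal sample."""
    out = []
    for i in range(max(len(symbols) - size, 0) + 1) if symbols else ():
        w = symbols[i:i + size]
        ll = hmm.log_likelihood(w) / len(w)
        out.append((i, ll, "abnormal" if ll < threshold else "compliant"))
    return out


def analyze(lines, window=4, threshold=-1.8):
    """Claims 3 to 5 and 10 end to end: normalize, match, score, then alarm."""
    norm = [n for n in map(normalize, lines) if n is not None]
    matched = [(n, match_libraries(n, COMPLIANT_LIB, ABNORMAL_LIB)) for n in norm]
    windows = score_windows(PROFILE, [f"{n.event}_{n.state}" for n in norm], window, threshold)
    alarms = [{"start": norm[i].time, "end": norm[i:i + window][-1].time, "loglik": round(ll, 2),
               "sources": sorted({x.src_address for x in norm[i:i + window]})}
              for i, ll, label in windows if label == "abnormal"]
    return {"matched": matched, "windows": windows, "alarms": alarms}
```

Running analyze(SAMPLE_LOGS) labels the first three windows compliant and the three dominated by failed logins abnormal, so every alarm names 10.1.1.9 among its sources. A symbol the profile has never seen scores minus infinity and is therefore always flagged rather than silently passed, which is the safe default for a monitor whose sample libraries are still being built.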
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811284447.0A CN109359098B (en) | 2018-10-31 | 2018-10-31 | System and method for monitoring scheduling data network behaviors |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109359098A true CN109359098A (en) | 2019-02-19 |
CN109359098B CN109359098B (en) | 2023-04-11 |
Family
ID=65347502
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811284447.0A Active CN109359098B (en) | 2018-10-31 | 2018-10-31 | System and method for monitoring scheduling data network behaviors |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109359098B (en) |
Application events: 2018-10-31, CN201811284447.0A, patent CN109359098B (en), status Active
Patent Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080086554A1 (en) * | 2006-10-06 | 2008-04-10 | Royalty Charles D | Methods and systems for network failure reporting |
CN103166794A (en) * | 2013-02-22 | 2013-06-19 | 中国人民解放军91655部队 | Information security management method with integration security control function |
CN103338128A (en) * | 2013-02-25 | 2013-10-02 | 中国人民解放军91655部队 | Information security management system with integrated security management and control function |
CN103473626A (en) * | 2013-08-20 | 2013-12-25 | 国家电网公司 | Security protection method based on integrated dispatching data network operation and maintenance system |
CN104636494A (en) * | 2015-03-04 | 2015-05-20 | 浪潮电子信息产业股份有限公司 | Spark-based log auditing and reversed checking system for big data platforms |
CN104980317A (en) * | 2015-06-18 | 2015-10-14 | 南京南瑞集团公司 | Automatic test system and test method for dispatching data network equipment |
CN106815125A (en) * | 2015-12-02 | 2017-06-09 | 阿里巴巴集团控股有限公司 | A kind of log audit method and platform |
CN105678413A (en) * | 2015-12-30 | 2016-06-15 | 广东电网有限责任公司电力调度控制中心 | Power network and power plant cooperative scheduling operation business integrated management system |
CN105959131A (en) * | 2016-04-15 | 2016-09-21 | 贵州电网有限责任公司信息中心 | Electric power information network security measuring method based on security log data mining |
CN106209826A (en) * | 2016-07-08 | 2016-12-07 | 瑞达信息安全产业股份有限公司 | A kind of safety case investigation method of Network Security Device monitoring |
CN106790008A (en) * | 2016-12-13 | 2017-05-31 | 浙江中都信息技术有限公司 | Machine learning system for detecting abnormal host in enterprise network |
CN106778259A (en) * | 2016-12-28 | 2017-05-31 | 北京明朝万达科技股份有限公司 | A kind of abnormal behaviour based on big data machine learning finds method and system |
CN107769958A (en) * | 2017-09-01 | 2018-03-06 | 杭州安恒信息技术有限公司 | Server network security event automated analysis method and system based on daily record |
CN107835087A (en) * | 2017-09-14 | 2018-03-23 | 北京科东电力控制系统有限责任公司 | A kind of safety means alarm regulation extraction method based on Frequent Pattern Mining |
CN107612779A (en) * | 2017-10-10 | 2018-01-19 | 云南电网有限责任公司 | The dispatch data net secondary safety protection network equipment and service operation monitoring system |
CN108063753A (en) * | 2017-11-10 | 2018-05-22 | 全球能源互联网研究院有限公司 | A kind of information safety monitoring method and system |
CN108366090A (en) * | 2018-01-09 | 2018-08-03 | 国网安徽省电力公司阜阳供电公司 | A kind of system that dispatch data net remotely accesses reinforcing and Centralized Monitoring |
Non-Patent Citations (2)
Title |
---|
任晓辉 (Ren Xiaohui): "Research and application of online monitoring and intelligent diagnosis of the operating state of power grid dispatch and control automation systems" (电网调控自动化系统运行状态在线监视与智能诊断研究及应用) * |
金学成等 (Jin Xuecheng et al.): "Design and implementation of an intranet security monitoring platform for power secondary systems" (电力二次系统内网安全监视平台的设计和实现) * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110069401A (en) * | 2019-03-18 | 2019-07-30 | 平安科技(深圳)有限公司 | System testing exception localization method and system based on data modeling |
CN110069401B (en) * | 2019-03-18 | 2023-09-12 | 平安科技(深圳)有限公司 | System test abnormality positioning method and system based on data modeling |
CN110134615A (en) * | 2019-04-10 | 2019-08-16 | 百度在线网络技术(北京)有限公司 | The method and device of application program acquisition daily record data |
CN110224850A (en) * | 2019-04-19 | 2019-09-10 | 北京亿阳信通科技有限公司 | Telecommunication network fault early warning method, device and terminal device |
CN110096486A (en) * | 2019-05-07 | 2019-08-06 | 苏州浪潮智能科技有限公司 | A kind of log monitoring method, device, equipment and computer readable storage medium |
CN110753038A (en) * | 2019-09-29 | 2020-02-04 | 武汉大学 | Self-adaptive authority control system and method for anomaly detection |
CN111314302A (en) * | 2020-01-17 | 2020-06-19 | 山东超越数控电子股份有限公司 | Network log auditing method, equipment and medium |
CN111708678A (en) * | 2020-08-18 | 2020-09-25 | 北京志翔科技股份有限公司 | Abnormity monitoring method and device |
CN112416732A (en) * | 2021-01-20 | 2021-02-26 | 国能信控互联技术有限公司 | Hidden Markov model-based data acquisition operation anomaly detection method |
CN112416732B (en) * | 2021-01-20 | 2021-06-01 | 国能信控互联技术有限公司 | Hidden Markov model-based data acquisition operation anomaly detection method |
CN112883004A (en) * | 2021-02-24 | 2021-06-01 | 上海浦东发展银行股份有限公司 | Log knowledge base and health degree acquisition method and system based on log aggregation |
Also Published As
Publication number | Publication date |
---|---|
CN109359098B (en) | 2023-04-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109359098A (en) | A kind of dispatch data net behavior monitoring system and method | |
CN110210512B (en) | Automatic log anomaly detection method and system | |
CN106778259B (en) | Abnormal behavior discovery method and system based on big data machine learning | |
Oliveira et al. | Mobile device detection through WiFi probe request analysis | |
CN110247792A (en) | One kind being based on the associated fault handling method of network alarm and device | |
CN106686264B (en) | Fraud telephone screening and analyzing method and system | |
CN105320854B (en) | By signing, balance prevents automation component from being distorted by program | |
CN106452955B (en) | A kind of detection method and system of abnormal network connection | |
US20140223555A1 (en) | Method and system for improving security threats detection in communication networks | |
CN106888106A (en) | The extensive detecting system of IT assets in intelligent grid | |
CN109687993A (en) | A kind of Internet of Things alarm and control system and method based on block chain | |
CN109639631A (en) | A kind of network security cruising inspection system and method for inspecting | |
CN104092577B (en) | A kind of network alarm notice system and its notification method | |
CN115150589A (en) | Video monitoring operation and maintenance management system for coal mine enterprise | |
CN109840183B (en) | Data center grading early warning method and device and storage medium | |
CN110443627A (en) | Sample commission detection logistics and information management system and method based on block chain | |
CN107103410A (en) | A kind of supervisory systems and method of construction engineering quality detection | |
CN109522166A (en) | A kind of automatic assessment method and system of equal guarantors' assessment | |
CN112687022A (en) | Intelligent building inspection method and system based on video | |
CN109756395A (en) | A kind of business datum monitoring method and system | |
CN113327037A (en) | Model-based risk identification method and device, computer equipment and storage medium | |
CN112348306A (en) | TitanOS artificial intelligence development method and device for power distribution operation inspection | |
CN110045699A (en) | Data center's power manages system and method | |
CN107426536A (en) | A kind of intelligent residential district manages communication system | |
CN114598480B (en) | Method and system for processing machine data of network security operation platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |