CN110535707A - Hybrid network monitoring system based on active network technology


Info

Publication number: CN110535707A
Authority: CN (China)
Prior art keywords: active, engine, message, node, network
Legal status: Pending
Application number: CN201910823276.2A
Other languages: Chinese (zh)
Inventors: 温伟球, 刘晓光, 汪志武
Current Assignee: Beijing Wisdom Cloud Technology Co Ltd
Original Assignee: Beijing Wisdom Cloud Technology Co Ltd
Priority date: 2019-09-02
Filing date: 2019-09-02
Publication date: 2019-12-03

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        • H04L41/04 Network management architectures or arrangements
            • H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
        • H04L41/08 Configuration management of networks or network elements
            • H04L41/0803 Configuration setting
                • H04L41/0813 Configuration setting characterised by the conditions triggering a change of settings
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
            • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L67/025 Protocols based on web technology for remote control or remote monitoring of applications
    • H04L2212/00 Encapsulation of packets


Abstract

The invention discloses a hybrid network monitoring system based on active network technology. The system comprises active node hosts, proxy hosts and mirror hosts. An active node host is either a node host that participates in monitoring in an active network or a node host in a traditional network that has active node capability. The active applications of an active node host consist of five active applications: an extension engine, an acquisition engine, an interception engine, a retrospect (trace-back) engine and a management engine. By making use of the computing capability of intermediate nodes in an active network, the invention proposes a hybrid network monitoring system based on active networks which, while remaining compatible with conventional monitoring systems, overcomes the defects of traditional network monitoring systems and at the same time extends their functions; its cost is relatively low and it is easy to deploy and use.

Description

Hybrid network monitoring system based on active network technology
Technical field
The present invention relates to the field of Internet technology, and in particular to a hybrid network monitoring system based on active network technology.
Background technique
Traditional network monitoring systems generally use the Manager/Agent model, in which the Manager is the central management device and the Agent is the monitoring agent device. A typical architecture is shown in Figure 1. In this architecture there are usually several Agents, distributed over different monitoring points, and usually a single Manager located at a centralized administrative center. An Agent is responsible for collecting data packets at its monitoring point and, as a rule, forwarding specific data packets to the Manager. The Manager uses a layered structure comprising an information collection layer, an information extraction layer and an information mining layer. The information collection layer collects the data packets sent by each Agent, performs the necessary formatting of the information and forwards it to the information extraction layer. The information extraction layer correlates the information from the collection layer, extracts the relevant information from it and submits it to the information mining layer. The information mining layer applies certain methods (such as data mining or artificial intelligence) to the information from the extraction layer, thereby obtaining useful information and taking appropriate measures.
Traditional network monitoring systems have several defects, including:
1. Useful information must be extracted from a large volume of data packets: in a traditional network monitoring system built on the Manager/Agent model, the main information-processing functions are all concentrated at the Manager end. For performance reasons, the functions of the Agent end are often fairly simple and generally limited to collecting data packets. As a result the Manager end receives a large amount of information that may be useless, which hampers the extraction of the useful information.
2. Only limited active measures can be taken when suspicious behavior is discovered: when a traditional network monitoring system discovers suspicious or even intrusive behavior, it can often only take passive measures or limited active measures. Passive measures include notifying the system administrator and issuing warning information. Limited active measures include stopping certain services on the target and setting firewall rules to filter the data packets of certain subjects. Neither kind of measure amounts to a comprehensive active response against the suspicious subject.
3. The subject of network behavior cannot be located well: Internet applications are ever wider, network attacks are ever more numerous and attack techniques are ever more sophisticated. Many attackers forge the IP source address in order to evade tracking of the attack. Consequently a traditional network monitoring system, relying purely on the collected data packets, cannot locate the subject of the network behavior, i.e. the party launching the attack, well.
4. Data packets of unknown protocols cannot be handled well by extension: with the continuous development of networks there are more and more transport-layer protocols, and with the deepening of network applications there are more and more application-layer protocols. If a monitoring system cannot understand these unknown protocols well, it cannot handle the corresponding protocol packets well. A traditional network monitoring system can only adapt to the data packets of a new protocol by continually upgrading the Agent.
Summary of the invention
In view of the substantive defects and deficiencies set out in the background above, the present invention provides a hybrid network monitoring system based on active network technology. An active node not only has the ability to forward data packets but also the ability to compute on data packets, which solves the problems identified in the background.
A hybrid network monitoring system based on active network technology is provided with active node hosts, proxy hosts and mirror hosts. Among these three classes of host, the active node hosts and proxy hosts belong to the Agent (monitoring agent devices) and the mirror hosts belong to the Manager (central management device). An active node host is either a node host that participates in monitoring in an active network or a node host in a traditional network that has active node capability. The active applications of an active node host consist of five active applications: an extension engine, an acquisition engine, an interception engine, a retrospect engine and a management engine, in which:
Extension engine: the extension engine is an extension of the execution environment in the active node. It provides the most basic functions for the other, upper-layer engines, including function calls into the execution environment, passing packets upward and selecting the corresponding engine to handle them, and support for handling data packets of unknown protocols through active code updates;
Acquisition engine: the acquisition engine is responsible for collecting the packets that match rules and keeping statistics on the necessary objects. According to need it collects the packet headers or packet contents of a subject or object, keeps statistics on packet information and characterizes the network behavior of the subject or object. The acquisition engine is also responsible for forwarding packet contents to the Manager (central management device);
Interception engine: the interception engine is responsible for intercepting some or even all of the packets that a suspected or confirmed intruding subject sends to an object. These packets can be discarded, modified, or forwarded to an appropriate place for further handling, making it possible to take active measures against a suspicious or intruding subject;
Retrospect engine: the retrospect engine traces back specific packets or specific subjects; in particular, for attack packets with a false source address it traces the place of origin, and for an attacking subject using a false address it traces the physical location;
Management engine: the management engine is responsible for managing all engines and for communication with the Manager (central management device) and with other active nodes. Management of engines includes assembling active code messages into the corresponding engine code and updating engine code when appropriate. Communication includes generating the necessary active packets to the Manager or other nodes, and receiving and processing packets from the Manager or other nodes.
In the above technical solution, when an active node or the Manager (central management device) generates an active packet, the packet is first encapsulated into a Monitor (monitoring) message, the Monitor message is then encapsulated into an ANEP (Active Network Encapsulation Protocol) message, and the ANEP message is finally encapsulated into an IP packet.
In the above technical solution, the active packet is specifically as follows: active network technology is applied to network management, which makes the managed node programmable, so that the administrative center can send programs to the managed node.
The hybrid network monitoring system based on active network technology provided by the invention, through careful design, makes use of the computing capability of intermediate nodes in an active network and proposes a hybrid network monitoring system based on active networks. While remaining compatible with conventional monitoring systems, it overcomes the defects of traditional network monitoring systems and at the same time extends their functions; its cost is relatively low and it is easy to deploy and use.
Detailed description of the invention
Fig. 1 is a schematic diagram of the prior-art structure against which the hybrid network monitoring system based on active network technology provided by the invention is described.
Fig. 2 is a schematic structural diagram of the hybrid network monitoring system based on active network technology provided by the invention.
Fig. 3 is a schematic structural diagram of an active node of the hybrid network monitoring system based on active network technology provided by the invention.
Fig. 4 is a schematic structural diagram of the application of active packets to network management in the hybrid network monitoring system based on active network technology provided by the invention.
Fig. 5 is a schematic structural diagram of the Manager (central management device) of the hybrid network monitoring system based on active network technology provided by the invention.
Specific embodiment
The specific embodiments of the present invention are described in detail below with reference to the accompanying drawings; it is to be understood that the scope of protection of the present invention is not limited by the specific embodiments.
An active network is a programmable packet-switched network. A traditional network uses the one-dimensional "store and forward" network model, whereas an active network uses the two-dimensional "store, compute and forward" network model. Therefore, in an active network, a network node not only has the ability to route packets but can also compute on the contents of packets, so that a packet can be modified, stored or redirected while in transit. An active network allows users to insert customized programs into network nodes, thereby modifying the network configuration or extending the network's functions, which gives the network greater flexibility and scalability.
As shown in Figures 2 to 5, in the hybrid network monitoring system based on active network technology an active node may be a node that participates in monitoring in an active network, or a node in a traditional network that has active node capability; the structure of an active node participating in monitoring is shown in Figure 3.
The active applications of an active node comprise five active applications: the extension engine, the acquisition engine, the interception engine, the retrospect engine and the management engine.
1. Extension engine: the extension engine is an extension of the execution environment in the active node. It provides the most basic functions for the other, upper-layer engines, including function calls into the execution environment, passing packets upward and selecting the corresponding engine to handle them, and support for handling data packets of unknown protocols through active code updates.
2. Acquisition engine: the acquisition engine is responsible for collecting the packets that match rules and keeping statistics on the necessary objects. As needed it collects the packet headers or packet contents of a subject or object, keeps statistics on packet information and characterizes the network behavior of the subject or object. The acquisition engine is also responsible for forwarding packet contents to the Manager.
3. Interception engine: the interception engine is responsible for intercepting some or even all of the packets that a suspected or confirmed intruding subject sends to an object. These packets can be discarded, modified, or forwarded to an appropriate place for further handling, making it possible to take active measures against a suspicious or intruding subject.
4. Retrospect engine: the retrospect engine traces back specific packets or specific subjects; in particular, for attack packets with a false source address it traces the place of origin, and for an attacking subject using a false address it traces the physical location.
5. Management engine: the management engine is responsible for managing all engines and for communication with the Manager and with other active nodes. Management of engines includes assembling active code messages into the corresponding engine code and updating engine code when appropriate. Communication includes generating the necessary active packets to the Manager or other nodes, and receiving and processing packets from the Manager or other nodes.
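The acquisition and interception engines above are described only functionally. The following is an added example, not code from the patent or its applicant, of how the two engines fit together on a node: the acquisition engine matches packets against rules, keeps per-subject behavior statistics (packet and byte counts, distinct destinations and ports, hits per rule) and queues matching packet contents for the Manager; the interception engine then applies whatever measure has been ordered for a suspect subject (drop, modify, or forward elsewhere). The packet fields, the rule shape, the sample traffic and the "three hosts on port 22" threshold are all constructed for the example and are not taken from the patent.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """Minimal view of one packet as the engines see it (constructed for this example)."""
    src: str
    dst: str
    proto: str
    dport: int
    length: int
    payload: bytes = b""


@dataclass
class Rule:
    """Acquisition rule: match on header fields and, optionally, on packet content."""
    name: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    payload_contains: Optional[bytes] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.payload_contains is None or self.payload_contains in p.payload))


@dataclass
class SubjectStats:
    """Network behavior features kept per subject (source address)."""
    packets: int = 0
    octets: int = 0
    dports: Set[int] = field(default_factory=set)
    dsts: Set[str] = field(default_factory=set)
    rule_hits: Dict[str, int] = field(default_factory=lambda: defaultdict(int))


class AcquisitionEngine:
    """Counts rule-matching packets per subject and queues their contents for the Manager."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.stats: Dict[str, SubjectStats] = defaultdict(SubjectStats)
        self.to_manager: List[dict] = []  # packet contents waiting to be sent to the Manager

    def observe(self, p: Packet) -> List[str]:
        hits = [r.name for r in self.rules if r.matches(p)]
        if not hits:
            return hits  # non-matching traffic is neither counted nor forwarded
        s = self.stats[p.src]
        s.packets += 1
        s.octets += p.length
        s.dports.add(p.dport)
        s.dsts.add(p.dst)
        for name in hits:
            s.rule_hits[name] += 1
        self.to_manager.append({"src": p.src, "dst": p.dst, "rules": hits, "payload": p.payload})
        return hits


class InterceptionEngine:
    """Applies the measure ordered for a suspect subject: drop, modify, or forward its packets."""

    def __init__(self):
        self.actions: Dict[str, tuple] = {}  # src -> (action, argument)

    def set_action(self, src: str, action: str, arg=None) -> None:
        if action not in ("drop", "modify", "forward"):
            raise ValueError(f"unknown interception action {action}")
        self.actions[src] = (action, arg)

    def handle(self, p: Packet) -> Optional[Packet]:
        action = self.actions.get(p.src)
        if action is None:
            return p  # not a suspect subject: pass through unchanged
        kind, arg = action
        if kind == "drop":
            return None
        if kind == "forward":  # redirect to the host given as argument, e.g. an analysis host
            return Packet(p.src, arg, p.proto, p.dport, p.length, p.payload)
        return Packet(p.src, p.dst, p.proto, p.dport, len(arg), arg)  # modify: replace content


def demo():
    """Constructed traffic: one subject touching port 22 on three hosts, one admin-page
    request, one plain page request and one packet that matches no rule."""
    acq = AcquisitionEngine([
        Rule("ssh", proto="tcp", dport=22),
        Rule("http-admin", proto="tcp", dport=80, payload_contains=b"/admin"),
    ])
    traffic = [
        Packet("10.0.0.5", "10.0.1.1", "tcp", 22, 60),
        Packet("10.0.0.5", "10.0.1.2", "tcp", 22, 60),
        Packet("10.0.0.5", "10.0.1.3", "tcp", 22, 60),
        Packet("10.0.0.8", "10.0.1.1", "tcp", 80, 300, b"GET /admin HTTP/1.1"),
        Packet("10.0.0.8", "10.0.1.1", "tcp", 80, 250, b"GET /index.html HTTP/1.1"),
        Packet("10.0.0.9", "10.0.1.1", "udp", 53, 80),
    ]
    for p in traffic:
        acq.observe(p)
    # Manager-side decision (constructed threshold): a subject hitting the ssh rule against
    # three or more distinct hosts is treated as suspect and its packets are dropped.
    icpt = InterceptionEngine()
    for src, s in acq.stats.items():
        if s.rule_hits["ssh"] >= 3 and len(s.dsts) >= 3:
            icpt.set_action(src, "drop")
    delivered = [icpt.handle(p) for p in traffic]
    return acq, icpt, delivered
```

In this arrangement the node only counts and forwards what a rule selects, which is exactly the filtering the patent says a traditional Agent cannot do; the decision to intercept still comes from the Manager, so a rule change there is what turns a statistic into an action on the node.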
Active packet description:
Active network technology is applied to network management, which makes the managed node programmable, so that the administrative center can send programs to the managed node. On this basis, the Monitor packet used in the hybrid network monitoring system has the encapsulation structure shown in Figure 4.
When an active node or the Manager generates an active packet, the packet is first encapsulated into a Monitor message, the Monitor message is then encapsulated into an ANEP message, and the ANEP message is finally encapsulated into an IP packet. The Monitor header has three fields: type, context and sequence number. There are five types: extension active packet, acquisition active packet, interception active packet, retrospect active packet and management active packet. The context value is generated by the ANEP encapsulation process and is used to identify the node. The sequence number is used to distinguish different Monitor messages.
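The patent names the three Monitor header fields and the three-layer encapsulation but gives no field widths or numeric codes. The following is an added example, not code from the patent or its applicant, of a node-side encoder/decoder for that encapsulation together with the receiving half of a management engine: it strips the ANEP layer after checking both of its length fields, parses the Monitor header, uses the sequence number per context to drop duplicate or stale messages, and dispatches the payload to the engine named by the type. The Monitor header layout (1-byte type, 4-byte context, 4-byte sequence number), the numeric type codes and the ANEP type id are assumptions made for the example; the ANEP fixed-header field order follows the ANEP draft specification, and the outer IP layer is left to the operating system's socket, so the bytes produced here are what would be placed in the IP payload.

```python
import struct
from typing import Callable, Dict, Tuple

# The five Monitor packet types named in the patent. The numeric codes are assumed here;
# the patent does not assign them.
MONITOR_TYPES = {1: "extension", 2: "acquisition", 3: "interception",
                 4: "retrospect", 5: "management"}

# Assumed Monitor header layout: type (1 byte), context (4 bytes), sequence number
# (4 bytes), big-endian. The patent names these three fields but gives no widths.
MONITOR_HDR = struct.Struct("!BII")

# ANEP fixed header as laid out in the ANEP draft: version (1), flags (1), type id (2),
# header length in 32-bit words (2), packet length in octets (2). The type id that would
# identify this monitoring execution environment is an assumption.
ANEP_HDR = struct.Struct("!BBHHH")
ANEP_VERSION = 1
ANEP_TYPE_ID = 0x0040  # assumed, not a registered ANEP type id


def encode_monitor(mtype: int, context: int, seq: int, payload: bytes) -> bytes:
    """Monitor header + payload (the innermost layer of the patent's encapsulation)."""
    if mtype not in MONITOR_TYPES:
        raise ValueError(f"unknown Monitor type {mtype}")
    return MONITOR_HDR.pack(mtype, context, seq) + payload


def decode_monitor(data: bytes) -> Tuple[int, int, int, bytes]:
    """Parse a Monitor message; rejects short input and unknown types."""
    if len(data) < MONITOR_HDR.size:
        raise ValueError("Monitor message truncated")
    mtype, context, seq = MONITOR_HDR.unpack_from(data)
    if mtype not in MONITOR_TYPES:
        raise ValueError(f"unknown Monitor type {mtype}")
    return mtype, context, seq, data[MONITOR_HDR.size:]


def encode_anep(monitor_msg: bytes) -> bytes:
    """Wrap a Monitor message in an ANEP packet; this is what goes into the IP payload."""
    total = ANEP_HDR.size + len(monitor_msg)
    if total > 0xFFFF:
        raise ValueError("ANEP packet too long")
    return ANEP_HDR.pack(ANEP_VERSION, 0, ANEP_TYPE_ID, ANEP_HDR.size // 4, total) + monitor_msg


def decode_anep(data: bytes) -> bytes:
    """Strip the ANEP layer, checking version, type id and both length fields first."""
    if len(data) < ANEP_HDR.size:
        raise ValueError("ANEP header truncated")
    version, _flags, type_id, hdr_words, pkt_len = ANEP_HDR.unpack_from(data)
    if version != ANEP_VERSION or type_id != ANEP_TYPE_ID:
        raise ValueError("not a Monitor ANEP packet")
    hdr_len = hdr_words * 4
    if hdr_len < ANEP_HDR.size or hdr_len > pkt_len or pkt_len > len(data):
        raise ValueError("bad ANEP lengths")
    return data[hdr_len:pkt_len]  # anything beyond pkt_len is ignored, never parsed


class ManagementEngine:
    """Node-side receiver: unwraps, drops replayed or stale sequence numbers per context,
    then hands the payload to the engine selected by the Monitor type."""

    def __init__(self, handlers: Dict[int, Callable[[int, bytes], object]]):
        self.handlers = handlers
        self.last_seq: Dict[int, int] = {}  # context -> highest sequence number accepted
        self.counters = {"handled": 0, "replayed": 0, "rejected": 0}

    def receive(self, ip_payload: bytes):
        try:
            mtype, context, seq, payload = decode_monitor(decode_anep(ip_payload))
        except ValueError as exc:
            self.counters["rejected"] += 1
            return "rejected", str(exc)
        if seq <= self.last_seq.get(context, -1):
            self.counters["replayed"] += 1
            return "replayed", None
        self.last_seq[context] = seq
        handler = self.handlers.get(mtype)
        if handler is None:
            self.counters["rejected"] += 1
            return "rejected", f"no handler for {MONITOR_TYPES[mtype]}"
        self.counters["handled"] += 1
        return "handled", handler(context, payload)


def demo():
    """Constructed exchange: a Manager sends two messages to node context 7, one of them
    twice, plus one for an engine this node does not run and one truncated copy."""
    engine = ManagementEngine({
        2: lambda ctx, p: f"acquisition rule for node {ctx}: {p.decode()}",
        5: lambda ctx, p: f"management command for node {ctx}: {p.decode()}",
    })
    wire = encode_anep(encode_monitor(5, 7, 1, b"update-engine"))
    results = [engine.receive(wire), engine.receive(wire)]  # second copy is a replay
    results.append(engine.receive(encode_anep(encode_monitor(2, 7, 2, b"count tcp/80"))))
    results.append(engine.receive(encode_anep(encode_monitor(3, 7, 3, b"drop"))))
    results.append(engine.receive(wire[:10]))  # cut short on the wire
    return results


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

The sequence-number check is the part worth copying: because active code arriving in a management packet is executed on the node, a node that accepts a repeated or reordered Monitor message would re-apply an old engine update, so the receiver keeps the highest accepted sequence number per context and refuses anything at or below it. Authenticating the Manager is a separate concern the patent does not address and this example does not attempt.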
Manager description
The Manager is the center for processing and managing information. It is responsible for collecting, extracting and mining information; for formulating, updating and managing rules; and for generating, distributing and managing active code. Its structure is shown in Figure 5.
The lowest layer of the Manager consists of an active node communicator and a general node communicator, which communicate with the engines of active nodes and with the Agents of general nodes respectively. The information collection layer, information extraction layer and information mining layer process and mine the information as in a traditional network monitoring system, and at the same time generate certain rules. The rule manager manages the generation, setting and updating of rules. The active code manager translates the corresponding rules into active code and manages the generation, setting and updating of active code. The active code distributor is responsible for distributing the active code to the corresponding active nodes.
The "store, compute, forward" model of active networks solves many problems and defects of traditional networks. Based on active networks, the present invention proposes a hybrid network monitoring system which, while compatible with traditional network monitoring systems, introduces active network technology to solve some of the defects of traditional network monitoring systems.
The above discloses only several specific embodiments of the present invention; however, the embodiments of the present invention are not limited to these, and any variation that a person skilled in the art can conceive shall fall within the scope of protection of the present invention.

Claims (3)

1. A hybrid network monitoring system based on active network technology, characterized in that it is provided with active node hosts, proxy hosts and mirror hosts; among these three classes of host, the active node hosts and proxy hosts belong to the Agent (monitoring agent devices) and the mirror hosts belong to the Manager (central management device); an active node host is either a node host that participates in monitoring in an active network or a node host in a traditional network that has active node capability; the active applications of an active node host consist of five active applications, namely an extension engine, an acquisition engine, an interception engine, a retrospect engine and a management engine, in which:
Extension engine: the extension engine is an extension of the execution environment in the active node and provides the most basic functions for the other, upper-layer engines, including function calls into the execution environment, passing packets upward and selecting the corresponding engine to handle them, and support for handling data packets of unknown protocols through active code updates;
Acquisition engine: the acquisition engine is responsible for collecting the packets that match rules and keeping statistics on the necessary objects; according to need it collects the packet headers or packet contents of a subject or object, keeps statistics on packet information and characterizes the network behavior of the subject or object; the acquisition engine is also responsible for forwarding packet contents to the Manager (central management device);
Interception engine: the interception engine is responsible for intercepting some or even all of the packets that a suspected or confirmed intruding subject sends to an object; these packets can be discarded, modified, or forwarded to an appropriate place for further handling, making it possible to take active measures against a suspicious or intruding subject;
Retrospect engine: the retrospect engine traces back specific packets or specific subjects; in particular, for attack packets with a false source address it traces the place of origin, and for an attacking subject using a false address it traces the physical location;
Management engine: the management engine is responsible for managing all engines and for communication with the Manager (central management device) and with other active nodes; management of engines includes assembling active code messages into the corresponding engine code and updating engine code when appropriate; communication includes generating the necessary active packets to the Manager or other nodes, and receiving and processing packets from the Manager or other nodes.
2. The hybrid network monitoring system based on active network technology according to claim 1, characterized in that, when an active node or the Manager (central management device) generates an active packet, the packet is first encapsulated into a Monitor (monitoring) message, the Monitor message is then encapsulated into an ANEP (Active Network Encapsulation Protocol) message, and the ANEP message is finally encapsulated into an IP packet.
3. The hybrid network monitoring system based on active network technology according to claim 2, characterized in that the active packet is specifically as follows: active network technology is applied to network management, which makes the managed node programmable, so that the administrative center can send programs to the managed node.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201910823276.2A | 2019-09-02 | 2019-09-02 | Hybrid network monitoring system based on active network technology

Publications (1)

Publication Number | Publication Date
CN110535707A | 2019-12-03

Family ID: 68666168

Country Status (1)

Country | Link
CN | CN110535707A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20040098618A1 (en) * | 2002-11-14 | 2004-05-20 | Kim Hyun Joo | System and method for defending against distributed denial-of-service attack on active network
CN101170573A (en) * | 2007-11-21 | 2008-04-30 | 湖南大学 | Active radio sensor network middleware system and implementation method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘鹏 et al.: "Hybrid network monitoring system based on active network technology" (基于主动网络技术的混合网络监控系统), Computer Engineering and Design (《计算机工程与设计》) *


Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20191203