CN110535707A - A kind of hybrid network monitoring system based on active network technology - Google Patents
- Publication number: CN110535707A
- Application number: CN201910823276.2A
- Authority
- CN
- China
- Prior art keywords
- active
- engine
- message
- node
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/04—Network management architectures or arrangements
          - H04L41/046—Network management architectures or arrangements comprising network management agents or mobile agents therefor

- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/08—Configuration management of networks or network elements
          - H04L41/0803—Configuration setting
            - H04L41/0813—Configuration setting characterised by the conditions triggering a change of settings

- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection

- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
            - H04L67/025—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications

- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L2212/00—Encapsulation of packets
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a hybrid network monitoring system based on active network technology. The system is provided with active node hosts, proxy hosts and a mirror host. An active node host is either a node host that participates in monitoring within the active network, or a node host in a traditional network that has active node capability. The active application of an active node host is composed of five active applications: an extension engine, an acquisition engine, an interception engine, a traceback (retrospect) engine and a management engine. By using the computing capability of the intermediate nodes of the active network, a hybrid network monitoring system based on the active network is proposed which, while remaining compatible with traditional monitoring systems, overcomes the defects of traditional network monitoring systems and at the same time extends their functions; its cost is relatively low, and it is convenient to popularize and use.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a hybrid network monitoring system based on active network technology.
Background technique
Traditional network monitoring systems generally use the Manager/Agent model, in which the Manager is the central management device and the Agents are the monitoring agent devices. The typical architecture is shown in Figure 1. In this architecture there are usually several Agents, distributed over the different monitoring points, and usually a single Manager located at a centralized administrative center. An Agent is responsible for collecting the data messages at its monitoring point and, usually according to rules, forwarding particular data messages to the Manager. The Manager uses a layered structure comprising an information collection layer, an information extraction layer and an information mining layer. The information collection layer gathers the data messages sent by each Agent, performs the necessary formatting on the information and passes it to the information extraction layer. The information extraction layer performs correlation processing on the information from the collection layer, extracts the relevant information and submits it to the information mining layer. The information mining layer applies certain methods (such as data mining or artificial intelligence) to the information from the extraction layer in order to obtain useful information and take appropriate measures.

Traditional network monitoring systems have several defects, including:

1. Useful information must be extracted from a large volume of data messages. In a traditional monitoring system using the Manager/Agent model, the main information-processing functions are all concentrated at the Manager end. For performance reasons the functions of the Agent end are often quite simple, generally limited to collecting data messages. As a result the Manager end receives a large amount of information that may well be useless, which reduces the extraction of useful information.

2. Only limited active behaviour can be taken when suspicious behaviour is discovered. When a traditional monitoring system discovers suspicious behaviour, or even intrusion behaviour, it can often only take passive behaviour or limited active behaviour. Passive behaviour includes notifying the system administrator and issuing warning information. Limited active behaviour includes stopping certain services of the object and setting firewall rules to filter the data messages of certain subjects. Neither kind of behaviour amounts to comprehensive active measures against a suspicious subject.

3. The subject of a network behaviour cannot be located well. Internet applications are becoming ever wider, network attacks ever more numerous, and attack techniques ever more sophisticated. Many attackers escape tracking of their attack by forging the IP source address. This means that a traditional monitoring system, relying purely on the collected data messages, cannot locate the subject of a network behaviour well, that is, the party launching the attack.

4. Data messages of unknown protocols cannot be handled in an extensible way. As networks keep developing there are more and more transport-layer protocols, and as network applications deepen there are more and more application-layer protocols. If a monitoring system cannot understand these unknown protocols well, it cannot handle the corresponding protocol messages well. A traditional monitoring system can only adapt to the data messages of a new protocol by continually upgrading the Agents.
Summary of the invention
In view of the substantive defects and deficiencies set out in the background above, the present invention provides a hybrid network monitoring system based on active network technology. An active node not only has the ability to forward data messages but also has the ability to compute on and process data messages, which makes it possible to solve the problems pointed out in the background.

A hybrid network monitoring system based on active network technology is provided with active node hosts, proxy hosts and a mirror host. Of these three classes of host, the active node hosts and proxy hosts belong to the Agent monitoring agent devices, and the mirror host belongs to the Manager central management device. An active node host is a node host that participates in monitoring within the active network, or a node host in a traditional network that has active node capability. The active application of an active node host is composed of five active applications: an extension engine, an acquisition engine, an interception engine, a traceback (retrospect) engine and a management engine, in which:

Extension engine: the extension engine is the extension of the execution environment in the active node and provides the most basic functions for the other engines above it, including calling functions of the execution environment, passing messages upward, selecting the appropriate engine to process a message, and supporting the processing of data messages of unknown protocols through active code updates.

Acquisition engine: the acquisition engine is responsible for collecting the messages that match the rules and counting the necessary objects; according to need it collects the message headers or message contents of a subject or object, counts the information in the messages, and computes the network behaviour features of the subject or object. The acquisition engine is also responsible for transmitting message contents to the Manager central management device.

Interception engine: the interception engine is responsible for intercepting part or even all of the messages that a suspected or confirmed intruding subject sends to the object. These messages may be discarded, modified, or forwarded to an appropriate place for further processing, so that taking active measures against a suspicious subject or intruding subject becomes possible.

Traceback engine: the traceback engine traces specific messages or specific subjects; in particular, it traces attack messages with forged source addresses back to their place of origin, and traces attacking subjects with forged addresses to their physical location.

Management engine: the management engine is responsible for managing all engines and for communication with the central management device Manager and with other active nodes. Management of the engines includes assembling active code messages into the corresponding engine code and updating the engine code when appropriate. Communication includes generating the necessary active packets to the central management device Manager or other nodes, and receiving messages from the central management device Manager or other nodes and processing them.

In the above technical solution, when an active node or the Manager central management device generates an active packet, the message is first encapsulated into a Monitor (monitoring) message, the Monitor message is then encapsulated into an ANEP (Active Network Encapsulation Protocol) message, and finally the ANEP message is encapsulated into an IP packet.

In the above technical solution, the active packet is specifically: active network technology applied to network management, which makes the managed nodes programmable so that the administrative center can send programs to the managed nodes.

The hybrid network monitoring system based on active network technology provided by the invention, through clever design, uses the computing capability of the intermediate nodes of the active network to propose a hybrid network monitoring system based on the active network. While remaining compatible with traditional monitoring systems, it overcomes the defects of traditional network monitoring systems and at the same time extends their functions; its cost is relatively low, and it is convenient to popularize and use.
Detailed description of the invention
Fig. 1 is a schematic structural diagram of the prior art relevant to the hybrid network monitoring system based on active network technology provided by the invention.
Fig. 2 is a schematic structural diagram of the hybrid network monitoring system based on active network technology provided by the invention.
Fig. 3 is a schematic structural diagram of an active node of the hybrid network monitoring system based on active network technology provided by the invention.
Fig. 4 is a schematic diagram of the structure of the active packet as applied to network management in the hybrid network monitoring system based on active network technology provided by the invention.
Fig. 5 is a schematic structural diagram of the Manager central management device of the hybrid network monitoring system based on active network technology provided by the invention.
Specific embodiment
The specific embodiments of the invention are described in detail below with reference to the accompanying drawings; it should be understood that the scope of protection of the invention is not limited by the specific implementation.

An active network is a programmable packet-switching network. A traditional network uses the one-dimensional "store and forward" network model, whereas an active network uses the two-dimensional "store, compute, forward" network model. Therefore, in an active network, a network node not only has the ability to route packets but can also compute on the contents of packets, so that packets can be modified, stored or redirected during transmission. An active network allows users to insert customized programs into network nodes and thereby modify the network configuration or extend the network's functions, giving the network greater flexibility and scalability.

As shown in Figures 2 to 5, in the hybrid network monitoring system based on active network technology, an active node of the hybrid monitoring system may be a node participating in monitoring within the active network, or a node in a traditional network that has active node capability; the structure of an active node participating in monitoring is shown in Figure 3.

The active application of an active node includes five active applications: the extension engine, acquisition engine, interception engine, traceback engine and management engine.
1. Extension engine: the extension engine is the extension of the execution environment in the active node and provides the most basic functions for the other engines above it, including calling functions of the execution environment, passing messages upward, selecting the appropriate engine to process a message, and supporting the processing of data messages of unknown protocols through active code updates.

2. Acquisition engine: the acquisition engine is responsible for collecting the messages that match the rules and counting the necessary objects; according to need it collects the message headers or message contents of a subject or object, counts the information in the messages, and computes the network behaviour features of the subject or object. The acquisition engine is also responsible for transmitting message contents to the Manager.

3. Interception engine: the interception engine is responsible for intercepting part or even all of the messages that a suspected or confirmed intruding subject sends to the object. These messages may be discarded, modified, or forwarded to an appropriate place for further processing, so that taking active measures against a suspicious subject or intruding subject becomes possible.

4. Traceback engine: the traceback engine traces specific messages or specific subjects; in particular, it traces attack messages with forged source addresses back to their place of origin, and traces attacking subjects with forged addresses to their physical location.

5. Management engine: the management engine is responsible for managing all engines and for communication with the Manager and with other active nodes. Management of the engines includes assembling active code messages into the corresponding engine code and updating the engine code when appropriate. Communication includes generating the necessary active packets to the Manager or other nodes, and receiving messages from the Manager or other nodes and processing them.
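As an added illustration of the acquisition engine described in item 2 above (this is example code written for this page, not code from the patent), the following Python sketch takes rules of the kind the Manager would distribute, collects the messages that match them, counts the objects each subject touches, and derives per-subject behaviour features that the engine would forward to the Manager. The `Packet` and `Rule` structures, the rule fields, the feature set and the sample traffic are all constructed assumptions; the patent specifies none of them.

```python
"""Acquisition engine sketch (added example, not the patent's code).

Rules come down from the Manager; the engine collects the messages that match,
counts the objects they touch, and derives per-subject network behaviour
features.  Packet records, rules and sample traffic here are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal header view of one data message (constructed for the example)."""
    src: str
    dst: str
    proto: str
    dport: int
    length: int


@dataclass(frozen=True)
class Rule:
    """A rule as the Manager might distribute it (assumed shape); None means 'any'."""
    name: str
    subject_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.subject_net and ip_address(p.src) not in ip_network(self.subject_net):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


@dataclass
class SubjectStats:
    packets: int = 0
    octets: int = 0
    objects: Set[str] = field(default_factory=set)   # distinct destination hosts
    dports: Set[int] = field(default_factory=set)    # distinct destination ports


class AcquisitionEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.stats: Dict[Tuple[str, str], SubjectStats] = {}

    def observe(self, p: Packet) -> List[str]:
        """Count the packet under every rule it matches; return the matched rule names."""
        hits = []
        for rule in self.rules:
            if not rule.matches(p):
                continue
            s = self.stats.setdefault((rule.name, p.src), SubjectStats())
            s.packets += 1
            s.octets += p.length
            s.objects.add(p.dst)
            s.dports.add(p.dport)
            hits.append(rule.name)
        return hits

    def features(self) -> Dict[Tuple[str, str], Dict[str, int]]:
        """Behaviour features per (rule, subject): the summary forwarded to the Manager."""
        return {
            key: {"packets": s.packets, "bytes": s.octets,
                  "distinct_objects": len(s.objects), "distinct_dports": len(s.dports)}
            for key, s in self.stats.items()
        }


# Constructed rules: everything TCP from the LAN, and anything aimed at port 80.
RULES = [
    Rule("tcp-from-lan", subject_net="10.0.0.0/24", proto="tcp"),
    Rule("to-web", proto="tcp", dport=80),
]

# Constructed traffic: 10.0.0.5 touches five ports on one host, 10.0.0.7 only talks to port 80.
SAMPLE = (
    [Packet("10.0.0.5", "10.0.1.1", "tcp", port, 60) for port in (21, 22, 23, 80, 443)]
    + [Packet("10.0.0.7", "10.0.1.1", "tcp", 80, 512), Packet("10.0.0.7", "10.0.1.2", "tcp", 80, 700)]
    + [Packet("192.168.9.9", "10.0.1.1", "udp", 53, 80)]   # matches neither rule
)


def run_sample() -> Dict[Tuple[str, str], Dict[str, int]]:
    engine = AcquisitionEngine(RULES)
    for p in SAMPLE:
        engine.observe(p)
    return engine.features()


if __name__ == "__main__":
    for key, feat in run_sample().items():
        print(key, feat)
```

The point of keeping counters per (rule, subject) rather than raw copies is the one the background section makes: the node sends the Manager a small feature vector (here the number of distinct objects and ports a subject touched) instead of every message, so the Manager end is not buried in useless data.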
Description of active packets:

Active network technology applied to network management makes the managed nodes programmable, so that the administrative center can send programs to the managed nodes. On this basis, the Monitor Packet applied to the hybrid network monitoring system has the encapsulation structure shown in Figure 4.

When an active node or the Manager generates an active packet, the message is first encapsulated into a Monitor message, the Monitor message is then encapsulated into an ANEP message, and finally the ANEP message is encapsulated into an IP packet. The Monitor header has three fields: type, context and sequence number. There are five types: extension active packet, acquisition active packet, interception active packet, traceback active packet and management active packet. The context value is generated by the ANEP encapsulation process and is used to identify the node. The sequence number is used to distinguish different Monitor messages.
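To make the three-layer encapsulation concrete, here is an added Python example (not code from the patent) that builds a Monitor message, wraps it in an ANEP packet and then in a minimal IPv4 header, and unwraps it again while checking every length, version and checksum field against the bytes actually received before choosing an engine by type. The patent names only the three Monitor fields and the five types; the field widths, the numeric type codes, the ANEP fixed-header layout (version, flags, type ID, header length in 32-bit words, packet length), the ANEP type ID value and the IP protocol number are all assumptions of this example. It goes slightly beyond the text by also framing the IPv4 layer, so the whole path can be exercised offline.

```python
"""Monitor-in-ANEP-in-IP framing sketch (added example, not the patent's code).

The patent names the Monitor header fields (type, context, sequence number)
and the five message types but gives no field widths.  Widths, type codes,
the ANEP fixed-header layout and the IP protocol number are assumptions."""
import socket
import struct

# Monitor header: type (1 byte), context (4 bytes), sequence number (4 bytes); widths assumed.
MONITOR_HDR = "!BII"
MONITOR_HDR_LEN = struct.calcsize(MONITOR_HDR)
# The five Monitor types named in the text; the numeric codes are assumed.
MONITOR_TYPES = {1: "extension", 2: "acquisition", 3: "interception", 4: "traceback", 5: "management"}

# ANEP fixed header as assumed here: version, flags, type ID,
# header length (in 32-bit words), packet length (in bytes); no options.
ANEP_HDR = "!BBHHH"
ANEP_HDR_LEN = struct.calcsize(ANEP_HDR)  # 8 bytes
ANEP_VERSION = 1
ANEP_TYPE_ID = 0x7F          # hypothetical type ID for this monitoring execution environment

# Minimal IPv4 header without options; the protocol number is a placeholder.
IPV4_HDR = "!BBHHHBBH4s4s"
IPV4_HDR_LEN = struct.calcsize(IPV4_HDR)  # 20 bytes
IP_PROTO_ANEP = 253          # placeholder: IANA "experimentation" value, not an assigned ANEP number


def build_monitor(msg_type: int, context: int, seq: int, payload: bytes) -> bytes:
    if msg_type not in MONITOR_TYPES:
        raise ValueError("unknown Monitor type %d" % msg_type)
    return struct.pack(MONITOR_HDR, msg_type, context, seq) + payload


def build_anep(monitor_msg: bytes) -> bytes:
    total = ANEP_HDR_LEN + len(monitor_msg)
    if total > 0xFFFF:
        raise ValueError("ANEP packet length field overflow")
    return struct.pack(ANEP_HDR, ANEP_VERSION, 0, ANEP_TYPE_ID, ANEP_HDR_LEN // 4, total) + monitor_msg


def ip_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, anep_pkt: bytes) -> bytes:
    total = IPV4_HDR_LEN + len(anep_pkt)
    fields = (0x45, 0, total, 0, 0, 64, IP_PROTO_ANEP, 0,
              socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ip_checksum(struct.pack(IPV4_HDR, *fields))
    fields = fields[:7] + (checksum,) + fields[8:]
    return struct.pack(IPV4_HDR, *fields) + anep_pkt


def dispatch(ip_pkt: bytes):
    """Unwrap IP -> ANEP -> Monitor and return (engine, context, seq, payload).

    Every length and version field is checked against the bytes actually
    received; a truncated, padded or tampered packet raises ValueError
    instead of reaching an engine."""
    if len(ip_pkt) < IPV4_HDR_LEN:
        raise ValueError("short IP packet")
    ver_ihl, _, total, _, _, _, proto, _, _, _ = struct.unpack(IPV4_HDR, ip_pkt[:IPV4_HDR_LEN])
    if ver_ihl != 0x45 or proto != IP_PROTO_ANEP or total != len(ip_pkt):
        raise ValueError("not an ANEP-over-IPv4 packet of the declared length")
    if ip_checksum(ip_pkt[:IPV4_HDR_LEN]) != 0:
        raise ValueError("bad IP header checksum")
    anep = ip_pkt[IPV4_HDR_LEN:]
    if len(anep) < ANEP_HDR_LEN:
        raise ValueError("short ANEP packet")
    version, _, type_id, hlen_words, plen = struct.unpack(ANEP_HDR, anep[:ANEP_HDR_LEN])
    if version != ANEP_VERSION or type_id != ANEP_TYPE_ID:
        raise ValueError("ANEP version/type mismatch")
    if plen != len(anep) or hlen_words * 4 > plen:
        raise ValueError("ANEP length fields disagree with packet")
    monitor = anep[hlen_words * 4:]
    if len(monitor) < MONITOR_HDR_LEN:
        raise ValueError("short Monitor message")
    msg_type, context, seq = struct.unpack(MONITOR_HDR, monitor[:MONITOR_HDR_LEN])
    if msg_type not in MONITOR_TYPES:
        raise ValueError("unknown Monitor type %d" % msg_type)
    return MONITOR_TYPES[msg_type], context, seq, monitor[MONITOR_HDR_LEN:]


def roundtrip_demo():
    """Encapsulate one acquisition packet and unwrap it again; constructed values."""
    pkt = build_ipv4("10.0.0.1", "10.0.0.2",
                     build_anep(build_monitor(2, 0x11223344, 7, b"rule=web")))
    return dispatch(pkt)


if __name__ == "__main__":
    print(roundtrip_demo())
```

The strict length checks are the part worth copying: a node that executes code carried in packets is a worse place than most to accept a frame whose declared lengths disagree with what arrived, so the extension engine should reject such a packet before any engine sees it.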
Description of the Manager

The Manager is the processing and administrative center for information. It is responsible for collecting, extracting and mining information; for formulating, updating and managing rules; and for generating, delivering and managing active code. Its structure is shown in Figure 5.

The lowest layer of the Manager consists of the active node communicator and the general node communicator, which communicate with the engines of active nodes and with the Agents of general nodes respectively. The information collection layer, information extraction layer and information mining layer process and mine information in the same way as in a traditional network monitoring system, and in doing so generate certain rules. The rule manager manages the generation, setting and updating of rules. The active code manager translates the corresponding rules into active code and manages the generation, setting and updating of the active code. The active code distributor is then responsible for distributing the active code to the corresponding active nodes.

The "store, compute, forward" model of the active network solves many problems and defects of traditional networks. Based on the active network, the present invention proposes a hybrid network monitoring system which, while remaining compatible with traditional network monitoring systems, introduces active network technology to solve some of the defects of traditional network monitoring systems.

What is disclosed above is only several specific embodiments of the invention; however, the embodiments of the invention are not limited to these, and any variation that a person skilled in the art can conceive should fall within the scope of protection of the invention.
Claims (3)
1. A hybrid network monitoring system based on active network technology, characterized in that it is provided with active node hosts, proxy hosts and a mirror host; of these three classes of host, the active node hosts and proxy hosts belong to the Agent monitoring agent devices, and the mirror host belongs to the Manager central management device; an active node host is a node host that participates in monitoring within the active network, or a node host in a traditional network that has active node capability; the active application of an active node host is composed of five active applications: an extension engine, an acquisition engine, an interception engine, a traceback (retrospect) engine and a management engine, in which:
Extension engine: the extension engine is the extension of the execution environment in the active node and provides the most basic functions for the other engines above it, including calling functions of the execution environment, passing messages upward, selecting the appropriate engine to process a message, and supporting the processing of data messages of unknown protocols through active code updates;
Acquisition engine: the acquisition engine is responsible for collecting the messages that match the rules and counting the necessary objects; according to need it collects the message headers or message contents of a subject or object, counts the information in the messages, and computes the network behaviour features of the subject or object; the acquisition engine is also responsible for transmitting message contents to the Manager central management device;
Interception engine: the interception engine is responsible for intercepting part or even all of the messages that a suspected or confirmed intruding subject sends to the object; these messages may be discarded, modified, or forwarded to an appropriate place for further processing, so that taking active measures against a suspicious subject or intruding subject becomes possible;
Traceback engine: the traceback engine traces specific messages or specific subjects; in particular, it traces attack messages with forged source addresses back to their place of origin, and traces attacking subjects with forged addresses to their physical location;
Management engine: the management engine is responsible for managing all engines and for communication with the central management device Manager and with other active nodes; management of the engines includes assembling active code messages into the corresponding engine code and updating the engine code when appropriate; communication includes generating the necessary active packets to the central management device Manager or other nodes, and receiving messages from the central management device Manager or other nodes and processing them.
2. The hybrid network monitoring system based on active network technology according to claim 1, characterized in that when an active node or the Manager central management device generates an active packet, the message is first encapsulated into a Monitor (monitoring) message, the Monitor message is then encapsulated into an ANEP (Active Network Encapsulation Protocol) message, and finally the ANEP message is encapsulated into an IP packet.
3. The hybrid network monitoring system based on active network technology according to claim 2, characterized in that the active packet is specifically: active network technology applied to network management, which makes the managed nodes programmable so that the administrative center can send programs to the managed nodes.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910823276.2A CN110535707A (en) | 2019-09-02 | 2019-09-02 | A kind of hybrid network monitoring system based on active network technology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110535707A true CN110535707A (en) | 2019-12-03 |
Family
ID=68666168
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910823276.2A Pending CN110535707A (en) | 2019-09-02 | 2019-09-02 | A kind of hybrid network monitoring system based on active network technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110535707A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040098618A1 (en) * | 2002-11-14 | 2004-05-20 | Kim Hyun Joo | System and method for defending against distributed denial-of-service attack on active network |
CN101170573A (en) * | 2007-11-21 | 2008-04-30 | Hunan University (湖南大学) | Active radio sensor network middleware system and implementation method |
Events
- 2019-09-02 CN CN201910823276.2A patent/CN110535707A/en active Pending
Non-Patent Citations (1)
Title |
---|
Liu Peng et al.: "Hybrid network monitoring system based on active network technology" (基于主动网络技术的混合网络监控系统), Computer Engineering and Design (《计算机工程与设计》) * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Gavalas et al. | Advanced network monitoring applications based on mobile/intelligent agent technology | |
CN103947156B (en) | Method, apparatus and communication network for root cause analysis | |
CN100514921C (en) | Network flow abnormal detecting method and system | |
CN102045214B (en) | Botnet detection method, device and system | |
DE60024908T2 (en) | Aggregation method for global flow information | |
US20140280338A1 (en) | Distributed network analytics | |
US20060165003A1 (en) | Method and apparatus for monitoring data routing over a network | |
CN108400909A (en) | A kind of flow statistical method, device, terminal device and storage medium | |
CN102820984A (en) | Automatic network topology detection and modeling | |
CN101741608B (en) | Traffic characteristic-based P2P application identification system and method | |
CN102638453B (en) | A kind of voice data kernel retransmission method based on Linux system server | |
CN107147535A (en) | A kind of distributed network measurement data statistical analysis technique | |
CN114531273B (en) | Method for defending distributed denial of service attack of industrial network system | |
CN103248512A (en) | Method and system for generating topological structure of application layer in communication network | |
CN100493065C (en) | Method for using immediate information software by data detection network address switching equipment | |
Hasan et al. | A constraint-based intrusion detection system | |
Polychronakis et al. | Design of an application programming interface for ip network monitoring | |
CN206461664U (en) | A kind of data collecting system | |
CN110535707A (en) | A kind of hybrid network monitoring system based on active network technology | |
CN105991353A (en) | Fault location method and device | |
CN103227781A (en) | Network diagnose and performance evaluation system and method based on user datagram protocol | |
CN110138593B (en) | SMC network-based distributed system simulation communication system | |
US20200067820A1 (en) | System and method for scattering network traffic across a number of disparate hosts | |
Ahmed et al. | Implementation of Internet of Things (IoT) based on IPv6 over wireless sensor networks | |
CN105515899B (en) | A kind of network analog router Netflow data generation system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191203 |