CN110855699B - Flow auditing method and device, server and auditing equipment - Google Patents


Info

Publication number
CN110855699B
Authority
CN (China)
Prior art keywords
server, auditing, configuration information, internal, traffic
Legal status
Active
Application number
CN201911138606.0A
Other languages
Chinese (zh)
Other versions
CN110855699A
Inventors
孙鹏成, 杨松
Current assignee
Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Original assignee
Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN201911138606.0A
Publication of CN110855699A
Application granted
Publication of CN110855699B

Classifications

    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/5651 Provisioning of proxy services: conversion or adaptation of application format or content, reducing the amount or size of exchanged application data
    • H04L67/568 Provisioning of proxy services: storing data temporarily at an intermediate stage, e.g. caching


Abstract

The application provides a traffic auditing method and apparatus, a server and an auditing device. The method is applied to the server and comprises the following steps: obtaining configuration information for acquiring traffic; acquiring, according to the configuration information, internal traffic generated by the server, wherein the internal traffic does not pass through network equipment; and sending the internal traffic to the auditing device so that the auditing device audits the internal traffic. By obtaining the server's internal traffic inside the server itself and forwarding it to the auditing device, which then audits it, the method effectively solves the problem that the server's internal traffic is difficult to audit when that traffic does not pass through a switch.

Description

Flow auditing method and device, server and auditing equipment
Technical Field
The application relates to the technical field of computer security and network security, in particular to a flow auditing method, a flow auditing device, a server and auditing equipment.
Background
Port mirroring refers to monitoring a network by forwarding the data traffic of one or more source ports to a designated port on a switch or router; the designated port is called the "mirror port" or "destination port". Network traffic can be monitored and analysed through the mirror port without seriously affecting the normal throughput of the source ports.
The common traffic auditing method today is to configure port mirroring on the switch at the network egress: the source ports that need auditing are forwarded to a mirror port in the switch, and the traffic is sent from the mirror port to the auditing device, which achieves the purpose of traffic auditing. In practice, however, it is difficult to audit a server's internal traffic this way: when the server's internal traffic does not pass through the switch, there is nothing for the switch to mirror, and so that traffic is difficult to audit.
Disclosure of Invention
An object of the embodiments of the present application is to provide a traffic auditing method and apparatus, a server and an auditing device, which solve the problem that the internal traffic of a server is difficult to audit when it does not pass through a switch.
The application provides a traffic auditing method applied to a server, comprising the following steps: obtaining configuration information for acquiring traffic; acquiring, according to the configuration information, internal traffic generated by the server, wherein the internal traffic does not pass through network equipment; and sending the internal traffic to an auditing device so that the auditing device audits it. In this implementation the server's internal traffic is obtained inside the server and forwarded to the auditing device, which performs the auditing operation, so the problem that the server's internal traffic is difficult to audit when it does not pass through a switch is effectively solved.
Optionally, the server runs a console service program, and obtaining the configuration information for acquiring traffic includes: receiving, with the console service program, the configuration information sent by the auditing device; and storing the configuration information in a local cache. Receiving the configuration information through the console service program makes its parsing more accurate, and the local cache speeds up storing and reading it.
Optionally, the server runs a packet capturing and forwarding program, and obtaining the internal traffic generated by the server according to the configuration information includes: reading the configuration information from the local cache; and acquiring, with the packet capturing and forwarding program, the internal traffic generated by the server according to the configuration information. Obtaining the internal traffic with a dedicated packet capturing and forwarding program greatly improves capture performance and reduces the load on the server.
Optionally, the configuration information includes at least one source port and a mirror port, where the mirror port is connected to the auditing device. Acquiring the internal traffic with the packet capturing and forwarding program according to the configuration information then includes obtaining the internal traffic of the at least one source port with that program, and sending the internal traffic to the auditing device includes sending it, with that program, to the mirror port so that it reaches the auditing device through the mirror port. In this implementation the packet capturing and forwarding program obtains the internal traffic of the source port and forwards it to the destination port, from which it is sent on to the auditing device, which greatly improves capture performance and reduces the load on the server.
Optionally, the configuration information includes compression information, and sending the internal traffic to the auditing device includes: compressing the internal traffic according to the compression information; and sending the compressed internal traffic to the auditing device. Compressing the internal traffic before sending it reduces the network load, that is, the volume of data the network has to carry.
Optionally, the configuration information further includes a compression switch state, and before compressing the internal traffic according to the compression information the method further includes determining that the compression switch state is on. Only when the compression switch is on is the internal traffic compressed according to the compression information and sent in compressed form, which reduces the network load, that is, the volume of data the network has to carry.
Optionally, the configuration information includes encryption information, and sending the internal traffic to the auditing device includes: encrypting the internal traffic according to the encryption information; and sending the encrypted internal traffic to the auditing device. Encrypting the internal traffic before sending it strengthens its security in transit.
Optionally, the configuration information further includes an encryption switch state, and before encrypting the internal traffic according to the encryption information the method further includes determining that the encryption switch state is on. Only when the encryption switch is on is the internal traffic encrypted according to the encryption information and sent in encrypted form, which strengthens its security in transit.
The application also provides a flow auditing method, which is applied to auditing equipment and comprises the following steps: sending configuration information to a server so that the server acquires and sends the internal flow of the server according to the configuration information; and receiving the internal flow sent by the server, and auditing the internal flow. In the implementation process, the internal flow of the server is obtained inside the server, the internal flow is forwarded to the auditing equipment, and the auditing equipment performs auditing operation on the internal flow, so that the problem that the auditing operation on the internal flow of the server is difficult when the internal flow of the server does not pass through the switch is effectively solved.
The application also provides a flow audit device, which is applied to a server and comprises: the configuration information acquisition module is used for acquiring configuration information used for acquiring flow; an internal traffic obtaining module, configured to obtain, according to the configuration information, internal traffic generated by the server, where the internal traffic does not pass through a network device; and the internal flow sending module is used for sending the internal flow to auditing equipment so that the auditing equipment audits the internal flow.
Optionally, the server runs a console service program, and the configuration information obtaining module includes: the configuration information receiving module is used for receiving the configuration information sent by the auditing equipment by using the console service program; and the configuration information storage module is used for storing the configuration information into a local cache.
Optionally, the server runs a packet capturing and forwarding program, and the internal traffic obtaining module includes: a configuration information reading module, configured to read the configuration information from the local cache; and the first flow acquiring module is used for acquiring the internal flow generated by the server according to the configuration information by using the packet capturing and forwarding program.
Optionally, the configuration information includes at least one source port and a mirror port, the mirror port being connected to the auditing device; the internal traffic obtaining module includes a second traffic obtaining module configured to obtain the internal traffic of the at least one source port with the packet capturing and forwarding program; and the internal traffic sending module includes a first traffic sending module configured to send the internal traffic to the mirror port with the packet capturing and forwarding program, so that the internal traffic reaches the auditing device through the mirror port.
Optionally, the configuration information includes compression information; the internal traffic sending module includes: an internal traffic compression module configured to compress the internal traffic according to the compression information; and a second traffic sending module configured to send the compressed internal traffic to the auditing device.
Optionally, the configuration information further includes a compression switch state; the traffic auditing apparatus further includes a first state determining module configured to determine that the compression switch state is on.
Optionally, the configuration information includes encryption information; the internal traffic sending module includes: an internal traffic encryption module configured to encrypt the internal traffic according to the encryption information; and a third traffic sending module configured to send the encrypted internal traffic to the auditing device.
Optionally, the configuration information further includes an encryption switch state; the traffic auditing apparatus further includes a second state determining module configured to determine that the encryption switch state is on.
The application also provides a flow audit device, which is applied to audit equipment and comprises: the configuration information sending module is used for sending configuration information to a server so that the server can acquire and send the internal flow of the server according to the configuration information; and the internal flow receiving module is used for receiving the internal flow sent by the server and auditing the internal flow.
The present application further provides a server, including: a first processor and a first memory, the first memory storing machine-readable instructions executable by the first processor, the machine-readable instructions, when executed by the first processor, performing a method as described above.
The application also provides an audit device, including: a second processor and a second memory, the second memory storing machine-readable instructions executable by the second processor, the machine-readable instructions, when executed by the second processor, performing the method as described above.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. These drawings illustrate only some embodiments and should not be taken as limiting the scope; those skilled in the art can derive other related drawings from them without inventive effort.
FIG. 1 is a schematic view of an audit system of a comparative embodiment;
FIG. 2 is a schematic diagram of a flow auditing system provided by an embodiment of the present application in a first case;
FIG. 3 is a schematic diagram of a flow auditing system provided by an embodiment of the present application in a second case;
FIG. 4 is a schematic flow chart of a traffic auditing method at the server end according to an embodiment of the present application;
FIG. 5 is a flow chart of a traffic auditing method provided by an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a traffic auditing apparatus applied to a server according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a server provided in an embodiment of the present application;
FIG. 8 is a schematic structural diagram of an audit device provided by an embodiment of the present application.
Icon: 100-a flow audit system; 101-a server; 102-an auditing device; 103-core switches; 104-a router; 110-a server; 111-a first server; 112-a second server; 113-a first processor; 114-a first memory; 115-a storage medium; 116-a first network interface; 120-audit equipment; 121-a second processor; 122-a second memory; 123-a second network interface; 130-core switches; 400-a flow auditing means; 410-a configuration information obtaining module; 420-internal traffic acquisition module; 430-internal traffic sending module.
Detailed Description
The technical solution in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
Before describing the flow auditing method in the embodiment of the present application, some concepts related to the embodiment of the present application are described below:
Traffic, also called traffic data, refers to the data a server generates while in its working state, including: persistent data that the application sends to the database for updates, business data that the application sends to the cache database, business data that the database returns to the application, and the like.
A traffic probe is agent software that forwards traffic data. In some embodiments of the present application, a traffic probe comprises three programs: a console service program, a packet capturing and forwarding program and an audit management program; their functions are described in detail in the embodiments below.
Auditing refers to collecting, analysing and making decisions on data traffic in order to detect security threats, give early warning of intrusion behaviour, obtain evidence of intrusion traces, trace sources or stop damage after an intrusion, and the like. Specifically, it includes collecting data traffic in the network, analysing it, discovering security threats and intrusion behaviour from the analysis results, and raising early warnings of the intrusion behaviour.
TCP/IP (Transmission Control Protocol / Internet Protocol), also called the network communication protocol, is the most basic protocol of the Internet and its foundation; it is composed of the IP protocol at the network layer and the TCP protocol at the transport layer. Communication may be based on TCP/IP or on the hypertext transfer protocol (HTTP). An Internet Protocol address, abbreviated IP address, is a numerical label assigned to a device that uses the Internet Protocol to access the Internet.
A database (DB) is a collection for storing electronic data or electronic files; it can be regarded as an electronic filing cabinet, and a user can add, query, update and delete the data in it. A "database" is a collection of data stored together so that it can be shared by multiple users, with as little redundancy as possible and independent of the application. Databases include memory databases, relational databases and non-relational databases:
A memory database is a data set searched in random access memory (RAM); it is characterised by fast read and write speed and is therefore also called a cache database. Common memory databases are Memcached and Redis, among others.
A relational database organises data using the relational model, storing it as rows and columns that are easy for users to understand; such a set of rows and columns is called a table. Common relational databases are MySQL, Oracle and SQL Server, among others.
A non-relational database, also called NoSQL (Not Only SQL), is not limited to the Structured Query Language (SQL). By storage structure and application scenario, non-relational databases mainly fall into three kinds: column-oriented stores, document stores and key-value stores. Common non-relational databases include the Hadoop subsystem HBase, MongoDB and CouchDB, among others.
An encryption algorithm, also called an encryption and decryption algorithm, is an algorithm for encrypting and decrypting data. Encryption algorithms in general use fall into symmetric and asymmetric algorithms. A symmetric encryption algorithm uses the same key for encryption and decryption, that is, a secret known to both communicating parties; common symmetric algorithms are DES, 3DES, RC4, RC5, RC6, AES and the like. An asymmetric encryption algorithm uses different keys for encryption and decryption and is also called public-key cryptography: the key pair consists of a public key, which is published, and a private key, which is kept secret; common asymmetric algorithms are RSA, Diffie-Hellman, DSA and the like.
Please refer to fig. 1, which shows a schematic view of an auditing system of a comparative embodiment; before introducing the flow auditing method provided by the embodiment of the application, an auditing system of a comparison embodiment is introduced, and the auditing system comprises: a server 101, an audit device 102 and a core switch 103; the server 101 can communicate with the router 104 through the core switch 103, the server 101 can also communicate with the audit device 102 through the core switch 103, and the audit device 102 can also communicate with the router 104 through the core switch 103, so that the router 104, the server 101, the audit device 102 and the core switch 103 are interconnected.
When data traffic passing through core switch 103 needs to be audited, port mirroring may be performed on core switch 103, specifically, for example: the port of the core switch 103 connected to the router 104 is used as a source port, the port of the core switch 103 connected to the audit device 102 is used as a mirror port, that is, data traffic passing through the source port is all copied, and the copied data traffic is forwarded to the mirror port. Of course, a port of the core switch 103 connected to the server 101 may also be used as a source port, the data traffic passing through the source port is all copied, and the copied data traffic is forwarded to a mirror port, where the difference is that the former is to perform port mirroring on the data traffic passing through the router 104, and the latter is to perform port mirroring on the data traffic passing through the server 101.
Of course, in a specific implementation process, the network structure may further include more devices, such as: the server may also communicate with access devices (not shown) of the local area network through the core switch; the access device herein comprises: the access switch, the first terminal computer and the second terminal computer. Another example is: the servers may also communicate with the internet (not shown) through core switches and egress routers (not shown), etc.
An application scenario to which the traffic auditing method is applicable is described below, where the application scenario includes, but is not limited to, auditing internal traffic of servers or internal traffic transmitted between servers, where the internal traffic refers to traffic that does not pass through a network device, and specific definitions will be described below. The devices applied to the flow auditing method include but are not limited to auditing devices and servers, and the applied products include but are not limited to: attack defense Systems, security protection Systems, Intrusion Detection Systems (IDS), honeypot Systems, and the like, wherein the application of the flow audit method can make the functions of the product more complete and rich, and the like. The IDS system is a software system that monitors the operation status of the network and the system through software and hardware according to a certain security policy, and finds out various attack attempts, attack behaviors, or attack results as much as possible to ensure the confidentiality, integrity, and availability of network system resources.
A server differs from a switch: port mirroring is easily configured on a switch with a configuration command, but is difficult to do on a server. The method for auditing a server's internal traffic is therefore described by example, covering two cases: in the first case, the server sends data traffic to itself; in the second case, data traffic passes between servers without passing through a network device, where a network device is one that is not the end recipient of the data traffic but merely forwards it to the end recipient, such as bridges, switches, routers and the like. For ease of understanding and explanation, the two cases are described separately below:
please refer to fig. 2, which is a schematic diagram of a flow auditing system provided by the embodiment of the present application in a first case; the flow audit system 100 includes: a server 110 and an auditing device 120; wherein, the dotted line in the figure indicates that the server 110 forwards the data traffic sent to the server 110 itself to the auditing apparatus 120, where the data traffic is sent to the server 110 itself by the server 110; the server 110 and the audit device 120 can directly communicate with each other, where the direct communication refers to communication without forwarding through any network device, and the specific communication mode between the server 110 and the audit device 120 may be wireless network communication or wired network communication. Of course, the server 110 and the audit device 120 can also communicate with each other through the core switch 130, the core switch 130 forwards the data traffic sent by the server 110 to the audit device 120, and meanwhile, the core switch 130 also forwards the data traffic sent by the audit device 120 to the server 110.
The audit of the data traffic sent to the server 110 itself is performed, for example: the traffic auditing method may be used to audit data traffic between the running program on server 110 and the database, with server 110 running both the running program that provides the service and the database that provides data storage for the running program. The specific communication contents of the server 110 and the auditing device 120 are as follows: the server 110 sends data traffic to the auditing device 120 to enable the auditing device 120 to audit the data traffic.
Please refer to fig. 3, which is a schematic diagram of a flow auditing system provided by the embodiment of the present application in a second case; the second case is similar to the first case except that the server 110 described above includes: a first server 111 and a second server 112; the first server 111 and the second server 112 can communicate with the auditing equipment 120 through the core switch 130, and the first server 111 and the second server 112 can also communicate with each other; and the dotted line in the figure indicates that the first server 111 or the second server 112 sends data traffic communicated between the first server 111 and the second server 112 to the audit device 120, namely the data traffic communicated between the first server 111 and the second server 112. Of course, in a specific implementation, both the first server 111 and the second server 112 may send the internal traffic of both and the data traffic communicated between both to the auditing apparatus 120.
It is understood that the internal traffic mentioned above is traffic that does not pass through a network device. For example, in FIG. 2 the server 110 runs both the program providing the service and the database providing its data storage, and the data traffic transmitted between that program and the database is internal traffic. As another example, in FIG. 3 the data traffic that the first server 111 sends to the second server 112, to which it is directly connected, and more generally the data traffic the two servers exchange with each other, may be called internal traffic; a direct connection here is likewise one that does not pass through a network device such as a bridge, switch or router.
Please refer to fig. 4, which is a schematic flow chart of the traffic auditing method at the server according to an embodiment of the present application; the traffic auditing method may include the following steps:
Step S210: the server obtains configuration information for acquiring traffic.
The configuration information is the information used to configure the server for acquiring traffic on the server; it is, for example: the source port, the mirror port, the compression switch state, the compression information, the encryption switch state, the encryption information, and the like; as explained above, the mirror port is the destination port, i.e. the port to which the traffic is forwarded. The configuration information may also be set according to actual conditions; for example, it may include a start switch and a stop switch of the packet capturing and forwarding program, which control whether the packet capturing and forwarding program starts acquiring traffic data and, once started, whether it stops; as another example, the configuration information may include packet capture filtering conditions, such as a condition that captures TCP packets whose source address is a preset IP address, where the preset IP address may be, for example, 10.0.0.1 or 127.0.0.1.
The server can obtain the configuration information for acquiring traffic in several ways: in the first case, the configuration information is copied to the server offline, or is written or edited directly on the server; in the second case, the server downloads the configuration information from a configuration information management device; in the third case, the configuration information management device actively pushes the configuration information to the server. The configuration information management device is, for example, a management server distinct from both the server and the auditing device, or the auditing device itself. For ease of understanding and explanation, the following assumes that the configuration information is downloaded from the auditing device, in which case step S210 may include the following steps:
Step S211: the server receives the configuration information sent by the auditing device using a console service program.
A console service program of the traffic probe may run on the server. As described above, the traffic probe may include a console service program, a packet capturing and forwarding program and an audit management program, where the console service program and the packet capturing and forwarding program run on the server and the audit management program runs in the auditing device. Here the console service and the packet capturing and forwarding function are separated into two programs; in a specific implementation or development process they may also be combined into one program, for example a control forwarding program that comprises the console service and the packet capturing and forwarding function and runs on the server, with the audit management program running in the auditing device; the traffic probe then comprises the control forwarding program and the audit management program.
The console service program is described here; the packet capturing and forwarding program and the audit management program are described below. The console service program can send a request to the auditing device to download the configuration information, and can also send detailed information about the server to the auditing device at regular intervals, the detailed information being, for example: the number of ports of the server, the memory size, the Central Processing Unit (CPU), the disk, the number of network interfaces, the running state of the packet capturing and forwarding program, and other information; for example, once the console service program is started, it sends the detailed information of the server to the auditing device at regular intervals. The console service program may of course also be responsible for starting and stopping the packet capturing and forwarding program.
The server receives the configuration information sent by the auditing device using the console service program, for example: the auditing device runs an audit management program, and the audit management program and the console service program communicate using the GET or POST method of the Hypertext Transfer Protocol (HTTP); that is, the console service program can receive the configuration information sent by the auditing device using the HTTP GET or POST method, and it can also process the configuration information using the DELETE or PUT method and the like.
Step S212: the server stores the configuration information in a local cache.
The local cache may refer to the local caching mechanism of a browser, for example: cookies and storage; it may also refer to an in-memory database or a cache database, for example: Memcached, Redis, and the like; or it may refer to the Random Access Memory (RAM) or the hard disk of the device.
In an embodiment, the server stores the configuration information in the local cache as follows: after receiving the configuration information, it stores the configuration information in the RAM of the server or in a Memcached database on the server. In the implementation process, receiving the configuration information sent by the auditing device with the console service program makes the parsing of the configuration information more accurate, and using the local cache speeds up the storing and reading of the configuration information.
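As an added illustration of steps S211 and S212 (and of the audit management program's side of step S310), the following Go program was written for this page and is not code from the patent or its assignee. An in-process stand-in for the audit management program serves the configuration over HTTP GET, the console service fetches it, rejects a configuration without a source or mirror port, and stores it in a mutex-guarded in-memory map standing in for the RAM or Memcached cache. The struct fields, the JSON keys, the sample values and the `/probe/config` path are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// ProbeConfig carries the configuration items the text lists. Field names
// and JSON keys are assumptions, not the patent's wire format.
type ProbeConfig struct {
	SourcePorts    []string `json:"sourcePorts"`    // interfaces to capture from
	MirrorPort     string   `json:"mirrorPort"`     // port facing the auditing device
	CaptureFilter  string   `json:"captureFilter"`  // packet-capture filter condition
	CompressStatus string   `json:"compressStatus"` // "on" / "off"
	CompressAlgo   string   `json:"compressAlgo"`
	EncryptStatus  string   `json:"encryptStatus"` // "on" / "off"
	EncryptAlgo    string   `json:"encryptAlgo"`
	ProbeRunning   bool     `json:"probeRunning"` // start/stop switch of the capture program
}

// LocalCache stands in for the RAM or Memcached store of step S212.
type LocalCache struct {
	mu   sync.RWMutex
	data map[string]ProbeConfig
}

func (c *LocalCache) Put(key string, cfg ProbeConfig) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.data == nil {
		c.data = map[string]ProbeConfig{}
	}
	c.data[key] = cfg
}

func (c *LocalCache) Get(key string) (ProbeConfig, bool) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	cfg, ok := c.data[key]
	return cfg, ok
}

// auditHandler plays the audit management program of step S310: it answers GET with JSON.
func auditHandler(cfg ProbeConfig) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(cfg)
	}
}

// FetchConfig is the console service side of step S211: GET, decode, refuse unusable values.
func FetchConfig(url string) (ProbeConfig, error) {
	resp, err := http.Get(url)
	if err != nil {
		return ProbeConfig{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return ProbeConfig{}, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	var cfg ProbeConfig
	if err := json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
		return ProbeConfig{}, err
	}
	if cfg.MirrorPort == "" || len(cfg.SourcePorts) == 0 {
		return ProbeConfig{}, fmt.Errorf("configuration lacks a source or mirror port")
	}
	return cfg, nil
}

// SyncConfig runs steps S211 and S212 end to end against an in-process
// stand-in for the auditing device and returns what landed in the cache.
func SyncConfig() (ProbeConfig, error) {
	served := ProbeConfig{ // constructed sample configuration
		SourcePorts: []string{"lo", "eth1"}, MirrorPort: "eth0",
		CaptureFilter:  "tcp and dst host 127.0.0.1",
		CompressStatus: "on", CompressAlgo: "snappy",
		EncryptStatus: "on", EncryptAlgo: "AES", ProbeRunning: true,
	}
	srv := httptest.NewServer(auditHandler(served))
	defer srv.Close()

	cfg, err := FetchConfig(srv.URL + "/probe/config") // assumed path
	if err != nil {
		return ProbeConfig{}, err
	}
	var cache LocalCache
	cache.Put("probe-config", cfg)
	cached, _ := cache.Get("probe-config")
	return cached, nil
}
```

The validation in `FetchConfig` is the point a practitioner would add: a console service that caches whatever the management side returns would later start a capture program with no destination port, so unusable configurations are refused before they reach the cache.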
After step S210, step S220 is performed: the server acquires the internal traffic generated by the server according to the configuration information.
The internal traffic does not pass through a network device; specifically, for example, in the traffic auditing system of the first case it is the data traffic the server sends to itself, and in the traffic auditing system of the second case it is the data traffic exchanged between the first server and the second server. Acquiring the internal traffic generated by the server according to the configuration information, i.e. step S220, may include the following steps:
Step S221: the server reads the configuration information from the local cache.
In an embodiment, the server reads the configuration information from the local cache as follows: if the configuration information is stored in the RAM of the server, the server reads it from the local RAM; if the configuration information is stored in a Memcached database on the server, the server reads it from the Memcached database.
Step S222: the server acquires the internal traffic generated by the server according to the configuration information using a packet capturing and forwarding program.
As described above, the server also runs a packet capturing and forwarding program, the traffic probe including a console service program, a packet capturing and forwarding program and an audit management program. The packet capturing and forwarding program can acquire the internal traffic generated by the server according to the configuration information, and can also acquire the data traffic of a preset interface according to the configuration information, then encapsulate, encrypt and/or compress the data traffic, and send the result to the auditing device over TCP or the User Datagram Protocol (UDP).
The configuration information may include at least one source port and one mirror port, the mirror port being connected to the auditing device; the server then uses the packet capturing and forwarding program to acquire the internal traffic generated by the server according to the configuration information, for example by capturing the internal traffic of the at least one source port with the packet capturing and forwarding program. Specifically, a pcap library may be used to capture the internal traffic of the at least one source port. Another example: the IP address of the server is 10.0.0.11, and the packet capturing and forwarding program captures TCP packets whose source IP address is 10.0.0.11, destination IP address is 10.0.0.11 and destination port number is 3306; or the packet capturing and forwarding program captures TCP packets whose destination IP address is 127.0.0.1. Of course, in a specific implementation tcpdump, scapy or the libpcap library may be used to capture the internal traffic of the at least one source port.
In the implementation process, the internal traffic of the source port is acquired with the packet capturing and forwarding program and forwarded to the destination port, through which it is sent to the auditing device; in this way the performance of acquiring the internal traffic is greatly improved and the load on the server is reduced.
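The following is an added Go example, not code from the patent, showing the filter conditions of step S222 applied to raw frames. It decodes Ethernet II, IPv4 and TCP headers the way a capture program would after libpcap hands it a frame, and checks them against the two conditions given above for a server at 10.0.0.11 (source and destination 10.0.0.11 with destination port 3306, or any TCP packet addressed to 127.0.0.1); anything that is not well-formed IPv4/TCP is rejected before matching. The `CaptureRule` structure and the `BuildFrame` helper are assumptions; in a real probe the frames come from libpcap rather than being constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// CaptureRule is one packet-capture filter condition from the configuration
// information; a nil IP or zero port matches anything (assumed structure).
type CaptureRule struct {
	SrcIP   net.IP
	DstIP   net.IP
	DstPort uint16
}

type Packet struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
}

// ParseIPv4TCP decodes an Ethernet II + IPv4 + TCP frame and rejects
// anything else, so a malformed frame can never satisfy a rule.
func ParseIPv4TCP(frame []byte) (Packet, error) {
	if len(frame) < 14+20+4 {
		return Packet{}, fmt.Errorf("frame too short: %d bytes", len(frame))
	}
	if binary.BigEndian.Uint16(frame[12:14]) != 0x0800 { // EtherType IPv4
		return Packet{}, fmt.Errorf("not IPv4")
	}
	ip := frame[14:]
	ihl := int(ip[0]&0x0f) * 4 // header length in bytes, options included
	if ip[0]>>4 != 4 || ihl < 20 || len(ip) < ihl+4 {
		return Packet{}, fmt.Errorf("bad IPv4 header")
	}
	if ip[9] != 6 { // IP protocol number of TCP
		return Packet{}, fmt.Errorf("not TCP (protocol %d)", ip[9])
	}
	tcp := ip[ihl:]
	return Packet{
		SrcIP:   net.IPv4(ip[12], ip[13], ip[14], ip[15]),
		DstIP:   net.IPv4(ip[16], ip[17], ip[18], ip[19]),
		SrcPort: binary.BigEndian.Uint16(tcp[0:2]),
		DstPort: binary.BigEndian.Uint16(tcp[2:4]),
	}, nil
}

// Matches reports whether every set field of the rule agrees with the packet.
func (r CaptureRule) Matches(p Packet) bool {
	if r.SrcIP != nil && !r.SrcIP.Equal(p.SrcIP) {
		return false
	}
	if r.DstIP != nil && !r.DstIP.Equal(p.DstIP) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// IsInternalTraffic is the capture decision of step S222: the frame is
// forwarded to the auditing device if any configured rule matches it.
func IsInternalTraffic(frame []byte, rules []CaptureRule) bool {
	p, err := ParseIPv4TCP(frame)
	if err != nil {
		return false
	}
	for _, r := range rules {
		if r.Matches(p) {
			return true
		}
	}
	return false
}

// ServerRules encodes the two conditions the text gives for a server at 10.0.0.11.
func ServerRules() []CaptureRule {
	self := net.ParseIP("10.0.0.11")
	return []CaptureRule{
		{SrcIP: self, DstIP: self, DstPort: 3306},
		{DstIP: net.ParseIP("127.0.0.1")},
	}
}

// BuildFrame constructs a minimal test frame (no checksums, no payload);
// it exists only so the example runs without a live capture.
func BuildFrame(proto byte, src, dst net.IP, sport, dport uint16) []byte {
	f := make([]byte, 14+20+20)
	binary.BigEndian.PutUint16(f[12:14], 0x0800)
	ip := f[14:]
	ip[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(ip[2:4], 40)
	ip[8], ip[9] = 64, proto
	copy(ip[12:16], src.To4())
	copy(ip[16:20], dst.To4())
	binary.BigEndian.PutUint16(ip[20:22], sport)
	binary.BigEndian.PutUint16(ip[22:24], dport)
	return f
}
```

The same rules can be expressed as a pcap filter string for libpcap or tcpdump; decoding the headers explicitly, as here, is what a probe needs when it also has to log or forward the fields it matched on.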
After step S220, step S230 is performed: the server sends the internal traffic to the auditing device so that the auditing device audits the internal traffic.
The server sends the internal traffic to the auditing device, for example, as follows: the internal traffic is sent to the mirror port using the packet capturing and forwarding program so that it reaches the auditing device through the mirror port, where the mirror port may be a physical port connected to the auditing device. Of course, in a specific implementation process the communication may also be performed asynchronously, for example: when the server uses a front-end/back-end separation architecture, the packet capturing and forwarding program sends the internal traffic to the auditing device asynchronously; specifically, the front end uses a framework that separates the control layer from the view layer, such as Knockout, Angular, React or Vue, and the back end uses a framework that separates the control layer from the data access layer, such as a RESTful interface.
In the implementation process, the internal traffic of the server is acquired inside the server and then forwarded to the auditing device, which performs the auditing operation on it; this effectively solves the problem that it is difficult to audit the internal traffic of the server when that traffic does not pass through the switch.
Optionally, in this embodiment of the present application, the configuration information may include compression information; sending the internal traffic to the auditing device, i.e. step S230, may then include the following steps:
Step S231: the server compresses the internal traffic according to the compression information.
The compression information describes how the internal traffic is to be compressed and specifically includes, for example, the compression algorithm, the compression target file name, the compression temporary directory and similar information, where common compression algorithms are, for example, the snappy compression algorithm, the zip compression algorithm and the like.
The server compresses the internal traffic according to the compression information, for example: the server compresses the internal traffic with the snappy compression algorithm or the zip compression algorithm; another example: the internal traffic is first compressed with the snappy compression algorithm to obtain first compressed data, the first compressed data is then compressed with the zip compression algorithm to obtain second compressed data, and the second compressed data is taken as the compressed internal traffic; another example: the internal traffic is first compressed with the zip compression algorithm to obtain third compressed data, the third compressed data is then compressed with the snappy compression algorithm to obtain fourth compressed data, and the fourth compressed data is taken as the compressed internal traffic.
After step S231, step S232 is performed: the server sends the compressed internal traffic to the auditing device.
In an embodiment, the server sends the compressed internal traffic to the auditing device, for example, using a packet transfer mode (ATM), in which the information to be transmitted over the communication network is divided into short information units, the call control signals and check information needed for switching are added to each unit, the units are arranged into packets according to a prescribed format, and each packet is transmitted through the network as a whole. In the implementation process, the compression switch is determined to be on, the internal traffic is compressed according to the compression information, and the compressed internal traffic is sent to the auditing device, which reduces the network load, i.e. the amount of data the network has to carry.
Optionally, the configuration information may further include a compression switch state; that is, before compressing the internal traffic according to the compression information, the server determines from the compression switch state whether the switch is on, and only then compresses the internal traffic according to the compression information and sends it to the auditing device. Step S230 may then include the following steps:
Step S233: if the compression switch state is determined to be on, the server compresses the internal traffic according to the compression information.
The compression switch state indicates whether compression of the internal traffic is enabled: if the compression switch state is on, the internal traffic is compressed; correspondingly, if the compression switch state is off, the internal traffic is not compressed.
If the compression switch state is determined to be on, the server compresses the internal traffic according to the compression information, for example: the compression switch state is represented as compressStatus, which takes the two values on and off, on meaning that the compression switch is on and off meaning that it is off; if compressStatus is on, the internal traffic is compressed with the snappy compression algorithm to obtain the compressed internal traffic. In the implementation process, the internal traffic is compressed according to the compression information and the compressed internal traffic is sent to the auditing device, which reduces the network load, i.e. the amount of data the network has to carry. The implementation principle and manner of compressing the internal traffic according to the compression information are similar to those of step S231 and are therefore not repeated here; reference may be made to the description of step S231.
After step S233, step S234 is executed: the server sends the compressed internal traffic to the auditing device.
The implementation principle and manner of this step are similar to those of step S232 and are therefore not repeated here; reference may be made to the description of step S232.
Optionally, in this embodiment of the present application, the configuration information further includes encryption information; sending the internal traffic to the auditing device, i.e. step S230, may then include the following steps:
Step S235: the server encrypts the internal traffic according to the encryption information.
The encryption information describes how the internal traffic is to be encrypted and specifically includes, for example, the encryption algorithm, the encryption key or the encryption password, and the like, where the encryption algorithms include symmetric encryption algorithms and asymmetric encryption algorithms; common symmetric encryption algorithms are DES, 3DES, RC4, RC5, RC6, AES and the like, and common asymmetric encryption algorithms are RSA, Diffie-Hellman, DSA and the like.
The server encrypts the internal traffic according to the encryption information, for example: the server encrypts the internal traffic with the DES algorithm or the AES algorithm; another example: the server encrypts the internal traffic with an algorithm such as DSA. Of course, in a specific implementation the internal traffic may also be encrypted by combining a symmetric encryption algorithm with an asymmetric encryption algorithm, for example: communication is established with the asymmetric encryption algorithm and the key of the symmetric encryption algorithm is exchanged, the internal traffic is encrypted with the key of the symmetric encryption algorithm, and the encrypted internal traffic is sent; specifically, the two sides may exchange their RSA public keys, establish a communication connection, negotiate the password of the symmetric algorithm AES over that connection, encrypt the internal traffic with that password, and so on.
After step S235, step S236 is performed: the server sends the encrypted internal traffic to the auditing device.
The implementation principle and manner of this step are similar to those of step S232, except that encrypted internal traffic is sent here whereas compressed internal traffic is sent in step S232; the manner in which the server sends the encrypted internal traffic to the auditing device is therefore not repeated here, and reference may be made to the description of step S232.
Optionally, the configuration information may further include an encryption switch state; that is, before encrypting the internal traffic according to the encryption information, the server checks whether the encryption switch is on, and only then encrypts the internal traffic according to the encryption information and sends it to the auditing device. Step S230 may then include the following steps:
Step S237: if the encryption switch state is on, the server encrypts the internal traffic according to the encryption information.
The encryption switch state indicates whether encryption of the internal traffic is enabled: if the encryption switch state is on, the internal traffic is encrypted; correspondingly, if the encryption switch state is off, the internal traffic is not encrypted.
If the encryption switch state is on, the server encrypts the internal traffic according to the encryption information, for example: the encryption switch state is represented as encryptStatus, which takes the two values on and off, on meaning that the encryption switch is on and off meaning that it is off; if encryptStatus is on, the internal traffic is encrypted with the AES encryption algorithm or the DES encryption algorithm to obtain the encrypted internal traffic. In the implementation process, the internal traffic is encrypted according to the encryption information and the encrypted internal traffic is sent to the auditing device, which enhances the security of the internal traffic in transit. The implementation principle and manner of encrypting the internal traffic according to the encryption information are similar to those of step S235 and are therefore not repeated here; reference may be made to the description of step S235.
After step S237, step S238 is executed: the server sends the encrypted internal traffic to the auditing device.
The implementation principle and manner of this step are similar to those of step S236, so the manner in which the server sends the encrypted internal traffic to the auditing device is not repeated here; reference may be made to the description of step S236.
In the implementation process, the encryption switch is determined to be on, the internal traffic is encrypted according to the encryption information, and the encrypted internal traffic is sent to the auditing device, which enhances the security of the internal traffic in transit.
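The following added Go example, which is not the patent's code, covers the compression switch (steps S231 to S234) and the encryption switch (steps S235 to S238) in one sending pipeline, together with the inverse that the auditing device applies on receipt. It assumes a pre-shared AES key carried in the encryption information, uses AES in GCM mode so that a message altered in transit is rejected rather than decrypted into garbage, and uses gzip in place of snappy because the Go standard library ships no snappy codec. The `SendConfig` field names are assumptions; `CompressStatus` and `EncryptStatus` follow the page's compressStatus and encryptStatus values on and off.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

type SendConfig struct { // assumed names; the key is pre-shared with the auditing device
	CompressStatus string // "on" or "off"
	EncryptStatus  string // "on" or "off"
	EncryptKey     []byte // 16, 24 or 32 bytes for AES-128/192/256
}

// compress stands in for the snappy step of S231 (gzip: no snappy in the standard library).
func compress(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(data); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func decompress(data []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr) // reading to EOF also verifies the gzip CRC
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key length other than 16/24/32
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt is the AES step of S235 in an authenticated mode: output is nonce || ciphertext || tag.
func encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func decrypt(key, msg []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// PrepareForSend is the server side of step S230: compress if the switch is on (S233), then encrypt if on (S237).
func PrepareForSend(cfg SendConfig, traffic []byte) (out []byte, err error) {
	out = traffic
	if cfg.CompressStatus == "on" {
		if out, err = compress(out); err != nil {
			return nil, err
		}
	}
	if cfg.EncryptStatus == "on" {
		out, err = encrypt(cfg.EncryptKey, out)
	}
	return out, err
}

// Receive undoes PrepareForSend on the auditing device, in reverse order.
func Receive(cfg SendConfig, msg []byte) (out []byte, err error) {
	out = msg
	if cfg.EncryptStatus == "on" {
		if out, err = decrypt(cfg.EncryptKey, out); err != nil {
			return nil, err
		}
	}
	if cfg.CompressStatus == "on" {
		out, err = decompress(out)
	}
	return out, err
}
```

Compressing before encrypting is the only order that saves bandwidth, since ciphertext does not compress; the receiver therefore reverses the two stages. A fresh random nonce per message is what keeps GCM safe under a long-lived pre-shared key.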
Please refer to fig. 5, which is a schematic flow chart of the traffic auditing method provided in the embodiment of the present application; the traffic auditing method may include the following steps:
Step S310: the auditing device sends configuration information to the server.
As described above, the traffic probe may include a console service program, a packet capturing and forwarding program and an audit management program, with the audit management program running in the auditing device. The auditing device can send the configuration information to the server through the audit management program so that the server acquires and sends its internal traffic according to the configuration information. The auditing device can also receive the internal traffic sent by the server through the audit management program and audit it; the audit management program may also receive the detailed server configuration information that the server sends at regular intervals, and may provide remote installation, upgrade and uninstallation of the traffic probe based on the Secure Shell (SSH) protocol, for example by receiving a remote connection command entered by a user and installing, upgrading or uninstalling the traffic probe remotely according to that command. SSH is a security protocol built on the application layer; it is currently a comparatively reliable protocol that provides security for remote login sessions and other network services.
The auditing device sends the configuration information to the server, for example, as follows: the auditing device receives an information request from the server, the information request asking for the configuration information, and sends the configuration information to the server over HTTP according to that request. Of course, in a specific implementation the configuration information may also be sent to the server using the File Transfer Protocol (FTP). FTP is a standard protocol for transferring files over a network; it belongs to the fourth layer of the TCP/IP model, the application layer, and uses TCP rather than UDP for transport, so the client goes through a three-way handshake before the connection to the server is established, which ensures that the connection between client and server is reliable; FTP is thus connection-oriented and provides a reliable guarantee for data transmission.
Step S320: the server receives the configuration information sent by the auditing device.
The implementation principle and manner of this step are similar to those of step S210 and are therefore not repeated here; reference may be made to the description of step S210.
Step S330: the server acquires the internal traffic generated by the server according to the configuration information.
The implementation principle and manner of this step are similar to those of step S220 and are therefore not repeated here; reference may be made to the description of step S220.
Step S340: the server sends the internal traffic to the auditing device.
The implementation principle and manner of this step are similar to those of step S230 and are therefore not repeated here; reference may be made to the description of step S230. The purpose of the server sending the internal traffic to the auditing device is to enable the auditing device to audit the internal traffic.
Step S350: the auditing device receives the internal traffic sent by the server and audits the internal traffic.
The implementation principle and manner in which the auditing device receives the internal traffic sent by the server are similar to those of step S211 and are therefore not repeated here; reference may be made to the description of step S211. The auditing of the internal traffic is described here in more detail: if unauthorized access to the service system is detected from the internal traffic, information such as the potential hazard level and the urgency of the unauthorized access is displayed immediately on the auditing device; in a specific implementation, besides unauthorized access, behaviours such as access authorization, illegal intrusion and illegal operation may also be detected, and an audit report may be generated for them so that audit staff can read the report and understand the security status of the whole network system, of the server, and so on.
In the implementation process, the internal traffic of the server is acquired inside the server and forwarded to the auditing device, which performs the auditing operation on it; this effectively solves the problem that it is difficult to audit the internal traffic of the server when that traffic does not pass through the switch.
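As an added Go example of the auditing step S350, not taken from the patent, the following checks decoded internal-traffic records against an access policy for the audited service port and turns each unauthorized access into a finding that carries a hazard level and an urgency, ordered most severe first, which is what the auditing device would display. The record and policy formats, the service name for port 3306, the constructed sample records and the severity and urgency labels are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// FlowRecord is one internal-traffic connection as the auditing device sees
// it after decoding (assumed record format).
type FlowRecord struct {
	SrcIP   string
	DstIP   string
	DstPort uint16
	Account string // application account seen in the protocol, "" if none
}

// AccessPolicy lists who may reach an audited service port (assumed format).
type AccessPolicy struct {
	Service         string
	Port            uint16
	AllowedSources  map[string]bool
	AllowedAccounts map[string]bool
}

// Finding is what the auditing device displays: the kind of behaviour, its
// potential hazard level and urgency, and a one-line explanation.
type Finding struct {
	Kind     string
	Severity string
	Urgency  string
	Detail   string
}

// Audit is the auditing step of S350: each record is checked against the
// policy of its destination port and findings come back most severe first.
func Audit(records []FlowRecord, policies []AccessPolicy) []Finding {
	byPort := map[uint16]AccessPolicy{}
	for _, p := range policies {
		byPort[p.Port] = p
	}
	var out []Finding
	for _, r := range records {
		p, audited := byPort[r.DstPort]
		if !audited {
			continue // not an audited service port
		}
		switch {
		case !p.AllowedSources[r.SrcIP]:
			out = append(out, Finding{"unauthorized access", "high", "immediate",
				fmt.Sprintf("%s reached %s at %s:%d from an unlisted host", r.SrcIP, p.Service, r.DstIP, r.DstPort)})
		case r.Account != "" && !p.AllowedAccounts[r.Account]:
			out = append(out, Finding{"unauthorized access", "medium", "same day",
				fmt.Sprintf("account %q is not authorized for %s", r.Account, p.Service)})
		}
	}
	rank := map[string]int{"high": 0, "medium": 1, "low": 2}
	sort.SliceStable(out, func(i, j int) bool { return rank[out[i].Severity] < rank[out[j].Severity] })
	return out
}

// SampleAudit runs Audit over constructed records for a server at 10.0.0.11
// whose database listens on port 3306 (service name assumed).
func SampleAudit() []Finding {
	policies := []AccessPolicy{{
		Service: "mysql", Port: 3306,
		AllowedSources:  map[string]bool{"10.0.0.11": true, "127.0.0.1": true},
		AllowedAccounts: map[string]bool{"app": true},
	}}
	records := []FlowRecord{ // constructed sample records
		{"10.0.0.11", "10.0.0.11", 3306, "app"},  // normal: program to local database
		{"10.0.0.11", "10.0.0.11", 3306, "root"}, // account not on the list
		{"10.0.0.50", "10.0.0.11", 3306, "app"},  // host not on the list
		{"10.0.0.11", "10.0.0.11", 8080, ""},     // port not audited
	}
	return Audit(records, policies)
}
```

The policy is deliberately an allow list: on internal traffic that never crosses a switch, the only hosts that should ever reach the database port are the server itself and loopback, so anything else is reported rather than ignored.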
Please refer to fig. 6, which is a schematic structural diagram of a traffic auditing apparatus applied to a server according to an embodiment of the present application; the embodiment of the present application provides a traffic auditing apparatus 400, applied to the server 110, which includes:
a configuration information obtaining module 410, configured to obtain configuration information for acquiring traffic;
an internal traffic obtaining module 420, configured to acquire, according to the configuration information, the internal traffic generated by the server, where the internal traffic does not pass through a network device; and
an internal traffic sending module 430, configured to send the internal traffic to the auditing device so that the auditing device audits the internal traffic.
Optionally, in this embodiment of the present application, the server runs a console service program, and the configuration information obtaining module includes:
a configuration information receiving module, configured to receive the configuration information sent by the auditing device using the console service program; and
a configuration information storage module, configured to store the configuration information in the local cache.
Optionally, in this embodiment of the present application, a packet capturing and forwarding program runs on the server, and the internal traffic obtaining module includes:
a configuration information reading module, configured to read the configuration information from the local cache; and
a first traffic acquisition module, configured to acquire the internal traffic generated by the server according to the configuration information using the packet capturing and forwarding program.
Optionally, in an embodiment of the present application, the configuration information includes at least one source port and one mirror port, the mirror port being connected to the auditing device, and the internal traffic obtaining module includes:
a second traffic acquisition module, configured to acquire the internal traffic of the at least one source port using the packet capturing and forwarding program;
and the internal traffic sending module includes:
a first traffic sending module, configured to send the internal traffic to the mirror port using the packet capturing and forwarding program so that the internal traffic is sent to the auditing device through the mirror port.
Optionally, in an embodiment of the present application, the configuration information includes compression information, and the internal traffic sending module includes:
an internal traffic compression module, configured to compress the internal traffic according to the compression information; and
a second traffic sending module, configured to send the compressed internal traffic to the auditing device.
Optionally, in an embodiment of the present application, the configuration information includes a compression switch state, and the traffic auditing apparatus further includes:
a first state determination module, configured to determine that the compression switch state is on.
Optionally, in an embodiment of the present application, the configuration information includes encryption information, and the internal traffic sending module includes:
an internal traffic encryption module, configured to encrypt the internal traffic according to the encryption information; and
a third traffic sending module, configured to send the encrypted internal traffic to the auditing device.
Optionally, in an embodiment of the present application, the configuration information includes an encryption switch state, and the traffic auditing apparatus further includes:
a second state determination module, configured to determine that the encryption switch state is on.
The embodiment of the present application further provides a traffic auditing apparatus applied to the auditing device, which includes:
a configuration information sending module, configured to send the configuration information to the server so that the server acquires and sends its internal traffic according to the configuration information; and
an internal traffic receiving module, configured to receive the internal traffic sent by the server and audit the internal traffic.
Please refer to fig. 7, which is a schematic structural diagram of the server provided in the embodiment of the present application; the embodiment of the present application provides a server 110 that includes a first processor 113, a first memory 114, a storage medium 115 and a first network interface 116. The first memory 114 stores machine-readable instructions executable by the first processor 113 which, when executed by the first processor 113, perform the method of steps S210 to S230; the first network interface 116 is used for communicating with the auditing device 120. The storage medium 115 stores a computer program which, when executed by the first processor 113, performs the methods of steps S210 to S230 and steps S320 to S340.
The storage medium 115 may be implemented by any type of volatile or nonvolatile storage device or combination thereof, such as a Static Random Access Memory (SRAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), an Erasable Programmable Read-Only Memory (EPROM), a Programmable Read-Only Memory (PROM), a Read-Only Memory (ROM), a magnetic Memory, a flash Memory, a magnetic disk, or an optical disk.
Please refer to fig. 8, which illustrates a schematic structural diagram of an audit device provided in an embodiment of the present application. An embodiment of the present application provides an audit device 120, including: a second processor 121, a second memory 122 and a second network interface 123, the second network interface 123 being used for communicating with the server 110, the second memory 122 storing machine-readable instructions executable by the second processor 121, the machine-readable instructions, when executed by the second processor 121, performing the method of steps S310 and S350.
It should be understood that the apparatus corresponds to the above method embodiment, and can perform the steps related to the above method embodiment, the specific functions of the apparatus can be referred to the above description, and the detailed description is appropriately omitted here to avoid redundancy. The device includes at least one software function that can be stored in memory in the form of software or firmware (firmware) or solidified in the Operating System (OS) of the device.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an alternative embodiment of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the embodiments of the present application, and all the changes or substitutions should be covered by the scope of the embodiments of the present application.

Claims (9)

1. A flow auditing method, applied to a server, comprising the following steps:
obtaining configuration information for acquiring traffic;
acquiring, according to the configuration information, internal traffic generated by the server, wherein the internal traffic does not pass through a network device; and
sending the internal traffic to an auditing device so that the auditing device audits the internal traffic;
wherein the configuration information includes compression information, and the sending the internal traffic to the auditing device comprises:
compressing the internal traffic according to the compression information;
dividing the compressed internal traffic into multiple information units, adding to each information unit the control signal and check information needed for the exchange, and arranging the result into a packet according to a specified format; and
sending the packet to the auditing device.
2. The method of claim 1, wherein a console service program runs on the server, and the obtaining configuration information for acquiring traffic comprises:
receiving, by the console service program, the configuration information sent by the auditing device; and
storing the configuration information in a local cache.
3. The method of claim 2, wherein a packet capturing and forwarding program runs on the server, and the acquiring internal traffic generated by the server according to the configuration information comprises:
reading the configuration information from the local cache; and
acquiring, by the packet capturing and forwarding program, the internal traffic generated by the server according to the configuration information.
4. The method of claim 3, wherein the configuration information comprises at least one source port and a mirror port, the mirror port is connected to the auditing device, and the acquiring, by the packet capturing and forwarding program, the internal traffic generated by the server according to the configuration information comprises:
acquiring, by the packet capturing and forwarding program, the internal traffic of the at least one source port;
and the sending the internal traffic to an auditing device comprises:
sending, by the packet capturing and forwarding program, the internal traffic to the mirror port so that the internal traffic is sent to the auditing device through the mirror port.
5. The method of claim 1, wherein the configuration information further comprises a compression switch state, and before the compressing the internal traffic according to the compression information, the method further comprises:
determining that the compression switch state is on.
6. The method of claim 1, wherein the configuration information comprises encryption information, and the sending the internal traffic to an auditing device comprises:
encrypting the internal traffic according to the encryption information; and
sending the encrypted internal traffic to the auditing device.
7. The method of claim 6, wherein the configuration information further comprises an encryption switch state, and before the encrypting the internal traffic according to the encryption information, the method further comprises:
determining that the encryption switch state is on.
8. A flow auditing apparatus, applied to a server, comprising:
a configuration information acquisition module, used to acquire configuration information for acquiring traffic;
an internal traffic acquisition module, configured to acquire, according to the configuration information, internal traffic generated by the server, wherein the internal traffic does not pass through a network device; and
an internal traffic sending module, used to send the internal traffic to an auditing device so that the auditing device audits the internal traffic;
wherein the configuration information includes compression information, and the internal traffic sending module is specifically configured to:
compress the internal traffic according to the compression information;
divide the compressed internal traffic into multiple information units, add to each information unit the control signal and check information needed for the exchange, and arrange the result into a packet according to a specified format; and
send the packet to the auditing device.
9. A server, comprising a first processor and a first memory, the first memory storing machine-readable instructions executable by the first processor, the machine-readable instructions, when executed by the first processor, performing the method of any one of claims 1 to 7.
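The compress, split and frame steps of claim 1, together with the switch check of claim 5 and the verification the auditing device needs before it trusts what it receives, as an added Python example. This is not the patent's own code: the header layout (`HEADER`, `MAGIC`, the flag values), the `Config` fields and the sample loopback traffic are constructed for illustration. The encryption step of claim 6 is not shown because the standard library has no authenticated cipher; in a deployment the compressed body would be sealed with an AEAD, or the whole server-to-auditor session wrapped in TLS, before the CRC-framed packets leave the host, since a CRC detects accidental corruption but not deliberate tampering.

```python
"""Traffic framing pipeline of claim 1, as an added example (not the patent's code).

Server side: optionally compress the captured internal traffic, split it into
information units, prefix each unit with a control signal and check information,
and hand the resulting packets to the auditing device.  Auditing side: validate
every unit before trusting the reassembled traffic.  The header layout, flag
values and sample traffic below are constructed for illustration.
"""
from __future__ import annotations

import struct
import zlib
from dataclasses import dataclass

# Constructed header: magic, flags, unit index, unit count, CRC-32, payload length.
HEADER = struct.Struct("!2sBHHII")
MAGIC = b"TA"
FLAG_COMPRESSED = 0x01   # unit payload is part of a zlib stream
FLAG_LAST = 0x02         # unit closes the message


@dataclass
class Config:
    """Subset of the configuration information the auditing device pushes (assumed fields)."""
    compress_switch_on: bool = True   # claim 5: compression switch state
    compress_level: int = 6           # claim 1: compression information
    unit_size: int = 64               # max payload bytes per information unit


def build_packets(internal_traffic: bytes, cfg: Config) -> list[bytes]:
    """Server side: compress if the switch is on, split into units, add the
    control signal (header) and check information (CRC-32) to each unit."""
    flags = 0
    body = internal_traffic
    if cfg.compress_switch_on:
        body = zlib.compress(internal_traffic, cfg.compress_level)
        flags |= FLAG_COMPRESSED
    units = [body[i:i + cfg.unit_size] for i in range(0, len(body), cfg.unit_size)] or [b""]
    packets = []
    for idx, unit in enumerate(units):
        unit_flags = flags | (FLAG_LAST if idx == len(units) - 1 else 0)
        header = HEADER.pack(MAGIC, unit_flags, idx, len(units),
                             zlib.crc32(unit) & 0xFFFFFFFF, len(unit))
        packets.append(header + unit)
    return packets


def reassemble(packets: list[bytes]) -> bytes:
    """Auditing device side: reject any unit whose control signal or checksum
    does not line up, so a corrupted, reordered or truncated transfer is never
    fed to the auditor as if it were the server's real traffic."""
    if not packets:
        raise ValueError("no packets received")
    body = bytearray()
    expected_count = None
    compressed = None
    for idx, pkt in enumerate(packets):
        if len(pkt) < HEADER.size:
            raise ValueError(f"unit {idx}: truncated header")
        magic, flags, unit_idx, count, crc, length = HEADER.unpack_from(pkt)
        payload = pkt[HEADER.size:]
        if magic != MAGIC:
            raise ValueError(f"unit {idx}: bad magic")
        if unit_idx != idx or (expected_count is not None and count != expected_count):
            raise ValueError(f"unit {idx}: control signal out of sequence")
        expected_count = count
        if len(payload) != length or (zlib.crc32(payload) & 0xFFFFFFFF) != crc:
            raise ValueError(f"unit {idx}: check information mismatch")
        is_compressed = bool(flags & FLAG_COMPRESSED)
        if compressed is None:
            compressed = is_compressed
        elif compressed != is_compressed:
            raise ValueError(f"unit {idx}: inconsistent compression flag")
        if bool(flags & FLAG_LAST) != (idx == count - 1):
            raise ValueError(f"unit {idx}: last-unit flag inconsistent with count")
        body += payload
    if len(packets) != expected_count:
        raise ValueError(f"expected {expected_count} units, got {len(packets)}")
    return zlib.decompress(bytes(body)) if compressed else bytes(body)


# Constructed sample of internal (loopback) traffic; a real capture would come
# from the packet capturing and forwarding program on the configured source port.
SAMPLE_TRAFFIC = b"".join(
    b"127.0.0.1:51234 -> 127.0.0.1:3306 SELECT id FROM users WHERE id=%d;\n" % i
    for i in range(20)
)


def demo() -> dict:
    """Round-trip the sample with and without compression; returns packet counts."""
    compressed = build_packets(SAMPLE_TRAFFIC, Config())
    plain = build_packets(SAMPLE_TRAFFIC, Config(compress_switch_on=False))
    assert reassemble(compressed) == SAMPLE_TRAFFIC
    assert reassemble(plain) == SAMPLE_TRAFFIC
    return {"compressed_units": len(compressed), "plain_units": len(plain)}


if __name__ == "__main__":
    print(demo())
```

Run it directly to see how many units the sample needs with the compression switch on versus off. The point of `reassemble` is that the auditor checks sequence, count and checksum per unit before decompressing anything, so a truncated or reordered transfer is rejected instead of being audited as if it were complete.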
CN201911138606.0A 2019-11-18 2019-11-18 Flow auditing method and device, server and auditing equipment Active CN110855699B (en)

Publications (2)

Publication Number Publication Date
CN110855699A CN110855699A (en) 2020-02-28
CN110855699B true CN110855699B (en) 2022-03-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant