CN113114636A - Process flow auditing method and system of controlled host - Google Patents

Info

Publication number: CN113114636A
Authority: CN (China)
Prior art keywords: message, flow, auditing, flow information, information table
Legal status: Pending
Application number: CN202110325022.5A
Other languages: Chinese (zh)
Inventors: 何建锋, 刘江南, 李长江
Current assignee: Xi'an Jiaotong University Jump Network Technology Co ltd
Original assignee: Xi'an Jiaotong University Jump Network Technology Co ltd
Priority date: 2021-03-26
Filing date: 2021-03-26
Publication date: 2021-07-13

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0893 Assignment of logical groups to network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The invention discloses a process traffic auditing method and system for a controlled host. All IP packet traffic sent and received over the full life cycle of a process is recorded, so that the process traffic can be audited more comprehensively according to a configured policy; storage and lookup are performed in user mode, which avoids the performance problem caused by frequently traversing an array in kernel mode. At the same time, the traffic information of processes that are no longer alive is removed, so that redundant data is not recorded and system resources are used more efficiently.

Description

Process flow auditing method and system of controlled host
Technical Field
The invention belongs to the technical field of host security monitoring and auditing, and particularly relates to a method and a system for auditing process flow of a controlled host.
Background
With the further development of communication and network technologies, network security is becoming increasingly important. From the perspective of network operators and administrators, it is desirable to protect and control access to, and reading and writing of, information on the local network; to avoid threats such as 'trapdoors', viruses, illegal access, denial of service, and illegal occupation or control of network resources; and to prevent and defend against attacks by network hackers.
To find problems in a network, network data generally has to be analyzed. Most common network analysis targets data packets, addresses, sessions, protocols and the like. Although such analysis can determine information such as the type and size of the packets, it cannot determine their source, namely which software generated them, so further, more targeted security detection cannot be performed.
Process traffic auditing in current host monitoring systems can effectively determine the source that generates the data. However, it has many disadvantages: it is difficult to audit traffic over the whole life cycle of a process, the data lookup and processing is complex, and the traffic information contains a large amount of redundant data, which wastes system resources.
Disclosure of Invention
Based on the above background, the present invention is directed to a process traffic auditing method and system for a controlled host, so as to audit the process traffic of the controlled host completely, reduce redundant data, and improve the resource utilization efficiency of the system. The specific technical scheme is as follows:
In a first aspect, a method for auditing the process traffic of a controlled host is provided, which includes:
capturing a host packet, obtaining the host process that sends or receives the packet, and parsing the packet to determine the size of its data part;
judging whether the process exists in a process traffic information table: if it exists, adding the size of the packet data part to the accumulated traffic value of the process in the table; if it does not exist, creating a correspondence between the process, the packet direction and the data part size;
and auditing the traffic information of each process in the process traffic information table according to a preset policy.
Preferably, auditing the traffic information of each process in the process traffic information table includes: periodically judging whether the accumulated recording time of the traffic information corresponding to a process in the table is greater than a threshold configured by the policy, and clearing the traffic information of that process if it is.
Further, the auditing further includes: judging whether the total traffic value of the process within a specified time exceeds a threshold configured by the policy, and if so, generating an audit log and raising an alarm.
And the auditing further includes: within a specified period, if the average sending or receiving traffic of the process in every 5 seconds exceeds a threshold configured by the policy, generating an audit log and raising an alarm.
Preferably, if the process does not exist in the process traffic information table, the correspondence is created and its creation time is saved.
Further, before a new correspondence between the process, the packet direction and the size of the application-layer data part is created, if the process traffic information table has reached its maximum capacity, the new data overwrites the oldest data in order of the creation time of the correspondences.
Preferably, the process ID, the packet direction and the packet data part size are assembled into a struct and sent to user mode, where the process traffic information table is stored in a map. The process traffic information table comprises the process ID, process name, data direction and accumulated traffic in the corresponding direction, where the data direction is either packet sending or packet receiving.
Further, the traffic information of a process includes the sending and receiving traffic of the TCP, UDP and ICMP packets counted for the process.
In a second aspect, a process traffic auditing system is provided, comprising:
a packet capturing module, used to capture IP packets of the LOCAL_INPUT and LOCAL_OUTPUT chains of the controlled host through netfilter;
an analysis module, used to parse the captured packet, count the size of its data part, and send the process ID, packet direction and data part size to the search module;
a search module, used to look up, by the received process ID, whether a corresponding process name exists in the process traffic information table in the storage module; if it exists, adding the packet data part size to the corresponding traffic value in the table; otherwise, creating a correspondence between the process, the packet direction and the data part size;
a storage module, used to store the process traffic information table;
and an auditing module, used to audit the traffic information of each process in the process traffic information table according to a preset policy.
The auditing module:
periodically judges whether the accumulated recording time of the traffic information corresponding to a process in the process traffic information table is greater than a threshold configured by the policy, and if so, clears the traffic information of that process;
judges whether the total traffic value of the process within a specified time exceeds a threshold configured by the policy, and if so, generates an audit log and raises an alarm;
and, within a specified period, if the average sending or receiving traffic of the process in every 5 seconds exceeds a threshold configured by the policy, generates an audit log and raises an alarm.
By adopting this technical scheme, the invention has the following beneficial effects: all IP packet traffic sent and received over the full life cycle of a process is recorded, so that the process traffic can be audited more comprehensively according to the configured policy; storage and lookup are performed in user mode, avoiding the performance problem caused by frequently traversing an array in kernel mode; at the same time, the traffic information of processes that are no longer alive is removed, redundant data is not recorded, and system resources are used more efficiently.
Drawings
FIG. 1 is a schematic diagram of a process flow auditing method of a controlled host according to an embodiment of the present invention;
FIG. 2 is a block diagram of an embodiment of a process traffic auditing system of a controlled host according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention.
As shown in fig. 1, a process traffic auditing method of a controlled host includes:
Step 1: capturing a host packet, obtaining the host process that sends or receives the packet, and parsing the packet to determine the size of its data part;
Step 2: judging whether the process exists in a process traffic information table:
if the process already exists, adding the size of the packet data part to the accumulated traffic value of the process in the table;
if the process does not exist, creating a correspondence between the process, the packet direction and the data part size, and saving the creation time at the same time. Before a new correspondence between the process, the packet direction and the size of the application-layer data part is created, if the amount of data in the process traffic information table has reached its maximum capacity, the new data overwrites the old data in order of the creation time of the correspondences.
The process ID, the packet direction and the packet data part size are assembled into a struct and sent to user mode, where the process traffic information table is stored in a map. The process traffic information table comprises the process ID, process name, data direction and accumulated traffic in the corresponding direction, where the data direction is either packet sending or packet receiving.
Further, the traffic information of a process includes the sending and receiving traffic of the TCP, UDP and ICMP packets counted for the process.
Step 3: auditing the traffic information of each process in the process traffic information table according to a preset policy, which comprises the following steps:
periodically judging whether the accumulated recording time of the traffic information corresponding to a process in the process traffic information table is greater than a threshold configured by the policy, and if so, clearing the traffic information of that process;
judging whether the total traffic value of the process within a specified time exceeds a threshold configured by the policy, and if so, generating an audit log and raising an alarm;
and, within a specified period, if the average sending or receiving traffic of the process in every 5 seconds exceeds a threshold configured by the policy, generating an audit log and raising an alarm.
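The user-mode bookkeeping of steps 2 and 3 above, written as an added example in Python (this is not the patent's code): a table keyed by process ID with per-direction byte counters and a saved creation time, capacity-bounded insertion that overwrites the oldest correspondence, and the three audit checks (clearing stale rows, total-volume threshold, per-5-second average threshold). The `Record` field layout, the `Policy` values, the process-name resolver and the choice to take the 5-second average over the row's lifetime are all assumptions.

```python
from collections import OrderedDict
from dataclasses import dataclass, field

SEND, RECV = "send", "recv"


@dataclass
class Record:
    """One struct handed up from the kernel hook (assumed field layout)."""
    pid: int
    direction: str      # SEND for LOCAL_OUTPUT, RECV for LOCAL_INPUT
    payload_len: int    # size of the packet data part, in bytes
    ts: float           # capture time, seconds


@dataclass
class Entry:
    """One row of the process traffic information table."""
    name: str
    created: float      # saved when the correspondence is first created
    bytes: dict = field(default_factory=lambda: {SEND: 0, RECV: 0})


@dataclass
class Policy:
    """Policy thresholds; the values are assumptions chosen for the demo."""
    max_entries: int = 3            # table capacity before the oldest row is overwritten
    max_record_age: float = 600.0   # seconds of accumulated recording time before a row is cleared
    total_limit: int = 10_000       # total bytes in the period before an alarm
    avg_per_5s_limit: int = 1_000   # bytes per 5 s in either direction before an alarm


class ProcessTrafficTable:
    def __init__(self, policy, resolve_name):
        self.policy = policy
        self.resolve_name = resolve_name      # pid -> process name, e.g. read from /proc/<pid>/comm
        self.table = OrderedDict()            # pid -> Entry, oldest creation first

    def ingest(self, rec):
        """Step 2: accumulate into an existing row or create one, evicting the oldest when full."""
        entry = self.table.get(rec.pid)
        if entry is None:
            if len(self.table) >= self.policy.max_entries:
                self.table.popitem(last=False)     # overwrite the oldest correspondence
            entry = Entry(self.resolve_name(rec.pid), rec.ts)
            self.table[rec.pid] = entry
        entry.bytes[rec.direction] += rec.payload_len

    def audit(self, now):
        """Step 3: clear stale rows, then return (pid, name, rule, value) alarms for the caller to log."""
        alarms = []
        for pid in list(self.table):
            e = self.table[pid]
            age = now - e.created
            if age > self.policy.max_record_age:
                del self.table[pid]                # process no longer tracked: drop its row
                continue
            total = e.bytes[SEND] + e.bytes[RECV]
            if total > self.policy.total_limit:
                alarms.append((pid, e.name, "total", total))
            window = max(age, 5.0)                 # average over the row's lifetime (assumption)
            for d in (SEND, RECV):
                avg5 = e.bytes[d] * 5.0 / window
                if avg5 > self.policy.avg_per_5s_limit:
                    alarms.append((pid, e.name, f"avg5s_{d}", int(round(avg5))))
        return alarms


def run_demo():
    """Feed constructed records through the table and return what each check produced."""
    names = {1001: "firefox", 1002: "sshd", 1003: "curl", 1004: "nginx"}
    t = ProcessTrafficTable(Policy(), lambda pid: names.get(pid, "?"))
    for rec in [                                   # constructed sample of kernel records
        Record(1002, SEND, 400, 0.0),
        Record(1001, RECV, 6000, 1.0),
        Record(1001, RECV, 6000, 2.0),
        Record(1003, SEND, 3000, 3.0),
        Record(1004, RECV, 100, 4.0),              # table full: sshd (oldest) is overwritten
    ]:
        t.ingest(rec)
    alarms = t.audit(now=12.0)                     # firefox trips total and average; curl trips average
    pids_after_audit = list(t.table)
    t.audit(now=602.0)                             # firefox row (created at 1.0) is now stale and cleared
    return alarms, pids_after_audit, list(t.table)
```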
As shown in fig. 2, a process traffic auditing system includes:
a packet capturing module, used to capture IP packets of the LOCAL_INPUT and LOCAL_OUTPUT chains of the controlled host through netfilter;
an analysis module, used to parse the captured packet, count the size of its data part, and send the process ID, packet direction and data part size to the search module;
a search module, used to look up, by the received process ID, whether a corresponding process name exists in the process traffic information table in the storage module; if it exists, adding the packet data part size to the corresponding traffic value in the table; otherwise, creating a correspondence between the process, the packet direction and the data part size;
a storage module, used to store the process traffic information table;
and an auditing module, used to audit the traffic information of each process in the process traffic information table according to a preset policy.
The auditing module:
periodically judges whether the accumulated recording time of the traffic information corresponding to a process in the process traffic information table is greater than a threshold configured by the policy, and if so, clears the traffic information of that process;
judges whether the total traffic value of the process within a specified time exceeds a threshold configured by the policy, and if so, generates an audit log and raises an alarm;
and, within a specified period, if the average sending or receiving traffic of the process in every 5 seconds exceeds a threshold configured by the policy, generates an audit log and raises an alarm.
The specific process by which the auditing system performs process traffic auditing comprises the following steps:
IP packets of the LOCAL_INPUT and LOCAL_OUTPUT chains are captured using netfilter. An INPUT packet is one sent by another host on the network to a local process, which happens, for example, when other users on the network access the local HTTP service. An OUTPUT packet is one generated by a local process; such packets are generated, for example, when a local user runs Firefox to access other hosts on the network.
Packets of the specified protocols are parsed and filtered, the size of their data part is counted, and the packet direction, the data part size and the corresponding process ID are assembled into a struct that is sent to user mode;
user mode stores the process traffic information table in a map; when data is received from kernel mode, the process name corresponding to the process ID in the data is looked up, and then the map is used.
The corresponding traffic information is looked up in the user-mode process traffic information table by the process ID in the struct: if it is found, the recorded upload (sending) or download (receiving) traffic is increased by the data part size according to the data direction; if it is not found, the data received from kernel mode is inserted into the map under the process name.
The above embodiments of the process traffic auditing method and system for a controlled host can record all IP packet traffic sent and received over the whole life cycle of a process, and place the lookup in user mode, avoiding the performance problem caused by frequently traversing an array in kernel mode; they clear the traffic information of processes that are no longer alive and avoid recording redundant data, which helps improve the utilization efficiency of system resources.
Those skilled in the art will appreciate that all or part of the steps of the method in the above embodiments may be implemented by a program stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disk.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles disclosed herein.

Claims (10)

1. A process traffic auditing method for a controlled host, characterized in that it comprises the following steps:
capturing a host packet, obtaining the host process that sends or receives the packet, and parsing the packet to determine the size of its data part;
judging whether the process exists in a process traffic information table: if it exists, adding the size of the packet data part to the accumulated traffic value of the process in the table; if it does not exist, creating a correspondence between the process, the packet direction and the data part size;
and auditing the traffic information of each process in the process traffic information table according to a preset policy.
2. The process traffic auditing method according to claim 1, wherein said auditing the traffic information of each process in the process traffic information table includes: periodically judging whether the accumulated recording time of the traffic information corresponding to a process in the process traffic information table is greater than a threshold configured by the policy, and clearing the traffic information of that process if it is.
3. The process traffic auditing method according to claim 1, wherein said auditing the traffic information of each process in the process traffic information table further includes: judging whether the total traffic value of the process within a specified time exceeds a threshold configured by the policy, and if so, generating an audit log and raising an alarm.
4. The process traffic auditing method according to claim 1, wherein said auditing the traffic information of each process in the process traffic information table further includes: within a specified period, if the average sending or receiving traffic of the process in every 5 seconds exceeds a threshold configured by the policy, generating an audit log and raising an alarm.
5. The method according to claim 1, wherein if the process does not exist in the process traffic information table, the creation time is saved when the correspondence is created.
6. The process traffic auditing method according to claim 5, wherein, before the correspondence between the process, the packet direction and the size of the application-layer data part is created, if the process traffic information table has reached its maximum capacity, the new data overwrites the old data in order of the creation time of the correspondences.
7. The process traffic auditing method according to any one of claims 1-6, wherein the process ID, packet direction and packet data part size are assembled into a struct and sent to user mode, which stores the process traffic information in a map; the process traffic information includes the process ID, process name, data direction and accumulated traffic in the corresponding direction, where the data direction is either packet sending or packet receiving.
8. The method of claim 7, wherein the accumulated traffic of the process includes the sending and receiving traffic of the TCP, UDP and ICMP packets counted for the process.
9. A process traffic auditing system, characterized in that it comprises:
a packet capturing module, used to capture IP packets of the LOCAL_INPUT and LOCAL_OUTPUT chains of the controlled host through netfilter;
an analysis module, used to parse the captured packet, count the size of its data part, and send the process ID, packet direction and data part size to the search module;
a search module, used to look up, by the received process ID, whether a corresponding process name exists in the process traffic information table in the storage module; if it exists, adding the packet data part size to the corresponding traffic value in the table; otherwise, creating a correspondence between the process, the packet direction and the data part size;
a storage module, used to store the process traffic information table;
and an auditing module, used to audit the traffic information of each process in the process traffic information table according to a preset policy.
10. The process traffic auditing system of claim 9, wherein the auditing module:
periodically judges whether the accumulated recording time of the traffic information corresponding to a process in the process traffic information table is greater than a threshold configured by the policy, and if so, clears the traffic information of that process;
judges whether the total traffic value of the process within a specified time exceeds a threshold configured by the policy, and if so, generates an audit log and raises an alarm;
and, within a specified period, if the average sending or receiving traffic of the process in every 5 seconds exceeds a threshold configured by the policy, generates an audit log and raises an alarm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110325022.5A CN113114636A (en) 2021-03-26 2021-03-26 Process flow auditing method and system of controlled host

Publications (1)

Publication Number Publication Date
CN113114636A true CN113114636A (en) 2021-07-13

Family

ID=76712273

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500115A (en) * 2022-04-14 2022-05-13 浙江齐安信息科技有限公司 Auditing device, system and method for flow data packet
CN115580657A (en) * 2022-12-08 2023-01-06 北京亿赛通科技发展有限责任公司 Method and device for auditing and protecting tandem flow based on process separation
CN115580657B (en) * 2022-12-08 2023-03-10 北京亿赛通科技发展有限责任公司 Method and device for auditing and protecting serial flow based on process separation

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination