CN113760642A - Monitoring processing method and device - Google Patents

Monitoring processing method and device Download PDF

Info

Publication number
CN113760642A
CN113760642A (application CN202110185187.7A)
Authority
CN
China
Prior art keywords
host
monitoring
index
monitoring index
acquisition
Prior art date
Legal status
Pending
Application number
CN202110185187.7A
Other languages
Chinese (zh)
Inventor
孙城城
陈玉杰
Current Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd and Beijing Wodong Tianjun Information Technology Co Ltd
Priority to CN202110185187.7A
Publication of CN113760642A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G06F 11/3072 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting
    • G06F 11/3075 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, the data filtering being achieved in order to maintain consistency among the monitored data, e.g. ensuring that the monitored data belong to the same timeframe, to the same system or component
    • G06F 11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F 11/3409 Recording or statistical evaluation of computer activity for performance assessment

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computer Hardware Design (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a monitoring processing method and device and relates to the technical field of computers. In one specific implementation, the method comprises: querying a security event analysis library at regular intervals and obtaining, for each index, the number and level of security events within a preset time period; calculating a monitoring index weight coefficient for each host from the number and level of the security events and the importance level of the host, and from it the collection time interval of each monitoring index of each host; receiving a heartbeat uploaded by a host and returning the collection time intervals of all its monitoring indexes in the heartbeat response, so that the host adjusts the collection time intervals of its monitoring indexes. The method and device thus address the lack of targeting and the long security response time of monitoring in existing big data scenarios.

Description

Monitoring processing method and device
Technical Field
The invention relates to the technical field of computers, in particular to a monitoring processing method and a monitoring processing device.
Background
With the development of computer networks and the increasing degree of informatization, the number of users keeps growing and users' requirements for computer information security keep rising. At present the industry has achieved remote monitoring of host security: behaviour information such as host processes, network connections and files can be monitored, the information collected on the endpoint is gathered for analysis, and once malicious attack behaviour is found the infected scope is locked down and an alarm is triggered.
In the course of implementing the invention, the inventors found that the prior art has at least the following problems:
at present monitoring can only be carried out in a uniform way; for example, under limited available resources the data of each monitoring index is collected at a fixed period that security operators set subjectively, so the data is not targeted. When the monitored host range is very large, e.g. millions of hosts, the volume of logs collected on the endpoints is huge, most of the data is redundant, the gateway is overloaded and storage resources are wasted. Moreover, the back-end data analysis is under heavy load and incurs delay, so security response is not timely, while the analysis results are inaccurate and of little practical value.
Disclosure of Invention
In view of this, embodiments of the present invention provide a monitoring processing method and apparatus that address the lack of targeting and the long security response time of monitoring in existing big data scenarios.
To achieve this, according to one aspect of the embodiments of the present invention, a monitoring processing method is provided that includes: querying a security event analysis library at regular intervals and obtaining, for each index, the number and level of security events within a preset time period; calculating a monitoring index weight coefficient for each host from the number and level of the security events and the importance level of the host, and from it the collection time interval of each monitoring index of each host; and receiving a heartbeat uploaded by a host and returning the collection time intervals of all its monitoring indexes in the heartbeat response, so that the host adjusts the collection time intervals of its monitoring indexes.
Optionally, after the collection time intervals of the host's monitoring indexes are adjusted, the method includes:
receiving the monitoring index collection data uploaded by the host, identifying the hosts that carry a security risk, and locking those hosts.
Optionally, after receiving the heartbeat uploaded by the host, the method includes:
obtaining the host resource usage and the host running version number carried in the heartbeat, determining whether the host is alive and, if so, returning the collection time interval of each monitoring index of the host in the heartbeat response; if not, pushing the client to the host again so that it is deployed there to monitor the host.
Optionally, the method includes:
obtaining the preset collection weight of each index and generating a collection index weight matrix;
calculating the monitoring index weight coefficient of each host from the number and level of the security events, the importance level of the host and the collection index weight matrix.
Optionally, before calculating the monitoring index weight coefficient of each host from the importance level of the host and the collection index weight matrix, the method includes:
generating, from the number and level of the security events, a security event number matrix giving the number of events of each security event level under each monitoring index;
calling a preset preprocessing model to normalize the security event number matrix, and calculating the information entropy of each monitoring index from the normalized matrix;
calculating the security event evaluation weight coefficient of each monitoring index from its information entropy through a preset evaluation model.
Optionally, calculating the monitoring index weight coefficient of each host from the importance level of the host and the collection index weight matrix includes:
obtaining the importance level of the host and the corresponding level collection coefficient;
calling a preset weight model to calculate the collection weight of each monitoring index of the host from the level collection coefficient, the security event evaluation weight coefficients and the collection index weight matrix;
obtaining the monitoring index weight coefficient of each monitoring index of the host from the collection weights of the host's monitoring indexes.
Optionally, obtaining the monitoring index weight coefficient of each monitoring index of the host from the collection weights includes:
sorting the collection weights of the host's monitoring indexes from smallest to largest and swapping the values on the left and right symmetrically about the middle value, which yields the monitoring index weight coefficients of the host's monitoring indexes;
and obtaining the collection time interval of each monitoring index of each host includes:
deriving the collection time interval from the monitoring index weight coefficient of each monitoring index and a preset collection period.
In addition, the invention also provides a monitoring processing apparatus comprising a configuration management module, a security event analysis module and a monitoring processing module, in which the configuration management module queries the security event analysis library at regular intervals and obtains, for each index, the number and level of security events within a preset time period, calculates the monitoring index weight coefficient of each host from the number and level of the security events and the importance level of the host, and from it obtains the collection time interval of each monitoring index of each host; and a heartbeat management module that receives the heartbeat uploaded by the host and returns the collection time intervals of the host's monitoring indexes in the heartbeat response, so that the host adjusts the collection time intervals of its monitoring indexes.
One embodiment of the above invention has the following advantages or benefits. By querying the security event analysis library at regular intervals to obtain the number and level of security events under each index within a preset time period, calculating a monitoring index weight coefficient for each host from those counts and levels together with the host's importance level, deriving from it the collection time interval of each monitoring index of each host, and returning those intervals in the heartbeat response so that the host adjusts its collection intervals, the invention addresses the excessive gateway pressure and the slow back-end tracing that arise when the number of hosts is huge. Under limited available resources, the monitoring index coefficients of the client on each host are adjusted dynamically without affecting the host's business services, so monitoring is targeted, useful information is collected, redundant collection is avoided, and gateway and back-end analysis resources are saved.
Further effects of the above-mentioned non-conventional alternatives will be described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
fig. 1 is a schematic view of a main flow of a monitoring processing method according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of a main flow of a monitoring processing method according to a second embodiment of the present invention;
fig. 3 is a schematic diagram of a main flow of a monitoring processing method according to a third embodiment of the present invention;
fig. 4 is a schematic diagram of main blocks of a monitoring processing apparatus according to a first embodiment of the present invention;
fig. 5 is a schematic diagram of the main blocks of a monitoring processing device according to a second embodiment of the present invention;
FIG. 6 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
fig. 7 is a schematic block diagram of a computer system suitable for use in implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 is a schematic diagram of a main flow of a monitoring processing method according to a first embodiment of the present invention, as shown in fig. 1, the monitoring processing method includes:
step S101, inquiring a security event analysis library at regular time, and acquiring the number of security events and the level of the security events corresponding to each index in a preset time period.
In some embodiments, the security events stored in the security event analysis repository mainly have two sources, one is derived from the security event analysis in the industry, and the behavior characteristics are associated with the monitoring index and stored in the security event analysis repository. And the other one is obtained by analyzing according to host monitoring information in the enterprise, namely, data of each monitoring index reported by each host is obtained, and security analysis is carried out by combining a threat information library, an abnormal behavior rule library, a security vulnerability library and the like to obtain security analysis results, such as vulnerability risk level, vulnerability type and the like.
Step S102, calculating a monitoring index weight coefficient of each host based on the importance degree level of each host according to the number of the safety events and the level of the safety events, and further obtaining the acquisition time interval of each monitoring index of each host.
In some embodiments, step S102 may further obtain a preset acquisition weight of each index, and generate an acquisition index weight matrix. And calculating a monitoring index weight coefficient of each host based on the importance degree grade of each host and the collection index weight matrix according to the number of the safety events and the grade of the safety events.
It should be noted that the collection weight of each index may be configured in advance. Assuming that n indexes are collected in total, the collection index weight matrix is represented by a 1 × n matrix B:
B = [b_1 b_2 … b_n]
where 0 < b_i < 1, and
[constraint given only as image BDA0002942809630000051 in the source]
In a further embodiment, before calculating the monitoring index weight coefficient of each host from the importance level of the host and the collection index weight matrix, the method includes:
generating, from the number and level of the security events, a security event number matrix giving the number of events of each security event level under each monitoring index; calling a preset preprocessing model to normalize the security event number matrix, and calculating the information entropy of each monitoring index from the normalized matrix; then calculating the security event evaluation weight coefficient of each monitoring index from its information entropy through a preset evaluation model. The specific implementation is as follows:
Assume that security events are divided into 5 levels, denoted P_1, P_2, P_3, P_4, P_5 in decreasing order of importance (the source labels them serious, general, slight and not serious), and that n indexes are collected by the monitoring. The number of security events of each level under each collected index is represented by a 5 × n matrix X, for example:
[matrix given only as image BDA0002942809630000061 in the source]
where x_ij denotes the number of P_i-level security events (the source writes 0 ≤ i ≤ 5) under a given index.
The security event number matrix X is then normalized; the normalized matrix is written as
[image BDA0002942809630000062 in the source]
and each of its elements is:
[formula given only as image BDA0002942809630000063 in the source]
where min(x_i) denotes the minimum value under the i-th index in X and max(x_i) the maximum value under the i-th index in X.
Then the information entropy of each index is calculated:
[formula given only as image BDA0002942809630000064 in the source]
[formula given only as image BDA0002942809630000065 in the source]
Finally, the security event evaluation weight coefficient c_i of each monitoring index is obtained through a preset evaluation model:
[formula given only as image BDA0002942809630000071 in the source]
where 0 < c_i < 1, and
[constraint given only as image BDA0002942809630000072 in the source]
In a further embodiment, calculating the monitoring index weight coefficient of each host from the importance level of the host and the collection index weight matrix includes: obtaining the importance level of the host and the corresponding level collection coefficient; calling a preset weight model to calculate the collection weight of each monitoring index of the host from the level collection coefficient, the security event evaluation weight coefficients and the collection index weight matrix; and obtaining the monitoring index weight coefficient of each monitoring index of the host from those collection weights. The specific implementation is as follows:
Suppose host importance is divided into 4 levels, denoted P_0, P_1, P_2, P_3 in decreasing order of importance, with collection coefficients α_0, α_1, α_2, α_3 respectively, satisfying α_0 > α_1 > α_2 > α_3 and
[constraint given only as image BDA0002942809630000073 in the source]
For a host of level P_0, the preset weight model is called to calculate the collection weight of each monitoring index:
[formula given only as image BDA0002942809630000074 in the source]
where 0 < d_i < 1, and
[constraint given only as image BDA0002942809630000075 in the source]
It is worth noting that obtaining the weight coefficient of each monitoring index of the host from the collection weights of its monitoring indexes means: sorting the collection weights of the host's monitoring indexes from smallest to largest and swapping the values on the left and right symmetrically about the middle value, which yields the monitoring index weight coefficients. That is, a larger collection weight should mean a shorter collection time interval and a higher collection frequency, so the collection weights are sorted from smallest to largest, the middle value is taken as the axis, the left and right values are exchanged symmetrically, and the resulting weight coefficient of each monitoring index is w_i.
In addition, the collection time interval is derived from the monitoring index weight coefficient of each monitoring index according to a preset collection period. Specifically, assuming the collection period is fixed at T, the collection time interval of each collected monitoring index is:
t_i = T × w_i
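The calculation of step S102 carried through end to end: normalisation and entropy of the security event counts, the evaluation weights c_i, the collection weights d_i, the symmetric swap that yields w_i, and t_i = T × w_i. This is an added example, not the patent's code. The source shows the preprocessing, entropy, evaluation and weight models only as images, so the example assumes the standard entropy-weight method for c_i (min-max normalisation per index column, then 1 minus the normalised entropy, scaled to sum to 1) and the combination-weighting form d_i = α·b_i + (1 − α)·c_i for the weight model, which satisfies the stated 0 < d_i < 1 and unit sum. The four monitoring indexes, the event matrix X, the preset weights B, the level coefficients α and the interval floor t_min are all constructed or added here.

```python
"""Added example: entropy-weighted collection intervals per monitoring index.

Not the patent's code. The normalisation, entropy, evaluation and weight
models are images in the source; the forms used here are assumptions:
  - min-max normalisation per index column, standard entropy-weight method
  - weight model d_i = alpha * b_i + (1 - alpha) * c_i  (0 < d_i < 1, sums to 1)
All input data below is constructed.
"""
import math
from typing import Dict, List, Sequence

INDEXES = ["process", "network", "file", "login"]          # n = 4 monitoring indexes
PRESET_B = [0.4, 0.3, 0.2, 0.1]                             # matrix B, 0 < b_i < 1, sums to 1
LEVEL_ALPHA = {"P0": 0.4, "P1": 0.3, "P2": 0.2, "P3": 0.1}  # host importance coefficients

# Rows P1..P5 (most to least severe), columns = INDEXES: event counts in the window.
EVENTS_X = [
    [10, 2, 4, 0],
    [0, 2, 4, 1],
    [0, 2, 0, 2],
    [0, 2, 0, 3],
    [0, 2, 0, 4],
]


def minmax_normalize(x: Sequence[Sequence[float]]) -> List[List[float]]:
    """Scale each index column to [0, 1]; a constant column becomes all zeros."""
    rows, cols = len(x), len(x[0])
    out = [[0.0] * cols for _ in range(rows)]
    for j in range(cols):
        col = [x[i][j] for i in range(rows)]
        lo, hi = min(col), max(col)
        for i in range(rows):
            out[i][j] = 0.0 if hi == lo else (x[i][j] - lo) / (hi - lo)
    return out


def entropy_weights(x: Sequence[Sequence[float]]) -> List[float]:
    """c_i via the entropy-weight method: the more the counts of an index concentrate
    in a few levels, the lower its entropy and the larger its weight."""
    xn = minmax_normalize(x)
    rows, cols = len(xn), len(xn[0])
    k = 1.0 / math.log(rows)
    divergence = []
    for j in range(cols):
        col = [xn[i][j] for i in range(rows)]
        total = sum(col)
        if total == 0.0:            # constant column: no information, entropy 1, weight 0
            divergence.append(0.0)
            continue
        ent = 0.0
        for v in col:
            p = v / total
            if p > 0.0:
                ent -= p * math.log(p)
        divergence.append(1.0 - k * ent)
    s = sum(divergence)
    if s <= 0.0:                    # every index uninformative: fall back to uniform
        return [1.0 / cols] * cols
    return [d / s for d in divergence]


def collection_weights(alpha: float, b: Sequence[float], c: Sequence[float]) -> List[float]:
    """Assumed weight model d_i = alpha*b_i + (1-alpha)*c_i (convex combination)."""
    return [alpha * bi + (1.0 - alpha) * ci for bi, ci in zip(b, c)]


def mirror_weights(d: Sequence[float]) -> List[float]:
    """Sort ascending and swap symmetrically about the middle: the index with the
    largest collection weight receives the smallest coefficient w_i."""
    order = sorted(range(len(d)), key=lambda i: d[i])   # positions, smallest d first
    ascending = [d[i] for i in order]
    w = [0.0] * len(d)
    for rank, i in enumerate(order):
        w[i] = ascending[len(d) - 1 - rank]
    return w


def collection_intervals(level: str, period_t: float, events=EVENTS_X,
                         b=PRESET_B, t_min: float = 1.0) -> Dict[str, float]:
    """Full pipeline: t_i = T * w_i per index. The t_min floor is an addition so a
    zero weight (constant column) cannot produce a zero interval."""
    c = entropy_weights(events)
    d = collection_weights(LEVEL_ALPHA[level], b, c)
    w = mirror_weights(d)
    return {name: max(t_min, period_t * wi) for name, wi in zip(INDEXES, w)}


if __name__ == "__main__":
    for name, secs in collection_intervals("P0", 600.0).items():
        print(f"{name:8s} every {secs:6.1f} s")
```

With these inputs and T = 600 s, a P_0 host samples the process index about every 66 s (all of its events are P_1), the login index about every 299 s (many events, but spread across the low levels, and the smallest preset weight), and the network index, whose count is identical at every level and therefore carries no entropy information, keeps only its preset share (c = 0 here, which is why the page's strict bound 0 < c_i < 1 presumes every index varies across levels). One caveat worth keeping in mind: the entropy-weight method is invariant to the order of the rows, so an index whose events all sit at P_5 scores exactly like one whose events all sit at P_1; the severity ordering of the levels is not used by the entropy step, and B is where any severity emphasis has to be expressed.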
Step S103: receiving the heartbeat uploaded by the host and returning the collection time interval of each monitoring index of the host in the heartbeat response, so that the host adjusts the collection time intervals of its monitoring indexes.
In some embodiments, after receiving a heartbeat uploaded by a host, the method obtains the host resource usage and the host running version number carried in the heartbeat and determines whether the host is alive; if so, it returns the collection time interval of each monitoring index of the host in the heartbeat response, and if not, it pushes the client to the host again so that it is deployed there to monitor the host.
The invention therefore monitors the liveness of the client on every host: for a machine whose client is not alive, the client is pushed again to monitor the host; for a host whose client is alive, the collection time interval of each of its monitoring indexes is obtained and the collection intervals are adjusted dynamically.
In addition, the invention can also receive the monitoring index collection data uploaded by the host, identify the hosts that carry a security risk and lock them. That is, by analysing the received collection data, the scope of influence of a security event, i.e. the information of the hosts at risk such as IP address and device ID, can be obtained, the infected hosts are locked, and losses are stopped and an alarm raised promptly in an emergency.
In summary, under limited available resources the invention mainly analyses the data on security events and each security monitoring index over the recent period, calculates the collection weight of each monitoring index by combining it with the subjective collection index weight and the host importance level, and feeds the result back to the host as the adjusted collection time interval of each monitoring index. The collection time intervals are thus adjusted dynamically, monitoring stays effective, and the analysis pressure on the gateway and the back end is reduced.
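The heartbeat exchange of step S103 as both sides see it, also covering the client/master control split described for the third embodiment: the agent reports resource usage and version, the master control decides liveness and either returns the host's per-index intervals or marks the host for a fresh client push, and the agent validates what it receives before rescheduling. This is an added example, not the patent's code. The page fixes only what the heartbeat carries and what the response contains; the JSON message layout, the liveness rule (supported version plus well-formed resource figures), the silent-host timeout and the interval bounds on the agent side are all assumptions made here.

```python
"""Added example: heartbeat exchange between a host agent and the master control.

Not the patent's code. The patent specifies only that the heartbeat carries host
resource usage and the running version, that a live host receives its per-index
collection intervals in the heartbeat response, and that a host found not alive
gets the client pushed again. Message format, liveness rule, timeouts and
interval bounds below are assumptions.
"""
import json
import time
from typing import Callable, Dict, List

SUPPORTED_VERSIONS = {"2.1.0", "2.1.1"}      # constructed
SILENT_TIMEOUT_S = 90.0                       # three missed 30 s heartbeats (assumed)
MIN_INTERVAL_S, MAX_INTERVAL_S = 1.0, 3600.0  # agent-side bounds (assumed)


class MasterControl:
    """Server side: records heartbeats, answers with the host's collection intervals."""

    def __init__(self, intervals_by_host: Dict[str, Dict[str, float]],
                 now: Callable[[], float] = time.time) -> None:
        self.intervals_by_host = intervals_by_host   # output of the weighting step
        self.last_seen: Dict[str, float] = {}
        self.redeploy_queue: List[str] = []          # hosts needing the client pushed again
        self.now = now

    def handle_heartbeat(self, raw: bytes) -> bytes:
        """Liveness rule (assumed): a supported client version reporting numeric
        resource figures. Anything else means the client on that host is not alive."""
        hb = json.loads(raw)
        host = str(hb["host_id"])
        self.last_seen[host] = self.now()
        alive = (hb.get("version") in SUPPORTED_VERSIONS
                 and isinstance(hb.get("cpu_pct"), (int, float))
                 and isinstance(hb.get("mem_pct"), (int, float)))
        if not alive:
            self.redeploy_queue.append(host)
            return json.dumps({"status": "redeploy"}).encode()
        return json.dumps({"status": "ok",
                           "intervals": self.intervals_by_host.get(host, {})}).encode()

    def sweep_silent(self) -> List[str]:
        """Hosts whose agent stopped heartbeating: treat as not alive, queue a push."""
        cutoff = self.now() - SILENT_TIMEOUT_S
        silent = [h for h, seen in self.last_seen.items() if seen < cutoff]
        for h in silent:
            del self.last_seen[h]
            self.redeploy_queue.append(h)
        return silent


class HostAgent:
    """Client side: builds the heartbeat, validates and applies the returned intervals."""

    def __init__(self, host_id: str, version: str, indexes: List[str],
                 default_interval: float = 60.0) -> None:
        self.host_id, self.version = host_id, version
        self.intervals: Dict[str, float] = {i: default_interval for i in indexes}

    def heartbeat(self, cpu_pct: float, mem_pct: float) -> bytes:
        return json.dumps({"host_id": self.host_id, "version": self.version,
                           "cpu_pct": cpu_pct, "mem_pct": mem_pct}).encode()

    def apply_response(self, raw: bytes) -> str:
        """Return the response status; only an 'ok' response changes the schedule.
        Unknown indexes and non-numeric values are ignored and numeric ones are
        clamped, so a malformed response cannot stop collection or crash the agent."""
        resp = json.loads(raw)
        status = str(resp.get("status", "error"))
        if status != "ok":
            return status
        for index, secs in resp.get("intervals", {}).items():
            bad_type = isinstance(secs, bool) or not isinstance(secs, (int, float))
            if index not in self.intervals or bad_type:
                continue
            self.intervals[index] = min(MAX_INTERVAL_S, max(MIN_INTERVAL_S, float(secs)))
        return status


if __name__ == "__main__":
    mc = MasterControl({"h1": {"process": 65.6, "network": 163.5, "file": 72.0, "login": 298.9}})
    agent = HostAgent("h1", "2.1.0", ["process", "network", "file", "login"])
    print(agent.apply_response(mc.handle_heartbeat(agent.heartbeat(12.5, 40.0))), agent.intervals)
```

Because the heartbeat response steers how often every index on the host is sampled, it is a control channel: the bounds applied in apply_response keep a bad value from silencing an index, but the page says nothing about authenticating the master control, so a deployment would still need to protect that channel (for example with mutual TLS between agent and master control) before trusting its contents.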
Fig. 2 is a schematic diagram of the main flow of a monitoring processing method according to a second embodiment of the present invention; the monitoring processing method may include:
Step S201: querying a security event analysis library at regular intervals and obtaining, for each index, the number and level of security events within a preset time period.
Step S202: generating, from the number and level of the security events, a security event number matrix giving the number of events of each security event level under each monitoring index.
Step S203: calling a preset preprocessing model to normalize the security event number matrix.
Step S204: calculating the information entropy of each monitoring index from the normalized security event number matrix.
Step S205: calculating the security event evaluation weight coefficient of each monitoring index from its information entropy through a preset evaluation model.
Step S206: obtaining the preset collection weight of each index and generating a collection index weight matrix.
Step S207: obtaining the importance level of the host and the corresponding level collection coefficient.
Step S208: calling a preset weight model to calculate the collection weight of each monitoring index of the host from the level collection coefficient, the security event evaluation weight coefficients and the collection index weight matrix.
Step S209: sorting the collection weights of the host's monitoring indexes from smallest to largest and swapping the values on the left and right symmetrically about the middle value, which yields the monitoring index weight coefficients of the host's monitoring indexes.
Step S210: deriving the collection time interval of each monitoring index from its monitoring index weight coefficient and a preset collection period.
Step S211: receiving the heartbeat uploaded by the host and obtaining the host resource usage and the host running version number carried in it.
Step S212: determining whether the host is alive; if so, go to step S213, otherwise go to step S214.
Step S213: returning the collection time interval of each monitoring index of the host in the heartbeat response, so that the host adjusts the collection time intervals of its monitoring indexes.
Step S214: pushing the client to the host again so that it is deployed there to monitor the host.
Fig. 3 is a schematic diagram of the main flow of a monitoring processing method according to a third embodiment of the present invention. The method is based on the design of a remote monitoring system: a client monitors, and a master control server analyses the collected data. The client is deployed on each host; the collection interval of each monitoring index of the client on the host is supplied by the master control service, which stores the collection configuration (e.g. the collection intervals) for each type of host. The security event library associates security events with monitoring indexes; it is queried at regular intervals to obtain the sample count within a preset time period, i.e. the number of security events that occurred under each index and their levels, and the number of security events of each level under each monitoring index is analysed. Combining this with the host importance level, the preset collection weight of each index and so on, the collection interval (i.e. frequency) of each index on each host is adjusted.
In addition, the client sends a heartbeat to the master control service at regular intervals. The heartbeat carries the client's resource usage (i.e. the host resource usage) and the client's running version number (i.e. the host running version number), from which the liveness of the client on every host is monitored: for a machine whose client is not alive, the client is pushed again to monitor the host's behaviour; for a host whose client is alive, the host's policy configuration (i.e. the collection time interval of each monitoring index) is obtained and the collection intervals of the monitoring indexes are adjusted dynamically.
Fig. 4 is a schematic diagram of main modules of a monitoring processing apparatus according to a first embodiment of the present invention, as shown in fig. 4, the monitoring processing apparatus 400 includes a configuration management module 401 that queries a security event analysis library at regular time, and obtains the number of security events occurring and the level of the security events corresponding to each index within a preset time period; calculating a monitoring index weight coefficient of each host based on the importance degree level of each host according to the number of the safety events and the level of the safety events, and further obtaining the acquisition time interval of each monitoring index of each host; the heartbeat management module 402 receives heartbeats uploaded by the host, and returns the acquisition time intervals of the monitoring indexes corresponding to the host along with heartbeat response, so as to adjust the acquisition time intervals of the monitoring indexes of the host.
In some embodiments, the configuration management module 401 is further configured to:
and receiving monitoring index acquisition data uploaded by the host computer, acquiring host computer information with safety risk, and further locking the host computer.
In some embodiments, after receiving the heartbeat uploaded by the host, the heartbeat management module 402 includes:
acquiring the use condition of host resources and the running version number of the host in the heartbeat, judging whether the host survives, and if so, returning the acquisition time interval of each monitoring index corresponding to the host along with the heartbeat response; if not, the client is pushed again to be deployed on the host to monitor the host.
In some embodiments, the configuration management module 401 is further configured to:
acquiring a preset acquisition weight of each index, and generating an acquisition index weight matrix;
and calculating a monitoring index weight coefficient of each host based on the importance degree grade of each host and the collection index weight matrix according to the number of the safety events and the grade of the safety events.
In some embodiments, before the configuration management module 401 calculates the monitoring index weight coefficient of each host based on the importance level of each host and the collection index weight matrix, the method includes:
generating a security event number matrix of the security event level corresponding to each monitoring index according to the number of the security events and the level of the security events;
calling a preset preprocessing model, carrying out standardization processing on the safety event number matrix, and calculating the information entropy of each monitoring index based on the safety event number matrix after standardization processing;
and calculating to obtain the safety event evaluation weight coefficient of each monitoring index through a preset evaluation model according to the information entropy of each monitoring index.
In some embodiments, the configuration management module 401 calculating the monitoring index weight coefficient of each host based on the importance level of each host and the acquisition index weight matrix includes:
obtaining the importance level of a host to obtain the corresponding level acquisition coefficient;
calling a preset weight model to calculate the acquisition weight of each monitoring index of the host from the level acquisition coefficient, the security event evaluation weight coefficient and the acquisition index weight matrix; and
obtaining the monitoring index weight coefficient of each monitoring index of the host from the acquisition weight of each monitoring index of the host.
In some embodiments, the configuration management module 401 obtaining the monitoring index weight coefficient of each monitoring index of the host from the acquisition weight of each monitoring index of the host includes: arranging the acquisition weights of all monitoring indexes of the host from small to large and, taking the middle number as the axis, symmetrically exchanging the values on the left and right sides to obtain the monitoring index weight coefficient of each monitoring index of the host;
and the configuration management module 401 obtaining the acquisition time interval of each monitoring index of each host includes: obtaining the acquisition time interval from the monitoring index weight coefficient of each monitoring index according to a preset acquisition period.
Since the monitoring processing method and the monitoring processing apparatus of the present invention correspond in their specific implementation, the repeated content is not described again.
Fig. 5 is a schematic diagram of the main modules of a monitoring processing device according to a second embodiment of the present invention. It follows the design of the invention as a remote monitoring system: a client monitors, and a master control server analyzes the collected data. The master control server calculates a monitoring index weight coefficient by combining the acquisition index weights, the security event weight evaluation, the importance level of the host and so on, and from it obtains the acquisition time interval of each monitoring index. The client is deployed on each host, including IDC hosts (physical machines, Docker containers and cloud hosts) and OA hosts; the monitoring index weight coefficients are obtained from the server at regular intervals, and the acquisition time interval of each monitored index of the host is adjusted according to them.
The client uses a lightweight Agent for monitoring (the Agent is a piece of system monitoring software): its available resources are limited, it works without the user noticing, and host business is not affected. The functions of the client fall into three groups: an acquisition function, a log upload function, and a self-monitoring degradation function (for example, adjusting the acquisition time intervals of the various monitored indexes). The acquisition function collects the following kinds of monitoring index: host basic information (hardware asset information, operating system information, user group information, host importance level, etc.), network information (connection information, open port information), file operation information, process information, security log information, startup item information, scheduled task information, command history information, user login information, and so on.
The master control service may include a configuration management module, a security event analysis library, an acquisition analysis module, an alarm module, a heartbeat management module and an Agent management module. The configuration management module calculates the monitoring index weight coefficient of each host from the host's importance level, the preset acquisition weight of each index, and the number and level of security events; it then obtains from the coefficient the acquisition time interval of each monitoring index of each host, and stores the intervals in the configuration library according to the importance levels of the different hosts. When a client uploads a heartbeat, the acquisition time intervals of the monitoring indexes are returned to the client with the heartbeat response, so that the acquisition time interval of each monitoring index on the host is adjusted dynamically.
The heartbeat management module handles the heartbeats that clients send to the master control service at regular intervals. A heartbeat carries the client's resource usage (that is, the host's resource usage) and the client's running version number (that is, the host's running version number). The module monitors whether the client on every host is alive: for a host whose client has not survived, the client is pushed to it again to resume monitoring host behaviour; for a host whose client is alive, the policy configuration corresponding to the host (that is, the acquisition time interval of each monitoring index) is obtained from the configuration management module and the monitoring index acquisition intervals are adjusted dynamically. In addition, the resource usage of the client on each host can be monitored so that normal business use of the host is not affected.
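The server side of that heartbeat exchange, as an added example in Python (this is not code from the patent): a heartbeat carrying the agent's resource usage and version number is answered with the host's per-index acquisition intervals from the configuration library; a host whose agent has been silent longer than a timeout is listed as not surviving, so the client can be pushed to it again; an agent exceeding its resource budget is told to degrade, and a stale version is told to upgrade. The timeout, the CPU limit, the host ids, the interval values and the "double every interval" degradation rule are constructed assumptions.

```python
"""Added example (not part of the patent): server side of the heartbeat
exchange between the light Agent and the master control service."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HEARTBEAT_TIMEOUT_S = 90.0   # constructed: a client silent this long is "not surviving"
AGENT_CPU_LIMIT_PCT = 5.0    # constructed: the light agent must stay under this


@dataclass
class HostRecord:
    """One host's entry in the configuration library."""
    level: int                       # importance level P0..P3
    intervals: Dict[str, float]      # monitoring index -> acquisition interval (s)
    last_seen: Optional[float] = None
    version: str = ""


class HeartbeatManager:
    """Receives heartbeats, tracks liveness and returns policy configuration."""

    def __init__(self, hosts: Dict[str, HostRecord], current_version: str,
                 timeout: float = HEARTBEAT_TIMEOUT_S) -> None:
        self.hosts = hosts
        self.current_version = current_version
        self.timeout = timeout

    def handle_heartbeat(self, host_id: str, hb: dict, now: float) -> dict:
        """Record the heartbeat and answer with the host's acquisition intervals.
        hb carries the agent's resource usage and running version number."""
        rec = self.hosts.get(host_id)
        if rec is None:
            return {"status": "unknown_host"}   # not in the configuration library
        rec.last_seen = now
        rec.version = hb.get("version", "")
        resp = {"status": "alive", "intervals": dict(rec.intervals)}
        if hb.get("cpu_pct", 0.0) > AGENT_CPU_LIMIT_PCT:
            # Self-monitoring degradation (assumed rule): double every interval
            # so the agent backs off and host business is not affected.
            resp["intervals"] = {k: 2 * v for k, v in rec.intervals.items()}
            resp["degrade"] = True
        if rec.version != self.current_version:
            resp["upgrade_to"] = self.current_version   # Agent management module
        return resp

    def not_surviving(self, now: float) -> List[str]:
        """Hosts whose client never reported or has been silent past the
        timeout; these are the ones the client is pushed to again."""
        return sorted(h for h, r in self.hosts.items()
                      if r.last_seen is None or now - r.last_seen > self.timeout)


if __name__ == "__main__":
    # Constructed sample library: two hosts of different importance levels.
    library = {
        "host-a": HostRecord(0, {"process": 12.0, "user_login": 48.0}),
        "host-b": HostRecord(3, {"process": 60.0}),
    }
    mgr = HeartbeatManager(library, current_version="1.2.0")
    print(mgr.handle_heartbeat("host-a", {"cpu_pct": 1.5, "version": "1.2.0"}, now=1000.0))
    print(mgr.handle_heartbeat("host-b", {"cpu_pct": 9.0, "version": "1.1.0"}, now=1000.0))
    print("not surviving at t=1100:", mgr.not_surviving(1100.0))
```

The stored intervals are left untouched when an agent is told to degrade; the doubled values only go out in that one response, so the next heartbeat from a healthy agent restores the configured policy.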
The acquisition and analysis module performs security analysis on the acquired data reported by each host, in combination with a threat intelligence library, an abnormal behaviour rule library, a security vulnerability library and the like, to obtain security analysis results including vulnerability risk level, vulnerability type and so on. The number and level of the security events can thus be associated with the monitoring indexes that produced them and stored in the security event analysis library. Information about hosts with a security risk, such as IP address and device ID, can be recorded and passed to the alarm module. Preferably, the host reports the acquired data in a preset format (for example, JSON) to the acquisition and analysis module of the master control service through a data gateway.
The alarm module informs operators of the scope of a given security event, locks the affected host according to the IP address, device ID and other information obtained from the acquisition and analysis module, and enables prompt emergency loss-stopping.
The security events stored in the security event analysis library have two main sources. One is security event analysis from the industry, whose behaviour characteristics and monitoring indexes are associated and stored in the library. The other is the acquisition and analysis module's analysis of host monitoring information within the enterprise: the data of each monitoring index reported by each host is obtained and analysed in combination with the threat intelligence library, the abnormal behaviour rule library, the security vulnerability library and the like, to obtain security analysis results such as vulnerability risk level and vulnerability type.
In addition, the Agent management module maintains Agent version management and Agent upgrades on the hosts.
As a further embodiment, the specific calculation by which the configuration management module computes the monitoring index weight coefficient of each host, based on the importance level of each host and the acquisition index weight matrix and from the number and level of the security events, and then obtains the acquisition time interval of each monitoring index of each host, is as follows:
The acquisition weight of each index can be configured in advance. Assuming that monitoring collects n indexes, the acquisition index weight matrix is a 1 × n matrix B:
B = [b_1 b_2 … b_n]
where 0 < b_i < 1, and
[equation image BDA0002942809630000131: constraint on the b_i, not reproduced in this extraction]
Assume that security events are divided into 5 levels, denoted P_1, P_2, P_3, P_4, P_5 in decreasing order of severity (serious, general, slight and not serious), and that n indexes are collected during monitoring. The number of security events of each security event level under each collected index is represented by a 5 × n matrix X, for example:
[equation image BDA0002942809630000141: the matrix X, not reproduced in this extraction]
where x_ij denotes the number of P_i-level (0 ≤ i ≤ 5) security events under a given index.
The security event number matrix X is then normalized; the normalized matrix is denoted
[equation image BDA0002942809630000142: the normalized matrix, not reproduced in this extraction]
and each of its elements is
[equation image BDA0002942809630000143: the normalization formula, not reproduced in this extraction]
where min(x_i) denotes the minimum value under the i-th index in the matrix X, and max(x_i) the maximum value under the i-th index in X.
Then the information entropy of each index is calculated:
[equation image BDA0002942809630000144: not reproduced in this extraction]
[equation image BDA0002942809630000145: not reproduced in this extraction]
Finally, the security event evaluation weight coefficient c_i of each monitoring index is calculated through a preset evaluation model:
[equation image BDA0002942809630000146: the evaluation model, not reproduced in this extraction]
where 0 < c_i < 1, and
[equation image BDA0002942809630000147: constraint on the c_i, not reproduced in this extraction]
Suppose the importance level of a host is divided into 4 levels, denoted P_0, P_1, P_2, P_3 in decreasing order of importance, with acquisition coefficients α_0, α_1, α_2, α_3 respectively, satisfying α_0 > α_1 > α_2 > α_3 and
[equation image BDA0002942809630000148: constraint on the α_k, not reproduced in this extraction]
Taking a P_0-level system as an example, the preset weight model is called to calculate the acquisition weight of each monitoring index:
[equation image BDA0002942809630000151: the weight model, not reproduced in this extraction]
where 0 < d_i < 1, and
[equation image BDA0002942809630000152: constraint on the d_i, not reproduced in this extraction]
The acquisition weights of all monitoring indexes of the host are arranged from small to large and, taking the middle number as the axis, the values on the left and right sides are exchanged symmetrically to obtain the monitoring index weight coefficient w_i. Assuming that the acquisition period is fixed at T, the acquisition interval of each monitored index is:
t_i = T × w_i
Finally, the acquisition configuration corresponding to hosts of different importance levels (including the monitoring index weight coefficients, the acquisition interval of each monitoring index, and so on) is stored in the configuration library of the master control server.
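The calculation just described, carried through in Python as an added example (not the patent's own code), from the 5 × n security event matrix to t_i = T × w_i. Because the page does not reproduce its equation images, the normalization (min-max per index), the entropy (Shannon entropy with k = 1/ln 5), the evaluation model (c_i proportional to 1 − e_i) and the weight model (d_i = α·c_i + (1 − α)·b_i) used here are standard entropy-weight-method choices and are assumptions, as are the α values and the sample counts; the mirroring step and the interval formula follow the text.

```python
"""Added example (not part of the patent): entropy-weight pipeline that turns
security-event counts, preset index weights and host importance into per-index
acquisition intervals. Formulas marked "assumed" stand in for equation images
the page does not reproduce."""
import math
from typing import Dict, List, Sequence

# Host importance levels P0..P3 and their acquisition coefficients alpha_k,
# alpha_0 > alpha_1 > alpha_2 > alpha_3 and summing to 1 (constructed values).
ALPHA: Dict[int, float] = {0: 0.4, 1: 0.3, 2: 0.2, 3: 0.1}


def normalize_event_matrix(x: Sequence[Sequence[float]]) -> List[List[float]]:
    """Min-max normalise the 5 x n security-event count matrix X column by
    column (per index), matching the text's min(x_i)/max(x_i) description.
    Assumption: a column with no spread normalises to all zeros instead of
    dividing by zero."""
    levels, n = len(x), len(x[0])
    out = [[0.0] * n for _ in range(levels)]
    for j in range(n):
        col = [row[j] for row in x]
        lo, hi = min(col), max(col)
        for i in range(levels):
            out[i][j] = 0.0 if hi == lo else (col[i] - lo) / (hi - lo)
    return out


def index_entropy(xn: Sequence[Sequence[float]]) -> List[float]:
    """Information entropy e_j of each index over the event levels (assumed:
    e_j = -k * sum_i p_ij ln p_ij with k = 1/ln(levels), so 0 <= e_j <= 1)."""
    levels, n = len(xn), len(xn[0])
    k = 1.0 / math.log(levels)
    ent: List[float] = []
    for j in range(n):
        col = [row[j] for row in xn]
        total = sum(col)
        if total == 0:
            ent.append(1.0)   # no spread across levels: carries no information
            continue
        p = [v / total for v in col]
        ent.append(-k * sum(pi * math.log(pi) for pi in p if pi > 0))
    return ent


def event_weights(entropy: Sequence[float]) -> List[float]:
    """Security-event evaluation weight c_j = (1 - e_j) / sum_k (1 - e_k)
    (assumed evaluation model); the c_j sum to 1."""
    gain = [1.0 - e for e in entropy]
    s = sum(gain)
    if s == 0:                       # every index uninformative: uniform fallback
        return [1.0 / len(entropy)] * len(entropy)
    return [g / s for g in gain]


def acquisition_weights(level: int, b: Sequence[float], c: Sequence[float]) -> List[float]:
    """Preset weight model (assumed): blend the preset index weights b_i with
    the event-evaluation weights c_i, using the host's level coefficient alpha
    as the mixing factor. Both inputs sum to 1, so the d_i do too."""
    a = ALPHA[level]
    return [a * ci + (1.0 - a) * bi for bi, ci in zip(b, c)]


def mirror_weights(d: Sequence[float]) -> List[float]:
    """The page's mirroring step: sort the d_i ascending and swap values
    symmetrically about the middle, so the index with the largest acquisition
    weight receives the smallest coefficient w_i (and the shortest interval)."""
    order = sorted(range(len(d)), key=lambda i: d[i])   # indexes by ascending d
    asc = [d[i] for i in order]
    w = [0.0] * len(d)
    for rank, i in enumerate(order):
        w[i] = asc[len(d) - 1 - rank]
    return w


def acquisition_intervals(period: float, w: Sequence[float]) -> List[float]:
    """t_i = T * w_i, as stated on the page."""
    return [period * wi for wi in w]


def plan_host(level: int, b: Sequence[float], x: Sequence[Sequence[float]],
              period: float) -> Dict[str, List[float]]:
    """Run the whole pipeline for one host and return every intermediate."""
    c = event_weights(index_entropy(normalize_event_matrix(x)))
    d = acquisition_weights(level, b, c)
    w = mirror_weights(d)
    return {"c": c, "d": d, "w": w, "t": acquisition_intervals(period, w)}


if __name__ == "__main__":
    # Constructed sample: 4 monitored indexes, event counts per level P1..P5.
    INDEXES = ["network", "file_ops", "process", "user_login"]
    X = [[8, 0, 2, 1],   # P1 (most serious)
         [5, 1, 2, 0],
         [3, 2, 2, 4],
         [1, 6, 2, 0],
         [0, 9, 2, 1]]   # P5
    B = [0.3, 0.3, 0.2, 0.2]   # preset acquisition index weights, sum 1
    result = plan_host(0, B, X, period=600.0)
    for name, t in zip(INDEXES, result["t"]):
        print(f"{name:11s} interval {t:7.1f} s")
```

Running it prints one interval per index for a P_0-level host. The "process" column in the sample has the same count at every level, so its entropy is maximal and its evaluation weight c is 0; it is carried only by its preset weight b. Because the w_i are a permutation of the d_i and sum to 1, the intervals sum to the acquisition period T, and the index with the largest acquisition weight gets the shortest interval.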
Fig. 6 shows an exemplary system architecture 600 of a monitoring processing method or a monitoring processing device to which embodiments of the invention may be applied.
As shown in fig. 6, the system architecture 600 may include terminal devices 601, 602, 603, a network 604, and a server 605. The network 604 serves to provide a medium for communication links between the terminal devices 601, 602, 603 and the server 605. Network 604 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
A user may use the terminal devices 601, 602, 603 to interact with the server 605 via the network 604 to receive or send messages or the like. Various communication client applications can be installed on the terminal devices 601, 602, 603.
The terminal devices 601, 602, 603 may be various electronic devices having a monitoring processing screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 605 may be a server providing various services, such as a background management server (for example only) providing support for users utilizing the terminal devices 601, 602, 603. The backend management server may analyze and perform other processing on the received data such as the product information query request, and feed back a processing result (for example, target push information, product information — just an example) to the terminal device.
It should be noted that the monitoring processing method provided by the embodiment of the present invention is generally executed by the server 605, and accordingly, the computing device is generally disposed in the server 605.
It should be understood that the number of terminal devices, networks, and servers in fig. 6 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 7, shown is a block diagram of a computer system 700 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 7, the computer system 700 includes a Central Processing Unit (CPU) 701, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data necessary for the operation of the computer system 700 are also stored. The CPU 701, the ROM 702, and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to the bus 704.
The following components are connected to the I/O interface 705: an input section 705 including a keyboard, a mouse, and the like; an output section 706 including a display such as a Cathode Ray Tube (CRT) or a liquid crystal display (LCD), a speaker, and the like; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out from it is installed into the storage section 708 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 701.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a configuration management module and a heartbeat management module. Wherein the names of the modules do not in some cases constitute a limitation of the module itself.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may be separate and not incorporated into the apparatus. The computer readable medium carries one or more programs which, when executed by a device, cause the device to: query the security event analysis library at regular intervals to obtain the number of security events and the level of the security events corresponding to each index in a preset time period; calculate a monitoring index weight coefficient of each host from the number and level of the security events, based on the importance level of each host, and then obtain the acquisition time interval of each monitoring index of each host; and receive a heartbeat uploaded by a host and return the acquisition time intervals of all monitoring indexes corresponding to the host along with the heartbeat response, so as to adjust the acquisition time intervals of all monitoring indexes of the host.
According to the technical solution of the embodiments of the present invention, the problems of untargeted monitoring and long security response time in existing big data scenarios can be solved.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A monitoring processing method, comprising:
querying a security event analysis library at regular intervals to obtain the number of security events and the level of the security events corresponding to each index in a preset time period;
calculating a monitoring index weight coefficient of each host from the number and level of the security events, based on the importance level of each host, and then obtaining the acquisition time interval of each monitoring index of each host; and
receiving a heartbeat uploaded by a host, and returning the acquisition time intervals of all monitoring indexes corresponding to the host along with the heartbeat response, so as to adjust the acquisition time intervals of all monitoring indexes of the host.
2. The method of claim 1, wherein adjusting the acquisition time intervals of the monitoring indexes of the host comprises:
receiving the monitoring index acquisition data uploaded by the host, obtaining the information of hosts that carry a security risk, and then locking those hosts.
3. The method of claim 1, wherein receiving a heartbeat uploaded by a host comprises:
obtaining the host resource usage and the running version number of the host carried in the heartbeat and judging whether the host survives; if so, returning the acquisition time interval of each monitoring index corresponding to the host along with the heartbeat response; if not, pushing the client again to be deployed on the host to monitor it.
4. The method of claim 1, comprising:
obtaining a preset acquisition weight of each index and generating an acquisition index weight matrix; and
calculating the monitoring index weight coefficient of each host from the number and level of the security events, based on the importance level of each host and the acquisition index weight matrix.
5. The method of claim 4, wherein before calculating the monitoring index weight coefficient of each host based on the importance level of each host and the acquisition index weight matrix, the method comprises:
generating, from the number and level of the security events, a security event number matrix of the security event level corresponding to each monitoring index;
calling a preset preprocessing model to standardize the security event number matrix, and calculating the information entropy of each monitoring index from the standardized matrix; and
calculating, through a preset evaluation model, the security event evaluation weight coefficient of each monitoring index from its information entropy.
6. The method of claim 5, wherein calculating the monitoring index weight coefficient of each host based on the importance level of each host and the acquisition index weight matrix comprises:
obtaining the importance level of a host to obtain the corresponding level acquisition coefficient;
calling a preset weight model to calculate the acquisition weight of each monitoring index of the host from the level acquisition coefficient, the security event evaluation weight coefficient and the acquisition index weight matrix; and
obtaining the monitoring index weight coefficient of each monitoring index of the host from the acquisition weight of each monitoring index of the host.
7. The method according to claim 6, wherein obtaining the monitoring index weight coefficient of each monitoring index of the host from the acquisition weight of each monitoring index of the host comprises:
arranging the acquisition weights of all monitoring indexes of the host from small to large and, taking the middle number as the axis, symmetrically exchanging the values on the left and right sides to obtain the monitoring index weight coefficient of each monitoring index of the host;
and wherein obtaining the acquisition time interval of each monitoring index of each host comprises:
obtaining the acquisition time interval from the monitoring index weight coefficient of each monitoring index according to a preset acquisition period.
8. A monitoring processing apparatus, comprising:
a configuration management module, configured to query a security event analysis library at regular intervals to obtain the number of security events and the level of the security events corresponding to each index in a preset time period, to calculate a monitoring index weight coefficient of each host from the number and level of the security events, based on the importance level of each host, and then to obtain the acquisition time interval of each monitoring index of each host; and
a heartbeat management module, configured to receive a heartbeat uploaded by a host and return the acquisition time intervals of the monitoring indexes corresponding to the host along with the heartbeat response, so as to adjust the acquisition time intervals of the monitoring indexes of the host.
9. An electronic device, comprising:
one or more processors; and
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.
CN202110185187.7A 2021-02-10 2021-02-10 Monitoring processing method and device Pending CN113760642A (en)


Publications (1)

Publication Number Publication Date
CN113760642A true CN113760642A (en) 2021-12-07
