CN115712544B - Monitoring system - Google Patents
- Publication number: CN115712544B (application CN202211483754.8A)
- Authority: CN (China)
- Prior art keywords: initial, time interval, set time, value, upgrade
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a monitoring system which is in communication connection with m initial devices and which, when an agent packet needing to be upgraded is detected, executes the following steps: S300, acquiring a size list A of the data packets transmitted by the initial devices; S310, acquiring an upgrade information table corresponding to a set time period based on A, the current network bandwidth K and the size of the agent packet required for each initial device's upgrade. When it is detected that the initial devices need to be upgraded, the maximum number of devices that can be upgraded in each time interval of the set time period is obtained from the network bandwidth, the agent packet size and the size of a single data packet sent by each initial device, and the corresponding upgrade operation is then executed according to the current upgrade instruction identifier.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a monitoring system.
Background
Currently, an industrial control system can realize interconnection and interworking in an industrial control network environment. In such an environment, a plurality of monitored devices are in communication connection with the master control device of the network monitoring platform, and the master control device monitors the monitored devices through agent packets installed on them, so that network data in the industrial control network environment remains safe, stable and does not leak. Each monitored device in the network monitoring platform plays a corresponding role in the working condition environment. To ensure that the role functions are carried out safely, each monitored device sets the identity of the role execution program, i.e. the process, and only trusted whitelist processes are allowed to execute. Currently the whitelist processes are selected manually from a preset whitelist process table. In this setting mode each device selects and generates its whitelist processes from the established table, and because the table has not been verified over time, some whitelist processes are not applicable to some devices and a potential safety hazard exists. In addition, in the existing industrial control network environment, when the agent packet needs to be updated a time is chosen at random for the update; because network bandwidth is limited and the data flow is large, this causes network congestion and abnormal data transmission.
Disclosure of Invention
In view of the above technical problems, an embodiment of the present invention provides a monitoring system for at least solving one of the technical problems.
The invention adopts the technical scheme that:
the embodiment of the invention provides a monitoring system, which comprises a processor in communication connection and a storage medium storing a computer program, wherein the processor is in communication connection with m initial devices, and when an agent packet needing to be upgraded is detected, the processor is used for executing the computer program to realize the following steps:
S300, acquiring a transmitted data packet size list A = (A1, A2, …, Ai, …, Am), wherein Ai is the size of a single data packet transmitted by initial device i, and i takes the values 1 to m;
s310, acquiring an upgrade information table corresponding to a set time period based on A, a current network bandwidth K and the size of a proxy packet required by each initial device upgrade;
s310 specifically comprises:
s312, acquiring the total amount R of data packets to be transmitted in the current working condition environment within a set time period T0;
S314, if $(TS0 \times K - R) \ge m \times A0$, executing S316; TS0 is the duration in seconds corresponding to T0; A0 is the size of the proxy packet that needs to be sent to each initial device for the upgrade to the version corresponding to the proxy packet;
S316, obtaining, for any set time interval $T0_{sc}$ within the set time period T0, the number $NC_{sc}=\max(NC_{sc}^{1}, NC_{sc}^{2}, \dots, NC_{sc}^{H}, \dots, NC_{sc}^{X})$ of initial devices that can be upgraded in it; S318 is performed; wherein sc takes the values 1 to sq, sq is the number of set time intervals in T0, $TS0_{sc} = \Delta t1$ is the duration in seconds of $T0_{sc}$ and $\Delta t1$ is the first set time interval; $NC_{sc}^{H}$ is the number of initial devices that can be upgraded in the H-th sub-time interval $TH_{sc}^{H}$ of $T0_{sc}$, where $THS0_{sc}^{H} = \Delta t2 \times 60 \times H$ is the duration in seconds of $TH_{sc}^{H}$, H takes the values 1 to X, and X is the number of sub-time intervals obtained by dividing $T0_{sc}$ according to the second set time interval $\Delta t2$;
S318, obtaining the upgrade information table corresponding to the set time period T0, the sc-th row of which comprises $(T0_{sc}, NC_{sc})$. S320 is performed.
S320, based on the current upgrading instruction identification, corresponding upgrading operation is executed according to the upgrading information table.
The invention has at least the following beneficial effects:
According to the monitoring system provided by the embodiment of the invention, when the need to upgrade the initial devices is detected, the maximum number of devices that can be upgraded in each time interval of the set time period is obtained from the network bandwidth, the proxy packet size and the size of a single data packet sent by each initial device, and the corresponding upgrade operation is then executed according to the current upgrade instruction identifier.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method implemented by a monitoring system executing a computer program according to an embodiment of the present invention.
Fig. 2 is a flowchart of a method implemented by a monitoring system executing a computer program according to another embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
The embodiment of the invention provides a monitoring system which comprises a processor in communication connection and a storage medium storing a computer program, wherein the processor is in communication connection with m initial devices. In the embodiment of the invention, the initial equipment can be monitored equipment connected with the monitoring system in the working condition network environment.
Wherein upon detecting a proxy package requiring upgrade, the processor is configured to execute a computer program to implement the steps shown in fig. 1:
S200, acquiring a transmitted data packet size list A = (A1, A2, …, Ai, …, Am) and a version list V = (V1, V2, …, Vi, …, Vm), where Ai is the size of a single data packet transmitted by initial device i, Vi is the current version corresponding to initial device i, and i takes the values 1 to m.
The size of the single data packet sent by each initial device may be pre-stored in memory. Typically, each initial device sends packets of the same size in a set period.
S210, acquiring an upgrade information table corresponding to the set time period based on A, V, the current network bandwidth K and the size of the agent packet required by each initial device's upgrade. K is in units of bit/s.
Further, S210 may specifically include:
S212, acquiring the total amount R of data packets to be transmitted in the current working condition environment within a set time period T0, and the size $C_i = B_i \times A0$ of the proxy packet required for the upgrade of initial device i; Bi is the number of versions between Vi and the version corresponding to the proxy package to be upgraded; for example, if Vi is v.0 and the version corresponding to the proxy package to be upgraded is v.1, then Bi = 1.
In the embodiment of the present invention, the set period of time may be set based on actual needs, for example, may be 1 hour or 1 day.
In an embodiment of the present invention, $R = \sum_{i=1}^{m} A_i \times \lfloor TS0 / \Delta T_i \rfloor$, where $\Delta T_i$ is the time interval in seconds at which initial device i sends a data packet, TS0 is the duration in seconds corresponding to T0, and $\lfloor \cdot \rfloor$ denotes rounding down.
In the embodiment of the present invention, A0 is the size of the proxy packet that needs to be sent to each initial device to upgrade it to the version corresponding to the proxy packet. If the current version of every initial device is the same, A0 equals the size of the proxy packet required for any device's upgrade; if the current versions of the initial devices differ, $A0 = \max(C_1, C_2, \dots, C_i, \dots, C_m)$, i.e. the maximum of the proxy packet sizes required for all device upgrades.
S214, if $(TS0 \times K - R) \ge m \times A0$, outputting a sixth identifier, where the sixth identifier is used to characterize that the traffic available in T0 apart from the traffic of the transmitted data packets is enough to upgrade the m initial devices, and performing S216. The sixth identifier may be represented by, for example, 000 or 0001.
S216, for any set time interval $T0_{sc}$ in the set time period T0 and any time slice $TH_{sc}^{H}$ of $T0_{sc}$, obtaining the number $NC_{sc}^{H}$ of initial devices that can be upgraded in that time slice; S218 is performed.
Wherein $T0_{sc} \in (T0_1, T0_2, \dots, T0_{sc}, \dots, T0_{sq})$, sc takes the values 1 to sq, sq is the number of set time intervals in T0, $TS0_1 = TS0_2 = \dots = TS0_{sc} = \dots = TS0_{sq} = \Delta t1$, $\Delta t1$ is the first set time interval, and $TS0_{sc}$ is the duration in seconds of $T0_{sc}$. $THP0_{sc} = \Delta t2$ is the duration in seconds of a time slice $TH_{sc}^{H}$, H takes the values 1 to X, and X is the number of time slices obtained by dividing $T0_{sc}$ according to the second set time interval $\Delta t2$. n(sc, H) is the number of initial devices not yet upgraded at that time slice.
In the embodiment of the present invention, $\Delta t1$ and $\Delta t2$ may be set based on actual needs. In one example, $\Delta t1$ may be equal to 0.5 hours or to 1 hour, etc., and $\Delta t2 = \Delta t1 / J$, J being an integer greater than 1. Preferably, $\Delta t2 = \Delta T_{max} - \Delta T_{min}$, where $\Delta T_{max} = \max(\Delta T_1, \Delta T_2, \dots, \Delta T_i, \dots, \Delta T_m)$ and $\Delta T_{min} = \min(\Delta T_1, \Delta T_2, \dots, \Delta T_i, \dots, \Delta T_m)$.
Those skilled in the art know that when n (sc, H) =0, the current upgrade control program is exited.
S218, obtaining the upgrade information table corresponding to $T0_{sc}$, the H-th row of which comprises $(TH_{sc}^{H}, NC_{sc}^{H})$. S220 is performed.
S220, based on the current upgrading instruction identification, corresponding upgrading operation is executed according to the upgrading information table.
In the embodiment of the invention, the upgrade instruction may include a first upgrade instruction and a second upgrade instruction, distinguished by different identifiers: the first upgrade instruction indicates that an automatic upgrade operation is to be performed, and the second upgrade instruction indicates that a manual upgrade operation is to be performed. The first upgrade instruction identifier may be represented, for example, by AT, and the second upgrade instruction identifier, for example, by H0.
Further, S220 may specifically include:
s2201, if the current upgrading instruction identifier is the first upgrading instruction identifier, upgrading operation is performed on a corresponding number of devices in each time slice of each time interval of the set time period according to the upgrading information table in sequence.
In the embodiment of the present invention, the corresponding upgrade operation may be performed at a fixed time in each time slice, for example, the corresponding upgrade operation may be performed at a start time or an end time or an intermediate time of each time slice.
In the embodiment of the invention, the upgrading operation can be sequentially carried out from small to large according to the equipment number of the initial equipment. Each initial device will be provided with a corresponding device number.
S2202, if the current upgrade instruction identifier is the second upgrade instruction identifier, generating in sequence, according to the upgrade information table, a prompt message for each time slice of each time interval of the set time period, prompting that the corresponding number of devices may be upgraded in that time slice; for example, a prompt message similar to "during XXX-YYY, you can upgrade X devices" may be generated. Preferably, the message is similar to "during XXX-YYY, you can upgrade X devices, device number includes …".
In the embodiment of the present invention, the corresponding prompt information may be generated at a fixed time in each time slice, for example at the start time, the end time or an intermediate time of the time slice.
In this embodiment, when it is detected that an initial device needs to be upgraded, the number of devices that can be upgraded in each sub-time interval of each time interval in a set time period is obtained based on the network bandwidth, the proxy packet size, the size of a single data packet sent by each initial device and its current version, and a corresponding upgrade operation is then performed based on the current upgrade instruction identifier.
In another embodiment of the present invention, a monitoring system is provided, and when an agent package that needs to be upgraded is detected, the processor is configured to execute a computer program to implement the steps shown in fig. 2:
S300, acquiring a transmitted data packet size list A = (A1, A2, …, Ai, …, Am), Ai being the size of a single data packet transmitted by initial device i.
The size of the single data packet sent by each initial device may be pre-stored in memory. Typically, each initial device sends packets of the same size in a set period.
S310, acquiring an upgrade information table corresponding to the set time period based on A, the current network bandwidth K and the size of the agent packet required by each initial device's upgrade.
Further, S310 may specifically include:
s312, acquiring the total amount R of data packets to be transmitted in the current working condition environment within a set time period T0.
In the embodiment of the present invention, the set period of time may be set based on actual needs, for example, may be 1 hour or 1 day.
In an embodiment of the present invention, $R = \sum_{i=1}^{m} A_i \times \lfloor TS0 / \Delta T_i \rfloor$, where $\Delta T_i$ is the time interval in seconds at which initial device i sends a data packet, TS0 is the duration in seconds corresponding to T0, and $\lfloor \cdot \rfloor$ denotes rounding down.
S314, if $(TS0 \times K - R) \ge m \times A0$, outputting a sixth identifier, where the sixth identifier is used to characterize that the traffic available in T0 apart from the traffic of the transmitted data packets is enough to upgrade the m initial devices, and executing S316. The sixth identifier may be represented by, for example, 000 or 0001.
In this embodiment, A0 is the size of the proxy packet that needs to be sent to each initial device to upgrade to the version corresponding to the proxy packet. In this embodiment, the current version of each initial device is the same, i.e., the size of the proxy packet sent to each device is A0.
S316, obtaining, for any set time interval $T0_{sc}$ within the set time period T0, the number $NC_{sc} = \max(NC_{sc}^{1}, NC_{sc}^{2}, \dots, NC_{sc}^{H}, \dots, NC_{sc}^{X})$ of initial devices that can be upgraded in it. S318 is performed.
Wherein $T0_{sc} \in (T0_1, T0_2, \dots, T0_{sc}, \dots, T0_{sq})$, sc takes the values 1 to sq, sq is the number of set time intervals in T0, $TS0_1 = TS0_2 = \dots = TS0_{sc} = \dots = TS0_{sq} = \Delta t1$, $\Delta t1$ is the first set time interval, and $TS0_{sc}$ is the duration in seconds of $T0_{sc}$. $NC_{sc}^{H}$ is the number of initial devices that can be upgraded in the H-th sub-time interval $TH_{sc}^{H}$ of $T0_{sc}$, where $THS0_{sc}^{H} = \Delta t2 \times 60 \times H$ is the duration in seconds of $TH_{sc}^{H}$, H takes the values 1 to X, and X is the number of sub-time intervals obtained by dividing $T0_{sc}$ according to the second set time interval $\Delta t2$. $\max(NC_{sc}^{1}, NC_{sc}^{2}, \dots, NC_{sc}^{H}, \dots, NC_{sc}^{X})$ denotes the maximum value among $NC_{sc}^{1}, NC_{sc}^{2}, \dots, NC_{sc}^{H}, \dots, NC_{sc}^{X}$.
In the embodiment of the present invention, $\Delta t1$ and $\Delta t2$ may be set based on actual needs. In one example, $\Delta t1$ may be equal to 0.5 hours or to 1 hour, etc., and $\Delta t2 = \Delta t1 / J$, J being an integer greater than 1. Preferably, $\Delta t2 = \Delta T_{max} - \Delta T_{min}$, where $\Delta T_{max} = \max(\Delta T_1, \Delta T_2, \dots, \Delta T_i, \dots, \Delta T_m)$ and $\Delta T_{min} = \min(\Delta T_1, \Delta T_2, \dots, \Delta T_i, \dots, \Delta T_m)$.
S318, obtaining the upgrade information table corresponding to the set time period T0, the sc-th row of which comprises $(T0_{sc}, NC_{sc})$. S320 is performed.
S320, based on the current upgrading instruction identification, corresponding upgrading operation is executed according to the upgrading information table.
In the embodiment of the invention, the upgrade instruction may include a first upgrade instruction and a second upgrade instruction, distinguished by different identifiers: the first upgrade instruction indicates that an automatic upgrade operation is to be performed, and the second upgrade instruction indicates that a manual upgrade operation is to be performed. The first upgrade instruction identifier may be represented, for example, by AT, and the second upgrade instruction identifier, for example, by H0.
Further, S320 may specifically include:
s3201, if the current upgrading instruction identifier is the first upgrading instruction identifier, upgrading operation is carried out on a corresponding number of devices in each time interval of a set time period according to the upgrading information table.
In the embodiment of the present invention, the corresponding upgrade operation may be performed at a fixed time in each time interval, for example, the corresponding upgrade operation may be performed at a start time or an end time or an intermediate time of each time interval.
In the embodiment of the invention, the upgrading operation can be sequentially carried out from small to large according to the equipment number of the initial equipment. Each initial device will be provided with a corresponding device number.
S3202, if the current upgrade instruction identifier is the second upgrade instruction identifier, generating in sequence, according to the upgrade information table, a prompt message for each time interval of the set time period, prompting that the corresponding number of devices may be upgraded in that time interval; for example, a prompt message similar to "during XXX-YYY, you can upgrade X devices" may be generated. Preferably, the message is similar to "during XXX-YYY, you can upgrade X devices, device number includes …".
In the embodiment of the present invention, the corresponding prompt information may be generated at a fixed time in each time interval, for example at the start time, the end time or an intermediate time of the time interval.
Further, in the embodiment of the present invention, the following steps are further included after S314:
S315, if $(TS0 \times K - R) < m \times A0$, outputting a seventh identifier and obtaining the number S of set time periods needed for the upgrade, which is the total upgrade traffic $m \times A0$ divided by the spare traffic $(TS0 \times K - R)$ of one set time period, rounded up; S317 is performed. The seventh identifier, which is different from the sixth identifier and may be denoted by 001 or 000, is used to characterize that the traffic available in T0 apart from the traffic of the transmitted data packets is insufficient to upgrade all m initial devices.
S317, obtaining, for any set time interval $T0_{sc}$ in each of the S set time periods, the number $NC_{sc} = \max(NC_{sc}^{1}, NC_{sc}^{2}, \dots, NC_{sc}^{H}, \dots, NC_{sc}^{X})$ of initial devices that can be upgraded in it. S319 is performed.
S319, obtaining an upgrade information table corresponding to each set time period T0, the sc-th row of which comprises $(T0_{sc}, NC_{sc})$. S320 is performed.
In this embodiment, when it is detected that an initial device needs to be upgraded, the maximum number of devices that can be upgraded in each time interval of a set time period is obtained based on the network bandwidth, the proxy packet size and the size of a single data packet sent by each initial device, and a corresponding upgrade operation is then performed based on the current upgrade instruction identifier. Since the time interval is used as the upgrade reference time, the number of upgrade operations is reduced compared with the foregoing embodiment, which uses the sub-time interval as the upgrade reference time.
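The following Python program is an example added to this page; it is not code from the patent. It carries steps S312 to S320 (and, in the same slicing loop, the per-slice scheduling of S212 to S220 of the previous embodiment) through on constructed sample data: four devices with their packet sizes Ai and sending intervals ΔTi, a link of K = 8000 bit/s, a set time period T0 of one hour with Δt1 = 30 min and Δt2 = 10 min. Assumptions not given explicitly on the page: R is taken as the sum of Ai × ⌊TS0/ΔTi⌋ over the devices; the number S of periods under the seventh identifier is ⌈m × A0 / (TS0 × K − R)⌉; the per-slice count NC is min(devices still pending, ⌊spare bytes in the slice / A0⌋); and K is converted from bit/s to bytes before it is compared with packet sizes, which the page leaves implicit. The identifiers 000/001 and AT/H0 follow the page's examples.

```python
import math
from typing import List, Tuple

# Constructed sample data (not from the patent): four monitored ("initial") devices.
A = [200, 500, 1000, 200]   # A_i: size in bytes of one data packet sent by device i
DT = [1, 2, 5, 1]           # dT_i: seconds between two packets of device i (assumed constant)
DEVICE_IDS = [1, 2, 3, 4]   # device numbers; upgraded in ascending order (S2201 / S3201)

def total_traffic(A: List[int], DT: List[int], seconds: int) -> int:
    """R for a window of `seconds`: sum_i A_i * floor(seconds / dT_i), in bytes.
    Assumed reading of the page's definitions of A_i, dT_i and TS0 (rounded down)."""
    return sum(a * (seconds // dt) for a, dt in zip(A, DT))

def spare_bytes(A: List[int], DT: List[int], k_bps: int, seconds: int) -> int:
    """Bytes the link can still carry in the window once the devices' own traffic is
    subtracted. The page gives K in bit/s and packet sizes in bytes, so convert first."""
    return seconds * (k_bps // 8) - total_traffic(A, DT, seconds)

def feasibility(A, DT, k_bps: int, ts0: int, a0: int) -> Tuple[str, int]:
    """S314 / S315: '000' (sixth identifier) when all m devices fit into one period T0,
    otherwise '001' (seventh identifier) and S = ceil(m*A0 / spare) periods (assumed formula)."""
    m = len(A)
    spare = spare_bytes(A, DT, k_bps, ts0)
    if spare >= m * a0:
        return "000", 1
    if spare <= 0:
        raise ValueError("the devices' own traffic already saturates the link")
    return "001", math.ceil(m * a0 / spare)

def upgrade_table(A, DT, k_bps: int, ts0: int, a0: int, dt1: int, dt2: int):
    """Rows (period, sc, H, start_s, end_s, NC) covering S periods of T0, each split into
    sq = TS0/dt1 intervals of X = dt1/dt2 slices (any remainder is ignored).
    NC per slice is the assumed rule min(devices still pending, floor(slice spare / A0))."""
    _, periods = feasibility(A, DT, k_bps, ts0, a0)
    sq, x = ts0 // dt1, dt1 // dt2
    slice_spare = spare_bytes(A, DT, k_bps, dt2)
    pending = len(A)
    rows = []
    for p in range(1, periods + 1):
        for sc in range(1, sq + 1):
            for h in range(1, x + 1):
                if pending == 0:            # n(sc, H) == 0: leave the upgrade control program
                    return rows
                nc = min(pending, max(0, slice_spare // a0))
                start = (p - 1) * ts0 + (sc - 1) * dt1 + (h - 1) * dt2
                rows.append((p, sc, h, start, start + dt2, nc))
                pending -= nc
    return rows

def execute(table, device_ids: List[int], instruction: str):
    """S2201 / S2202: 'AT' returns the automatic schedule as ((start, end), [devices]);
    'H0' returns the operator prompts in the page's wording."""
    queue = sorted(device_ids)
    out = []
    for _, _, _, start, end, nc in table:
        batch, queue = queue[:nc], queue[nc:]
        if not batch:
            continue
        if instruction == "AT":
            out.append(((start, end), batch))
        elif instruction == "H0":
            out.append(f"during {start}-{end} s, you can upgrade {len(batch)} devices, "
                       f"device number includes {', '.join(map(str, batch))}")
        else:
            raise ValueError("unknown upgrade instruction identifier")
    return out

if __name__ == "__main__":
    tbl = upgrade_table(A, DT, 8000, 3600, 50_000, 1800, 600)
    for line in execute(tbl, DEVICE_IDS, "H0"):
        print(line)
```

With A0 = 50 000 bytes the period has 540 000 spare bytes, the sixth identifier is output, and each 600 s slice has 90 000 spare bytes, so one device per slice is scheduled and the four devices are done after four slices. With A0 = 200 000 bytes the seventh identifier promises completion in S = 2 periods, yet every slice yields NC = 0 because no single slice can carry one packet: whoever sets Δt2 must check that the spare capacity of one slice is at least A0, otherwise the table never drains.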
Further, in the embodiment of the present invention, the processor is further configured to obtain a whitelist process of each initial device in a first preset period of time, and specifically may include the following steps:
S1, acquiring an initial process list group P = (P1, P2, …, Pi, …, Pm) corresponding to the initial devices in the working condition environment, wherein the initial process list of any initial device i is $P_i = (P_{i1}, P_{i2}, \dots, P_{ij}, \dots, P_{if(i)})$, $P_{ij}$ is the j-th initial process corresponding to initial device i, j takes the values 1 to f(i), and f(i) is the number of initial processes corresponding to initial device i.
The initial process is all processes in the initial device, including a trustworthy normal process and an untrustworthy abnormal process.
S2, for $P_i$, obtaining the initial process state list $PS_{ij} = (PS_{ij}^{1}, PS_{ij}^{2}, \dots, PS_{ij}^{r}, \dots, PS_{ij}^{n})$ corresponding to $P_{ij}$, where $PS_{ij}^{r}$ is the state of $P_{ij}$ in the r-th time interval of the first preset time period, r takes the values 1 to n, and n is the number of time intervals in the first preset time period.
In the embodiment of the invention, the initial process state may include a normal state and an abnormal state, and a certain process in the normal state means that the execution of the process does not threaten the security of the working condition network environment, and a certain process in the abnormal state means that the execution of the process threatens the security of the working condition network environment or causes a potential threat.
In an embodiment of the present invention, the state of each process may be obtained based on existing means. The time period set for acquiring the white list process in the first preset time period can be set based on actual needs. In one non-limiting exemplary embodiment, the first preset time period may be 7 days to 30 days, and preferably, may be 30 days, so that the process running time is as long as possible, thereby making the acquired whitelist process more accurate. The time interval may also be set based on actual needs, and in one exemplary embodiment, the time interval may be 1 day in units.
S3, traversing $PS_{ij}$; if any $PS_{ij}^{r}$ in $PS_{ij}$ is in the abnormal state, acquiring the number $C_{ij}$ of time intervals in the first preset time period in which $PS_{ij}^{r}$ is in the abnormal state, together with the number of occurrences of the abnormal state in each of those $C_{ij}$ time intervals; S4 is performed.
In an exemplary embodiment of the invention, the time interval may be 1 day, so that $C_{ij}$ is the number of days in the first preset time period on which $PS_{ij}^{r}$ is in the abnormal state. When $C_{ij}$ is 1 time interval, $d_{ij}$ is the number of occurrences in that single time interval; when $C_{ij}$ is greater than 1 time interval, $d_{ij}$ is the number of occurrences in each of the $C_{ij}$ time intervals. In the embodiment of the invention, whether the state of a process is abnormal can be determined with an existing process abnormal state detection method.
S4, if $C_{ij} \ge C0$, outputting a first identifier used to characterize that $PS_{ij}^{r}$ has been in the abnormal state on a relatively large number of days, so that $PS_{ij}^{r}$ can be determined to be an abnormal process; the first identifier may be, for example, 0 or 1, and S5 is executed. Otherwise, outputting a second identifier used to characterize that $PS_{ij}^{r}$ has been in the abnormal state on relatively few days, so that the abnormal state may be an accidental event, and S6 is executed. C0 is a preset threshold for the number of abnormal time intervals. The second identifier is set to a value different from the first identifier, e.g. when the first identifier is 1 the second identifier is 0, and vice versa.
S5, if the total number $D_{ij} = \sum_{s=1}^{C_{ij}} d_{ij}^{s}$ of occurrences of the abnormal state of $PS_{ij}$ in the first preset time period satisfies $D_{ij} < D1$, execute S6; otherwise, execute S7; $d_{ij}^{s}$ is the number of occurrences corresponding to the s-th of the $C_{ij}$ time intervals, and D1 is a preset first anomaly threshold.
S6, PS is processed ij As a white list process; obtaining a white list process table of the ith initial equipment;
s7, PS is processed ij As a non-whitelist process, i.e. a blacklist process.
In this embodiment, a process of an initial device whose abnormal state occurs more often than the set threshold within the set time period is blacklisted, and otherwise whitelisted; every whitelist process is thus obtained from actual operation, i.e. verified over time, which makes the whitelist more accurate and reduces the potential safety hazard.
In another embodiment of the present invention, S4 is replaced with:
S42, if the number of initial devices satisfying $C_{ij} \ge C0$ is less than C1, outputting a third identifier, used to characterize that $PS_{ij}^{r}$ is in the abnormal state on only a few initial devices, which is insufficient to determine that $PS_{ij}^{r}$ is an abnormal process, and executing S6; otherwise, outputting a fourth identifier, used to characterize that $PS_{ij}^{r}$ is in the abnormal state on a large number of initial devices, so that $PS_{ij}^{r}$ can be determined to be an abnormal process, and executing S7; C1 is a first set threshold. The third identifier may be set to, for example, 00 or 11, and the fourth identifier to a value different from the third, e.g. when the third identifier is 11 the fourth identifier is 00, and vice versa.
Compared with the foregoing embodiment, in this embodiment a process is blacklisted when the number of devices on which it has been in the abnormal state for at least the threshold C0 of time intervals reaches the device threshold C1, and whitelisted otherwise; this also makes the whitelist process more accurate and reduces the potential safety hazard.
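The following Python program is an example added to this page, not code from the patent. It applies S3 to S7 and the S42 variant to a constructed seven-day observation record for three devices, in which each entry is the number of times the process was flagged abnormal during that day's interval (0 means it stayed normal). The process names, the per-day counts and the thresholds C0 = 3, D1 = 8 and C1 = 2 are all chosen for the example; the abnormal state detector that would produce such counts is assumed, as the page leaves it to existing means.

```python
from typing import Dict, List

# Constructed observation record (not from the patent): three devices watched for
# n = 7 daily intervals. Each list holds, per day, how many times the process was
# flagged abnormal by the (assumed) process anomaly detector; 0 means normal all day.
OBSERVATIONS: Dict[int, Dict[str, List[int]]] = {
    1: {"plc_ctrl": [0, 0, 0, 0, 0, 0, 0],
        "update_helper": [2, 0, 3, 1, 0, 0, 1],
        "miner": [5, 4, 6, 5, 5, 4, 7]},
    2: {"plc_ctrl": [0, 0, 1, 0, 0, 0, 0],
        "update_helper": [0, 1, 0, 0, 2, 0, 0],
        "miner": [6, 5, 5, 5, 6, 6, 5]},
    3: {"plc_ctrl": [0, 0, 0, 0, 0, 0, 0],
        "update_helper": [1, 1, 1, 1, 0, 0, 0],
        "shell_worker": [0, 0, 0, 0, 0, 0, 0]},
}

def abnormal_intervals(states: List[int]) -> int:
    """C_ij: number of intervals in which the process was abnormal at least once (S3)."""
    return sum(1 for d in states if d > 0)

def abnormal_total(states: List[int]) -> int:
    """D_ij: sum of the per-interval occurrence counts d_ij^s (S5)."""
    return sum(states)

def classify_per_device(states: List[int], c0: int, d1: int) -> str:
    """S4 to S7 for one process on one device.
    C_ij >= C0 (first identifier) and then D_ij >= D1 -> blacklist (S7);
    C_ij < C0 (second identifier) or D_ij < D1 -> whitelist (S6)."""
    if abnormal_intervals(states) >= c0 and abnormal_total(states) >= d1:
        return "black"
    return "white"

def classify_across_devices(observations: Dict[int, Dict[str, List[int]]],
                            name: str, c0: int, c1: int) -> str:
    """S42 variant: blacklist only if at least C1 devices report C_ij >= C0 for the
    process (fourth identifier); fewer devices -> third identifier -> whitelist."""
    hits = sum(1 for procs in observations.values()
               if name in procs and abnormal_intervals(procs[name]) >= c0)
    return "black" if hits >= c1 else "white"

def whitelist_tables(observations, c0: int, d1: int) -> Dict[int, List[str]]:
    """PW: the per-device whitelist process tables produced by S6."""
    return {dev: sorted(p for p, s in procs.items()
                        if classify_per_device(s, c0, d1) == "white")
            for dev, procs in observations.items()}

if __name__ == "__main__":
    print(whitelist_tables(OBSERVATIONS, c0=3, d1=8))
    for name in ("plc_ctrl", "update_helper", "miner"):
        print(name, classify_across_devices(OBSERVATIONS, name, c0=3, c1=2))
```

The two rules disagree on update_helper: per device it stays whitelisted (four abnormal days on device 1 but only seven events, below D1), while across devices it is blacklisted because two devices each exceeded C0. The converse blind spot of S42 is worth noting: a process that misbehaves heavily on a single device, as a targeted implant would, never reaches C1 devices and is whitelisted by that rule, so the thresholds, not the observation window, decide what ends up in the whitelist.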
In another embodiment of the present invention, further comprising:
S8, based on S6, obtaining the whitelist process list PW = (PW1, PW2, …, PWi, …, PWm) of the initial devices, wherein $PW_i = (PW_i^{1}, PW_i^{2}, \dots, PW_i^{u}, \dots, PW_i^{h(i)})$, $PW_i^{u}$ is the u-th whitelist process in the whitelist process table $PW_i$ corresponding to the i-th initial device, u takes the values 1 to h(i), and h(i) is the number of processes in $PW_i$.
And S9, recommending a corresponding white list process to the target equipment based on PW when the new target equipment is added under the current working condition environment is detected.
Further, S9 specifically includes:
S91, obtaining a target process list PB = (PB1, PB2, …, PBv, …, PBx) corresponding to the target device, where PBv is the v-th target process of the target device, v takes the values 1 to x, and x is the number of target processes of the target device.
S92, based on PW, obtaining a similarity list f= (F1, F2, …, fi, …, fm) corresponding to PB, where Fi is a similarity between the target device and the i-th initial device.
S92 may specifically include:
S921, obtaining the process feature vector $CPB_v = (CPB_v^{1}, CPB_v^{2}, \dots, CPB_v^{h}, \dots, CPB_v^{z})$ of PBv and the process feature vector $CP_{ij} = (CP_{ij}^{1}, CP_{ij}^{2}, \dots, CP_{ij}^{h}, \dots, CP_{ij}^{z})$ of $P_{ij}$, where $CPB_v^{h}$ and $CP_{ij}^{h}$ are the h-th process feature of PBv and of $P_{ij}$ respectively, h takes the values 1 to z, and z is the number of process features.
In an embodiment of the present invention, the process characteristics may include at least one of an MD5 value, a digital signature, and an address of the process. Preferably, the MD5 value, digital signature, and address of the process may be included.
S922, based on $CPB_v$ and $CP_{ij}$, acquiring the similarity $F_{v\text{-}ij} = \sum_{h=1}^{z} w_h^{v\text{-}ij} \, F_h^{v\text{-}ij}$ between PBv and $P_{ij}$, where $F_h^{v\text{-}ij}$ is the similarity between $CPB_v^{h}$ and $CP_{ij}^{h}$ and $w_h^{v\text{-}ij}$ is the weight of the h-th process feature.
In the embodiment of the invention, the similarity between the two process features can be obtained by adopting the existing similarity algorithm, for example, the existing character string similarity calculation method and the like.
In the embodiment of the invention, the weight of the process characteristic can be set based on the actual situation. In one example, the MD5 value of a process may be weighted more than the digital signature of the process, which may be weighted more than the address of the process.
S923, if $\max(F_{v\text{-}i1}, F_{v\text{-}i2}, \dots, F_{v\text{-}ij}, \dots, F_{v\text{-}if(i)}) \ge S2$, setting the counter C = C + 1 and performing S924; otherwise, performing S924 directly. The initial value of C is 0; S2 is a second preset similarity threshold that can be set based on the actual situation, for example $1 > S2 \ge 0.95$.
S924, setting v=v+1, if v is less than or equal to x, executing S922; otherwise, S925 is performed.
S925, fi=c/f (i) is acquired.
S93, if maxF is greater than or equal to S1, recommending the white list process corresponding to maxF to the target device, marking the corresponding process in PB based on the recommended white list process, wherein S1 is a first preset similarity threshold, and can be set based on actual conditions, and S1 can be larger than S2.
The technical effects of S91 to S93 are that since the corresponding whitelist process is recommended based on the similarity between the target device and the initial device, the recommended whitelist process is verified by time, so that the recommended whitelist process is more suitable for the target device, and the potential safety hazard can be reduced.
Further, in another embodiment of the present invention, the processor is further configured to execute the computer program to implement the following steps:
S94, obtaining the processes in PB other than those marked as whitelist processes as candidate processes.
S95, intersecting each candidate process with the whitelist process table of each initial device; if the number of initial devices for which the intersection is not empty is greater than C2, outputting a fifth identifier, which indicates that the candidate process exists on enough devices to be trusted, and recommending the candidate process to the target device as a whitelist process; C2 is a second set threshold that may be set based on actual needs. The fifth identifier may be 01 or 10.
The technical effect of S94 to S95 is that the recommended whitelist processes can be made more accurate than with S91 to S93 alone.
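The recommendation procedure S91 to S95 carried through on constructed data, as an added example that is not code from the patent. Process feature vectors are (MD5, digital signature, path) tuples; the per-feature similarity is 1 on an exact match and 0 otherwise (the rule stated in claim 9), combined as a weighted sum with the MD5 value weighted highest, and the weights, thresholds S1, S2, C2 and all device lists are assumptions. The example also advances to the next target process when a process has no match, instead of ending the count early as the literal text of S923 could be read; that reading is an assumption.

```python
"""Whitelist recommendation for a newly added device (S91 to S95).

Added example, not code from the patent. Feature vectors are constructed
(md5, digital_signature, path) tuples; weights, thresholds and all device
data are assumptions chosen so that every branch of the procedure runs.
"""
from typing import Dict, List, Sequence, Set, Tuple

Proc = Tuple[str, str, str]  # (MD5 value, digital signature, path)

# Assumed feature weights: MD5 > signature > path, as the description suggests.
WEIGHTS = (0.5, 0.3, 0.2)


def feature_similarity(cpbv: Proc, cpij: Proc, weights=WEIGHTS) -> float:
    """S922: per-feature similarity is 1 on exact match, else 0 (claim 9);
    the process similarity is the weighted sum (assumed combination rule)."""
    return sum(w * (1.0 if a == b else 0.0) for w, a, b in zip(weights, cpbv, cpij))


def device_similarity(pb: Sequence[Proc], pwi: Sequence[Proc], s2: float) -> float:
    """S923 to S925: C counts target processes whose best match in the
    device's list reaches S2; Fi = C / f(i). A miss moves on to the next
    target process (assumption about the intent of S923)."""
    c = sum(1 for pbv in pb if max(feature_similarity(pbv, p) for p in pwi) >= s2)
    return c / len(pwi)


def recommend(pb: Sequence[Proc], pw: List[Sequence[Proc]],
              s1: float, s2: float, c2: int) -> Dict[str, object]:
    """S92 to S95: adopt the whitelist of the most similar initial device,
    then vote the remaining candidates across all initial devices."""
    f = [device_similarity(pb, pwi, s2) for pwi in pw]
    best = max(range(len(pw)), key=lambda i: f[i])  # first index wins a tie
    recommended: Set[Proc] = set()
    marked: Set[Proc] = set()
    if f[best] >= s1:  # S93
        recommended = set(pw[best])
        marked = {pbv for pbv in pb
                  if max(feature_similarity(pbv, p) for p in pw[best]) >= s2}
    candidates = [pbv for pbv in pb if pbv not in marked]  # S94
    voted: Set[Proc] = set()
    for cand in candidates:  # S95: count devices whose whitelist contains it
        support = sum(1 for pwi in pw if cand in set(pwi))
        if support > c2:
            voted.add(cand)  # would carry the "fifth identifier"
    return {"similarities": f, "best_device": best + 1,
            "recommended": recommended | voted, "voted": voted}


def p(name: str, path: str) -> Proc:
    """Build a constructed feature vector; the values are placeholders."""
    return (f"md5-{name}", f"sig-{name}", path)


# Constructed whitelist lists PW of three initial devices (assumed data)
PW: List[Sequence[Proc]] = [
    [p("a", "/usr/bin/a"), p("b", "/usr/bin/b"), p("c", "/usr/bin/c"),
     p("e", "/usr/bin/e"), p("x", "/usr/bin/x")],
    [p("a", "/usr/bin/a"), p("d", "/usr/bin/d"), p("f", "/usr/bin/f"),
     p("x", "/usr/bin/x")],
    [p("a", "/usr/bin/a"), p("d", "/usr/bin/d"), p("e", "/usr/bin/e")],
]
# Constructed target process list PB of the newly added device; "b" has a
# different path than on device 1, so with S2 = 0.95 it does not match.
PB: List[Proc] = [p("a", "/usr/bin/a"), p("b", "/opt/b"), p("d", "/usr/bin/d"),
                  p("e", "/usr/bin/e"), p("x", "/usr/bin/x")]


def demo() -> Dict[str, object]:
    return recommend(PB, PW, s1=0.8, s2=0.95, c2=1)


if __name__ == "__main__":
    print(demo())
```

With S2 = 0.95 and the weights above, only a process whose MD5, signature and path all match counts as present, so a relocated binary ("/opt/b") is neither adopted in S93 nor voted in S95; device 3 wins with F3 = 1.0, its three processes are recommended, and "x" is added by the S95 vote because two other devices whitelist it.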
In the embodiment of the invention, the MD5 value of any process of any device is obtained through the following steps:
S9220, for any process P of any initial device, if the size G of P is smaller than G0, obtaining the MD5 value of P directly; if G ≥ G0, storing P in a to-be-processed process list L; G0 is a preset byte threshold that can be set based on actual needs, for example 1 KB to 2 KB.
S9221, based on L, obtaining the number of processes in each of N intervals, where the N intervals are obtained by dividing the range between the minimum process size G_min and the maximum process size G_max in L into equal steps of ΔG1: the 1st interval is [G_min, G_min + ΔG1), the k-th interval is [G_min + (k-1)·ΔG1, G_min + k·ΔG1) for k from 1 to N-1, and the N-th interval is [G_min + (N-1)·ΔG1, G_max]; ΔG1 is a first set step size that may be set based on actual needs, preferably ΔG1 = G0.
S9222, for any interval c, acquiring data of size q from each process in interval c and performing MD5 processing on the acquired data to obtain the corresponding MD5 values; c takes values 1 to N, the initial value of q is R1, and R1 is a preset initial process size that may be set based on actual needs; in one example R1 may be equal to G0.
S9223, obtaining the similarity between every two of the MD5 values corresponding to the data of size q in interval c; if the similarity of every pair of MD5 values is smaller than a third preset similarity threshold, taking q as the reference size of the process data in interval c and executing S9226; otherwise, executing S9224. The third preset similarity threshold may be set based on actual needs, for example greater than 95%.
S9224, setting q = q + ΔG2; if q < Rg, executing S9222; otherwise, executing S9225; ΔG2 is a second set step size that may be set based on actual needs, in one example ΔG2 = G0; Rg is a set process size threshold, Rg = R1 + E·ΔG2, and E is an integer not less than 2.
S9225, obtaining max(Q1, Q2, …, Qf, …, Q_E+1) and taking the data size corresponding to the maximum as the reference size of the process data in interval c, where Qf is the number of similarities smaller than the third preset similarity threshold in the set of pairwise similarities of the MD5 values obtained in interval c for data of size R1 + (f-1)·ΔG2, and f takes values 1 to E+1; then executing S9226.
S9226, setting c = c + 1; if c ≤ N, executing S9222; otherwise, exiting the procedure.
The technical effect of S9220 to S9226 is that, for a process with a large image, process data of a suitable size can be selected for MD5 processing instead of MD5 processing of the whole process image, so that computing time and computing resources are saved.
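The reference-size search S9220 to S9226 run over constructed process images, as an added example that is not code from the patent. The "similarity of two MD5 values" is computed with Python's difflib ratio over the hex digests, standing in for the unspecified string similarity algorithm; the parameter values and the choice to visit q = Rg as well (so that S9225 sees E+1 counts, as its definition requires) are assumptions. A caveat a practitioner should keep in mind: hashing only the first q bytes means two images that agree on that prefix and differ afterwards get the same digest, so a process that copies the prefix of a whitelisted binary would be indistinguishable from it; where the cost is acceptable, hash the full image, and prefer a SHA-2 digest together with the signature check over MD5 alone.

```python
"""Reference-size selection for partial MD5 hashing (S9220 to S9226).

Added example, not the patent's code. Process images are constructed byte
strings and all parameters are assumptions. Pairwise 'similarity' of two
MD5 values uses difflib's SequenceMatcher ratio over the hex digests.
"""
import hashlib
import math
from difflib import SequenceMatcher
from itertools import combinations
from typing import Dict, List, Tuple


def digest_similarity(a: str, b: str) -> float:
    """Stand-in for the description's string similarity: 1.0 for equal digests."""
    return SequenceMatcher(None, a, b).ratio()


def distinct_pairs(digests: List[str], s3: float) -> Tuple[int, int]:
    """S9223 helper: (pairs whose similarity is below S3, total pairs)."""
    pairs = list(combinations(digests, 2))
    below = sum(1 for a, b in pairs if digest_similarity(a, b) < s3)
    return below, len(pairs)


def size_intervals(sizes: List[int], dg1: int) -> List[Tuple[int, int]]:
    """S9221: half-open steps of dG1 from G_min; the last interval includes G_max."""
    gmin, gmax = min(sizes), max(sizes)
    n = max(1, math.ceil((gmax - gmin) / dg1))
    return [(gmin + (k - 1) * dg1, gmin + k * dg1 if k < n else gmax + 1)
            for k in range(1, n + 1)]


def reference_sizes(procs: Dict[str, bytes], g0: int, dg1: int, r1: int,
                    dg2: int, e: int, s3: float):
    """Returns (full MD5 of small processes, {interval index: reference size q})."""
    full = {n: hashlib.md5(d).hexdigest() for n, d in procs.items() if len(d) < g0}  # S9220
    large = {n: d for n, d in procs.items() if len(d) >= g0}
    refs: Dict[int, int] = {}
    if not large:
        return full, refs
    intervals = size_intervals([len(d) for d in large.values()], dg1)
    rg = r1 + e * dg2  # S9224: Rg = R1 + E*dG2
    for c, (lo, hi) in enumerate(intervals, start=1):  # S9226 walks the intervals
        members = [d for d in large.values() if lo <= len(d) < hi]
        if not members:
            continue
        counts: List[int] = []  # Q1 .. Q_{E+1}
        q = r1
        while q <= rg:  # '<=' so E+1 sizes are tried (assumption, see lead-in)
            digests = [hashlib.md5(d[:q]).hexdigest() for d in members]  # S9222
            below, total = distinct_pairs(digests, s3)
            if below == total:  # S9223: every pair distinguishable at this q
                refs[c] = q
                break
            counts.append(below)
            q += dg2
        else:
            # S9225: size with the most distinguishable pairs; first maximum on ties
            f = counts.index(max(counts)) + 1
            refs[c] = r1 + (f - 1) * dg2
    return full, refs


# Constructed images: b, c and e share the first 2048 bytes; e's first 4000
# bytes are identical to b, so they are never told apart before Rg is reached.
PREFIX = bytes(range(256)) * 8
PROCS = {
    "a.bin": b"A" * 512,                          # below G0: hashed in full
    "b.bin": PREFIX + b"B" * 1952,                # 4000 bytes
    "c.bin": PREFIX + b"C" * 2452,                # 4500 bytes
    "e.bin": PREFIX + b"B" * 1952 + b"E" * 100,   # 4100 bytes
    "d.bin": b"D" * 9000,                         # alone in its interval
}


def demo():
    return reference_sizes(PROCS, g0=1024, dg1=1024, r1=1024, dg2=1024, e=2, s3=0.95)


if __name__ == "__main__":
    print(demo())
```

In the first interval the loop runs out at q = 3072 without separating b from e, so S9225 picks the size with the most distinguishable pairs; the interval holding only d.bin has no pairs to compare and settles on R1 immediately.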
Further, in another embodiment of the present invention, the processor is further configured to execute the computer program to implement the steps of
S10, when a new target device is added in the current working-condition environment, if a parent-child process relationship exists among the target processes of the target device and the parent process belongs to PW, judging whether the child process of the target device is a whitelist process.
Further, S10 specifically includes: during a second preset time period the target device executes only the child processes corresponding to parent processes that are whitelist processes, and the number of times each child process is in an abnormal state during that period is obtained; if the number of anomalies of a child process is less than D2, the child process is taken as a whitelist process, where D2 is a preset second anomaly-count threshold that may be set based on actual needs, in an exemplary embodiment D2 = D1. The duration of the second preset time period is less than that of the first preset time period and may be, for example, 7 days.
Further, S10 further includes:
when the parent process does not belong to PW, the child processes corresponding to that parent process are judged to be processes other than whitelist processes.
The technical effect of S10 is that when a device contains a parent process that is in the whitelist, whether its child processes are whitelist processes is determined separately, so that the whitelist can be made more accurate.
Further, in another embodiment of the present invention, the processor is further configured to execute the computer program to implement the steps of
S11, if the whitelist process tables of the designated devices in the initial devices that carry the same set function label differ from one another, obtaining a reference whitelist process table for those designated devices.
In the embodiment of the present invention, the same set function tag refers to a tag that represents that the same function is performed. Each function may be provided with a corresponding tag.
Further, S11 specifically includes:
S111, acquiring the whitelist process list group H = (H1, H2, …, He, …, Hg) of the designated devices, where the whitelist process list of the e-th designated device is He = (He_1, He_2, …, He_b, …, He_n(e)), e takes values 1 to g, g is the number of designated devices, and He_b is the b-th process of the e-th device;
S112, if He_b does not appear in the intermediate whitelist process list formed by the whitelist process lists in H other than He, determining He_b to be an isolated process;
S113, if the number of whitelist process tables of reference devices that contain He_b is greater than a set number threshold, determining He_b to be a whitelist process; otherwise, executing S114; the reference devices are the initial devices other than the designated devices. The set number threshold may be set based on actual needs, for example more than 60% of the number of reference devices.
S114, deleting He_b from the whitelist process union HC = H1 ∪ H2 ∪ … ∪ He ∪ … ∪ Hg.
S115, taking HC with the isolated processes deleted as the reference whitelist process table.
The technical effect of S111 to S115 is to ensure that devices playing the same role (i.e. performing the same function) share the same whitelist of processes, so that more appropriate and accurate whitelist processes can be recommended when a device playing that role joins.
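The reference-table construction S111 to S115 as an added example that is not code from the patent. Whitelists are constructed sets of process names, the 60% vote threshold follows the example in the description, and the device data are assumptions.

```python
"""Reference whitelist for devices sharing a function label (S111 to S115).

Added example, not the patent's code. Device whitelists are constructed sets
of process names; the 0.6 threshold follows the description's example.
"""
from typing import Dict, List, Set, Tuple


def isolated_processes(designated: List[Set[str]]) -> Dict[str, int]:
    """S112: processes present in exactly one designated device's list.
    Returns process -> 1-based index of the device that has it."""
    found: Dict[str, int] = {}
    for e, he in enumerate(designated, start=1):
        others = set().union(*(h for k, h in enumerate(designated, start=1) if k != e))
        for proc in he:
            if proc not in others:
                found[proc] = e
    return found


def reference_whitelist(designated: List[Set[str]], reference: List[Set[str]],
                        ratio: float = 0.6) -> Tuple[Set[str], Set[str]]:
    """S113 to S115: an isolated process survives only if more than `ratio` of
    the reference devices (initial devices outside the group) whitelist it;
    otherwise it is removed from the union HC. Returns (HC, dropped)."""
    hc: Set[str] = set().union(*designated)
    threshold = ratio * len(reference)
    dropped: Set[str] = set()
    for proc in isolated_processes(designated):
        support = sum(1 for r in reference if proc in r)
        if support > threshold:
            continue  # S113: widely run elsewhere, keep it
        hc.discard(proc)  # S114
        dropped.add(proc)
    return hc, dropped  # S115


# Constructed data: three devices with the same function label, five reference devices
DESIGNATED = [{"sshd", "nginx", "backup", "agent"}, {"sshd", "nginx", "cron"}, {"sshd", "nginx"}]
REFERENCE = [{"sshd", "cron", "agent"}, {"sshd", "agent"}, {"cron", "agent"},
             {"sshd", "agent"}, {"backup"}]


def demo() -> Tuple[Set[str], Set[str]]:
    return reference_whitelist(DESIGNATED, REFERENCE)


if __name__ == "__main__":
    print(demo())
```

Note that only isolated processes are put to the reference-device vote; a process that two of three designated devices whitelist enters HC unexamined, so a process introduced on two compromised peers would propagate to the reference table through the union.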
Embodiments of the present invention also provide a non-transitory computer-readable storage medium that may be disposed in an electronic device to store at least one instruction or at least one program for implementing one of the method embodiments, the at least one instruction or program being loaded and executed by the processor to implement the methods provided by the embodiments described above.
Embodiments of the present invention also provide an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
Embodiments of the present invention also provide a computer program product comprising program code for causing an electronic device to carry out the steps of the method according to the various exemplary embodiments of the invention as described in the specification, when said program product is run on the electronic device.
While certain specific embodiments of the invention have been described in detail by way of example, it will be appreciated by those skilled in the art that the above examples are for illustration only and are not intended to limit the scope of the invention. Those skilled in the art will also appreciate that many modifications may be made to the embodiments without departing from the scope and spirit of the invention. The scope of the present disclosure is defined by the appended claims.
Claims (10)
1. A monitoring system comprising a processor and a storage medium storing a computer program, the two being communicatively coupled, the processor being communicatively connected to m initial devices, wherein upon detection of an agent packet requiring upgrade, the processor is configured to execute the computer program to implement the steps of:
S300, acquiring a transmitted data packet size list A = (A1, A2, …, Ai, …, Am), wherein Ai is the size of a single data packet transmitted by initial device i, and i takes values 1 to m;
S310, acquiring an upgrade information table corresponding to a set time period based on A, the current network bandwidth K and the size of the agent packet required by each initial device for the upgrade;
S310 specifically comprises:
S312, acquiring the total amount R of data packets to be transmitted in the current working-condition environment within a set time period T0;
S314, if (TS0 × K − R) ≥ m × A0, executing S316; TS0 is the duration corresponding to T0 in seconds; A0 is the size of the agent packet that must be sent to each initial device to upgrade it to the version corresponding to the agent packet;
S316, obtaining, for any set time interval T0_sc within the set time period T0, the number NC_sc = max(NC_sc1, NC_sc2, …, NC_scH, …, NC_scX) of initial devices that can be upgraded in it; S318 is performed; wherein sc takes values 1 to sq, sq is the number of set time intervals in T0, T0_sc is the sc-th set time interval, whose length is determined by a first set time interval Δt1, and TS0_sc is the duration of T0_sc in seconds; NC_scH is the number of initial devices that can be upgraded in the H-th sub-time interval TH_scH of T0_sc, obtained from its duration THS0_scH, the bandwidth K, the packet sizes in A and the agent packet size A0, wherein THS0_scH = Δt2 × 60 × H in seconds, H takes values 1 to X, and X is the number of sub-time intervals obtained by dividing T0_sc according to a second set time interval Δt2;
S318, obtaining the upgrade information table corresponding to the set time period T0, wherein the sc-th row of the upgrade information table comprises (T0_sc, NC_sc); S320 is performed;
S320, executing the corresponding upgrade operation according to the upgrade information table based on the current upgrade instruction identifier.
2. The monitoring system according to claim 1, wherein S320 specifically comprises:
S3201, if the current upgrade instruction identifier is a first upgrade instruction identifier, performing the upgrade operation in sequence on the corresponding number of devices in each time interval of the set time period according to the upgrade information table;
S3202, if the current upgrade instruction identifier is a second upgrade instruction identifier, generating prompt information that prompts the upgrade of the corresponding number of devices in each time interval of the set time period according to the upgrade information table.
3. The monitoring system according to claim 1, wherein S315, if (TS0 × K − R) < m × A0, S317 is performed;
S317, obtaining, for any set time interval T0_sc among the S set time intervals, the number NC_sc = max(NC_sc1, NC_sc2, …, NC_scH, …, NC_scX) of initial devices that can be upgraded in it; S319 is performed;
S319, obtaining the upgrade information table corresponding to each set time period T0, wherein the sc-th row of the upgrade information table comprises (T0_sc, NC_sc); S320 is performed.
4. The monitoring system of claim 1, wherein the processor is further configured to obtain a whitelist process for each initial device for a first preset period of time, comprising the steps of:
S1, acquiring the initial process list group P = (P1, P2, …, Pi, …, Pm) corresponding to the initial devices in the working-condition environment, wherein the initial process list of any initial device i is Pi = (P_i1, P_i2, …, P_ij, …, P_if(i)), P_ij is the j-th initial process corresponding to initial device i, i takes values 1 to m, m is the number of initial devices, j takes values 1 to f(i), and f(i) is the number of initial processes corresponding to initial device i;
S2, for Pi, obtaining the initial process state list PS_ij = (PS^1_ij, PS^2_ij, …, PS^r_ij, …, PS^n_ij) corresponding to P_ij, wherein PS^r_ij is the state of the initial process P_ij in the r-th time interval of the first preset time period, r takes values 1 to n, and n is the number of time intervals in the first preset time period;
S3, traversing PS_ij; if any PS^r_ij in PS_ij is in an abnormal state, acquiring the number C_ij of time intervals in the first preset time period in which PS^r_ij is abnormal and the number of abnormal occurrences in each of those time intervals; executing S4;
S4, if C_ij ≥ C0, executing S5; otherwise, executing S6; C0 is a preset threshold of the number of abnormal time intervals;
S5, if the total number D_ij of abnormal occurrences of PS^r_ij in the first preset time period, i.e. the sum over s of d^s_ij, satisfies D_ij < D1, executing S6; otherwise, executing S7; d^s_ij is the number of abnormal occurrences in the s-th of the C_ij time intervals, and D1 is a preset first anomaly-count threshold;
S6, taking P_ij as a whitelist process, thereby obtaining the whitelist process table of the i-th initial device;
S7, taking P_ij as a non-whitelist process.
5. The monitoring system of claim 1, wherein S4 is replaced with:
S42, if the number of initial devices for which C_ij ≥ C0 is less than C1, executing S6; otherwise, executing S7; C1 is a first set threshold.
6. The monitoring system of claim 4, wherein the processor is further configured to execute the computer program to perform the steps of:
S8, based on S6, obtaining the whitelist process list group PW = (PW1, PW2, …, PWi, …, PWm) of the initial devices, wherein PWi = (PWi_1, PWi_2, …, PWi_u, …, PWi_h(i)), PWi_u is the u-th whitelist process corresponding to the i-th initial device, u takes values 1 to h(i), and h(i) is the number of processes in PWi;
S9, when the addition of a new target device in the current working-condition environment is detected, recommending corresponding whitelist processes to the target device based on PW.
7. The monitoring system according to claim 6, wherein S9 specifically comprises:
S91, obtaining a target process list PB = (PB1, PB2, …, PBv, …, PBx) corresponding to the target device, wherein PBv is the v-th target process corresponding to the target device, v takes values 1 to x, and x is the number of target processes corresponding to the target device;
S92, based on PW, obtaining a similarity list F = (F1, F2, …, Fi, …, Fm) corresponding to PB, wherein Fi is the similarity between the target device and the i-th initial device;
S93, if max(F) ≥ S1, recommending the whitelist process table corresponding to max(F) to the target device and marking the corresponding processes in PB based on the recommended whitelist processes, wherein S1 is a first preset similarity threshold.
8. The monitoring system of claim 7, wherein the processor is further configured to execute the computer program to perform the steps of:
S94, obtaining the processes in PB other than those marked as whitelist processes as candidate processes;
S95, intersecting each candidate process with the whitelist process table of each initial device, and recommending the candidate process to the target device as a whitelist process if the number of non-empty intersections is greater than C2; C2 is a second set threshold.
9. The monitoring system of claim 7, wherein S92 specifically comprises:
S921, obtaining the process feature vector CPBv = (CPBv_1, CPBv_2, …, CPBv_h, …, CPBv_z(v)) of PBv and the process feature vector CP_ij = (CP_ij1, CP_ij2, …, CP_ijh1, …, CP_ijz(i,j)) of P_ij, wherein CPBv_h is the h-th process feature in CPBv, h takes values 1 to z(v), z(v) is the number of process features in CPBv, CP_ijh1 is the h1-th process feature of CP_ij, h1 takes values 1 to z(i,j), and z(i,j) is the number of process features in CP_ij;
S922, based on CPBv and CP_ij, obtaining the similarity F_v-ij between PBv and P_ij, computed from the per-feature similarities weighted by the feature weights, wherein F_h^(v-ij) is the similarity between CPBv_h and P_ij and w_h^(v-ij) is the weight of the h-th process feature; if CPBv_h ∈ P_ij then F_h^(v-ij) = 1, otherwise F_h^(v-ij) = 0;
S923, if max(F_v-i1, F_v-i2, …, F_v-ij, …, F_v-if(i)) ≥ S2, setting the counter C = C + 1 and performing S924; otherwise, performing S925; the initial value of C is 0, and S2 is a second preset similarity threshold;
S924, setting v = v + 1; if v ≤ x, executing S922; otherwise, performing S925;
S925, obtaining Fi = C / f(i).
10. The monitoring system of claim 1, wherein the processor is further configured to execute the computer program to perform the steps of:
S10, when a new target device is added in the current working-condition environment, if a parent-child process relationship exists among the target processes of the target device and the parent process belongs to PW, judging whether the child process of the target device is a whitelist process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211483754.8A CN115712544B (en) | 2022-11-24 | 2022-11-24 | Monitoring system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115712544A CN115712544A (en) | 2023-02-24 |
CN115712544B true CN115712544B (en) | 2024-04-12 |
Family
ID=85234545
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211483754.8A Active CN115712544B (en) | 2022-11-24 | 2022-11-24 | Monitoring system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115712544B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013078951A1 (en) * | 2011-12-01 | 2013-06-06 | 腾讯科技(深圳)有限公司 | Method and system for upgrading software |
WO2014101451A1 (en) * | 2012-12-27 | 2014-07-03 | 广州市动景计算机科技有限公司 | Incremental upgrade method, apparatus for applying method and storage medium |
CN104407877A (en) * | 2014-10-16 | 2015-03-11 | 北京京东尚科信息技术有限公司 | Method and system for upgrading terminal |
WO2015070412A1 (en) * | 2013-11-14 | 2015-05-21 | 华为技术有限公司 | Method for upgrading network device version and network device |
JP2017208757A (en) * | 2016-05-20 | 2017-11-24 | 日本電信電話株式会社 | Device and method for traffic prediction |
JP2018527668A (en) * | 2015-07-27 | 2018-09-20 | アリババ グループ ホウルディング リミテッド | Method and system for limiting data traffic |
CN111092791A (en) * | 2019-12-31 | 2020-05-01 | 上海掌门科技有限公司 | Method and equipment for determining available network bandwidth from application to server |
CN114124917A (en) * | 2021-11-23 | 2022-03-01 | 四川易智停科技有限公司 | Remote upgrading method, equipment, system and medium for ground lock firmware |
CN114895940A (en) * | 2022-05-23 | 2022-08-12 | 珠海格力电器股份有限公司 | Upgrading method, device, equipment and storage medium |
CN115268976A (en) * | 2022-07-28 | 2022-11-01 | 合肥城市云数据中心股份有限公司 | Automatic upgrading method and system for multi-data center collection Agent version |
CN116112270A (en) * | 2023-02-13 | 2023-05-12 | 山东云天安全技术有限公司 | Data processing system for determining abnormal flow |
Also Published As
Publication number | Publication date |
---|---|
CN115712544A (en) | 2023-02-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||