CN1175350C - Host computer performance monitoring and automatic reacting system - Google Patents

Host computer performance monitoring and automatic reacting system

Info

Publication number: CN1175350C
Application number: CNB011390336A
Authority: CN (China)
Prior art keywords: emergency response, rule, event collection, host computer, module
Legal status: Expired - Fee Related (the listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN1349164A (en)
Inventors: 钟亦平, 吴杰, 吴承荣
Current assignee: FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI (the listed assignee may be inaccurate)
Original assignee: FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI
Priority date: 2001-12-04 (the listed date is an assumption, not a legal conclusion)
Filing date: 2001-12-04
Publication date: 2004-11-10 (grant); the application was published as CN1349164A on 2002-05-15

Timeline:
2001-12-04 Application CNB011390336A filed by FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI
2002-05-15 Publication of CN1349164A
2004-11-10 Application granted; publication of CN1175350C
2013-12-04 Patent right terminated for non-payment of the annual fee (current status: Expired - Fee Related)

Landscapes

  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a system that monitors the performance of a host computer and responds automatically. The system uses a centralized rule configuration mode. An emergency response center, acting as the configuration management center, is connected to the monitored host over a network; a system performance monitoring module, an event collection module and a command execution module are installed on the monitored host. The emergency response center transmits rules to the event collection module; the system performance monitoring module monitors changes in system performance and reports them to the event collection module; the event collection module submits the abnormal events it discovers to the emergency response center; the emergency response center determines, from the properties of each event, the action to take; and a command execution unit controls the protected host to carry out the automatic protection action. The system fully monitors the host and the network information connected to it, reacts automatically according to preset rules once an abnormality is discovered, handles abnormal events promptly and reduces the user's possible loss to a minimum.

Description

Host computer performance monitoring and automatic reacting system
Technical field
The present invention relates to a host performance monitoring and automatic reaction system for computer networks. It is used for computer network security and belongs to the field of computer and automatic control technology.
Background technology
With the rapid development of network technology, more and more enterprises are joining the Internet, whose nearly one million information sources offer users around the world a vast pool of information to exchange and share. But while enjoying the speed and convenience the Internet brings, enterprises also have to face the negative side of information sharing: as more and more internal enterprise data becomes reachable over the Internet, every access may become the point of attack through which a hacker enters the network and obtains unauthorized access. An enterprise can of course choose technologies such as firewalls to protect its whole internal network, but once malicious traffic gets inside a host these perimeter measures are powerless. This requires hosts, and especially hosts that store sensitive data, to have some automatic monitoring capability, so that danger can be detected before it materializes and measures taken in time, reducing possible loss to a minimum.
The monitoring a host can perform includes network monitoring and local monitoring.
Network monitoring analyzes the data arriving at the host and tries to determine which of it is a potential threat, and watches for unauthorized connection attempts to particular TCP or UDP ports. If someone attempts to connect to a port on which no service is open, it often means that someone is looking for system vulnerabilities.
Local monitoring looks for traces of abnormal conditions by watching the local file system, CPU usage, memory usage and audit log files. The system administrator can find relevant traces there, and can also judge whether the host has been compromised by monitoring the activity of the superuser on it. Generally, once a host has been configured, only a small amount of maintenance requiring superuser privileges is needed, and most of that maintenance is planned in advance for a definite time; if a privileged user is found performing suspicious operations at an unscheduled time, the system maintainer should be notified to confirm whether the host has been compromised.
Existing host monitoring technology is mainly based on the aspects above: once an abnormality is detected, the administrator's attention is drawn by means such as audible and visual alarms, and further action is taken by the administrator.
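The closed-port probing heuristic described above, as an added example that is not part of the patent: a small Python detector that reads constructed connection-attempt log lines and flags sources that touch several closed ports within a short window, while ignoring connections to ports that actually serve something. The line format, the set of open ports, the 60-second window and the three-port threshold are all assumptions of this example, not values given by the patent.

```python
"""Detecting probes of closed ports from a host's connection log.

Added example (not code from the patent). The log format below is
constructed for the example; a real source would be a firewall log,
connection-tracking output or a packet capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports on which this host actually runs a service (assumed for the example).
OPEN_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53)}

# Constructed sample log: "<ISO time> <proto> <src_ip>:<src_port> -> <dst_port>"
SAMPLE_LOG = """\
2001-12-04T23:10:01 tcp 10.0.0.7:40210 -> 80
2001-12-04T23:10:03 tcp 192.0.2.44:51001 -> 21
2001-12-04T23:10:03 tcp 192.0.2.44:51002 -> 23
2001-12-04T23:10:04 tcp 192.0.2.44:51003 -> 25
2001-12-04T23:10:04 tcp 192.0.2.44:51004 -> 110
2001-12-04T23:10:05 tcp 192.0.2.44:51005 -> 143
2001-12-04T23:10:09 tcp 10.0.0.7:40211 -> 443
2001-12-04T23:10:40 udp 198.51.100.9:6000 -> 161
2001-12-04T23:15:00 tcp 198.51.100.9:6001 -> 8080
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, proto, src_ip, dst_port)."""
    ts, proto, src, _arrow, dport = line.split()
    src_ip = src.rsplit(":", 1)[0]
    return datetime.fromisoformat(ts), proto, src_ip, int(dport)


def find_port_probes(log_text, open_ports=OPEN_PORTS,
                     window=timedelta(seconds=60), min_ports=3):
    """Return {src_ip: sorted list of closed ports touched} for every source
    that hit at least `min_ports` distinct closed ports inside any `window`.
    Connections to open ports are normal service traffic and are ignored."""
    attempts = defaultdict(list)  # src_ip -> [(time, closed port)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src_ip, dport = parse_line(line)
        if (proto, dport) in open_ports:
            continue
        attempts[src_ip].append((ts, dport))

    probes = {}
    for src_ip, events in attempts.items():
        events.sort()
        start = 0
        # Sliding window over this source's closed-port hits, oldest first.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {port for _, port in events[start:end + 1]}
            if len(distinct) >= min_ports:
                probes[src_ip] = sorted({port for _, port in events})
                break
    return probes


if __name__ == "__main__":
    for src, ports in find_port_probes(SAMPLE_LOG).items():
        print(f"probable port scan from {src}: closed ports {ports}")
```

A single stray connection to a closed port is not reported; only a burst of distinct closed ports from one source is, which is the pattern the text associates with someone searching for vulnerabilities.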
Existing host monitoring software can be further divided into two classes according to where it resides:
Server-side monitoring: At present most monitoring software is server-based, that is, after purchasing the software the user installs it on a local server and monitors the running performance of local software and hardware such as the server and the database. The benefit of this kind of software is that the user can understand the utilization of their own local machines, the local network connections and the execution of some e-commerce procedures locally. The disadvantage is that it cannot directly reflect the real experience of end users who log in to the website and use the e-commerce services it provides.
Client-side monitoring: With the development of Internet technology and a shift in management philosophy, a new kind of monitoring service has appeared. This service distributes the software to the user side rather than installing it on the network operator's local servers. It monitors network performance, performs performance diagnosis and searches for network bottlenecks from the end user's point of view. In principle this service embodies a customer-centred management philosophy, because end users logging on to the network do not care whether the operator uses HP or IBM servers, an NT or Unix platform, or an Oracle or Microsoft database. The only thing the user cares about is their own experience of the network: whether a page opens quickly, whether an online transaction succeeds, and how long it takes.
These host monitoring technologies mainly provide a monitoring function; once an abnormality is noticed, manual intervention by the administrator is still required. If the abnormal condition occurs late at night or in another unattended period, handling will inevitably be delayed and loss may result.
Summary of the invention
The object of the invention is to address the deficiencies of the prior art by providing a host performance monitoring and automatic reaction system for computer networks, which not only comprehensively monitors the performance of the host itself (CPU usage, memory usage, disk usage and so on) but also monitors the host's ports and possible malicious attacks, and can react automatically according to preset rules, guaranteeing that abnormal conditions are handled in time and possible loss is reduced to a minimum.
To achieve this, in the technical scheme of the invention an emergency response center, acting as the configuration management center, is connected to the monitored host over the network, and a system performance monitoring module, an event collection module and a command execution module are installed on the monitored host. The emergency response center uses a centralized rule configuration mode: the rule configuration and automatic reaction actions the administrator sets through the operating interface are passed to the event collection module. Rules configured at the emergency response center are hierarchical; in order of priority from high to low they are rules set for a specific individual host, rules set for a group of several hosts, and rules set for the whole system. When the event collection module collects data and forms alarms, it matches rules in descending order of priority. The system performance monitoring module monitors changes in system performance and reports them to the event collection module. The event collection module collects the working state of the host, including both stability data and security data, and submits the abnormal events it discovers to the emergency response center. The emergency response center decides, according to the nature of the event, what action should be taken and issues the command to the command execution module, which controls the monitored host to complete the automatic protection action. For events that are difficult to handle automatically, the administrator is notified to intervene manually.
The platforms used by the invention are Windows NT and Unix. An event collection agent running on the host collects and analyzes various information and judges according to predetermined rules whether an abnormality has occurred; if one is found, the emergency measure execution software repairs the host and restores it to normal, and the administrator can also be notified by e-mail, pager (BP) and similar means.
An abnormal event in the sense of the invention means that a system or device is under attack, or has received too many service requests to provide normal service; it also includes performance degradation events in which local CPU usage, memory usage, disk space usage or the number of processes is so high that system performance drops severely. A host is a protected host or device in the monitoring system into which a program responsible for state collection and remote control (the agent) has been implanted. The event collection agent collects the host's working state, including stability data and security data. The emergency measure execution software is the software that repairs the host and restores it to working condition.
To make rules configurable, the invention provides a centralized rule configuration mode: the user configures rules at the configuration management center and they are sent to each monitored host for monitoring. The user can define the kinds of alarms that may appear and the system's handling procedures, and then set the logical relations between them. The system sends alarm information (or, on request, the details of a specific agent) to the user through a graphical interface (or a unified Microsoft Management Console, MMC, interface). To increase flexibility, besides having alarms handled automatically by the rules, the user can also manually perform specific actions to control a remote monitored host or network. Because the monitoring system records every event in the system log, the user can also determine whether the system is running normally by inspecting the log.
The whole monitoring system can also be connected to an external audit system, which preserves the system's security log; the external interface uses the HTTP protocol and communicates in XML. The monitoring system can also interface with a firewall system: by reading the firewall's system log it analyzes potential hidden dangers in it, and it modifies the firewall configuration over the TELNET protocol so that potential danger is not allowed to enter the host.
Inside the monitoring system the main interfaces are the information communication interfaces between the configuration management center and each event collection agent residing on a host. By information content and implementation they fall into two classes:
1) System data (including the event collection agent's alarm information and response information) is transmitted via SNMP (MIB). SNMP defines in advance a data structure that represents the data as a series of bits, each bit indicating whether some state quantity has exceeded its alarm limit or whether some execution element needs to run. Because very little information is transmitted, it can be carried in a single IP packet, which speeds up the system's response time.
2) System control information (policy control information sent by the configuration management center and execution information from the event collection agent) is implemented through a direct communication interface.
Besides the automatic reaction actions configured at the configuration management center, the system also provides manual handling: when an abnormality is noticed, the administrator is notified by e-mail, pager or similar means. Beyond letting the administrator manually send execution commands to the command execution unit, the system allows the administrator to take direct manual control under any circumstances to eliminate hidden dangers. If a problem occurs on the server (such as a crash) that the system cannot respond to automatically, a prompt is given and the administrator restarts the system by hand.
The various data collection rules of the system are set hierarchically: the user can set rules for the whole system, for a group of hosts, or for a specific individual host. When the execution unit collects data and forms an alarm, it matches according to priority: if a special rule is defined for this host, match according to that rule; if not, check whether the host belongs to a group covered by some rule, and if so match according to that group's rule; if the host is neither a special host nor a member of a host group, match according to the whole-system rule.
For an individual device or packaged subsystem in the system, since there is no group to belong to, the defaults apply throughout.
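The three-level rule precedence described above, combined with the one-packet alarm bitmap the description attributes to its SNMP data path (item 1 in the interface list), as an added example rather than code from the patent. Python is used here; the host names, group membership, thresholds, actions, metric set and bit layout are constructed for the example. Resolving the precedence metric by metric (a host rule that only overrides the disk limit still inherits its group's CPU limit) is this example's reading of the description, not something the patent states.

```python
"""Hierarchical rule matching and a compact alarm word.

Added example, not code from the patent. Rule values, host names, group
membership and the bit layout below are assumptions made for the example.
"""

# Bit position of each monitored quantity in the alarm word. The patent only
# says each bit marks whether a quantity exceeded its limit; the layout is assumed.
METRIC_BITS = {"cpu": 0, "mem": 1, "disk": 2, "procs": 3}

# Rule sets: metric -> (threshold, automatic action). Constructed for the example.
SYSTEM_RULES = {"cpu": (90, "notify_admin"), "mem": (90, "notify_admin"),
                "disk": (95, "purge_tmp"), "procs": (800, "notify_admin")}
GROUP_RULES = {"db-servers": {"cpu": (85, "notify_admin"),
                              "disk": (85, "purge_tmp"),
                              "procs": (500, "kill_runaway")}}
HOST_RULES = {"db01": {"disk": (70, "purge_tmp")}}
HOST_GROUPS = {"db01": "db-servers", "db02": "db-servers"}


def effective_rules(host):
    """Resolve, metric by metric, the highest-priority level that defines a
    limit for `host`: host-specific first, then its group, then the system rule.
    Returns {metric: (level, threshold, action)}."""
    levels = [("host", HOST_RULES.get(host, {})),
              ("group", GROUP_RULES.get(HOST_GROUPS.get(host), {})),
              ("system", SYSTEM_RULES)]
    resolved = {}
    for metric in METRIC_BITS:
        for level, rules in levels:
            if metric in rules:
                limit, action = rules[metric]
                resolved[metric] = (level, limit, action)
                break
    return resolved


def evaluate(host, metrics):
    """Agent side: compare collected metrics with the effective limits and set
    one bit per exceeded quantity. Returns (alarm_word, {metric: (level, action)})."""
    word = 0
    actions = {}
    for metric, (level, limit, action) in effective_rules(host).items():
        if metrics.get(metric, 0) > limit:
            word |= 1 << METRIC_BITS[metric]
            actions[metric] = (level, action)
    return word, actions


def decode_alarm(word):
    """Center side: names of the quantities whose bit is set, in bit order."""
    return [m for m, bit in sorted(METRIC_BITS.items(), key=lambda kv: kv[1])
            if (word >> bit) & 1]


def encode_packet(host_id, word):
    """One small datagram: 2-byte host id followed by the 1-byte alarm word
    (assumed layout; it easily fits in a single IP packet, as the patent intends)."""
    return host_id.to_bytes(2, "big") + bytes([word & 0xFF])


def decode_packet(data):
    """Inverse of encode_packet: (host_id, alarm_word)."""
    return int.from_bytes(data[:2], "big"), data[2]


if __name__ == "__main__":
    sample = {"cpu": 88, "mem": 40, "disk": 75, "procs": 520}  # constructed reading
    for host in ("db01", "db02", "web01"):
        word, actions = evaluate(host, sample)
        host_id, received = decode_packet(encode_packet(1, word))
        print(host, f"alarm=0b{received:04b}", decode_alarm(received), actions)
```

With the same constructed reading, db01 alarms on cpu (group limit), disk (its own host limit) and procs (group limit); db02, which has no host-specific rule, alarms only on cpu and procs; web01, which belongs to no group, falls back to the looser system limits and stays quiet.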
The invention not only comprehensively monitors the host and the network information connected to it, reducing the possibility of intrusion to a minimum, but also provides the ability to react automatically according to preset rules after an abnormality is found, greatly lightening the system administrator's burden and handling abnormal events as promptly as possible. Only when the situation is very complex and the system cannot decide what measure to take is the administrator's intervention needed; and in any case the administrator can intervene manually through the configuration management center. After an abnormal event the monitoring system also reports to the administrator in the fastest way available, and faithfully records every action of the system in the log for analysis.
The centralized configuration management center is where the system administrator sets rules and system response actions; through it the administrator can monitor the situation of all hosts comprehensively and easily revise rules to adapt to changes in the system. A rule defines which system information the event collection agent should collect and the threshold corresponding to that information; once collected information exceeds the preset threshold, an abnormal event is considered to have occurred, and the monitoring system automatically handles it according to the configured action and notifies the administrator in time. All this lets the system give users the most flexible configuration and the most timely handling, reducing possible loss to a minimum.
Description of drawings
Fig. 1 is a schematic diagram of the system architecture of the present invention.
Embodiment
As shown in Fig. 1, the invention adopts a centralized rule configuration mode: the whole monitoring system needs only one emergency response center, which also serves as the configuration management center and is connected over the network to the monitored hosts to achieve centralized control. The administrator configures rules through the emergency response center, observes system operation and network state, and takes corresponding measures. A system performance monitoring module, an event collection module and a command execution module are installed on the monitored host to perform host monitoring, analysis and automatic reaction.
The administrator operates the emergency response center through an operating interface and can both configure host monitoring rules with their corresponding automatic reaction actions and intervene by manual control, to resolve urgent events that are difficult to handle automatically.
After the administrator has configured the rules and automatic reaction actions, the emergency response center passes the rules to the event collection module. The system performance monitoring module, a software module installed on the monitored host, monitors changes in system performance and continuously reports them to the event collection module. According to the preset rules, once the event collection module finds an abnormal event it submits the corresponding event to the emergency response center.
The emergency response center decides the action to take according to the nature of the event and issues the corresponding command to the command execution unit, which controls the monitored host to complete the automatic protection action. At the same time the emergency response center displays the current network state and suspicious events prominently on the terminal; if an event is difficult to handle automatically, it can also notify the administrator by e-mail, pager or similar means to intervene manually. The emergency response center also records all suspicious events occurring in the system, together with how they were handled and the result, in the system log for the administrator's later analysis of system state.
The emergency response center can also be connected to a firewall and detect hidden dangers by analyzing its log; it can also be connected to an audit system so that the audit system preserves the system's security log.
To guarantee timely handling of abnormal events, certain requirements are placed on the automatic reaction time of the monitoring system. The time indicators of this system are as follows:
1. Response time:
The time for the system's event collection agent to notify the emergency response center when an unexpected event occurs on the host is < 5 seconds. When the emergency response center receives an abnormal event reported by the event collection agent and the corresponding operation in the emergency rule is an automatic response, the time for the automatic response component to issue the instruction is < 1 second. The time for the emergency measure execution software to receive the response instruction and begin handling is < 1 second.
2. Update processing time:
The update cycle in which the event collection agent periodically sends the host's working state to the console of the emergency response center is 1-10 seconds (program-controlled refresh frequency).
3. Data conversion and transmission time:
The conversion time between communication primitives and XML-based communication messages is < 1 second. The data transfer time between the emergency response center and peripheral auxiliary software or devices is determined by network performance at the time; the network is required to deliver within < 1 second at least.
4. Matching time:
The event collection agent matches the formulated rules against the host's working state to determine whether to report a "danger situation" to the emergency response center; the processing time of this matching is < 1 second.
Other time requirements:
The emergency reaction the emergency response center takes for a given host may rely on a combined judgment of the situation reported by the audit center and the situation collected by the event collection agent, and the order in which data from the two sides arrives can lead to different handling methods and results. The audit center, event collection agent and emergency response center must therefore be fully synchronized in time, which can be achieved by synchronizing system time.

Claims (1)

1. A host performance monitoring and automatic reaction system, characterized in that an emergency response center, acting as the configuration management center, is connected to a monitored host over a network, and a system performance monitoring module, an event collection module and a command execution module are installed on the monitored host; the emergency response center uses a centralized rule configuration mode in which the rule configuration and automatic reaction actions the administrator sets through the operating interface are passed to the event collection module; the rules configured at the emergency response center are hierarchical, with priority from high to low being rules set for a specific individual host, rules set for a group of several hosts, and rules set for the whole system, and when the event collection module collects data and forms alarms it matches rules in descending order of priority; the system performance monitoring module monitors changes in system performance and reports them to the event collection module; the event collection module collects the working state of the host, including stability data and security data, and submits the abnormal events it discovers to the emergency response center; the emergency response center decides the action to take according to the nature of the event and issues the command to the command execution module, which controls the monitored host to complete the automatic protection action; and for events that are difficult to handle automatically, the administrator is notified to intervene manually.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011390336A CN1175350C (en) 2001-12-04 2001-12-04 Host computer performance monitoring and automatic reacting system

Publications (2)

Publication Number Publication Date
CN1349164A CN1349164A (en) 2002-05-15
CN1175350C true CN1175350C (en) 2004-11-10

Family

ID=4674964

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB011390336A Expired - Fee Related CN1175350C (en) 2001-12-04 2001-12-04 Host computer performance monitoring and automatic reacting system

Country Status (1)

Country Link
CN (1) CN1175350C (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100403273C (en) * 2003-07-10 2008-07-16 中国科学院计算技术研究所 Distributed monitoring method based on bidirectional information flow
CN1321509C (en) * 2004-02-19 2007-06-13 上海复旦光华信息科技股份有限公司 Universal safety audit strategies customing method based on mapping table
US7502961B2 (en) 2004-09-09 2009-03-10 Microsoft Corporation Method, system, and apparatus for providing alert synthesis in a data protection system
US20110022736A1 (en) * 2009-07-21 2011-01-27 Lsi Corporation Methods and apparatus dynamic management of multiplexed phys in a serial attached scsi domain
CN103532760B (en) * 2013-10-18 2018-11-09 北京奇安信科技有限公司 Analytical equipment, system and method for analyzing the order executed on each host
CN107797875A (en) * 2017-04-17 2018-03-13 平安科技(深圳)有限公司 A kind of big data management method, terminal and equipment

Also Published As

Publication number Publication date
CN1349164A (en) 2002-05-15

Legal Events

Code Title
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 2004-11-10

Termination date: 2013-12-04