TW201225581A - Network monitoring method and system thereof - Google Patents

Network monitoring method and system thereof

Info

Publication number
TW201225581A
Authority
TW
Taiwan
Prior art keywords
group
identity
record
instant
correspondence table
Prior art date
Application number
TW99143007A
Other languages
Chinese (zh)
Other versions
TWI411263B (en)
Inventor
Zi-Lun Qiu
Jian-Tong Bi
Original Assignee
Softnext Technologies Corp
Priority date
Filing date
Publication date
Application filed by Softnext Technologies Corp
Priority to TW99143007A
Publication of TW201225581A
Application granted
Publication of TWI411263B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a network monitoring method and a system thereof. The system comprises a packet analyzing module, a real-time connection record processing module, and a record rearrangement update module. The packet analyzing module obtains analyzed packet information from a packet. The real-time connection record processing module generates, from the analyzed packet information, a real-time connection record that includes an identification column. The record rearrangement update module rearranges and updates each real-time connection record whose identification column is recorded as void: if no data in a group of member relation tables at least partially matches the record, a new identification code is generated and written into the identification column of the real-time connection record, and the updated real-time connection record is added to the group of member relation tables.

Description

VI. Description of the Invention

[Technical field]

The present invention relates to a network monitoring system, and more particularly to a network monitoring system that monitors the network behaviour of users without being limited to a predefined set of targets.

[Prior art]

As enterprises move their operations onto networks, employees can use the network for all kinds of work. How to effectively keep track of the Internet usage of every employee in an enterprise, so as to prevent employees from browsing unnecessary web pages or chatting over instant messaging during working hours to the detriment of work efficiency, has therefore become an important issue for large enterprises.

Many network monitoring techniques already exist. Besides analysing packets in real time, they can also keep connection records of network behaviour, which helps administrators understand how staff inside the enterprise use the network. Network packet analysis is mainly performed according to the communication protocols defined in the Open System Interconnection Reference Model (OSI) proposed by the International Organization for Standardization. At layer 3, the network layer, the user's Internet Protocol (IP) address and Media Access Control (MAC) address are obtained. At layer 4, the transport layer, network devices and data traffic are supervised and managed to ensure that communication proceeds smoothly. At layer 7, the application layer, network packets take different forms depending on the application; for example, in the Simple Mail Transfer Protocol (SMTP) a packet carries information such as a mail account and a mail address.

One conventional network monitoring technique, Taiwan Patent No. 1313993, discloses a network eavesdropping system in which a monitoring server is placed between a proxy server and a plurality of clients each having a network connection. The monitoring server stores a monitoring address list containing at least one monitoring address. When a calling end notifies a corresponding called end through the network via the proxy server, the calling end and the called end begin to exchange packet data; if the address of the calling end matches a monitoring address in the monitoring address list, the monitoring server immediately starts eavesdropping and recording.

The conventional network monitoring technique described above only monitors certain predefined targets (for example, clients whose network addresses are present in the monitoring address list); clients whose network addresses have not been preset in the monitoring address list are not monitored in real time.

[Summary of the invention]

Accordingly, an object of the present invention is to provide a network monitoring method.

The network monitoring method of the present invention comprises the following steps:

(a) obtaining analysed packet information from at least one captured packet;

(b) comparing the analysed packet information with a group of personnel correspondence tables to generate a real-time connection record comprising an identity field and at least one analysis information field, wherein the group of personnel correspondence tables includes at least one identity code used as an index and the analysis information field records the analysed packet information; if no data in the group of personnel correspondence tables at least partly matches the analysed packet information, the identity field is recorded as a null value; otherwise the group of personnel correspondence tables is updated with the analysed packet information and the identity code corresponding to the at least partly matching data is recorded in the identity field of the real-time connection record; and

(c) repeating steps (a) to (b) until a predetermined time has elapsed, then rearranging and updating the real-time connection records whose identity field is recorded as null, wherein step (c) comprises the following sub-steps:

(c-1) comparing one real-time connection record whose identity field is recorded as null with the group of personnel correspondence tables; if data is found in the group of personnel correspondence tables that at least partly matches the analysed packet information recorded in the analysis information field of that real-time connection record, the group of personnel correspondence tables is updated with the analysed packet information and the identity code corresponding to the at least partly matching data is written into the identity field of the real-time connection record; otherwise a new identity code is generated for the real-time connection record whose identity field is null, the identity field of that record is updated with the new identity code, and the updated real-time connection record is correspondingly added to the group of personnel correspondence tables; and

(c-2) repeating sub-step (c-1) until none of the identity fields is null.

Another object of the present invention is to provide a network monitoring system.

The network monitoring system of the present invention comprises a packet analysis module, a real-time connection record processing module, and a record rearrangement update module.

The packet analysis module receives at least one packet and obtains analysed packet information from the packet.

The real-time connection record processing module compares the analysed packet information with a group of personnel correspondence tables to generate a real-time connection record comprising an identity field and at least one analysis information field, wherein the group of personnel correspondence tables includes at least one identity code used as an index and the analysis information field records the analysed packet information. If no data in the group of personnel correspondence tables at least partly matches the analysed packet information, the identity field is recorded as a null value; otherwise the group of personnel correspondence tables is updated with the analysed packet information and the identity code corresponding to the at least partly matching data is recorded in the identity field of the real-time connection record.

The record rearrangement update module, after every predetermined time, rearranges and updates the real-time connection records whose identity field is recorded as null. For each such real-time connection record, the record rearrangement update module compares the record with the group of personnel correspondence tables; if data is found that at least partly matches the analysed packet information recorded in the analysis information field of the record, the group of personnel correspondence tables is updated with the analysed packet information and the corresponding identity code is written into the identity field of the record; otherwise a new identity code is generated for the record, its identity field is updated with the new identity code, and the updated real-time connection record is correspondingly added to the group of personnel correspondence tables.

By means of the real-time connection record processing module and the record rearrangement update module, the present invention can monitor the network behaviour even of persons not yet present in the group of personnel correspondence tables, and thus achieves its object.

[Detailed description]

The foregoing and other technical contents, features and effects of the present invention will be clearly presented in the following detailed description of a preferred embodiment with reference to the accompanying drawings.

Referring to Fig. 1, the network monitoring system 1 of the present invention is applied in a network system architecture comprising a plurality of network nodes 5. The network monitoring system 1 may be implemented in software, firmware, hardware, or a combination thereof, and is integrated into an electronic device 2. In the preferred embodiment, the network system architecture is an enterprise intranet, and the electronic device 2 is implemented as a network behaviour and control server placed between the enterprise intranet and the external Internet, which collects packets on the network and analyses them in order to control network behaviour.

Referring to Fig. 2, the network monitoring system 1 comprises a packet analysis module 11, a real-time connection record processing module 12, a record rearrangement update module 13, and a database 14.

The packet analysis module 11 receives a packet from the network and obtains analysed packet information from the packet.

The real-time connection record processing module 12 compares the analysed packet information with a group of personnel correspondence tables stored in the database 14 to generate a real-time connection record comprising an identity field and at least one analysis information field. The group of personnel correspondence tables includes at least one identity code used as an index, and the analysis information field records the analysed packet information. If no data in the group of personnel correspondence tables matches the analysed packet information, the real-time connection record processing module 12 records the identity field as a null value. If matching data exists, the corresponding identity code is filled into the identity field. The real-time connection record processing module 12 stores the real-time connection record in the database 14 so that an administrator can query and monitor network behaviour.

The record rearrangement update module 13 is connected to the database 14. After a predetermined time has elapsed, it collects the real-time connection records whose identity field is recorded as null and compares them one by one with the group of personnel correspondence tables. If data is found in the group of personnel correspondence tables that at least partly matches the analysed packet information recorded in the analysis information field of a record, the group of personnel correspondence tables is updated with the analysed packet information and the corresponding identity code is written into the identity field of that record; otherwise a new identity code is generated for the record, its identity field is updated with the new identity code, and the updated real-time connection record is correspondingly added to the group of personnel correspondence tables. This continues until none of the identity fields of the real-time connection records is null.

Referring to Figs. 2 and 3, the operation of the modules in the preferred embodiment of the network monitoring system 1 is detailed below together with a network monitoring method. The network monitoring method comprises the following steps.

In step S31, the packet analysis module 11 captures at least one packet on the network and analyses it to obtain analysed packet information. In the preferred embodiment, the analysed packet information includes at least one of an authentication account, an Internet Protocol address, a Media Access Control address, and protocol information. It is worth noting that the analysed packet information may take different forms depending on the network application.

For example, if an employee whose authentication account is jason has authenticated and is browsing the web, the analysed packet information is as shown in Table 1, where the protocol information includes a web address. If an employee logs in to an instant messaging (IM) application, the analysed packet information is as shown in Table 2, where the protocol information includes an IM type and an IM account. If an employee sends mail, the analysed packet information is as shown in Table 3, where the protocol information includes a mail account.

Table 1
IP            MAC                Web address           Authentication account
192.168.1.20  00:17:31:1A:DB:67  http://tw.yahoo.com   jason

Table 2
IP            MAC                Type   IM account
192.168.1.30  00:16:35:1A:DD:67  MSN    john@hotmail.com

Table 3
IP            Mail account
192.168.1.40  mary@hotmail.com

In step S32, the real-time connection record processing module 12 compares the analysed packet information with the group of personnel correspondence tables stored in the database 14. The group of personnel correspondence tables comprises a personnel basic data correspondence table, an IM account correspondence table, and a mail account correspondence table, each indexed by the identity code. In the preferred embodiment, the comparison performed by the real-time connection record processing module 12 proceeds in the order: authentication account, mail account, IM account, Internet Protocol address, Media Access Control address. When any one of these comparisons succeeds (that is, the group of personnel correspondence tables contains data that at least partly matches the analysed packet information), step S33 is executed; otherwise step S34 is executed.

Continuing the example, suppose the group of personnel correspondence tables currently held in the database 14 is as shown in Tables 4 to 6. For the analysed packet information of Table 1, the authentication account matches the personnel basic data correspondence table of Table 4 and yields the identity code 2010072710100001. Similarly, for the analysed packet information of Table 2, the IM account matches the IM account correspondence table of Table 5 and yields the identity code 2010072710100002. For the analysed packet information of Table 3, the mail account matches no data in the mail account correspondence table of Table 6.

Table 4 Personnel basic data correspondence table
Identity code     Name   IP            MAC                Authentication account
2010072710100001  Jason  192.168.1.21  00:17:31:1A:DB:67  jason

Table 5 IM account correspondence table
Identity code     IM type  IM account
2010072710100002  MSN      john@hotmail.com

Table 6 Mail account correspondence table
Identity code     Mail account
(no entries)

In step S33, the real-time connection record processing module 12 generates, according to the comparison result of step S32, a real-time connection record comprising an identity field and at least one analysis information field, and updates the group of personnel correspondence tables in the database 14 with the analysed packet information. The identity field records the identity code obtained by comparing the analysed packet information with the group of personnel correspondence tables, and the analysis information field records the analysed packet information.

Continuing the example, the analysed packet information of Table 1 produces the web real-time connection record shown in Table 7, and the analysed packet information of Table 2 produces the IM real-time connection record shown in Table 8.

Table 7 Web real-time connection record
IP            MAC                Web address          Authentication account  Identity code
192.168.1.21  00:17:31:1A:DB:67  http://tw.yahoo.com  jason                   2010072710100001

Table 8 IM real-time connection record
IP            MAC                Type  IM account        Authentication account  Identity code
192.168.1.30  00:16:35:1A:DD:67  MSN   john@hotmail.com  (empty)                 2010072710100002

In step S34, the real-time connection record processing module 12 generates, according to the comparison result of step S32, a real-time connection record comprising an identity field and at least one analysis information field, wherein the identity field is recorded as a null value and the analysis information field records the analysed packet information.

Continuing the example, the analysed packet information of Table 3 produces the mail real-time connection record shown in Table 9, whose identity field is recorded as null.

Table 9 Mail real-time connection record
IP            MAC                Mail account      Authentication account  Identity code
192.168.1.40  00:15:33:1A:BB:66  mary@hotmail.com  (empty)                 (null)

It is worth noting that the real-time connection records of different types that the real-time connection record processing module 12 generates according to the protocol information in the analysed packet information (Tables 7, 8 and 9) are stored in the database 14 for convenient querying by the network administrator.

In step S35, the record rearrangement update module 13 determines whether the predetermined time has elapsed. If it has, step S36 is performed; otherwise the method returns to step S31 and continues to listen for packets on the network. In the preferred embodiment, the predetermined time is set to one hour.

In step S36, the record rearrangement update module 13 retrieves from the database 14 the real-time connection records generated within the predetermined time whose identity field is recorded as null, and groups them according to at least one association key. For example, real-time connection records having the same Internet Protocol address are treated as one group, which makes it convenient for the administrator to monitor a particular group.

In step S37, the record rearrangement update module 13 compares the grouped real-time connection records whose identity field is recorded as null, one after another, with the group of personnel correspondence tables according to a comparison key. The comparison key may be customised by the administrator; in the preferred embodiment it may be any one of the authentication account, the Internet Protocol address, or the Media Access Control address. If the comparison succeeds, step S38 is executed; otherwise step S39 is executed.

Continuing the example, the record rearrangement update module 13 takes the mail real-time connection record of Table 9, whose identity field is recorded as null, and compares it with the group of personnel correspondence tables using the authentication account, the Internet Protocol address, or the Media Access Control address as the key. Since no corresponding data exists for any of them, step S39 follows.

In step S38, the record rearrangement update module 13 writes the identity code obtained through the comparison key into the real-time connection record whose identity field was originally recorded as null, that is, it updates the identity field of the real-time connection record with the corresponding identity code, and updates the group of personnel correspondence tables in the database 14 with the analysed packet information of that real-time connection record.

In step S39, the record rearrangement update module 13 generates a new identity code, updates the identity field of the real-time connection record with the new identity code, and correspondingly adds the updated real-time connection record to the group of personnel correspondence tables in the database 14.

Continuing the example, for the mail real-time connection record of Table 9 a new identity code 2010072710100003 is generated and written into both the mail real-time connection record of Table 9 and the mail account correspondence table of Table 6. The updated mail real-time connection record and the updated mail account correspondence table are shown in Tables 10 and 11 below.
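The matching and rearrangement logic of steps S31 to S39, as an added Python example; it is not code from the patent or from Softnext. The Monitor class, the flat table layout, and the identity-code format (prefix 20100727101 plus a five-digit sequence) are assumptions modelled on the page's sample tables, and the second mail packet from 192.168.1.40 is an added case showing why the grouped records must be processed one at a time.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Comparison order of the real-time stage (step S32): authentication account,
# mail account, IM account, IP address, MAC address.
REALTIME_ORDER = ("auth_account", "mail_account", "im_account", "ip", "mac")
# Comparison keys the administrator may choose for the rearrangement stage
# (step S37); the preferred embodiment allows any of these three.
REARRANGE_KEYS = ("auth_account", "ip", "mac")


@dataclass
class Record:
    """A real-time connection record: analysis fields plus the identity field."""
    info: Dict[str, str]             # analysed packet information
    identity: Optional[str] = None   # None models the null identity field


class Monitor:
    """Assumed model of modules 12 and 13 (not the patent's own design).

    `tables` maps an attribute name to {value: identity_code}; together these
    stand in for the personnel, IM and mail correspondence tables (Tables 4-6),
    all indexed by identity code.
    """

    def __init__(self, tables: Dict[str, Dict[str, str]], next_seq: int,
                 id_prefix: str = "20100727101"):
        self.tables = tables
        self.next_seq = next_seq      # sequence part of the next new code
        self.id_prefix = id_prefix    # format assumed from the page's samples
        self.records: List[Record] = []

    def _lookup(self, info: Dict[str, str], keys) -> Optional[str]:
        """Return the identity code of the first key, in order, that matches."""
        for key in keys:
            value = info.get(key)
            if value and value in self.tables.get(key, {}):
                return self.tables[key][value]
        return None

    def _update_tables(self, info: Dict[str, str], identity: str) -> None:
        """Record every indexable attribute of `info` under `identity`."""
        for key, value in info.items():
            if key in REALTIME_ORDER and value:
                self.tables.setdefault(key, {})[value] = identity

    def process_packet(self, info: Dict[str, str]) -> Record:
        """Steps S32-S34: match in REALTIME_ORDER, else leave identity null."""
        identity = self._lookup(info, REALTIME_ORDER)
        if identity is not None:
            self._update_tables(info, identity)
        record = Record(dict(info), identity)
        self.records.append(record)
        return record

    def _new_identity(self) -> str:
        """Step S39: mint the next identity code."""
        identity = f"{self.id_prefix}{self.next_seq:05d}"
        self.next_seq += 1
        return identity

    def rearrange(self, keys=REARRANGE_KEYS, group_key: str = "ip") -> List[Record]:
        """Steps S36-S39 for every record whose identity field is still null.

        Records are grouped by `group_key` (S36) and handled one at a time, so
        once the first member of a group receives a fresh identity code the
        tables already hold it and later members match it instead of being
        given a second, duplicate code for the same person.
        """
        void = [r for r in self.records if r.identity is None]
        void.sort(key=lambda r: r.info.get(group_key, ""))
        for record in void:
            identity = self._lookup(record.info, keys)   # S37 / S38
            if identity is None:
                identity = self._new_identity()           # S39
            record.identity = identity
            self._update_tables(record.info, identity)
        return void


def run_example():
    """Replay the page's worked example (Tables 1-3 against Tables 4-6).

    All values are constructed from the page's tables; the second mail packet
    from 192.168.1.40 is an added case to exercise the grouping behaviour.
    """
    tables = {
        "auth_account": {"jason": "2010072710100001"},
        "ip": {"192.168.1.21": "2010072710100001"},
        "mac": {"00:17:31:1A:DB:67": "2010072710100001"},
        "im_account": {"john@hotmail.com": "2010072710100002"},
        "mail_account": {},               # Table 6 starts empty
    }
    mon = Monitor(tables, next_seq=3)
    web = mon.process_packet({"ip": "192.168.1.20", "mac": "00:17:31:1A:DB:67",
                              "web_address": "http://tw.yahoo.com",
                              "auth_account": "jason"})
    im = mon.process_packet({"ip": "192.168.1.30", "mac": "00:16:35:1A:DD:67",
                             "im_type": "MSN", "im_account": "john@hotmail.com"})
    mail = mon.process_packet({"ip": "192.168.1.40", "mac": "00:15:33:1A:BB:66",
                               "mail_account": "mary@hotmail.com"})
    mail2 = mon.process_packet({"ip": "192.168.1.40", "mac": "00:15:33:1A:BB:66",
                                "mail_account": "mary@hotmail.com"})
    mon.rearrange()                       # runs once the predetermined hour is up
    return mon, web, im, mail, mail2


if __name__ == "__main__":
    for rec in run_example()[1:]:
        print(rec.identity, rec.info)
```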

The network behaviour of any such person can thus be monitored. Moreover, after the update process every real-time connection record carries a corresponding identity code, which the network administrator can use as an index for related monitoring, control and maintenance, making network management more user-friendly; the object of the present invention is thus achieved.

The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the scope in which the invention may be practised; all simple equivalent changes and modifications made according to the claims and the description of the invention remain within the scope covered by this patent.

[Brief description of the drawings]

Fig. 1 is a network system architecture diagram illustrating a preferred embodiment of the network monitoring system of the present invention and a network system architecture in which the network monitoring system is applied;

Fig. 2 is a block diagram illustrating the preferred embodiment of the network monitoring system of the present invention; and

Fig. 3 is a flowchart illustrating a network monitoring method corresponding to the preferred embodiment.

[Description of reference numerals]

1 network monitoring system
11 packet analysis module
12 real-time connection record processing module
13 record rearrangement update module
14 database
2 electronic device
5 network node
S31 to S40 steps


Claims (1)

VII. Claims:

1. A network monitoring method, implemented in an electronic device, the method comprising the following steps:
(a) obtaining analyzed packet information according to at least one captured packet;
(b) comparing the analyzed packet information with a group member correspondence table to generate a real-time connection record including an identity identification field and at least one analysis information field, wherein the group member correspondence table includes at least one identity identification code used as an index, the analysis information field is used to record the analyzed packet information, and if no data at least partially matching the analyzed packet information exists in the group member correspondence table, the identity identification field is recorded as a null value; otherwise, the group member correspondence table is updated according to the analyzed packet information, and the identity identification code corresponding to the at least partially matching data in the group member correspondence table is recorded in the identity identification field of the real-time connection record; and
(c) repeating steps (a) to (b) until a predetermined time, and then performing a reorganization update on the real-time connection records whose identity identification field is recorded as a null value, wherein step (c) includes the following sub-steps:
(c-1) comparing one of the real-time connection records whose identity identification field is recorded as a null value with the group member correspondence table; if any data at least partially matching the analyzed packet information recorded in the analysis information field of that real-time connection record is found in the group member correspondence table, updating the group member correspondence table according to the analyzed packet information and updating the identity identification field of the real-time connection record with the identity identification code corresponding to the at least partially matching data in the group member correspondence table; otherwise, generating a new identity identification code for the real-time connection record whose identity identification field is recorded as a null value, updating the identity identification field of that real-time connection record with the new identity identification code, and correspondingly adding the updated real-time connection record to the group member correspondence table; and
(c-2) repeating sub-step (c-1) until none of the identity identification fields is a null value.

2. The network monitoring method according to claim 1, wherein the analyzed packet information of step (a) includes at least one of an authentication account, an Internet Protocol address, a media access control address, and communication protocol information.

3. The network monitoring method according to claim 1, wherein the group member correspondence table of step (b) includes a personnel basic data correspondence table, an instant messaging account correspondence table, and a mail account correspondence table, each using the identity identification code as an index.

4. The network monitoring method according to claim 1, wherein in step (b) the comparison process is performed in the order of an authentication account, a mail account, an instant messaging account, an Internet Protocol address, and a media access control address in the analyzed packet information.

5. The network monitoring method according to claim 1, further comprising, before sub-step (c-1), a sub-step (c-3) of grouping the real-time connection records whose identity identification fields are recorded as null values according to at least one association key value, so that the real-time connection records having the same association key value are grouped into the same group.

6. A network monitoring system, comprising:
a packet analysis module, for receiving at least one packet and obtaining analyzed packet information according to the packet;
a real-time connection record processing module, for comparing the analyzed packet information with a group member correspondence table to generate a real-time connection record including an identity identification field and at least one analysis information field, wherein the group member correspondence table includes at least one identity identification code used as an index, the analysis information field is used to record the analyzed packet information, and if no data at least partially matching the analyzed packet information exists in the group member correspondence table, the identity identification field is recorded as a null value; otherwise, the group member correspondence table is updated according to the analyzed packet information, and the identity identification code corresponding to the at least partially matching data in the group member correspondence table is recorded in the identity identification field of the real-time connection record; and
a record reorganization update module, for performing, after every predetermined time, a reorganization update on the real-time connection records whose identity identification field is recorded as a null value, wherein, for a real-time connection record whose identity identification field is recorded as a null value, the record reorganization update module compares that real-time connection record with the group member correspondence table; if any data at least partially matching the analyzed packet information recorded in the analysis information field of that real-time connection record is found in the group member correspondence table, the group member correspondence table is updated according to the analyzed packet information and the identity identification field of the real-time connection record is updated with the identity identification code corresponding to the at least partially matching data in the group member correspondence table; otherwise, a new identity identification code is generated for the real-time connection record whose identity identification field is recorded as a null value, the identity identification field of that real-time connection record is updated with the new identity identification code, and the updated real-time connection record is correspondingly added to the group member correspondence table.

7. The network monitoring system according to claim 6, wherein the analyzed packet information includes at least one of an authentication account, an Internet Protocol address, a media access control address, and communication protocol information.

8. The network monitoring system according to claim 6, wherein the group member correspondence table includes a personnel basic data correspondence table, an instant messaging account correspondence table, and a mail account correspondence table, each using the identity identification code as an index.

9. The network monitoring system according to claim 6, wherein the comparison order of the real-time connection record processing module follows the order of an authentication account, a mail account, an instant messaging account, an Internet Protocol address, and a media access control address in the analyzed packet information.

10. The network monitoring system according to claim 6, wherein the record reorganization update module further groups the real-time connection records whose identity identification fields are recorded as null values according to at least one association key value, so that the real-time connection records having the same association key value are grouped into the same group.
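The two-phase identity resolution of claims 1 and 6 (immediate match in step (b), periodic reorganization in step (c)) using the comparison order of claim 4, as an added Python example that is not part of the patent or of Softnext's code; the attribute names, the seeded table, the integer identity codes and the omission of the optional grouping sub-step (c-3) are assumptions.

```python
import itertools

# Claim 4's comparison order: strongest identity evidence first, weakest last.
MATCH_ORDER = ("auth", "mail", "im", "ip", "mac")


class NetworkMonitor:
    """Hypothetical stand-in for the record processing and reorganization modules."""

    def __init__(self, table=None):
        # Group member correspondence table: identity code -> known attributes.
        self.table = {code: dict(attrs) for code, attrs in (table or {}).items()}
        # Real-time connection records: {"id": identity code or None, "info": attributes}.
        self.records = []
        self._next_id = itertools.count(max(self.table, default=0) + 1)

    def _match(self, info):
        """Return the first identity code sharing an attribute, in MATCH_ORDER priority."""
        for key in MATCH_ORDER:
            value = info.get(key)
            if value is None:
                continue
            for code, attrs in self.table.items():
                if attrs.get(key) == value:
                    return code
        return None

    def process_packet(self, info):
        """Step (b): match immediately; record a null identity when nothing matches."""
        code = self._match(info)
        if code is not None:
            self.table[code].update(info)  # refresh the table with the new evidence
        self.records.append({"id": code, "info": dict(info)})
        return code

    def reorganize(self):
        """Step (c): resolve every null record, minting a new identity where needed."""
        resolved = 0
        for rec in self.records:
            if rec["id"] is not None:
                continue
            code = self._match(rec["info"])  # (c-1): retry against the updated table
            if code is None:
                code = next(self._next_id)  # no match: mint a new identity code ...
                self.table[code] = {}  # ... and add this record to the table
            self.table[code].update(rec["info"])
            rec["id"] = code
            resolved += 1
        return resolved  # (c-2): the loop ends only when no identity field is null
```

Because every matching packet refreshes the table, an IP address reused behind NAT or DHCP can become attached to more than one identity code; that is the practical reason the claimed order ranks account evidence above IP and MAC addresses.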

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW99143007A TWI411263B (en) 2010-12-09 2010-12-09 Network monitoring method and its system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW99143007A TWI411263B (en) 2010-12-09 2010-12-09 Network monitoring method and its system

Publications (2)

Publication Number Publication Date
TW201225581A true TW201225581A (en) 2012-06-16
TWI411263B TWI411263B (en) 2013-10-01

Family

ID=46726237

Family Applications (1)

Application Number Title Priority Date Filing Date
TW99143007A TWI411263B (en) 2010-12-09 2010-12-09 Network monitoring method and its system

Country Status (1)

Country Link
TW (1) TWI411263B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW484282B (en) * 2000-04-10 2002-04-21 D Link Corp Monitoring management method of network exchange system to the online frame
GB2395090B (en) * 2002-10-01 2006-04-05 Ipwireless Inc Arrangement and method for session control in wireless communication network
US20070094374A1 (en) * 2005-10-03 2007-04-26 Snehal Karia Enterprise-managed wireless communication
IL189530A0 (en) * 2007-02-15 2009-02-11 Marvell Software Solutions Isr Method and apparatus for deep packet inspection for network intrusion detection
US8295188B2 (en) * 2007-03-30 2012-10-23 Extreme Networks, Inc. VoIP security

Also Published As

Publication number Publication date
TWI411263B (en) 2013-10-01

Similar Documents

Publication Publication Date Title
US10893021B2 (en) Methods for mapping IP addresses and domains to organizations using user activity data
CN102123156B (en) System and method to associate a private user identity with a public user identity
CN102918801B (en) By network traffics application of policies in the system and method for utility cession
CN101552801B (en) A method and system for on-line browsing and downloading the address-book of user group
US20080144655A1 (en) Systems, methods, and computer program products for passively transforming internet protocol (IP) network traffic
US8060602B2 (en) Network usage collection system
CN110708322A (en) Method for realizing proxy service of industrial internet identification analysis system
US20070180101A1 (en) System and method for storing data-network activity information
WO2019228034A1 (en) Method and apparatus for data synchronization
US20120158454A1 (en) Method and system for monitoring high risk users
CA2534121A1 (en) Network asset tracker for identifying users of networked computers
Janetzko Nonreactive data collection online
CN114124861A (en) Message group sending method and device, computer equipment and storage medium
CN107204050A (en) A kind of WIFI sent based on raspberry is registered system and method
Laštovička et al. Using TLS fingerprints for OS identification in encrypted traffic
CN105871638B (en) A kind of network safety control method and device
Bertolotti et al. Models of mail server workloads
CN105721274B (en) The fusion method and device of one kind of multiple instant messagings
CN101267405A (en) Instant communication monitoring method and system
CN110442611A (en) A kind of company brand domain name automation querying method and system
JP2018055497A (en) Information processing system, usage amount information formation method, information processing unit, and program
TW201225581A (en) Network monitoring method and system thereof
CN104301412B (en) A kind of big data cloud service centralized management system
KR20030042135A (en) System and Method for collecting Internet bulletin
CN113037615A (en) Intelligent communication system