TW201928747A - Server and monitoring method thereof - Google Patents

Server and monitoring method thereof Download PDF

Info

Publication number
TW201928747A
TW201928747A TW106145581A TW106145581A TW201928747A TW 201928747 A TW201928747 A TW 201928747A TW 106145581 A TW106145581 A TW 106145581A TW 106145581 A TW106145581 A TW 106145581A TW 201928747 A TW201928747 A TW 201928747A
Authority
TW
Taiwan
Prior art keywords
server
parameter value
current parameter
attribute information
attribute
Prior art date
Application number
TW106145581A
Other languages
Chinese (zh)
Other versions
TWI644228B (en
Inventor
常家銘
蔡雨龍
張婉瑜
許時銘
Original Assignee
中華電信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中華電信股份有限公司 filed Critical 中華電信股份有限公司
Priority to TW106145581A priority Critical patent/TWI644228B/en
Application granted granted Critical
Publication of TWI644228B publication Critical patent/TWI644228B/en
Publication of TW201928747A publication Critical patent/TW201928747A/en

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A server and a monitoring method thereof are provided. The method includes: retrieving predetermined parameters corresponding to attributes of the server, wherein each attributes belongs to a first or a second type attribute; monitoring current parameters of the attributes; determining whether the current parameters are abnormal; if a specific current parameter of the current parameters is abnormal, determining whether it is necessary to provide a warning related to the specific current parameter based on policy sets; if the specific current parameter satisfies one of the policy sets, do not provide the warning, otherwise providing the warning, wherein the warning indicates one of the attributes corresponding to the specific current parameter and indicates the one of the attributes belongs to the first or the second type attribute.

Description

伺服器及其監控方法Server and its monitoring method

本發明是有關於一種伺服器及其監控方法,且特別是有關於一種可即時發覺惡意威脅的伺服器及其監控方法。The invention relates to a server and a monitoring method thereof, and in particular to a server capable of detecting a malicious threat immediately and a monitoring method thereof.

企業內部擁有許多提供各種服務的伺服器,例如檔案伺服器(File Server)、資料庫伺服器(Database Server)、郵件伺服器(Mail Server)、網頁伺服器(Web Server)等。如何確保企業內部伺服器正常運作以提供使用者穩定的服務,並且確保伺服器不受惡意程式威脅,是各企業重視的資訊安全議題與技術。There are many servers in the enterprise that provide various services, such as File Server, Database Server, Mail Server, and Web Server. How to ensure the internal operation of the enterprise server to provide users with stable services and ensure that the server is not threatened by malicious programs is an information security issue and technology that enterprises value.

有鑑於惡意軟體攻擊手法日漸複雜,且受駭之國際級企業越來越多,在Mandiant於2014年的威脅報告(threat report)當中,顯示有67%的企業無法自行偵測到威脅而必仰賴外界來協助偵測。並且,統計資料顯示,當一個企業遭受到潛在的威脅後,平均需要花費229天才能察覺出來。In view of the increasing complexity of malware attacks and the increasing number of international companies, Mandiant's threat report in 2014 shows that 67% of companies are unable to detect threats themselves and must rely on them. The outside world helps to detect. Moreover, statistics show that when a company is exposed to a potential threat, it takes an average of 229 days to detect it.

因此,對於本領域技術人員而言,如何更為即時地發覺伺服器上的惡意威脅將是一項極為重要的議題。Therefore, it will be an extremely important issue for those skilled in the art to discover the malicious threat on the server more immediately.

有鑑於此,本發明提供一種伺服器及其監控方法,其以伺服器的屬性資訊做為行為分析(Behavior analysis)的依據,並配合設定適當的預定參數值及若干個彈性準則,建立符合伺服器的正常行為基準。藉此,本發明的伺服器可分析是否出現特定惡意行為及異常行為,從而即時地發覺惡意威脅的存在。In view of this, the present invention provides a server and a monitoring method thereof, which use the attribute information of the server as a basis for behavior analysis, and establish an appropriate servo according to setting an appropriate predetermined parameter value and a plurality of elastic criteria. The normal behavioral benchmark of the device. Thereby, the server of the present invention can analyze whether a specific malicious behavior and an abnormal behavior occur, thereby instantly detecting the existence of a malicious threat.

本發明提供一種伺服器監控方法,適於一伺服器,包括:取得對應於前述伺服器的多個屬性資訊的多個預定參數值,其中各前述屬性資訊屬於一第一類屬性或一第二類屬性;監控前述屬性資訊的多個目前參數值;依據前述屬性資訊的前述預定參數值判斷前述目前參數值是否異常;當前述目前參數值中的一特定目前參數值為異常時,依據多個彈性準則組判斷是否需提供關聯於前述特定目前參數值的一告警,其中各前述彈性準則組包含至少一彈性準則;以及若前述特定目前參數值符合前述彈性準則組的其中之一,則不提供前述告警,反之則提供前述告警,其中前述告警指示前述特定目前參數值所對應的前述屬性資訊的其中之一者,以及指示前述屬性資訊的其中之前述者係為前述第一類屬性或前述第二類屬性。The present invention provides a server monitoring method, which is suitable for a server, comprising: obtaining a plurality of predetermined parameter values corresponding to a plurality of attribute information of the server, wherein each of the attribute information belongs to a first type attribute or a second a class attribute; a plurality of current parameter values for monitoring the attribute information; determining whether the current parameter value is abnormal according to the predetermined parameter value of the attribute information; and when a specific current parameter value of the current parameter value is abnormal, according to the plurality of The flexibility criterion group determines whether an alarm associated with the specific current parameter value is required to be provided, wherein each of the foregoing flexibility criterion groups includes at least one elasticity criterion; and if the specific current parameter value meets one of the foregoing flexibility criteria groups, the provision is not provided The foregoing alarm, and vice versa, providing the foregoing alarm, wherein the foregoing alarm indicates one of the foregoing attribute information corresponding to the specific current parameter value, and the foregoing one of the attribute information indicating the foregoing attribute information is the foregoing first type attribute or the foregoing The second type of attribute.

本發明亦提出一種伺服器,其包含儲存電路及處理器。儲存電路儲存多個模組。處理器連接前述儲存電路,存取前述模組以執行下列步驟:取得對應於前述伺服器的多個屬性資訊的多個預定參數值,其中各前述屬性資訊屬於一第一類屬性或一第二類屬性;監控前述屬性資訊的多個目前參數值;依據前述屬性資訊的前述預定參數值判斷前述目前參數值是否異常;當前述目前參數值中的一特定目前參數值為異常時,依據多個彈性準則組判斷是否需提供關聯於前述特定目前參數值的一告警,其中各前述彈性準則組包含至少一彈性準則;以及若前述特定目前參數值符合前述彈性準則組的其中之一,則不提供前述告警,反之則提供前述告警,其中前述告警指示前述特定目前參數值所對應的前述屬性資訊的其中之一者,以及指示前述屬性資訊的其中之前述者係為前述第一類屬性或前述第二類屬性。The invention also proposes a server comprising a storage circuit and a processor. The storage circuit stores a plurality of modules. The processor is connected to the foregoing storage circuit, and accesses the foregoing module to perform the following steps: obtaining a plurality of predetermined parameter values corresponding to the plurality of attribute information of the server, wherein each of the foregoing attribute information belongs to a first type attribute or a second a class attribute; a plurality of current parameter values for monitoring the attribute information; determining whether the current parameter value is abnormal according to the predetermined parameter value of the attribute information; and when a specific current parameter value of the current parameter value is abnormal, according to the plurality of The flexibility criterion group determines whether an alarm associated with the specific current parameter value is required to be provided, wherein each of the foregoing flexibility criterion groups includes at least one elasticity criterion; and if the specific current parameter value meets one of the foregoing flexibility criteria groups, the provision is not provided The foregoing alarm, and vice versa, providing the foregoing alarm, wherein the foregoing alarm indicates one of the foregoing attribute information corresponding to the specific current parameter value, and the foregoing one of the attribute information indicating the foregoing attribute information is the foregoing first type attribute or the foregoing The second type of attribute.

基於上述,本發明提供一種伺服器及其監控方法,其可依據屬性資訊的預定參數值判斷各屬性資訊的目前參數值是否異常,並且在前述目前參數值不符合相應的彈性準則時發出告警,以令相關人員能夠即時地進行檢測。Based on the above, the present invention provides a server and a monitoring method thereof, which can determine whether the current parameter value of each attribute information is abnormal according to a predetermined parameter value of the attribute information, and issue an alarm when the current parameter value does not meet the corresponding elastic criterion. In order to enable relevant personnel to conduct tests on the fly.

為讓本發明的上述特徵和優點能更明顯易懂,下文特舉實施例,並配合所附圖式作詳細說明如下。The above described features and advantages of the invention will be apparent from the following description.

請參照圖1,其是依據本發明之一實施例繪示的伺服器示意圖。在本實施例中,伺服器100包括儲存電路110及處理器120。伺服器100例如是企業內部的檔案伺服器、資料庫伺服器、郵件伺服器及網頁伺服器,但可不限於此。儲存電路110例如是記憶體、硬碟或是其他任何可用於儲存資料的元件,而可用以記錄多個程式碼或模組。Please refer to FIG. 1 , which is a schematic diagram of a server according to an embodiment of the invention. In this embodiment, the server 100 includes a storage circuit 110 and a processor 120. The server 100 is, for example, a file server, a database server, a mail server, and a web server in the company, but is not limited thereto. The storage circuit 110 is, for example, a memory, a hard disk, or any other component that can be used to store data, and can be used to record a plurality of code codes or modules.

處理器120耦接儲存電路110。處理器120例如是一般用途處理器、特殊用途處理器、傳統的處理器、數位訊號處理器、多個微處理器(microprocessor)、一個或多個結合數位訊號處理器核心的微處理器、控制器、微控制器、特殊應用集成電路(Application Specific Integrated Circuit,ASIC)、場可程式閘陣列電路(Field Programmable Gate Array,FPGA)、任何其他種類的積體電路、狀態機、基於進階精簡指令集機器(Advanced RISC Machine,ARM)的處理器以及類似品。The processor 120 is coupled to the storage circuit 110. The processor 120 is, for example, a general purpose processor, a special purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors combined with a digital signal processor core, and controls. , Microcontroller, Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA), any other kind of integrated circuit, state machine, based on advanced reduced instructions Advanced RISC Machine (ARM) processors and similar products.

圖2是依據本發明之一實施例繪示的伺服器監控方法流程圖,以下即搭配圖1所示的各個元件來說明圖2所示方法的各個步驟。2 is a flow chart of a method for monitoring a server according to an embodiment of the present invention. The following steps are used to describe the steps of the method shown in FIG.

在本實施例中,伺服器100的相關人員可預先對所欲監控的多個屬性資訊設定對應的預定參數值,而這些屬性資訊可被區分為多個類別。舉例而言,前述屬性資訊例如包括(但不限於)網際網路協定(Internet Protocol,IP)位址來源地、伺服器100流量、IP位址來源地的IP流量、IP位址來源地的連線頻率、伺服器100的處理器使用率、伺服器100記憶體使用率、伺服器100的硬碟存取速度、伺服器100的運作通訊埠數量的至少其中之一。In this embodiment, the relevant personnel of the server 100 may preset corresponding predetermined parameter values for the plurality of attribute information to be monitored, and the attribute information may be divided into a plurality of categories. For example, the foregoing attribute information includes, but is not limited to, an Internet Protocol (IP) address source, a server 100 traffic, an IP address from an IP address source, and an IP address source. At least one of the line frequency, the processor usage rate of the server 100, the memory usage rate of the server 100, the hard disk access speed of the server 100, and the number of operational communication ports of the server 100.

在不同的實施例中,IP位址來源地可用於辨別使用者係從何處連線至伺服器100以使用伺服器100的服務。IP位址來源地的IP流量則例如是前述使用者存取伺服器100時所產生的流量。IP位址來源地的連線頻率例如是前述使用者存取伺服器100的頻率。伺服器100流量則可以是由處理器120在一定時間內統計的所有使用伺服器100的服務之IP的流量。In various embodiments, the IP address source can be used to identify where the user is connected to the server 100 to use the services of the server 100. The IP traffic originating from the IP address is, for example, the traffic generated when the user accesses the server 100. The connection frequency of the IP address source is, for example, the frequency at which the aforementioned user accesses the server 100. The server 100 traffic may be the traffic of all the IPs of the services using the server 100 that are counted by the processor 120 for a certain period of time.

另外,基於伺服器100的處理器使用率、伺服器100記憶體使用率及伺服器100的硬碟存取速度等屬性資訊,相關人員可觀察伺服器100是否出現異常的高負載情形。此外,由於伺服器100會根據服務目的的不同而啟用不同的通訊埠,因此相關人員可監控通訊埠的啟用與否及通訊埠的數量,以及早發覺伺服器100上的異常行為。Further, based on attribute information such as the processor usage rate of the server 100, the memory usage rate of the server 100, and the hard disk access speed of the server 100, the person concerned can observe whether or not the server 100 has an abnormally high load condition. In addition, since the server 100 enables different communication ports depending on the purpose of the service, the relevant personnel can monitor the activation and communication of the communication port and the number of communication ports, and detect the abnormal behavior on the server 100 early.

並且,在一實施例中,伺服器100的各個屬性資訊可被區分為屬於第一類屬性或第二類屬性。舉例而言,與伺服器100的網路行為相關的屬性資訊可歸類為第一類屬性,例如IP位址來源地、伺服器100流量、IP位址來源地的IP流量及IP位址來源地的連線頻率等。Moreover, in an embodiment, each attribute information of the server 100 can be classified as belonging to the first type attribute or the second type attribute. For example, attribute information related to the network behavior of the server 100 can be classified into a first type of attribute, such as IP address source, server 100 traffic, IP address source IP address, and IP address source. The connection frequency of the ground, etc.

另一方面,與伺服器100本身硬體的運作情形相關的屬性資訊則可歸類為第二類屬性,例如伺服器100的處理器使用率、伺服器100的記憶體使用率、伺服器100的硬碟存取速度及伺服器100的運作通訊埠數量等,但本發明可不限於此。On the other hand, the attribute information related to the operating condition of the server 100 itself can be classified into the second type of attributes, such as the processor usage of the server 100, the memory usage of the server 100, and the server 100. The hard disk access speed and the number of operational communication ports of the server 100, etc., but the present invention is not limited thereto.

針對前述的各種屬性資訊,其個別對應的預定參數值可搭配以下表1及表2來呈現,其中的「X」代表可由相關人員自行依需求或經驗所設定的任意數值或文字(例如某國家)。 表1(第一類屬性) 表2(第二類屬性)For each of the foregoing attribute information, the individual corresponding predetermined parameter values may be presented in conjunction with Tables 1 and 2 below, where "X" represents any value or text that can be set by the relevant personnel according to their needs or experience (for example, a country) ). Table 1 (first class attribute) Table 2 (second class attribute)

藉由對以上屬性資訊所設定的預定參數值,相關人員可初步地建立伺服器100的正常行為基準。The relevant personnel can initially establish a normal behavioral benchmark of the server 100 by the predetermined parameter values set by the above attribute information.

在相關人員完成對前述各預設參數值的設定之後,在步驟S210中,處理器120取得對應於屬性資訊的預定參數值,並在步驟S220中監控屬性資訊的目前參數值。前述目前參數值例如是目前各屬性資訊反應於伺服器100的工作情況所呈現的數值或內容。以「IP位址來源地的IP流量」的屬性資訊為例,處理器120所監控到的目前參數值可以是數值Y(MB/分)。再以「處理器使用率」的屬性資訊為例,處理器120所監控到的目前參數值可以是數值Z(%)。對於本領域具通常知識者而言,其餘屬性資訊的目前參數值可能的態樣應可由以上教示而推得,故在此不再贅述。After the relevant person completes the setting of the foregoing preset parameter values, in step S210, the processor 120 acquires a predetermined parameter value corresponding to the attribute information, and monitors the current parameter value of the attribute information in step S220. The foregoing current parameter value is, for example, a numerical value or content presented by each attribute information in response to the operation of the server 100. Taking the attribute information of the IP traffic of the IP address source as an example, the current parameter value monitored by the processor 120 may be the value Y (MB/minute). Taking the attribute information of the "processor usage rate" as an example, the current parameter value monitored by the processor 120 may be the value Z (%). For those of ordinary skill in the art, the possible aspect of the current parameter values of the remaining attribute information should be derived from the above teachings, and therefore will not be described herein.

之後,在步驟S230中,處理器120依據屬性資訊的預定參數值判斷目前參數值是否異常。在一實施例中,處理器120從目前參數值中取出第一目前參數值,並從預定參數值中取出第一預定參數值,其中第一預定參數值與第一目前參數值皆對應屬性資訊中的第一屬性資訊。接著,處理器120可判斷第一目前參數值是否超出第一預定參數值,若是則判定第一目前參數值為異常,反之則判定第一目前參數不為異常。Thereafter, in step S230, the processor 120 determines whether the current parameter value is abnormal according to the predetermined parameter value of the attribute information. In an embodiment, the processor 120 takes the first current parameter value from the current parameter value, and takes out the first predetermined parameter value from the predetermined parameter value, where the first predetermined parameter value and the first current parameter value correspond to the attribute information. The first attribute information in . Next, the processor 120 may determine whether the first current parameter value exceeds the first predetermined parameter value, and if yes, determine that the first current parameter value is abnormal, and otherwise determine that the first current parameter is not abnormal.

舉例而言,假設處理器120欲觀察的屬性資訊是「IP位址來源地的IP流量」,則處理器120可取出「IP位址來源地的IP流量」的目前參數值(例如是數值Y(MB/分))。接著,處理器120可取出「IP位址來源地的IP流量」的預定參數值(例如是數值M(MB/分))。之後,處理器120可判斷數值Y(MB/分)是否超出數值M(MB/分),若是則判定數值Y(MB/分)為異常,反之則判定數值Y(MB/分)不為異常。For example, if the attribute information to be observed by the processor 120 is “IP traffic of the IP address source”, the processor 120 may extract the current parameter value of the “IP traffic of the IP address source” (for example, the value Y). (MB/min)). Next, the processor 120 can take out a predetermined parameter value (for example, a value M (MB/minute) of the "IP traffic of the IP address source". Thereafter, the processor 120 can determine whether the value Y (MB/minute) exceeds the value M (MB/min), and if so, the value Y (MB/minute) is abnormal, otherwise the value Y (MB/minute) is not abnormal. .

舉另一例而言,假設處理器120欲觀察的屬性資訊是「處理器使用率」,則處理器120可取出「處理器使用率」的目前參數值(例如是數值P(%))。接著,處理器120可取出「處理器使用率」的預定參數值(例如是數值Q(%))。之後,處理器120可判斷數值P(%)是否超出數值Q(%),若是則判定數值P(%)為異常,反之則判定數值P(%)不為異常。對於本領域具通常知識者而言,判斷其餘屬性資訊的目前參數值是否異常的方式應可由以上教示而推得,故在此不再贅述。For another example, if the attribute information to be observed by the processor 120 is "processor usage rate", the processor 120 may take out the current parameter value of the "processor usage rate" (for example, the value P (%)). Next, the processor 120 may take out a predetermined parameter value of the "processor usage rate" (for example, the value Q (%)). Thereafter, the processor 120 may determine whether the value P (%) exceeds the value Q (%), and if so, determine that the value P (%) is abnormal, otherwise the value P (%) is not abnormal. For those of ordinary skill in the art, the manner of determining whether the current parameter value of the remaining attribute information is abnormal may be derived from the above teachings, and thus will not be described herein.

在其他實施例中,假設處理器120欲觀察的屬性資訊是「IP位址來源地」,則處理器120可取出「IP位址來源地」的目前參數值(例如是C(國家))。接著,處理器120可取出「IP位址來源地」的預定參數值(例如是D(國家)、E(國家)及F(國家))。之後處理器120可判斷C(國家)是否匹配於D(國家)、E(國家)及F(國家)的任一,若是則判定C(國家)不為異常,反之則判定C(國家)為異常。In other embodiments, assuming that the attribute information to be observed by the processor 120 is "IP address source", the processor 120 may extract the current parameter value of the "IP address source" (for example, C (country)). Next, the processor 120 may take out predetermined parameter values of the "IP address source" (for example, D (country), E (country), and F (country)). The processor 120 can then determine whether C (country) matches any of D (country), E (country), and F (country), and if so, determines that C (country) is not abnormal, and otherwise determines that C (country) is abnormal.

若步驟S230的結果顯示目前參數值不為異常,則處理器120可接續進行步驟S250以不提供告警。If the result of step S230 shows that the current parameter value is not abnormal, the processor 120 may continue to perform step S250 to provide no alarm.

然而,即便前述目前參數值被判定異常,但在不同的實施例中,由於伺服器100在某些允許的特殊情況下可能會發生被判定為異常的行為(例如過高的流量),因此本發明另藉由以下的步驟S240提供了相關的判斷機制,藉以決定是否針對各個異常情況提出實質的告警。具體而言,在步驟S230中,若某一個目前參數值(下稱特定目前參數值)被判斷為異常,則處理器120接續在步驟S240中依據彈性準則組判斷是否需提供關聯於特定目前參數值的告警。前述各彈性準則組包含至少一彈性準則。為令步驟S240的內容更易於理解,以下另舉一實例輔以說明。However, even if the aforementioned current parameter values are determined to be abnormal, in different embodiments, since the server 100 may be determined to be abnormal (for example, excessive traffic) under certain allowed special circumstances, The invention further provides a relevant judgment mechanism by the following step S240, thereby deciding whether to present a substantial alarm for each abnormal situation. Specifically, in step S230, if a certain current parameter value (hereinafter referred to as a specific current parameter value) is determined to be abnormal, the processor 120 successively determines, according to the elasticity criterion group, whether to provide a correlation with the specific current parameter according to the step S240. The value of the alarm. Each of the foregoing sets of elastic criteria includes at least one criterion of elasticity. In order to make the content of step S240 easier to understand, another example is hereinafter explained.

假設現有一A伺服器負責提供服務,B伺服器負責定期備份A伺服器的資料,而A伺服器的各屬性資訊及對應的預定參數值可設定如下表3。 表3Assuming that the existing A server is responsible for providing the service, the B server is responsible for periodically backing up the data of the A server, and the attribute information of the A server and the corresponding predetermined parameter values can be set as shown in Table 3 below. table 3

當B伺服器對A伺服器請求連線並且接收A伺服器的資料時,A伺服器會額外開啟一個通訊埠,並且相應地增加A伺服器的流量。針對這種情況,彈性準則組(其包括表4的第一彈性準則及表5的第二彈性準則)可相應地設計為以下態樣。 表4(第一彈性準則) 表5(第二彈性準則)When the B server requests the A server to connect and receives the data of the A server, the A server will additionally open a communication port and increase the traffic of the A server accordingly. For this case, the set of elasticity criteria (which includes the first elasticity criterion of Table 4 and the second elasticity criterion of Table 5) can be correspondingly designed as follows. Table 4 (first elastic criterion) Table 5 (second elastic criterion)

在此例中,當A伺服器傳送資料給B伺服器時,A伺服器的流量(例如,70(MB/分))有可能超過所設定預定參數值(即,60(MB/分)),且運作通訊埠也會從原本設定的5個增加至6個。因此,這兩種行為在步驟S230中將被判定為異常,故處理器120將接續進行步驟S240。從表4及表5所組成的彈性準則組可看出,即便A伺服器的流量超過60(MB/分),只要B伺服器的IP流量(例如48(MB/分))在第一彈性準則的設定範圍內,A伺服器流量的上限被允許提高至100(MB/分)。同時,即便A伺服器的運作通訊埠數量由5個增加至6個,只要確認B伺服器的IP流量仍在第二彈性準則的範圍內,皆視為正常。In this example, when the A server transmits data to the B server, the traffic of the A server (for example, 70 (MB/min)) may exceed the set predetermined parameter value (ie, 60 (MB/min)). And the operation communication will increase from 5 originally set to 6. Therefore, the two behaviors will be determined to be abnormal in step S230, so the processor 120 will proceed to step S240. It can be seen from the elastic criterion group composed of Table 4 and Table 5 that even if the traffic of the A server exceeds 60 (MB/min), as long as the IP traffic of the B server (for example, 48 (MB/min)) is in the first elasticity. Within the set range of the guidelines, the upper limit of the A server traffic is allowed to increase to 100 (MB/min). At the same time, even if the number of operational communication ports of the A server is increased from 5 to 6, it is considered normal to confirm that the IP traffic of the B server is still within the range of the second elastic criterion.

若前述特定目前參數值皆滿足以上彈性準則組的第一彈性準則及第二彈性準則,則處理器120可接續進行步驟S250以不提供相關的告警。If the specific current parameter values meet the first elastic criterion and the second elastic criterion of the above elastic criterion group, the processor 120 may continue to perform step S250 to provide no relevant alarm.

在其他實施例中,相關人員可依需求設定多個彈性準則組,而各彈性準則組可包括一或多個彈性準則。只要前述特定目前參數值符合其中一個彈性準則組的所有彈性準則,則處理器120即可判定不需提供相應的告警,但本發明可不限於此。In other embodiments, the relevant personnel may set a plurality of flexible criteria groups as required, and each of the flexible criteria groups may include one or more elastic criteria. As long as the aforementioned specific current parameter values meet all of the flexibility criteria of one of the sets of flexible criteria, the processor 120 can determine that no corresponding alert is required, but the invention is not limited thereto.

然而,若前述特定目前參數值未符合任一個彈性準則組,則代表伺服器120上可能出現了惡意的威脅,因此處理器120可進行步驟S260以提供告警,其指示前述特定目前參數值所對應的屬性資訊,以及此屬性資訊係為第一類屬性或第二類屬性。However, if the specific current parameter value does not meet any of the flexible criteria groups, a malicious threat may be present on the server 120, so the processor 120 may proceed to step S260 to provide an alert indicating that the specific current parameter value corresponds to the foregoing. The attribute information, and the attribute information is the first type attribute or the second type attribute.

舉例而言,假設未符合任一個彈性準則組的特定目前參數值對應的屬性資訊為「伺服器流量」,其例如屬於第一類屬性(即,與伺服器100的網路行為相關的屬性資訊)。在此情況下,處理器120所提供的告警可指示「伺服器流量」及「第一類屬性」等訊息,藉以使相關人員能夠直接朝向相關的方向(例如伺服器100的網路行為)進行除錯,而不需花時間在與第二類屬性(即,與伺服器100本身硬體的運作情形相關的屬性資訊)相關的方向進行除錯,從而提升偵測惡意威脅的準確率及除錯的效率。For example, assume that the attribute information corresponding to a specific current parameter value that does not meet any of the elastic criteria groups is "server traffic", which belongs, for example, to the first type of attribute (ie, attribute information related to the network behavior of the server 100). ). In this case, the alarm provided by the processor 120 may indicate a message such as "server traffic" and "first type attribute", so that the relevant personnel can directly go in the relevant direction (for example, the network behavior of the server 100). Debugging, without taking the time to debug in the direction related to the second type of attributes (ie, attribute information related to the operating conditions of the server 100 itself), thereby improving the accuracy and detection of detecting malicious threats. Wrong efficiency.

在一實施例中,由於相關人員對各屬性資訊所設定的預定參數值有可能較不符合伺服器100實際的運作情況(例如過於高估了伺服器100的流量),因此處理器120可另行基於以下機制來修正相關的預定參數值,藉以更準確地反映伺服器120的實際行為模式。In an embodiment, the processor 120 may be separately processed because the predetermined parameter value set by the relevant personnel for each attribute information may be less than the actual operation of the server 100 (for example, the traffic of the server 100 is overestimated). The associated predetermined parameter values are corrected based on the following mechanism to more accurately reflect the actual behavior pattern of the server 120.

具體而言,在選定某屬性資訊後,處理器120可基於其預定參數值決定一參數觀察區間,而此預定參數值位於參數觀察區間中。接著,處理器120可判斷此屬性資訊的目前參數值是否位於此參數觀察區間中。若是,則處理器120可記錄此目前參數值,並基於此目前參數值修正預定參數值。Specifically, after selecting certain attribute information, the processor 120 may determine a parameter observation interval based on its predetermined parameter value, and the predetermined parameter value is located in the parameter observation interval. Next, the processor 120 can determine whether the current parameter value of the attribute information is located in the parameter observation interval. If so, the processor 120 can record the current parameter value and correct the predetermined parameter value based on the current parameter value.

舉例而言,假設處理器120所考慮的是「伺服器流量」,而其預定參數值例如是「60(MB/分)」,則處理器120可基於「60(MB/分)」決定參數觀察區間(例如是60(MB/分)的70%至120%)。接著,若所觀察到的「伺服器流量」的目前參數值(例如50(MB/分))是否位於參數觀察區間,若是則可將預定參數值修正為50(MB/分),以較正確地反映伺服器100的工作情形。For example, if the processor 120 considers "server traffic" and its predetermined parameter value is, for example, "60 (MB/minute)", the processor 120 can determine the parameter based on "60 (MB/minute)". The observation interval (for example, 70% to 120% of 60 (MB/min)). Then, if the observed current parameter value of the "server flow rate" (for example, 50 (MB/min)) is in the parameter observation interval, if it is, the predetermined parameter value can be corrected to 50 (MB/min) to be correct. The ground reflects the working condition of the server 100.

在其他實施例中,處理器120亦可在收集多筆位於前述參數觀察區間內的目前參數值,再據以更新預定參數值。舉例而言,處理器120可計算前述多筆目前參數值的平均值,再將預定參數值修正為此平均值,從而更為客觀地建立伺服器100的行為模式。In other embodiments, the processor 120 may also collect a plurality of current parameter values located in the parameter observation interval, and then update the predetermined parameter values. For example, the processor 120 may calculate an average value of the plurality of current parameter values, and then correct the predetermined parameter value to the average value, thereby establishing the behavior mode of the server 100 more objectively.

綜上所述,本發明提供的伺服器及其監控方法可依據屬性資訊的預定參數值判斷各屬性資訊的目前參數值是否異常,並且在前述目前參數值不符合相應的彈性準則時發出告警,以令相關人員能夠即時地進行檢測。並且,由於前述告警可一併指示前述目前參數值的屬性資訊是屬於第一類屬性還是第二類屬性,因而使得相關人員能夠直接朝正確的方向進行除錯,從而提升效率。藉此,本發明的伺服器可分析是否出現特定惡意行為及異常行為,從而即時地發覺惡意威脅的存在。In summary, the server and the monitoring method thereof can determine whether the current parameter value of each attribute information is abnormal according to a predetermined parameter value of the attribute information, and issue an alarm when the current parameter value does not meet the corresponding elastic criterion. In order to enable relevant personnel to conduct tests on the fly. Moreover, since the foregoing alarm can indicate whether the attribute information of the current parameter value belongs to the first type attribute or the second type attribute, the related personnel can directly debug in the correct direction, thereby improving efficiency. Thereby, the server of the present invention can analyze whether a specific malicious behavior and an abnormal behavior occur, thereby instantly detecting the existence of a malicious threat.

雖然本發明已以實施例揭露如上,然其並非用以限定本發明,任何所屬技術領域中具有通常知識者,在不脫離本發明的精神和範圍內,當可作些許的更動與潤飾,故本發明的保護範圍當視後附的申請專利範圍所界定者為準。Although the present invention has been disclosed in the above embodiments, it is not intended to limit the present invention, and any one of ordinary skill in the art can make some changes and refinements without departing from the spirit and scope of the present invention. The scope of the invention is defined by the scope of the appended claims.

100‧‧‧伺服器100‧‧‧Server

110‧‧‧儲存電路110‧‧‧Storage circuit

120‧‧‧處理器120‧‧‧ processor

S210~S260‧‧‧步驟S210~S260‧‧‧Steps

圖1是依據本發明之一實施例繪示的伺服器示意圖。 圖2是依據本發明之一實施例繪示的伺服器監控方法流程圖。1 is a schematic diagram of a server according to an embodiment of the invention. 2 is a flow chart of a server monitoring method according to an embodiment of the invention.

Claims (12)

一種伺服器監控方法,適於一伺服器,包括: 取得對應於該伺服器的多個屬性資訊的多個預定參數值,其中各該屬性資訊屬於一第一類屬性或一第二類屬性; 監控該些屬性資訊的多個目前參數值; 依據該些屬性資訊的該些預定參數值判斷該些目前參數值是否異常; 當該些目前參數值中的一特定目前參數值為異常時,依據多個彈性準則組判斷是否需提供關聯於該特定目前參數值的一告警,其中各該彈性準則組包含至少一彈性準則;以及 若該特定目前參數值符合該些彈性準則組的其中之一,則不提供該告警,反之則提供該告警,其中該告警指示該特定目前參數值所對應的該些屬性資訊的其中之一者,以及指示該些屬性資訊的其中之該者係為該第一類屬性或該第二類屬性。A server monitoring method, suitable for a server, comprising: obtaining a plurality of predetermined parameter values corresponding to a plurality of attribute information of the server, wherein each of the attribute information belongs to a first type attribute or a second type attribute; Monitoring a plurality of current parameter values of the attribute information; determining, according to the predetermined parameter values of the attribute information, whether the current parameter values are abnormal; when a specific current parameter value of the current parameter values is abnormal, according to Determining, by the plurality of flex criteria sets, whether an alert associated with the particular current parameter value is required, wherein each of the flex criteria sets includes at least one elasticity criterion; and if the particular current parameter value meets one of the sets of flex criteria, The alarm is not provided, and the alarm is provided, wherein the alarm indicates one of the attribute information corresponding to the specific current parameter value, and the one of the attribute information indicating the attribute information is the first Class attribute or the second class attribute. 如申請專利範圍第1項所述的方法,其中該些屬性資訊包含一網際網路協定(Internet Protocol,IP)位址來源地、一伺服器流量、該IP位址來源地的一IP流量、該IP位址來源地的一連線頻率、該伺服器的一處理器使用率、該伺服器的一記憶體使用率、該伺服器的一硬碟存取速度、該伺服器的一運作通訊埠數量的至少其中之一。The method of claim 1, wherein the attribute information includes an Internet Protocol (IP) address source, a server traffic, an IP traffic of the IP address source, a connection frequency of the IP address source, a processor usage rate of the server, a memory usage rate of the server, a hard disk access speed of the server, and a communication communication of the server At least one of the number of 埠. 如申請專利範圍第2項所述的方法,其中該網際網路協定(Internet Protocol,IP)位址來源地、該伺服器流量、該IP位址來源地的該IP流量及該IP位址來源地的該連線頻率屬於該第一類屬性,而該伺服器的該處理器使用率、該伺服器的該記憶體使用率、該伺服器的該硬碟存取速度及該伺服器的該運作通訊埠數量屬於該第二類屬性。The method of claim 2, wherein the Internet Protocol (IP) address source, the server traffic, the IP traffic of the IP address source, and the IP address source The connection frequency of the ground belongs to the first type of attribute, and the processor usage rate of the server, the memory usage rate of the server, the hard disk access speed of the server, and the server The number of operational communications belongs to this second type of attribute. 如申請專利範圍第1項所述的方法,其中當該些目前參數值皆不為異常時,不提供該告警。The method of claim 1, wherein the alarm is not provided when the current parameter values are not abnormal. 如申請專利範圍第1項所述的方法,其中依據該些屬性資訊的該些預定參數值判斷該些目前參數值是否異常的步驟包括: 從該些目前參數值中取出一第一目前參數值; 從該些預定參數值中取出一第一預定參數值,其中該第一預定參數值與該第一目前參數值皆對應該些屬性資訊中的一第一屬性資訊;以及 判斷該第一目前參數值是否超出該第一預定參數值,若是則判定該第一目前參數值為異常,反之則判定該第一目前參數不為異常。The method of claim 1, wherein the step of determining whether the current parameter values are abnormal according to the predetermined parameter values of the attribute information comprises: extracting a first current parameter value from the current parameter values. Obtaining a first predetermined parameter value from the predetermined parameter values, wherein the first predetermined parameter value and the first current parameter value correspond to a first attribute information of the attribute information; and determining the first current Whether the parameter value exceeds the first predetermined parameter value, and if yes, determining that the first current parameter value is abnormal, otherwise determining that the first current parameter is not abnormal. 如申請專利範圍第5項所述的方法,更包括: 基於該第一預定參數值決定一參數觀察區間,其中該第一預定參數值位於該參數觀察區間中; 判斷該第一目前參數值是否位於該參數觀察區間中;以及 若是,記錄該第一目前參數值,並基於該第一目前參數值修正該第一預定參數值。The method of claim 5, further comprising: determining a parameter observation interval based on the first predetermined parameter value, wherein the first predetermined parameter value is located in the parameter observation interval; determining whether the first current parameter value is Located in the parameter observation interval; and if so, recording the first current parameter value and correcting the first predetermined parameter value based on the first current parameter value. 一種伺服器,包括: 一儲存電路,儲存多個模組;以及 一處理器,連接該儲存電路,存取該些模組以執行下列步驟: 取得對應於該伺服器的多個屬性資訊的多個預定參數值,其中各該屬性資訊屬於一第一類屬性或一第二類屬性; 監控該些屬性資訊的多個目前參數值; 依據該些屬性資訊的該些預定參數值判斷該些目前參數值是否異常; 當該些目前參數值中的一特定目前參數值為異常時,依據多個彈性準則組判斷是否需提供關聯於該特定目前參數值的一告警,其中各該彈性準則組包含至少一彈性準則;以及 若該特定目前參數值符合該些彈性準則組的其中之一,則不提供該告警,反之則提供該告警,其中該告警指示該特定目前參數值所對應的該些屬性資訊的其中之一者,以及指示該些屬性資訊的其中之該者係為該第一類屬性或該第二類屬性。A server includes: a storage circuit for storing a plurality of modules; and a processor coupled to the storage circuit to access the modules to perform the following steps: obtaining a plurality of attribute information corresponding to the server a predetermined parameter value, wherein each of the attribute information belongs to a first type attribute or a second type attribute; monitoring a plurality of current parameter values of the attribute information; determining the current according to the predetermined parameter values of the attribute information Whether the parameter value is abnormal; when a specific current parameter value of the current parameter values is abnormal, determining whether to provide an alarm associated with the specific current parameter value according to the multiple elastic criterion groups, wherein each of the elastic criterion groups includes At least one flexibility criterion; and if the specific current parameter value meets one of the sets of flexible criteria, the alert is not provided, and the alert is provided, wherein the alert indicates the attributes corresponding to the particular current parameter value One of the information, and the one of the information indicating the attribute information is the first type attribute or the second type attribute. 如申請專利範圍第7項所述的伺服器,其中該些屬性資訊包含一網際網路協定(Internet Protocol,IP)位址來源地、一伺服器流量、該IP位址來源地的一IP流量、該IP位址來源地的一連線頻率、該伺服器的一處理器使用率、該伺服器的一記憶體使用率、該伺服器的一硬碟存取速度、該伺服器的一運作通訊埠數量的至少其中之一。The server of claim 7, wherein the attribute information includes an Internet Protocol (IP) address source, a server traffic, and an IP traffic of the IP address source. a connection frequency of the IP address source, a processor usage rate of the server, a memory usage rate of the server, a hard disk access speed of the server, and an operation of the server At least one of the number of communication ports. 如申請專利範圍第8項所述的伺服器,其中該網際網路協定(Internet Protocol,IP)位址來源地、該伺服器流量、該IP位址來源地的該IP流量及該IP位址來源地的該連線頻率屬於該第一類屬性,而該伺服器的該處理器使用率、該伺服器的該記憶體使用率、該伺服器的該硬碟存取速度及該伺服器的該運作通訊埠數量屬於該第二類屬性。The server of claim 8, wherein the Internet Protocol (IP) address source, the server traffic, the IP traffic of the IP address source, and the IP address. The connection frequency of the source belongs to the first type of attribute, and the processor usage rate of the server, the memory usage rate of the server, the hard disk access speed of the server, and the server The number of operational communication ports belongs to this second type of attribute. 如申請專利範圍第7項所述的伺服器,其中當該些目前參數值皆不為異常時,該處理器不提供該告警。The server of claim 7, wherein the processor does not provide the alarm when the current parameter values are not abnormal. 如申請專利範圍第7項所述的伺服器,其中該處理器經配置以: 從該些目前參數值中取出一第一目前參數值; 從該些預定參數值中取出一第一預定參數值,其中該第一預定參數值與該第一目前參數值皆對應該些屬性資訊中的一第一屬性資訊;以及 判斷該第一目前參數值是否超出該第一預定參數值,若是則判定該第一目前參數值為異常,反之則判定該第一目前參數不為異常。The server of claim 7, wherein the processor is configured to: extract a first current parameter value from the current parameter values; and extract a first predetermined parameter value from the predetermined parameter values The first predetermined parameter value and the first current parameter value respectively correspond to a first attribute information of the attribute information; and determining whether the first current parameter value exceeds the first predetermined parameter value, and if yes, determining the The first current parameter value is abnormal, otherwise the first current parameter is determined to be not abnormal. 如申請專利範圍第11項所述的伺服器,其中該處理器更經配置以: 基於該第一預定參數值決定一參數觀察區間,其中該第一預定參數值位於該參數觀察區間中; 判斷該第一目前參數值是否位於該參數觀察區間中;以及 若是,記錄該第一目前參數值,並基於該第一目前參數值修正該第一預定參數值。The server of claim 11, wherein the processor is further configured to: determine a parameter observation interval based on the first predetermined parameter value, wherein the first predetermined parameter value is located in the parameter observation interval; Whether the first current parameter value is located in the parameter observation interval; and if so, recording the first current parameter value, and correcting the first predetermined parameter value based on the first current parameter value.
TW106145581A 2017-12-25 2017-12-25 Server and monitoring method thereof TWI644228B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106145581A TWI644228B (en) 2017-12-25 2017-12-25 Server and monitoring method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106145581A TWI644228B (en) 2017-12-25 2017-12-25 Server and monitoring method thereof

Publications (2)

Publication Number Publication Date
TWI644228B TWI644228B (en) 2018-12-11
TW201928747A true TW201928747A (en) 2019-07-16

Family

ID=65431603

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106145581A TWI644228B (en) 2017-12-25 2017-12-25 Server and monitoring method thereof

Country Status (1)

Country Link
TW (1) TWI644228B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI827203B (en) * 2022-08-18 2023-12-21 中華電信股份有限公司 Verification system and verification method for malicious file of container
TWI817768B (en) * 2022-10-14 2023-10-01 英業達股份有限公司 System for monitoring service of server

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103795580B (en) * 2012-10-29 2016-10-26 腾讯科技(深圳)有限公司 A kind of data monitoring method, system and relevant device
TWI474213B (en) * 2013-01-09 2015-02-21 Hope Bay Technologies Inc Cloud system for threat protection and protection method using for the same
CN107135187A (en) * 2016-02-29 2017-09-05 阿里巴巴集团控股有限公司 Preventing control method, the apparatus and system of network attack

Also Published As

Publication number Publication date
TWI644228B (en) 2018-12-11

Similar Documents

Publication Publication Date Title
US11502922B2 (en) Technologies for managing compromised sensors in virtualized environments
CN109347827B (en) Method, device, equipment and storage medium for predicting network attack behavior
US11997120B2 (en) Detecting threats to datacenter based on analysis of anomalous events
US10135862B1 (en) Testing security incident response through automated injection of known indicators of compromise
US8214490B1 (en) Compact input compensating reputation data tracking mechanism
US20180336353A1 (en) Risk scores for entities
JP2020521383A5 (en)
US11632320B2 (en) Centralized analytical monitoring of IP connected devices
JP2018530066A (en) Security incident detection due to unreliable security events
US8774023B2 (en) Method and system for detecting changes in network performance
CN110362455B (en) Data processing method and data processing device
US20140189431A1 (en) Method and system for monitoring transaction execution on a computer network and computer storage medium
US20230011043A1 (en) Identification of time-ordered sets of connections to identify threats to a datacenter
EP2593896B1 (en) Supervision of the security in a computer system
US20200244685A1 (en) Scanner probe detection
CN108282355B (en) Equipment inspection device in cloud desktop system
CN110620690A (en) Network attack event processing method and electronic equipment thereof
US20200244683A1 (en) Port scan detection using destination profiles
CN104866296A (en) Data processing method and device
US20220309171A1 (en) Endpoint Security using an Action Prediction Model
TWI644228B (en) Server and monitoring method thereof
CN111061588A (en) Method and device for locating database abnormal source
US20210243219A1 (en) Security handling skill measurement system, method, and program
EP3918762B1 (en) Port scan detection
CN110177075B (en) Abnormal access interception method, device, computer equipment and storage medium