CN101931625A - Upgrading method and device of network monitoring data - Google Patents

Publication number
CN101931625A
Authority
CN
China
Prior art keywords
audit
database
feature
module
audit feature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201010255367XA
Other languages
Chinese (zh)
Inventor
李晶楠
张晓东
杨光
田海燕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd filed Critical Hangzhou DPTech Technologies Co Ltd
Priority to CN201010255367XA priority Critical patent/CN101931625A/en
Publication of CN101931625A publication Critical patent/CN101931625A/en
Pending legal-status Critical Current

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for updating network monitoring data. The method comprises the following steps: updating the audit features of the network monitoring data stored in a database; and reading the audit features by an audit device and monitoring the data in the network. The invention can further encrypt the database, or the audit features in the database, to prevent them from being modified. The database is backed up during the update; if the update fails, the database can be recovered and its audit functions are not affected. The feature library that was fixed in the audit device is stored in a database that can be modified and updated, which avoids the problems of recompiling the version and of a long update process caused by modifying audit features fixed in the audit device, thereby saving update time and improving the working efficiency of the audit device.

Description

Upgrade method and device for network monitoring data
Technical field
The present invention relates to the technical field of computer networks, and more specifically to a method and device for upgrading network monitoring data.
Background
With the development of networks, network information security bears on many of a company's interests, and many companies strictly monitor access from internal computers to external networks. Such a monitoring system is also called a user behavior auditing system.
At present, the user behavior auditing system of a company's internal network monitors users' network operations. Its basic processing flow integrates an application identification engine into an IPS; the IPS is an audit device with an audit function, such as a Unified Access Gateway (UAG), a router, or a switch with routing capability.
When a computer's packet passes through the audit device, the audit device identifies the network protocol the packet belongs to and then, on the basis of that protocol identification, performs audit feature identification on the protocol payload. The protocol payload is the content data encapsulated in packets of that protocol, such as web pages, chat messages and e-mail. An audit feature is a keyword of the monitored data: once the protocol has been determined, the device checks whether the protocol payload contains the keywords to be monitored for that protocol. For example, after determining that a packet belongs to a mail protocol or an instant messaging protocol, it intercepts the recipient mailbox or the chat content inside; after determining that a packet belongs to the XML protocol, it checks whether the packet contains keywords such as illegal website addresses.
Different protocol packets have different corresponding audit features. The processing function corresponding to the protocol is called to perform the audit: keywords are extracted from the packet and judged for legality, that is, the device determines whether the packet contains keywords identical or similar to an audit feature. Keywords judged illegal are stored in the database as audit results in log form. The audit log can also be sent to a remote host, which parses the log file and displays the result to the administrator.
In current user behavior auditing systems, the audit features for all supported services are fixed in the audit device and predefined; only after the compiled system version is running on the device can the supported services be audited. When the system version needs upgrading, for example to modify or delete audit features in the audit device or to add new ones, the platform code in the audit device must be modified and the system version recompiled, and the compiled system version is then loaded onto the audit device to complete the upgrade.
Because users frequently need to change the network protocols and audit operations being audited, the audit device must be restarted, new audit features downloaded, the corresponding audit features fixed inside the device modified, and the version recompiled. With frequent restarts, the upgrade process takes a long time and reduces the operating efficiency of the audit device.
Summary of the invention
The present invention aims to provide a method and device for upgrading network monitoring data that solve the problem that, when an audit device is upgraded, modifying the audit features fixed in the audit device requires recompiling the version and restarting, which makes the upgrade process long.
According to one aspect of the present invention, a method for upgrading network monitoring data is provided, comprising: updating the audit features stored in a database as network monitoring data; obtaining the audit features by an audit device; and monitoring data in the network according to the audit features.
Further, before the update operation, the method also comprises backing up the audit features in the database.
Further, after the update operation, the method also comprises encrypting the database into an audit feature library.
Further, the step of obtaining the audit features by the audit device comprises decrypting the audit feature library into the database and reading the audit features in the database; if reading fails, the audit features in the backed-up database are read.
Further, the database or the audit feature library is installed in a server connected to the audit device.
According to another aspect of the present invention, an update device for network monitoring data is also provided, comprising: an update module, for updating the audit features stored in the database as network monitoring data; an acquisition module, for obtaining the audit features by the audit device; and a monitoring module, for monitoring data in the network in response to the audit features.
Further, the update device also comprises a backup module, for backing up the audit features in the database before the update module performs the update operation.
Further, the update device also comprises an encryption module, for encrypting the database into an audit feature library after the update module performs the update operation.
Further, the monitoring module comprises: a decryption module, for decrypting the audit feature library into the database; a read module, for reading the audit features in the database and, if reading fails, reading the audit features in the backed-up database in the backup module; and an audit module, for monitoring data in the network using the audit features read by the read module.
Further, the above audit device is a router, switch or proxy server.
Because the invention stores the feature library that was fixed in the audit device in an upgradable, modifiable database that needs no compiling or restarting, it overcomes the problem that, when an audit device is restarted and upgraded, modifying the audit features fixed in the device requires recompiling the version and makes the upgrade process long. It thereby saves update time and improves the operating efficiency of the audit device.
Description of drawings
The accompanying drawings provide further understanding of the present invention and form part of this application. The illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 shows a structural block diagram of the network devices according to one embodiment of the invention;
Fig. 2 shows a flow chart of one embodiment of the method of the invention;
Fig. 3 shows a structural block diagram of the network devices according to the second and third embodiments of the invention;
Fig. 4 shows a flow chart of the second embodiment of the method of the invention;
Fig. 5 shows a flow chart of the third embodiment of the method of the invention; and
Fig. 6 shows a structural block diagram according to the fourth embodiment of the invention.
Embodiments
The invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
The present invention takes the audit features that were fixed in audit device 10 and stores them in the form of database 12. The database can be integrated in audit device 10, or integrated separately in a server 16 connected to audit device 10. When the audit features are upgraded, the audit features in database 12 can therefore be modified directly, without modifying and compiling audit features fixed in audit device 10, which saves time and improves the operating efficiency of audit device 10.
The invention can be implemented in various ways; the upgrade process of the audit features in each embodiment is described in detail below.
The first embodiment of the invention is described in detail below with reference to the drawings. In this embodiment, database 12, which stores the audit features, is integrated in server 16. The structure of the network devices is shown in Fig. 1: audit device 10 is connected to server 16 and reads the audit features from database 12 in server 16. Audit device 10 is connected to client 14 of the remote monitoring center, and the user modifies the audit features in database 12 of audit device 10 through client 14. Audit device 10 is connected to device 1 through device N and audits the data that each device sends or receives. The method according to the invention is applied to the network devices shown in Fig. 1. Embodiment one is described in detail below in terms of the network environment in which the invention is applied and with reference to the flow chart shown in Fig. 2. Embodiment one comprises the following steps:
S20: Server 16 updates the audit features stored in database 12 as network monitoring data.
Preferably, server 16 receives modification information entered by the administrator and, according to that information, updates the audit features stored in database 12 as network monitoring data. The administrator can modify the audit features in database 12 through client 14 of the remote management center connected to server 16. These audit features comprise the packet protocols to be audited, such as TCP/IP protocol packets, XML protocol packets and mail transfer protocol packets, and the keywords to be audited for each protocol, such as web addresses, instant messages and mail recipients. Once the update operation is finished, the audit features have been upgraded, and they serve as the data for subsequent monitoring.
S22: Audit device 10 reads the audit features and uses them to monitor data in the network.
Audit device 10 reads the audit features in database 12 and monitors data in the network. Audit device 10 can be a router, switch, proxy server or the like. It can monitor, by IP address or MAC address, the data sent and received by the device corresponding to each address. These devices, device 1 through device N, are connected to audit device 10 and send and receive data through it. Audit device 10 detects the corresponding audit features in the transmitted data and sends the detected audit features in log form to client 14 of the connected remote monitoring center; they can also be saved in the database that stores the audit features.
Embodiment one of the invention has been described in detail above. In this embodiment, the audit features can be upgraded through the database; audit device 10 directly reads the upgraded audit features from database 12 and uses them to monitor data. Because updating and compiling audit features fixed in audit device 10 is avoided, update time is effectively saved and the operating efficiency of audit device 10 is improved.
Of course, database 12, which stores the audit features, can also be integrated inside audit device 10, as shown in Fig. 3; the user modifies the audit features in the database through I/O device 20 connected to audit device 10. To keep the audit features from being arbitrarily modified or leaked, they can also be encrypted, and the encrypted audit features used for the upgrade. This flow is described below through the second embodiment, shown in Fig. 4, and comprises the following steps:
S40: Audit device 10 encrypts the audit features or the database, that is, the audit features used for the upgrade or the database that stores the audit features. The encrypted database 12 may also be referred to as audit feature library 18.
S42: Audit feature library 18 in audit device 10 is updated. The user can connect an external memory, such as a USB flash drive or a card reader, to audit device 10, and audit device 10 automatically updates with the audit feature library 18 on the connected USB flash drive or on the memory card in the card reader; alternatively, the audit features in audit feature library 18 are modified through I/O device 20 connected to audit device 10.
S44: Audit device 10 decrypts audit feature library 18 and reads the audit features in the decrypted database 12. After updating audit feature library 18, audit device 10 decrypts it, restores database 12 and reads the audit features in database 12.
S46: Audit device 10 uses the audit features it has read to monitor data in the network.
In the second embodiment above, encrypting the audit features or database 12 effectively prevents the audit features from being arbitrarily changed during an upgrade, so that modified audit features do not cause monitoring by audit device 10 to fail.
During an audit feature upgrade, if the new database 12 or audit feature library 18 directly overwrites the one in use before the upgrade, the upgrade sometimes fails, and audit device 10 can then no longer perform its audit function. To avoid this, database 12 or audit feature library 18 can be backed up before the upgrade operation. This is described below as embodiment three, with reference to Fig. 5 and Fig. 3, and comprises the following steps:
S500: Audit device 10 performs the audit function. Audit device 10 audits data in the network in response to the audit features.
S502: The audit feature library 18 to be used for the upgrade is selected for audit device 10. The user selects it through I/O device 20 connected to audit device 10.
S504: Audit device 10 stops the current audit function.
S506: Audit device 10 backs up the current audit feature library 18. After audit device 10 stops operating, it backs up the audit feature library 18 or database 12 currently in use.
S508: Audit device 10 updates audit feature library 18. Audit device 10 performs the update using the audit feature library 18 selected in S502. Of course, if the audit features are stored on server 16 connected to audit device 10, as in the first embodiment, audit feature library 18 or database 12 can be upgraded by server 16.
S510: Audit device 10 reads and decrypts audit feature library 18, restoring database 12.
S512: Audit device 10 obtains the audit features in database 12 and determines whether they are usable. If so, S500 is performed and audit device 10 audits data in the network according to the audit features. If not, S514 is performed.
S514: Audit device 10 restores the backed-up audit feature library 18 and performs S508.
Through the above steps, if an upgrade of audit device 10 fails, the backed-up audit feature library 18 or database 12 can be selected and used instead. Even if an upgrade failure leaves audit device 10 unable to audit, audit device 10 can therefore recover and continue to be used.
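The backup, update, usability check and rollback flow of the third embodiment (S500 to S514), as an added Python example that is not part of the patent or of any product's code. Where the patent encrypts the database into the audit feature library, this example substitutes an HMAC-SHA256 tag, which serves the stated goal of detecting modification using only the standard library. The key, file names, class, feature format and sample keywords are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Constructed demo key; a real device would keep its key in protected storage.
KEY = b"constructed-demo-key"

def seal(features):
    """Pack {protocol: [keywords]} into a tamper-evident feature library blob."""
    body = json.dumps(features, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).digest() + body

def unseal(blob):
    """Verify the tag, then apply the usability check of S512."""
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("feature library was modified")
    features = json.loads(body)
    if not isinstance(features, dict) or not features:
        raise ValueError("no audit features")
    for proto, keywords in features.items():
        if not (isinstance(keywords, list) and keywords
                and all(isinstance(k, str) and k for k in keywords)):
            raise ValueError("unusable keyword list for " + proto)
    return features

class AuditDevice:
    def __init__(self, workdir):
        self.lib = os.path.join(workdir, "features.lib")  # hypothetical path
        self.bak = self.lib + ".bak"
        self.features = {}
        self.auditing = False

    def provision(self, blob):
        with open(self.lib, "wb") as f:
            f.write(blob)
        self._load()

    def _load(self):
        with open(self.lib, "rb") as f:          # S510: read and unpack
            self.features = unseal(f.read())     # S512: usable?
        self.auditing = True                     # S500: audit with them

    def upgrade(self, new_blob):
        """Return True if the new library is in use, False if rolled back."""
        self.auditing = False                    # S504: stop auditing
        shutil.copyfile(self.lib, self.bak)      # S506: back up current library
        try:
            with open(self.lib, "wb") as f:      # S508: install the update
                f.write(new_blob)
            self._load()
            return True
        except (ValueError, OSError):
            shutil.copyfile(self.bak, self.lib)  # S514: restore the backup
            self._load()
            return False

    def audit(self, protocol, payload):
        """Return the keywords of this protocol that occur in the payload."""
        if not self.auditing:
            raise RuntimeError("audit function is stopped")
        text = payload.lower()
        return [k for k in self.features.get(protocol, []) if k.lower() in text]

def demo():
    """Run two failed upgrades and one successful upgrade on constructed data."""
    with tempfile.TemporaryDirectory() as workdir:
        dev = AuditDevice(workdir)
        dev.provision(seal({"smtp": ["alice@example.com"]}))
        good = seal({"smtp": ["alice@example.com"], "http": ["blocked.example"]})
        tampered = bytearray(good)
        tampered[-5] ^= 0x01                     # one flipped bit in the body
        request = "GET http://blocked.example/ HTTP/1.1"
        return {
            "tampered_applied": dev.upgrade(bytes(tampered)),
            "empty_applied": dev.upgrade(seal({"http": []})),
            "smtp_after_rollback": dev.audit("smtp", "RCPT TO:<alice@example.com>"),
            "http_before": dev.audit("http", request),
            "good_applied": dev.upgrade(good),
            "http_after": dev.audit("http", request),
        }

if __name__ == "__main__":
    print(demo())
```

Both rejected updates leave the device auditing with the backed-up feature set, so the audit function is only ever stopped for the duration of the upgrade attempt.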
In the third embodiment above, audit device 10 may also be initialized, for example by performing S506a; after S506a, S508 and the subsequent steps are performed to carry out the audit operation.
The embodiments of the method according to the invention have been described in detail above. The method can be integrated into audit device 10 in the form of various devices, for example in a proxy server, router, switch or gateway, or integrated into server 16 connected to audit device 10; none of these affects the implementation of the invention. A preferred update device according to the invention is described below as embodiment four. Referring to Fig. 6, the update device comprises update module 60, for updating the audit features stored in database 12 as network monitoring data, and monitoring module 62, for controlling audit device 10 to read the audit features and monitoring data in the network in response to the audit features.
Preferably, the update device also comprises backup module 64, which, before update module 60 performs the update operation, backs up the audit features of database 12 in response to the connected update module 60, so that in a subsequent recovery the connected read module 622 can read the audit features of the backed-up database 12 in backup module 64.
Preferably, the update device also comprises encryption module 66, which, after update module 60 performs the update operation, encrypts database 12 into audit feature library 18 in response to update module 60.
Preferably, monitoring module 62 comprises: decryption module 620, for decrypting audit feature library 18 into database 12; read module 622, for reading the audit features in the database 12 decrypted by decryption module 620 and, if reading fails, reading the audit features of the backed-up database 12 in backup module 64; and audit module 624, for monitoring data in the network using the audit features read by read module 622.
Preferably, audit device 10 is a router, switch or proxy server. The device of the invention can be integrated inside audit device 10, or integrated in a memory that can be plugged into audit device 10, which is convenient for the user.
The technical effect of the invention is that, because it stores the audit feature library that was fixed in the audit device in an upgradable, modifiable database that needs no compiling, it overcomes the problem that, when an audit device is upgraded, modifying the audit features fixed in the device requires recompiling the version and makes the upgrade process long. It thereby saves update time and improves the operating efficiency of the audit device.
Obviously, those skilled in the art should understand that the modules or steps of the invention described above can be implemented with general-purpose computing devices. They can be concentrated on a single computing device or distributed over a network formed by multiple computing devices. Optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device; or they can each be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus the invention is not restricted to any specific combination of hardware and software.
The above are only preferred embodiments of the invention and do not limit the invention; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (11)

1. A method for upgrading network monitoring data, involving a database and an audit device, characterized by comprising the following steps:
updating the audit features stored in the database as the network monitoring data;
reading the audit features by the audit device; and
monitoring data in the network according to the audit features.
2. The method according to claim 1, characterized in that the audit features in the database are backed up before the updating step.
3. The method according to claim 2, characterized in that the database is encrypted into an audit feature library after the updating step.
4. The method according to claim 3, characterized in that the step of reading the audit features comprises:
decrypting the audit feature library into the database by the audit device;
reading the audit features in the database; and
if reading fails, reading the audit features of the backed-up database.
5. The method according to any one of claims 1 to 4, characterized in that the audit device is a router, switch or proxy server.
6. The method according to claim 5, characterized in that the database or the audit feature library is installed in a server, and the server is connected to the audit device.
7. A device for updating network monitoring data, involving a database and an audit device, characterized by comprising:
an update module, for updating the audit features stored in the database as the network monitoring data;
an acquisition module, for obtaining the audit features by the audit device; and
a monitoring module, for monitoring data in the network in response to the audit features.
8. The device according to claim 7, characterized by further comprising a backup module, for backing up the audit features in the database before the update module performs the update operation.
9. The device according to claim 8, characterized by further comprising an encryption module, for encrypting the database into an audit feature library after the update module performs the update operation.
10. The device according to claim 9, characterized in that the acquisition module comprises:
a decryption module, for decrypting the audit feature library into the database;
a read module, for reading the audit features in the database and, if reading fails, reading the audit features of the database backed up in the backup module;
an audit module, for monitoring data in the network using the audit features read by the read module.
11. The device according to any one of claims 7 to 10, characterized in that the audit device is a router, switch or proxy server.
CN201010255367XA 2010-08-13 2010-08-13 Upgrading method and device of network monitoring data Pending CN101931625A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010255367XA CN101931625A (en) 2010-08-13 2010-08-13 Upgrading method and device of network monitoring data

Publications (1)

Publication Number Publication Date
CN101931625A true CN101931625A (en) 2010-12-29

Family

ID=43370551

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010255367XA Pending CN101931625A (en) 2010-08-13 2010-08-13 Upgrading method and device of network monitoring data

Country Status (1)

Country Link
CN (1) CN101931625A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388010A (en) * 2007-09-12 2009-03-18 北京启明星辰信息技术有限公司 Oracle database audit method and system
CN101399716A (en) * 2008-10-28 2009-04-01 深圳市中科新业信息科技发展有限公司 Distributed audit system and method for monitoring using state of office computer
US20090138592A1 (en) * 2007-11-15 2009-05-28 Kevin Overcash Method and apparatus for detection of information transmission abnormalities

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102325061A (en) * 2011-09-16 2012-01-18 北京星网锐捷网络技术有限公司 Method for monitoring network, equipment and system
CN102325061B (en) * 2011-09-16 2014-07-02 北京星网锐捷网络技术有限公司 Network monitoring method, equipment and system
CN105991331A (en) * 2015-02-16 2016-10-05 杭州迪普科技有限公司 Forum review method, device and log management device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20101229