
CN104468537A - System and method for achieving safety audit - Google Patents

System and method for achieving safety audit

Info

Publication number
CN104468537A
Authority
CN
China
Prior art keywords
security
security audit
request message
service request
business operation
Prior art date
Legal status
Pending
Application number
CN201410686636.6A
Other languages
Chinese (zh)
Inventor
李勋
吴松洋
李营那
刘欣
张涛
符运辉
Current Assignee
Third Research Institute of the Ministry of Public Security
Original Assignee
Third Research Institute of the Ministry of Public Security
Priority date
Filing date
Publication date
Application filed by Third Research Institute of the Ministry of Public Security
Priority to CN201410686636.6A
Publication of CN104468537A
Legal status: Pending (current)

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a system for implementing security audit, comprising several clients, several servers and a security audit device, and to a security audit method in which: a client sends a service request message to the security audit device; the security audit device forwards the service request message to the server it is addressed to and mirrors the message to obtain a corresponding mirror file; the security audit device parses the mirror file to obtain the corresponding business operation instruction; the server responds to the service request message and sends the corresponding business operation log to the security audit device; and the security audit device compares and analyses the business operation instruction against the business operation log. The system supports dual-device hot standby and cluster deployment, is easy to roll out, stable and reliable, supports dynamic expansion and has a wide range of application.

Description

System and method for realizing security audit

Technical field

The invention relates to the field of information security, in particular to the security audit of user access, and specifically to a system and method for implementing security audit.

Background

With the rapid development of information technology, Internet security problems have become increasingly prominent. Traditional network security measures such as firewalls and intrusion detection can manage and monitor abnormal network behaviour, but they cannot monitor network content or authorized, normal internal network access; they are therefore powerless against information leakage and resource abuse caused by normal network access behaviour. Security audit devices arose in this context. The network topology of an existing security audit device is shown in Figure 1, where one security audit device corresponds to one server. However, industries today depend heavily on information systems and must provide uninterrupted service 24 hours a day, which also requires the security audit device to provide continuous, reliable service; the arrangement shown in Figure 1 cannot meet this requirement. In real deployments the number of application servers is large and grows daily, and a single security audit device usually cannot support a large number of servers, so the security audit device must support dynamic expansion.

Summary of the invention

The purpose of the invention is to overcome the shortcomings of the prior art described above by providing a system and method for implementing security audit that supports a large number of servers, periodically synchronizes data between devices, raises selective alarms by comparing business operation instructions with business operation logs, and provides dual-device hot standby and cluster deployment, being easy to roll out, stable and reliable, and supporting dynamic expansion.

To achieve this purpose, the system and method for implementing security audit of the invention are constituted as follows.

The system for implementing security audit is characterized in that it comprises:

several clients, for sending service request messages to a security audit device;

several servers, for responding to the service request messages forwarded by the security audit device and sending the corresponding business operation logs to the security audit device;

a security audit device, for mirroring the service request messages to obtain corresponding mirror files, parsing the mirror files to obtain the corresponding business operation instructions, and comparing and analysing the business operation instructions against the business operation logs.

Further, the security audit device comprises:

a switching module, for forwarding each service request message to the server it is addressed to and mirroring the message to obtain a corresponding mirror file;

a packet capture module, for encrypting the mirror file to obtain a corresponding encrypted file;

a protocol parsing module, for parsing the encrypted file to obtain the business operation instruction;

an early-warning monitoring module, for comparing and analysing the business operation instruction against the business operation log.

Further still, the security audit device also comprises a local storage module for storing the encrypted file.

The encrypted file is an encrypted file in pcap format, the switching module is a switch running the STP protocol, the security audit devices are connected to each other over a local area network, and data is synchronized between them.

In addition, the invention relates to a method for implementing security audit, characterized in that it comprises the following steps:

(1) the client sends a service request message to the security audit device;

(2) the security audit device forwards the service request message to the server it is addressed to and mirrors the message to obtain a corresponding mirror file;

(3) the security audit device parses the mirror file to obtain the corresponding business operation instruction;

(4) the server responds to the service request message and sends the corresponding business operation log to the security audit device;

(5) the security audit device compares and analyses the business operation instruction against the business operation log.

Further, the security audit device comprises a packet capture module and a protocol parsing module, and step (3), in which the security audit device parses the mirror file to obtain the corresponding business operation instruction, comprises the following steps:

(3.1) the packet capture module encrypts the mirror file to obtain a corresponding encrypted file;

(3.2) the protocol parsing module parses the encrypted file to obtain the business operation instruction.

Further, the security audit device connects to the several servers through a switching module running the STP protocol, and the following step precedes step (1):

(0) the switching module runs the STP protocol to discover loops in the network formed by the security audit device and the several servers, and prunes the looped topology into a loop-free tree topology.

Further, the following steps are included between steps (1) and (2):

(1.1) the switching module uses the STP protocol to determine whether the communication line between the security audit device and the several servers is normal; if so, continue with step (2), otherwise continue with step (1.2);

(1.2) the switching module switches the communication line between the security audit device and the several servers.

Further, the security audit devices are connected to each other over a local area network, and the following steps follow step (5):

(6) each security audit device determines whether the scheduled synchronization time has been reached; if so, continue with step (7), otherwise keep waiting;

(7) the security audit devices synchronize data with one another.

The system and method for implementing security audit of the invention have the following positive effects:

1. Completeness of audit data: the security audit device collects all messages generated by user operations and the business logs generated by the web services in response to user requests;

2. Convenient dynamic expansion: when a web server needs to be added, it can be connected through the multiple port groups of the security audit device; if the ports of the security audit device are exhausted, a new security audit device is simply added to the cluster and the new web server is connected to it through a switch, so expanding the web servers is very convenient;

3. High stability and high reliability: the security audit device supports dual-device hot standby; when the primary security audit device fails, the standby security audit device is activated automatically, guaranteeing continuous, uninterrupted, stable and reliable service to users.

Description of the drawings

Figure 1 is a network topology diagram of an existing security audit device.

Figure 2 is a network topology diagram of the system for implementing security audit of the invention.

Figure 3 is a flow chart of the method for implementing security audit of the invention.

Figure 4 is a network topology diagram of the cluster deployment of the system for implementing security audit of the invention.

Figure 5 is a network topology diagram of the hot standby of the system for implementing security audit of the invention.

Figure 6 is a flow chart of the method for implementing security audit in a hot-standby environment according to the invention.

Detailed description

To describe the technical content of the invention more clearly, it is further described below with reference to specific embodiments.

The system for implementing security audit according to the invention has functions such as capturing service request messages, parsing messages, analysing business operation instructions and fault warning; the security audit device in it is in practice a security audit product. The network topology of the system is shown in Figure 2.

Through its multiple port groups, the security audit device can be connected in line between multiple client users and multiple servers providing web services. The security audit device receives the service request messages sent by clients to the servers and the business operation logs generated by the servers after responding to user requests; all HTTP messages (that is, service request messages) with which users access the web services must pass through the security audit device. Most switches (that is, switching modules) support a mirror policy, which copies the packets on one port that match a specified rule to one or more other ports; this is convenient to use and works well, so the security audit device configures a mirror policy on its switch board component. Combined with the method shown in Figure 3, one specific embodiment of the invention is as follows:

When a user accesses a server, the security audit device copies the packets whose protocol is HTTP, whose destination address is in the web server whitelist and whose destination port is 8080 to the main control board of the security audit device. The packet capture module on the main control board encrypts the mirror file and stores it on the local disk (that is, the local storage module); the protocol parsing module on the main control board parses the HTTP messages to obtain the business operation instructions and stores them on the security audit device. The server responds to the business request initiated by the user, generates a business operation log and reports it to the security audit device. The early-warning monitoring module of the security audit device periodically compares the business operation instructions against the reported user operation logs and, according to the configured rules, generates warnings such as network down, disconnection and no traffic.

Secondly, the security audit device of the invention supports cluster deployment; its network topology is shown in Figure 4: the servers are connected through switches to different security audit devices, and the security audit devices in the cluster are connected to each other over a local area network. Each security audit device in the cluster provides the same service, and the data it generates is stored on its own local disk; a scheduled task periodically synchronizes data across all security audit devices in the cluster to keep the data on every device consistent. When the number of servers grows and the existing security audit devices can no longer support the additional servers, it suffices to add a security audit device to the cluster deployment shown in Figure 4 and connect it to the same local area network as the existing ones.

In addition, the invention realizes dual-device hot standby on the basis of STP (Spanning Tree Protocol): a switch supporting STP is selected, STP is enabled on the switch, and the dual-device hot-standby environment shown in Figure 5 is built. STP logically breaks loops to prevent broadcast storms in the Layer 2 network and provides line backup: when a line fails, a blocked interface is activated to restore communication. The effects achieved are as follows:

(1) Path selection: when a user accesses a server, STP selects the best access path;

(2) Automatic path switching: when the current access line fails, STP switches automatically to the backup line;

(3) Fault warning: when a security audit device in Figure 4 fails, the device's background alarm program raises an alarm;

(4) Data synchronization: the security audit device synchronizes data by memory synchronization rather than shared storage; a scheduled synchronization task on the security audit device periodically synchronizes the data of the two security audit devices to keep it consistent.

Combining the hot-standby environment above with Figure 6, another specific embodiment of the invention is as follows:

The hot-standby working environment is built according to the network topology shown in Figure 5: the switches are connected and STP is configured. Switches running STP discover loops in the network by exchanging information with each other and selectively block certain ports, finally pruning the looped topology into a loop-free tree topology, so that messages cannot multiply and circulate endlessly in a loop; a mirror policy is configured on the switch board component of the security audit device.

The user accesses the web service through the client; the switch selects the best access line (the primary line) for the user through STP, and the user's request is transmitted to the server over that line. At the same time STP continuously monitors the primary line; when the line fails, the blocked backup line is activated automatically to restore communication, while the alarm monitoring program on the primary line raises an alarm prompting maintenance staff to repair the fault, thereby providing users with a stable and reliable communication environment.

All upstream messages (that is, service request messages) with which users access the web servers must pass through the security audit device. In practice users access the web services in large numbers and concurrently, continuously generating a large volume of traffic. Analysing the messages in real time places high performance demands on the security audit device, and when its CPU utilization is high packets are dropped. The security audit device therefore encrypts the messages, stores them as pcap files on its local hard disk and processes them later, which keeps the product's quality while lowering its cost.

In practice the protocol parsing module of the security audit device periodically decrypts the pcap files. The security audit device can support web services from multiple vendors, each of which provides its own packet parsing program; the security audit device calls the corresponding unpacking program according to the destination address of the message to parse the protocol and obtain the business operation instruction. Encrypting the stored pcap files protects the captured traffic at rest, and using a separate unpacking program for each service keeps vendor-specific protocol parsing isolated.
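To make the capture-and-parse path of the two preceding embodiments concrete, the following is an added example in Python; it is not code from the patent or its assignee. It emulates the mirror rule of the first embodiment (HTTP, destination address in the web server whitelist, destination port 8080), reads the stored pcap, selects an unpacking program by destination address as described above (with a generic HTTP parser as the default, since no vendor program is given) and extracts the business operation instruction (method, path, Host) from each request. The pcap and the whitelist addresses are constructed for the example; the encrypt-at-rest step is omitted.

```python
import socket
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Mirror rule from the embodiment: HTTP, destination in the web server whitelist,
# destination port 8080. The addresses are assumed for this example.
WEB_SERVER_WHITELIST = {"192.168.1.10", "192.168.1.11"}
MIRROR_DST_PORT = 8080
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

# ---- constructed pcap (test data, not a real capture) -----------------------------
# Little-endian pcap: magic, major 2, minor 4, thiszone 0, sigfigs 0, snaplen, linktype 1
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def _frame(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero since nothing here verifies them."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload

def build_sample_pcap() -> bytes:
    frames = [
        _frame("10.0.0.5", "192.168.1.10", 8080,
               b"POST /account/transfer HTTP/1.1\r\nHost: bank.example\r\nContent-Length: 0\r\n\r\n"),
        _frame("10.0.0.6", "192.168.1.11", 8080, b"GET /orders?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
        _frame("10.0.0.7", "192.168.9.9", 8080, b"GET /admin HTTP/1.1\r\nHost: other.example\r\n\r\n"),  # not whitelisted
        _frame("10.0.0.5", "192.168.1.10", 80, b"GET / HTTP/1.1\r\nHost: bank.example\r\n\r\n"),        # wrong port
    ]
    records = [struct.pack("<IIII", 1416873600 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return PCAP_GLOBAL_HEADER + b"".join(records)

# ---- pcap reading and TCP decoding ------------------------------------------------
def iter_pcap_frames(data: bytes):
    """Yield (ts_sec, frame) for each record of a little-endian microsecond pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic != 0xA1B2C3D4:
        raise ValueError(f"unsupported pcap magic {magic:#x}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def decode_tcp(frame: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src_ip, dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    dst_port = struct.unpack_from("!H", frame, tcp + 2)[0]
    data_off = (frame[tcp + 12] >> 4) * 4
    return src_ip, dst_ip, dst_port, frame[tcp + data_off:]

def mirror_rule_matches(dst_ip: str, dst_port: int, payload: bytes) -> bool:
    return dst_port == MIRROR_DST_PORT and dst_ip in WEB_SERVER_WHITELIST and payload.startswith(HTTP_METHODS)

# ---- protocol parsing: one unpacker per destination, generic HTTP as the default ----
def parse_http_request(src_ip: str, dst_ip: str, payload: bytes) -> Optional[dict]:
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request_line = head[0].split(b" ")
    if len(request_line) != 3:
        return None  # truncated or not a request line; skip rather than guess
    host = next((h.split(b":", 1)[1].strip() for h in head[1:] if h.lower().startswith(b"host:")), b"")
    return {"client": src_ip, "server": dst_ip, "method": request_line[0].decode("ascii", "replace"),
            "path": request_line[1].decode("ascii", "replace"), "host": host.decode("ascii", "replace")}

# Vendor-specific unpackers keyed by web server address (none registered in this example).
UNPACKERS: Dict[str, Callable[[str, str, bytes], Optional[dict]]] = {}

def extract_instructions(pcap: bytes) -> List[dict]:
    """Apply the mirror rule to each frame and turn the matches into business operation instructions."""
    instructions = []
    for ts, frame in iter_pcap_frames(pcap):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src_ip, dst_ip, dst_port, payload = decoded
        if not mirror_rule_matches(dst_ip, dst_port, payload):
            continue
        unpack = UNPACKERS.get(dst_ip, parse_http_request)
        instruction = unpack(src_ip, dst_ip, payload)
        if instruction is not None:
            instruction["ts"] = ts
            instructions.append(instruction)
    return instructions

if __name__ == "__main__":
    for instruction in extract_instructions(build_sample_pcap()):
        print(instruction)
```

Of the four constructed frames only the two addressed to whitelisted servers on port 8080 become instructions; the request to a non-whitelisted host and the one to port 80 are dropped by the same rule the switch mirror policy would apply. A real deployment would register a vendor parser in `UNPACKERS` for each web server address, and would also need to reassemble TCP segments, since a request split across segments does not start with a method token.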

The early-warning monitoring module periodically compares the business operation instructions against the reported user operation logs. If the security audit device receives no task information from a web service for 12 consecutive hours, it raises a disconnection warning. If the connection is not broken but the number of business operation instructions and the number of reported user business operation logs are both zero for 12 consecutive hours, it raises a no-traffic alarm. If the connection is not broken and the number of business operation instructions exceeds the number of user business operation logs reported by the web service, it raises a log-reporting anomaly.
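The three comparison rules above, written out as an added example in Python (not code from the patent or its assignee). The "task information" whose absence signals disconnection is not defined in the text; here it is assumed to be tracked as a last-contact timestamp per web server, separately from the logs. The example goes one step beyond the text with a fourth rule: more reported logs than captured requests, which points at capture loss (the dropped packets mentioned in the description) or traffic that bypassed the audit device. All server addresses and records are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

WINDOW = timedelta(hours=12)  # "12 consecutive hours" in the text, for both conditions

@dataclass(frozen=True)
class Record:
    """One business operation instruction (parsed from mirrored traffic) or one reported log."""
    server: str      # web server address the request went to / that reported the log
    ts: datetime

def count_in_window(records: Iterable[Record], now: datetime) -> Counter:
    """Count records per server that fall inside the trailing 12-hour window."""
    counts: Counter = Counter()
    for r in records:
        if now - WINDOW <= r.ts <= now:
            counts[r.server] += 1
    return counts

def evaluate_alerts(servers: Iterable[str], instructions: Iterable[Record], logs: Iterable[Record],
                    last_contact: Dict[str, datetime], now: datetime) -> List[dict]:
    """Apply the comparison rules once, as the module would on each periodic run.

    last_contact holds the most recent time any task information arrived from each web
    service; this example assumes it is tracked separately from the logs.
    """
    instr = count_in_window(instructions, now)
    logged = count_in_window(logs, now)
    alerts = []
    for s in servers:
        seen = last_contact.get(s)
        if seen is None or now - seen >= WINDOW:
            alerts.append({"server": s, "alert": "disconnected",
                           "detail": "no task information received for 12 hours"})
            continue  # the remaining rules only apply while the service is connected
        i, l = instr[s], logged[s]
        if i == 0 and l == 0:
            alerts.append({"server": s, "alert": "no_traffic",
                           "detail": "zero instructions and zero logs for 12 hours"})
        elif i > l:
            alerts.append({"server": s, "alert": "log_reporting_anomaly", "instructions": i, "logs": l,
                           "detail": "server reported fewer logs than requests were observed"})
        elif l > i:
            # Extension beyond the text: logs with no captured request mean the audit device
            # missed traffic (packet loss or bypass), which an auditor also needs to know about.
            alerts.append({"server": s, "alert": "capture_gap", "instructions": i, "logs": l,
                           "detail": "server reported more logs than requests were observed"})
    return alerts

def demo_alerts() -> List[dict]:
    """Constructed data for five web servers; not taken from any real deployment."""
    now = datetime(2014, 11, 25, 12, 0, 0)

    def hours_ago(hours: float) -> datetime:
        return now - timedelta(hours=hours)

    servers = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14"]
    instructions = (
        [Record("192.168.1.10", hours_ago(1))] * 5 + [Record("192.168.1.10", hours_ago(20))]  # stale one is outside the window
        + [Record("192.168.1.11", hours_ago(2))] * 4
        + [Record("192.168.1.14", hours_ago(3))]
    )
    logs = (
        [Record("192.168.1.10", hours_ago(1))] * 5
        + [Record("192.168.1.11", hours_ago(2))] * 2
        + [Record("192.168.1.14", hours_ago(3))] * 3
    )
    last_contact = {"192.168.1.10": hours_ago(1), "192.168.1.11": hours_ago(0.5), "192.168.1.12": hours_ago(13),
                    "192.168.1.13": hours_ago(0.2), "192.168.1.14": hours_ago(1)}
    return evaluate_alerts(servers, instructions, logs, last_contact, now)

if __name__ == "__main__":
    for alert in demo_alerts():
        print(alert)
```

In the constructed run the first server is healthy (its one stale instruction lies outside the window and is ignored), the second reports fewer logs than requests were seen, the third has been silent for 13 hours, the fourth is connected but idle, and the fifth reports more logs than the device captured. The counts are compared per server rather than in aggregate; an aggregate comparison would let a surplus on one server mask a shortfall on another.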

In the invention, the audit information collected by the primary and the standby security audit devices is stored on their respective local hard disks; data synchronization uses memory synchronization rather than shared storage, and the data synchronization module of the security audit device periodically synchronizes the audit information between the two security audit devices.

In this specification the invention has been described with reference to specific embodiments. It is evident, however, that various modifications and changes may be made without departing from the spirit and scope of the invention. The specification and drawings are therefore to be regarded as illustrative rather than restrictive.

Claims (11)

1.一种实现安全审计的系统,其特征在于,所述的系统包括:1. A system that realizes safety audit, is characterized in that, described system comprises: 数个客户端,用以将业务请求报文发送至安全审计设备;Several clients are used to send the service request message to the security audit device; 数个服务器,用以响应所述的安全审计设备转发的所述的业务请求报文,并将对应的业务操作日志发送至所述的安全审计设备;Several servers are used to respond to the service request message forwarded by the security audit device, and send the corresponding service operation log to the security audit device; 安全审计设备,用以将所述的业务请求报文镜像复制得到对应的镜像文件,并解析所述的镜像文件得到对应的业务操作指令,和对所述的业务操作指令和所述的业务操作日志进行比较分析。A security auditing device, configured to mirror copy the business request message to obtain a corresponding mirror file, and parse the mirror file to obtain a corresponding business operation instruction, and to perform a review of the business operation instruction and the business operation logs for comparative analysis. 2.根据权利要求1所述的实现安全审计的系统,其特征在于,所述的安全审计设备包括:2. The system for realizing security auditing according to claim 1, wherein said security auditing equipment comprises: 交换模块,用以将所述的业务请求报文转发至所述的业务请求报文对应的服务器,并对所述的业务请求报文进行镜像复制得到对应的镜像文件;A switching module, configured to forward the service request message to the server corresponding to the service request message, and mirror copy the service request message to obtain a corresponding mirror image file; 报文抓包模块,用以对所述的镜像文件进行加密并得到对应的加密文件;A packet capture module for encrypting the image file and obtaining a corresponding encrypted file; 协议解析模块,用以解析所述的加密文件得到所述的业务操作指令;a protocol parsing module, configured to parse the encrypted file to obtain the business operation instruction; 预警监测模块,用以对所述的业务操作指令和所述的业务操作日志进行比较分析。The early warning monitoring module is used to compare and analyze the business operation instruction and the business operation log. 3.根据权利要求2所述的实现安全审计的系统,其特征在于,所述的安全审计设备还包括本地存储模块,所述的本地存储模块用以存储所述的加密文件。3. 
The system for implementing security auditing according to claim 2, wherein the security auditing device further comprises a local storage module, and the local storage module is used to store the encrypted file.
4. The system for implementing security auditing according to claim 3, wherein the encrypted file is an encrypted file in pcap format.
5. The system for implementing security auditing according to any one of claims 1 to 4, wherein the switching module is a switch that supports the STP protocol.
6. The system for implementing security auditing according to any one of claims 1 to 4, wherein the security auditing devices are connected to one another through a local area network, and data synchronization is performed between the security auditing devices.
7. A method for implementing security auditing based on the system according to any one of claims 1 to 4, wherein the method comprises the following steps:
(1) the client sends a service request message to the security auditing device;
(2) the security auditing device forwards the service request message to the server corresponding to the service request message, and mirror-copies the service request message to obtain a corresponding mirror file;
(3) the security auditing device parses the mirror file to obtain the corresponding business operation instruction;
(4) the server responds to the service request message and sends the corresponding business operation log to the security auditing device;
(5) the security auditing device compares and analyzes the business operation instruction and the business operation log.
8. The method for implementing security auditing according to claim 7, wherein the security auditing device comprises a packet capture module and a protocol parsing module, and the security auditing device parsing the mirror file to obtain the corresponding business operation instruction comprises the following steps:
(3.1) the packet capture module encrypts the mirror file to obtain a corresponding encrypted file;
(3.2) the protocol parsing module parses the encrypted file to obtain the business operation instruction.
9. The method for implementing security auditing according to claim 7, wherein the security auditing device establishes connections with the several servers through a switching module that supports the STP protocol, and before step (1) the method further comprises the following step:
(0) the switching module runs the STP protocol to discover any loop structure in the network formed by the security auditing device and the several servers, and prunes the looped network structure into a loop-free tree network structure.
10. The method for implementing security auditing according to claim 7, wherein between steps (1) and (2) the method further comprises the following steps:
(1.1) the switching module determines, by means of the STP protocol, whether the communication lines between the security auditing device and the several servers are normal; if so, proceed to step (2), otherwise proceed to step (1.2);
(1.2) the switching module switches the communication lines between the security auditing device and the several servers.
11. The method for implementing security auditing according to claim 7, wherein the security auditing devices are connected to one another through a local area network, and after step (5) the method further comprises the following steps:
(6) each security auditing device determines whether the scheduled synchronization time has been reached; if so, proceed to step (7), otherwise continue waiting;
(7) data synchronization is performed among the security auditing devices.
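The core of claim 7, steps (2) to (5), is that the audit device never trusts the server's log alone: it derives the intended business operation from its own mirror copy of the request and reconciles that against what the server reports having done. The following is an added illustration, not code from the patent; the request format (`user|operation|target`), the log line format (`user operation target`) and the sample data are all constructed assumptions.

```python
# Added example, not the patent's own code. Models claim 7, steps (2)-(5):
# mirror the service request, parse the mirror into a business operation
# instruction, then reconcile those instructions against the server's own
# business operation log. Message and log formats are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Instruction:
    user: str
    op: str
    target: str


def mirror(message: bytes) -> bytes:
    """Step (2): the mirror copy; the returned bytes stand in for the mirror file."""
    return bytes(message)


def parse_request(mirror_file: bytes) -> Instruction:
    """Step (3): protocol parsing of the mirror. Constructed format 'user|op|target'."""
    user, op, target = mirror_file.decode("utf-8").split("|")
    return Instruction(user, op, target)


def parse_log_line(line: str) -> Instruction:
    """Step (4): one server log line. Constructed format 'user op target'."""
    user, op, target = line.strip().split(" ", 2)
    return Instruction(user, op, target)


def audit(requests, server_log):
    """Step (5): compare instructions with the log. Returns three sets:
    matched    - requests the server reports having executed;
    unrequested - logged operations with no mirrored request, i.e. activity
                  that did not pass through the audit device;
    unlogged    - requests the server never reported acting on."""
    instructions = {parse_request(mirror(m)) for m in requests}
    logged = {parse_log_line(line) for line in server_log if line.strip()}
    return instructions & logged, logged - instructions, instructions - logged


def demo():
    # Constructed sample traffic: two client requests seen by the audit device
    # and the log the server returned for the same period.
    requests = [b"alice|READ|/orders/42", b"alice|DELETE|/orders/42"]
    server_log = ["alice READ /orders/42", "bob DELETE /orders/7"]
    return audit(requests, server_log)


if __name__ == "__main__":
    for name, group in zip(("matched", "unrequested", "unlogged"), demo()):
        print(name, sorted((i.user, i.op, i.target) for i in group))
```

Both discrepancy sets are audit findings: an unrequested entry suggests a path to the server that bypasses the audit device (or log tampering), while an unlogged entry means the server is not reporting all operations it receives.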
CN201410686636.6A 2014-11-25 2014-11-25 System and method for achieving safety audit Pending CN104468537A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410686636.6A CN104468537A (en) 2014-11-25 2014-11-25 System and method for achieving safety audit

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410686636.6A CN104468537A (en) 2014-11-25 2014-11-25 System and method for achieving safety audit

Publications (1)

Publication Number Publication Date
CN104468537A true CN104468537A (en) 2015-03-25

Family

ID=52913909

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410686636.6A Pending CN104468537A (en) 2014-11-25 2014-11-25 System and method for achieving safety audit

Country Status (1)

Country Link
CN (1) CN104468537A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101207521A (en) * 2007-12-12 2008-06-25 华为技术有限公司 Ethernet fault detection and convergence method and node equipment
CN101442449A (en) * 2008-12-18 2009-05-27 中国移动通信集团浙江有限公司 Method for completely auditing user behaviors under centralization access mode
CN104063473A (en) * 2014-06-30 2014-09-24 江苏华大天益电力科技有限公司 Database auditing monitoring system and database auditing monitoring method

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105407014A (en) * 2015-11-03 2016-03-16 上海良相智能化工程有限公司 Network behavior audit system
CN105653943A (en) * 2015-12-24 2016-06-08 北京奇虎科技有限公司 Log auditing method and system for android applications
CN105653943B (en) * 2015-12-24 2018-08-07 北京奇虎科技有限公司 The log audit method and system of Android applications
CN107124385B (en) * 2016-02-24 2020-02-04 中国科学院声学研究所 Mirror flow-based SSL/TLS protocol plaintext data acquisition method
CN107124385A (en) * 2016-02-24 2017-09-01 中国科学院声学研究所 A kind of SSL/TLS agreement clear data acquisition methods based on mirror image stream
CN106789029A (en) * 2017-01-04 2017-05-31 浙江神州量子网络科技有限公司 A kind of auditing system and auditing method and quantum fort machine system based on quantum fort machine
CN106789029B (en) * 2017-01-04 2019-11-22 浙江神州量子网络科技有限公司 A kind of auditing system and auditing method and quantum fort machine system based on quantum fort machine
CN107707535A (en) * 2017-09-25 2018-02-16 深圳市友华软件科技有限公司 Realize that more peaces of hot-swap examine plateform system and method
CN108563404A (en) * 2018-04-17 2018-09-21 四川神琥科技有限公司 A kind of data packet capturing storage method and equipment
CN108563404B (en) * 2018-04-17 2021-07-27 四川神琥科技有限公司 Data packet capturing and storing method and equipment
CN111506022A (en) * 2019-01-30 2020-08-07 中国石油天然气集团有限公司 Industrial control system and safety auditing method in industrial control system
CN112217881A (en) * 2020-09-24 2021-01-12 上海上讯信息技术股份有限公司 File synchronization method and equipment based on operation and maintenance audit system
CN112217881B (en) * 2020-09-24 2023-02-21 上海上讯信息技术股份有限公司 File synchronization method and equipment based on operation and maintenance audit system
CN116827698A (en) * 2023-08-31 2023-09-29 国能大渡河大数据服务有限公司 Network gateway flow security situation awareness system and method
CN116827698B (en) * 2023-08-31 2023-12-05 国能大渡河大数据服务有限公司 Network gateway flow security situation awareness system and method

Similar Documents

Publication Publication Date Title
CN104468537A (en) System and method for achieving safety audit
CN103152352B (en) A kind of perfect information security forensics monitor method based on cloud computing environment and system
US11323307B2 (en) Method and system of a dynamic high-availability mode based on current wide area network connectivity
EP3288269B1 (en) Method and system for cloud storage of video, and method and system for previewing cloud-stored video
CN106331098B (en) Server cluster system
JP5643433B2 (en) Method and apparatus for protocol event management
CN111459749B (en) Prometheus-based private cloud monitoring method and device, computer equipment and storage medium
US20190037009A1 (en) System and method for providing data and application continuity in a computer system
CN101795222B (en) Multi-stage forward service system and method
US10581697B2 (en) SDN controlled PoE management system
CN106982244B (en) Method and device for realizing packet mirroring of dynamic traffic in cloud network environment
WO2016183967A1 (en) Failure alarm method and apparatus for key component, and big data management system
CN104320446A (en) Distributed multi-Agent website monitoring method and system
CN110445697B (en) Video big data cloud platform equipment access service method
WO2021018309A1 (en) Method, device and system for determination of message transmission path, and computer storage medium
CN105208352A (en) Safe monitoring system and physical isolation method for network video
Basu et al. Architecture of a cloud-based fault-tolerant control platform for improving the qos of social multimedia applications on sd-wan
AU2011229566B2 (en) Load sharing method and apparatus
CN110061876A (en) The optimization method and system of O&M auditing system
Aglan et al. Reliability and scalability in sdn networks
CN105490847B (en) A kind of private cloud storage system interior joint failure real-time detection and processing method
CN118631782A (en) A method, device and equipment for domain name resolution
CN103108218A (en) Network discovery method of video distribution network node server
CN114301763B (en) Distributed cluster fault processing method and system, electronic equipment and storage medium
CN116781554A (en) Link state detection method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20150325