CN106713049A - Alarm method and device of monitor - Google Patents


Info

Publication number: CN106713049A (application CN201710064475.0A; granted version CN106713049B)
Authority: CN (China)
Prior art keywords: alarm, warning message, log, data server, monitoring system
Legal status: Granted, Active (Google's listed status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 李奉超
Original and current assignee: Hangzhou DPTech Technologies Co Ltd (Google notes the assignee list may be inaccurate)
Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201710064475.0A; publication of CN106713049A; application granted; publication of CN106713049B

Classifications

    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L41/0695 Management of faults, events, alarms or notifications, the faulty arrangement being the maintenance, administration or management system
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    (The H04L41/06xx codes fall under H04L41/00, arrangements for maintenance, administration or management of data switching networks, e.g. packet switching networks; H04L63/1425 falls under H04L63/14, network security architectures or protocols for detecting or protecting against malicious traffic, and H04L63/1408, detection by monitoring network traffic. All are in section H, Electricity; class H04, Electric communication technique; subclass H04L, Transmission of digital information, e.g. telegraphic communication.)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an alarm method and device for a monitoring system. The method comprises: receiving a warning message; determining the classification field of the warning message; writing the message content of the received warning message into a target alarm log whose classification field has the same content, and adding 1 to the alarm count of that target alarm log; and sending an alarm to the client only for alarm logs whose alarm count reaches a threshold. In this scheme an alarm identifier and a classification field are introduced into the monitoring system, alarm logs with the same classification-field content are merged, and an alarm is sent only when the accumulated alarm count reaches the preset threshold. When the monitoring system experiences many abnormal conditions and would otherwise send a large number of alarms and save a large number of alarm logs, the method effectively reduces the number of alarms and alarm logs while preserving the normal operation of the monitoring system, and improves the administrator's alarm-handling efficiency.

Description

Alarm method and device for a monitoring system
Technical field
This application relates to the field of communication technology, and in particular to an alarm method and device for a monitoring system.
Background
As the construction of monitoring systems for public security, traffic police and similar agencies accelerates, large numbers of monitoring probes are being deployed at every position in cities. The surge in the number of probes also makes the maintenance workload of a monitoring system grow continuously, and being able to raise timely alarms for the problems that arise in the monitoring system is essential to its network security.
In the prior art, once an exception occurs in the monitoring system (for example, a device outside the monitoring system's control connects privately, or non-video traffic appears), the monitoring system sends an alarm prompting administrative staff to handle the abnormal condition, and at the same time saves one alarm log per alarm for the staff to review. When the monitoring system experiences many abnormal conditions, for example when it is under malicious attack, it sends a large number of alarms and saves a large number of alarm logs. Excessive alarms and over-long alarm log listings reduce the efficiency of alarm handling.
Summary of the invention
Embodiments of the present invention provide an alarm method and device for a monitoring system, to solve the problem that existing monitoring alarm techniques lead to low alarm-handling efficiency.
According to a first aspect of the embodiments, an alarm method for a monitoring system is provided. The method is applied to the data server of the monitoring system; the data server receives warning messages from the control management device of the monitoring system, and sends alarms and provides alarm logs to the client of the monitoring system. Each warning message carries an alarm identifier indicating its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The method comprises:
receiving a warning message;
determining the classification field of the received warning message from its alarm identifier and the correspondence between alarm identifiers and classification fields;
if a target alarm log exists among the alarm logs already saved by the data server, writing the message content of the received warning message into the target alarm log and adding 1 to the alarm count of the target alarm log, where the target alarm log is an alarm log whose content for the corresponding classification field is identical to the content of that classification field in the received warning message;
if the alarm count of any alarm log in the data server reaches the threshold preset by the monitoring system, sending an alarm for that alarm log to the client.
According to a second aspect of the embodiments, an alarm device for a monitoring system is provided. The device is applied to the data server of the monitoring system; the data server receives warning messages from the control management device of the monitoring system, and sends alarms and provides alarm logs to the client of the monitoring system. Each warning message carries an alarm identifier indicating its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The device comprises:
a receiving unit, for receiving warning messages;
a determining unit, for determining the classification field of the received warning message from its alarm identifier and the correspondence between alarm identifiers and classification fields;
a writing unit, for writing the message content of the received warning message into the target alarm log when a target alarm log exists among the alarm logs already saved by the data server, where the target alarm log is an alarm log whose content for the corresponding classification field is identical to the content of that classification field in the received warning message;
an accumulating unit, for adding 1 to the alarm count of the target alarm log after the writing unit has written the message content of the received warning message into it;
a transmitting unit, for sending an alarm for any alarm log to the client when the alarm count of that alarm log in the data server reaches the threshold preset by the monitoring system.
It can be seen from the above technical scheme that the embodiments introduce alarm identifiers and classification fields into the monitoring system, merge and classify identical alarm logs in the data server, and send an alarm only when the alarm count has accumulated to a preset threshold. When the monitoring system experiences many abnormal conditions and would otherwise have to send a large number of alarms and save a large number of alarm logs, the embodiments effectively reduce the number of alarms and alarm logs while ensuring the normal operation of the monitoring system, and improve the efficiency with which administrative staff handle alarms.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario of the alarm method of an embodiment of the present invention;
Fig. 2 is a flow chart of one embodiment of the alarm method;
Fig. 3 is a flow chart of another embodiment of the alarm method;
Fig. 4 is a hardware structure diagram of the equipment on which the alarm device is located;
Fig. 5 is a block diagram of one embodiment of the alarm device.
Detailed description
To help those skilled in the art better understand the technical scheme of the embodiments, and to make the above purposes, features and advantages more obvious and understandable, the technical scheme of the embodiments is described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an application scenario of the alarm method of an embodiment of the present invention.
As shown in Fig. 1, the application scenario is a video monitoring system comprising a data server, a client, a control management device and 8 cameras. The control management device is connected to the 8 cameras and to the data server. When an exception occurs on the camera side (a private connection, an impersonated camera, non-video traffic, and so on), the control management device sends a warning message to the data server; the data server processes the warning message, generates an alarm log, sends an alarm to the connected client and provides it with the alarm log.
In the prior art, once an exception occurs in such a video monitoring system, the data server sends an alarm prompting administrative staff to handle the abnormal condition and saves one alarm log per alarm for the staff to review. When the video monitoring system experiences many abnormal conditions, for example when it is under malicious attack, it sends a large number of alarms and saves a large number of alarm logs, and excessive alarms and over-long alarm log listings reduce the efficiency of alarm handling.
The embodiments of the present invention are described in detail below with reference to the application scenario shown in Fig. 1.
Referring to Fig. 2, which is a flow chart of one embodiment of the alarm method, the embodiment is applied to the data server of a monitoring system; the data server receives warning messages from the control management device of the monitoring system, and sends alarms and provides alarm logs to the client of the monitoring system. Each warning message carries an alarm identifier indicating its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The method comprises the following steps:
Step 201: receive a warning message.
Step 202: determine the classification field of the received warning message from its alarm identifier and the correspondence between alarm identifiers and classification fields.
In an optional example, the alarm type of the received warning message is also determined from its alarm identifier and a correspondence between alarm identifiers and alarm types, and the alarm type is associated with the alarm log corresponding to the received warning message. The correspondence between alarm identifiers and alarm types is stored in advance in the data server. The alarm types include: an IP alarm when source-IP authentication fails, a MAC alarm when source-MAC authentication fails, and a dynamic-sensing alarm when authentication of the destination port or protocol fails.
Step 203: if a target alarm log exists among the alarm logs already saved by the data server, write the message content of the received warning message into the target alarm log and add 1 to the alarm count of the target alarm log. The target alarm log is an alarm log whose content for the corresponding classification field is identical to the content of that classification field in the received warning message.
In an optional example, if the content of the corresponding classification field of every alarm log in the data server differs from the content of the classification field of the received warning message, an alarm log is created for the received warning message and its alarm count is recorded as 1.
Step 204: if the alarm count of any alarm log in the data server reaches the threshold preset by the monitoring system, send an alarm for that alarm log to the client.
In an optional example, different alarm levels may be associated with different alarm types, different source IPs or different source MACs; when the alarm count of any alarm log in the data server reaches the preset threshold, the alarm of the level corresponding to that alarm log is sent to the client.
In another optional example, if an alarm log delete instruction is received from the client, the alarm log the delete instruction points to is deleted.
It can be seen from the above that the embodiment introduces alarm identifiers and classification fields into the monitoring system, merges and classifies identical alarm logs in the data server, and sends an alarm only when the alarm count has accumulated to a preset threshold; when many abnormal conditions occur, this effectively reduces the number of alarms and alarm logs while ensuring the normal operation of the monitoring system, and improves the efficiency with which administrative staff handle alarms.
Referring to Fig. 3, which is a flow chart of another embodiment of the alarm method, this embodiment describes the alarm process in detail from the data server side of a video monitoring system. The data server receives warning messages from the control management device of the monitoring system, and sends alarms and provides alarm logs to the client of the monitoring system; each warning message carries an alarm identifier indicating its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The process comprises the following steps:
Step 301: receive a warning message.
Step 302: determine the classification field of the received warning message from its alarm identifier and the correspondence between alarm identifiers and classification fields.
Step 303: judge whether a target alarm log exists among the alarm logs already saved by the data server; if so, perform step 305, otherwise perform step 304.
The target alarm log is an alarm log whose content for the corresponding classification field is identical to the content of that classification field in the received warning message.
Step 304: create an alarm log for the received warning message and record the alarm count of the created alarm log as 1.
In an optional example, the content of an alarm log may include: alarm type, source MAC, source and destination IP, source and destination port numbers, device IP, protocol type, inbound interface, terminal type, time, alarm count, region, specific geographic location, and so on.
Step 305: write the message content of the received warning message into the target alarm log and add 1 to the alarm count of the target alarm log.
Step 306: determine the alarm type of the received warning message from its alarm identifier and the correspondence between alarm identifiers and alarm types, and associate the alarm type with the alarm log corresponding to the received warning message.
In this step, the correspondence between alarm identifiers and alarm types may be stored in advance in the data server. The alarm types may include: an IP alarm when source-IP authentication fails, a MAC alarm when source-MAC authentication fails, and a dynamic-sensing alarm when authentication of the destination port or protocol fails.
Step 307: judge whether the alarm count of the alarm log created in step 304, or of the target alarm log, reaches the preset threshold; if so, perform step 308, otherwise perform step 309.
Step 308: according to the correspondence between alarm types and alarm levels, send to the client the alarm of the level corresponding to the alarm log whose count has reached the preset threshold.
In this step, the correspondence between alarm types and alarm levels is stored in advance in the data server; the alarm levels may be divided into general, prompt and urgent.
In an optional example, different alarm levels may instead be associated with different source IPs or different source MACs.
In another option, the alarm may also be sent to administrative staff by e-mail or SMS. The SMS or e-mail may link to a page on which all log details can be viewed, and the administrator may query alarm logs using log type, source MAC, source IP, destination IP, source port number, destination port number, device IP, protocol type, inbound interface, terminal type, time, alarm count, region, specific geographic location and so on as filter conditions.
Step 309: prepare to receive the next warning message.
In an optional example, if an alarm log delete instruction is received from the client, the alarm log the delete instruction points to is deleted.
It can be seen from the above technical scheme that, on the one hand, the embodiment introduces alarm identifiers and classification fields into the monitoring system, merges and classifies identical alarm logs in the data server, and sends an alarm only when the alarm count has accumulated to a preset threshold; when the monitoring system experiences many abnormal conditions and would otherwise have to send a large number of alarms and save a large number of alarm logs, this effectively reduces the number of alarms and alarm logs while ensuring the normal operation of the monitoring system, and improves the efficiency with which administrative staff handle alarms. On the other hand, by associating different alarm levels with different alarm types, the embodiment lets administrative staff quickly treat alarms of different urgency differently, which further improves their alarm-handling efficiency.
The embodiments are illustrated below by a specific application example, described with reference to the application scenario shown in Fig. 1. Assume that the correspondence between alarm identifiers, classification fields and alarm types, and between alarm types and alarm levels, saved in the data server is as shown in Table 1:
Table 1

Alarm identifier | Classification field          | Alarm type            | Alarm level
1                | Source IP                     | IP alarm              | General
2                | Source MAC                    | MAC alarm             | Prompt
3                | Destination port and protocol | Dynamic-sensing alarm | Urgent
Assume that part of the content of the alarm logs saved in the data server is as shown in Table 2:
Table 2

Log sequence number | Classification field | Source IP | Source MAC     | Alarm count | Alarm type | Alarm level
01                  | Source IP            | 168.1.1.1 | 0000-0000-0001 | 4           | IP alarm   | General
02                  | Source MAC           | 168.1.1.2 | 0000-0000-0003 | 4           | MAC alarm  | Prompt
03                  | Source IP            | 168.1.1.6 | 0000-0000-0005 | 1           | IP alarm   | General
When the data server receives from the control management device warning message 1, with alarm identifier 1, source IP 168.1.1.1 and source MAC 0000-0000-0011, its alarm processing is as follows:
From the correspondence between alarm identifier, classification field and alarm type in Table 1 and the alarm identifier 1 of warning message 1, it determines that the classification field of warning message 1 is the source IP and its alarm type is IP alarm;
From the correspondence between alarm type and alarm level in Table 1 and the IP alarm type of warning message 1, it determines that the alarm level of warning message 1 is general;
From Table 2 it determines that the content of the classification field of the alarm log with sequence number 01 and the content of the classification field of warning message 1 are both 168.1.1.1;
It writes the message content of warning message 1 into alarm log 01 and adds 1 to the alarm count of alarm log 01;
It determines that the alarm count of alarm log 01 now reaches the preset alarm-count threshold of 5, and sends the alarm for the log, at level general, to the client by SMS and e-mail;
Processing of this warning message then ends, and the data server waits for the next warning message;
After receiving from the client a delete instruction for alarm log 01, the data server deletes alarm log 01.
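The aggregation the data server performs in steps 201 to 204 and 301 to 309, run through the worked example above, as an added Python example. It is not code from the patent or from Hangzhou DPTech; the class, function and field names, the dict shape of a warning message, the (classification field, field contents) index key, the per-source level override table and the rejection of unknown alarm identifiers are my own assumptions. Table 1 and Table 2 are transcribed from the example; the message content strings are constructed.

```python
from dataclasses import dataclass, field

# Table 1 of the patent: alarm identifier -> (classification field, alarm type, alarm level).
TABLE_1 = {
    1: ("source_ip", "IP alarm", "general"),
    2: ("source_mac", "MAC alarm", "prompt"),
    3: ("dest_port_and_protocol", "dynamic-sensing alarm", "urgent"),
}


@dataclass
class AlarmLog:
    """One alarm log as saved on the data server (a subset of the fields the patent lists)."""
    seq: str                      # log sequence number: "01", "02", ...
    classification_field: str     # the field this log merges on
    source_ip: str
    source_mac: str
    count: int                    # alarm count
    alarm_type: str
    level: str                    # level from the alarm type: general / prompt / urgent
    messages: list = field(default_factory=list)   # message contents written into the log


def classification_value(cls_field, msg):
    """Field contents compared when looking for a target alarm log (steps 203 / 303)."""
    if cls_field == "dest_port_and_protocol":
        return (msg["dest_port"], msg["protocol"])
    return msg[cls_field]


class DataServer:
    def __init__(self, threshold, table=TABLE_1, level_overrides=None):
        self.threshold = threshold
        self.table = table
        # Optional per-source levels (the patent allows different levels per source IP or
        # MAC); keyed by (classification field, field contents). The key shape is an assumption.
        self.level_overrides = level_overrides or {}
        self.logs = {}      # log sequence number -> AlarmLog
        self.index = {}     # (classification field, field contents) -> log sequence number
        self.sent = []      # (seq, level, alarm type) alarms sent to the client
        self.next_seq = 1

    def load_log(self, log, key_value=None):
        """Preload an already-saved alarm log (a Table 2 row)."""
        if key_value is None:
            key_value = getattr(log, log.classification_field)
        self.logs[log.seq] = log
        self.index[(log.classification_field, key_value)] = log.seq
        self.next_seq = max(self.next_seq, int(log.seq) + 1)

    def receive(self, msg):
        """Steps 301-309 for one warning message; returns the alarm log it was written to."""
        alarm_id = msg["alarm_id"]
        if alarm_id not in self.table:                 # not in the patent: reject unknown identifiers
            raise ValueError(f"unknown alarm identifier {alarm_id!r}")
        cls_field, alarm_type, type_level = self.table[alarm_id]     # steps 302 and 306
        key = (cls_field, classification_value(cls_field, msg))
        seq = self.index.get(key)                      # step 303: is there a target alarm log?
        if seq is None:                                # step 304: create a log; count becomes 1 below
            seq = f"{self.next_seq:02d}"
            self.next_seq += 1
            self.logs[seq] = AlarmLog(seq, cls_field, msg.get("source_ip", ""),
                                      msg.get("source_mac", ""), 0, alarm_type, type_level)
            self.index[key] = seq
        log = self.logs[seq]                           # step 305: write content, count += 1
        log.messages.append(msg.get("content", ""))
        log.count += 1
        if log.count == self.threshold:                # steps 307-308: alert only on reaching the threshold
            level = self.level_overrides.get(key, log.level)
            self.sent.append((seq, level, log.alarm_type))
        return log

    def delete(self, seq):
        """Client-issued delete instruction: remove the log and its index entry."""
        del self.logs[seq]
        self.index = {k: v for k, v in self.index.items() if v != seq}


def worked_example():
    """Table 2 preloaded, threshold 5, then the patent's warning message 1 arrives."""
    srv = DataServer(threshold=5)
    srv.load_log(AlarmLog("01", "source_ip", "168.1.1.1", "0000-0000-0001", 4, "IP alarm", "general"))
    srv.load_log(AlarmLog("02", "source_mac", "168.1.1.2", "0000-0000-0003", 4, "MAC alarm", "prompt"))
    srv.load_log(AlarmLog("03", "source_ip", "168.1.1.6", "0000-0000-0005", 1, "IP alarm", "general"))
    msg1 = {"alarm_id": 1, "source_ip": "168.1.1.1", "source_mac": "0000-0000-0011",
            "content": "source IP authentication failed"}      # constructed content string
    srv.receive(msg1)
    return srv


if __name__ == "__main__":
    srv = worked_example()
    print(srv.logs["01"].count, srv.sent)     # 5 [('01', 'general', 'IP alarm')]
```

The block fires exactly when the count equals the threshold, which is the literal reading of "reaches"; the patent does not say what happens to later messages for the same key, and the count is only reset when the client deletes the log, as in the last step of the example. Two consequences follow directly from the scheme as described and are worth keeping in mind when deploying it: a source that stays below the threshold never surfaces at the client, and once an alarm has fired, further messages for that key are absorbed into the same log until it is deleted, so the delete step is part of the detection loop rather than housekeeping.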
Corresponding to the foregoing embodiments of the alarm method, the present invention also provides embodiments of an alarm device for a monitoring system.
Embodiments of the alarm device of this application can be applied on the data server of a monitoring system. A device embodiment may be implemented in software, or in hardware or a combination of hardware and software. Taking software implementation as an example, the device in a logical sense is formed by the processor of the equipment on which it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 4 is a hardware structure diagram of the equipment on which the alarm device of this application is located; besides the processor, memory, network interface and non-volatile memory shown in Fig. 4, the equipment may also include other hardware according to its actual function, which is not described further here.
Referring to Fig. 5, which is a block diagram of one embodiment of the alarm device, the device is applied to the data server of a monitoring system; the data server receives warning messages from the control management device of the monitoring system, and sends alarms and provides alarm logs to the client of the monitoring system. Each warning message carries an alarm identifier indicating its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The device comprises: a receiving unit 501, a determining unit 502, a writing unit 503, an accumulating unit 504 and a transmitting unit 505;
wherein the receiving unit 501 is for receiving warning messages;
the determining unit 502 is for determining the classification field of the received warning message from its alarm identifier and the correspondence between alarm identifiers and classification fields;
the writing unit 503 is for writing the message content of the received warning message into the target alarm log when a target alarm log exists among the alarm logs already saved by the data server, where the target alarm log is an alarm log whose content for the corresponding classification field is identical to the content of that classification field in the received warning message;
the accumulating unit 504 is for adding 1 to the alarm count of the target alarm log after the writing unit 503 has written the message content of the received warning message into it;
the transmitting unit 505 is for sending an alarm for any alarm log to the client when the alarm count of that alarm log in the data server reaches the threshold preset by the monitoring system.
It can be seen from the above that the embodiment introduces alarm identifiers and classification fields into the monitoring system, merges and classifies identical alarm logs in the data server, and sends an alarm only when the alarm count has accumulated to a preset threshold; when many abnormal conditions occur, this effectively reduces the number of alarms and alarm logs while ensuring the normal operation of the monitoring system, and improves the efficiency with which administrative staff handle alarms.
In an optional example, described device is also included (not shown in Fig. 5):Creating unit 506, recording unit 507。
Wherein, creating unit 506, for when the word of the corresponding classification field of all alarm logs in the data server Section content, is the alarm report of the reception when field contents with the classification field of the warning message of the reception are different from Text creates alarm log;
Recording unit 507, for after creating unit 506 creates alarm log for the warning message of the reception, will create The alarm number of times of the alarm log built is recorded as 1.
In another optional example, the determining unit 502 is additionally operable to:
Alarm identifier and alarm identifier and the corresponding relation of alarm type according to the warning message for being received, determine institute The alarm type of the warning message of reception;
Described device is also included (not shown in Fig. 5):
Associative cell 508, for after the alarm type that the determining unit 502 determines received warning message, inciting somebody to action The alarm type associates the corresponding relation of alarm log corresponding to received warning message, the alarm identifier and alarm type It is pre-stored in data server, the alarm type includes:
MAC alarms, destination interface or the protocol authentication that the IP that source IP certification does not pass through is alerted, source MAC certifications do not pass through are not The dynamic sensing alarm for passing through.
In another optional example, the associative cell 508 is additionally operable to:
It is different alarm types, or,
Different source IPs, or,
Different source MAC associates different alarm levels;
The transmitting element 505, is additionally operable to:
When the default threshold value of the alarm number of times arrival monitoring system of any alarm log in the data server, to visitor Family end sends the alarm of rank corresponding to any alarm log.
In another optional example, described device is also included (not shown in Fig. 5):Delete unit 509;
Unit 509 is deleted, for after receiving unit 501 receives alarm log deletion instruction from client, will delete The alarm log for pointing to is instructed to delete.
From above technical scheme, on the one hand, the embodiment of the present invention by monitoring system introduce alarm identifier with And classification field, identical alarm log in data server merge and has been sorted out, and only when alarm number of times adds up To just sending alarm during a certain predetermined threshold value.When the abnormal conditions that monitoring system occurs are more, it is necessary to send substantial amounts of alarm, and When preserving substantial amounts of alarm log, the embodiment of the present invention can effectively be reduced on the basis of monitoring system normal work is ensured The number of times of alarm and the quantity of alarm log, improve the efficiency of administrative staff's treatment alarm.Another further aspect, the embodiment of the present invention Different alarm levels are associated by for different alarm types, allows administrative staff fast for the different alarm of urgency level The differentiation that gives of speed is treated, and further increases the efficiency of administrative staff's treatment alarm.
For the implementation process of the functions and effects of each unit in the above device, refer to the implementation process of the corresponding step in the above method; it is not repeated here.
Since the device embodiment essentially corresponds to the method embodiment, for related parts refer to the description of the method embodiment. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and a component shown as a unit may or may not be a physical unit, that is, it may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present application shall be included within the scope of protection of the present application.

Claims (10)

1. An alarm method for monitoring, characterized in that the method is applied to a data server of a monitoring system, the data server receives alarm messages from a control and management device of the monitoring system, sends alarms to a client of the monitoring system and provides alarm logs, wherein the alarm message includes an alarm identifier indicating the alarm type, and the data server includes a correspondence between alarm identifiers and classification fields, the method comprising:
receiving an alarm message;
determining the classification field of the received alarm message according to the alarm identifier of the received alarm message and the correspondence between alarm identifiers and classification fields;
if a target alarm log exists among the alarm logs already stored by the data server, writing the message content of the received alarm message into the target alarm log and adding 1 to the alarm count of the target alarm log, the target alarm log being an alarm log whose contents of its corresponding classification field are identical to the contents of the classification field of the received alarm message;
if the alarm count of any alarm log in the data server reaches a preset threshold of the monitoring system, sending an alarm about that alarm log to the client.
2. The method according to claim 1, characterized by further comprising:
if the contents of the corresponding classification fields of all alarm logs in the data server differ from the contents of the classification field of the received alarm message, creating an alarm log for the received alarm message and recording the alarm count of the created alarm log as 1.
3. The method according to claim 1 or 2, characterized by further comprising:
determining the alarm type of the received alarm message according to the alarm identifier of the received alarm message and a correspondence between alarm identifiers and alarm types, and associating the alarm type with the alarm log corresponding to the received alarm message, wherein the correspondence between alarm identifiers and alarm types is pre-stored in the data server, and the alarm type includes:
an IP alarm for a source IP that fails authentication, a MAC alarm for a source MAC that fails authentication, or a dynamic sensing alarm for a destination port or protocol that fails authentication.
4. The method according to claim 3, characterized by further comprising:
associating different alarm levels with different alarm types, or
different source IPs, or
different source MACs;
wherein, if the alarm count of any alarm log in the data server reaches the preset threshold of the monitoring system, sending an alarm to the client comprises:
if the alarm count of any alarm log in the data server reaches the preset threshold of the monitoring system, sending to the client an alarm of the level associated with that alarm log.
5. The method according to claim 1, characterized by further comprising:
if an alarm log deletion instruction is received from the client, deleting the alarm log pointed to by the deletion instruction.
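The method of claims 1 to 5 (and the corresponding units 505 to 509 of the device described above) as one worked example, added here for illustration; it is not the patent's or the applicant's code. The alarm identifiers, classification field names, level tables, the precedence between source IP, source MAC and alarm type when assigning a level, and the sample messages are all assumed values constructed for the example, and alerting only at the moment the count reaches the threshold (rather than on every later message) is an interpretation, since the claims are silent on what happens after the threshold.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed correspondence between alarm identifier and classification field(s)
# (claim 1). Identifiers and field names are constructed for this example.
ALARM_ID_TO_CLASSIFICATION = {
    "IP_AUTH_FAIL": ("src_ip",),
    "MAC_AUTH_FAIL": ("src_mac",),
    "DYN_SENSE_FAIL": ("dst_port", "protocol"),
}

# Assumed correspondence between alarm identifier and alarm type (claim 3).
ALARM_ID_TO_TYPE = {
    "IP_AUTH_FAIL": "ip_alarm",
    "MAC_AUTH_FAIL": "mac_alarm",
    "DYN_SENSE_FAIL": "dynamic_sensing_alarm",
}

# Assumed alarm-level associations (claim 4): per type, per source IP, per source MAC.
LEVEL_BY_TYPE = {"ip_alarm": "major", "mac_alarm": "minor", "dynamic_sensing_alarm": "critical"}
LEVEL_BY_SRC_IP = {"10.0.0.9": "critical"}      # constructed sample override
LEVEL_BY_SRC_MAC: dict[str, str] = {}


@dataclass
class AlarmLog:
    key: tuple                 # (classification field name, content) pairs
    alarm_type: str
    level: str
    count: int
    contents: list[str] = field(default_factory=list)


class DataServer:
    """Data server of the monitoring system: merges identical alarms, alerts on a threshold."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.logs: dict[tuple, AlarmLog] = {}
        self.sent: list[dict] = []     # stand-in for alarms pushed to the client

    @staticmethod
    def classification_key(msg: dict) -> tuple:
        """Claim 1: classification field(s) are looked up by alarm identifier; logs whose
        field contents are identical to the message's are the same alarm."""
        fields = ALARM_ID_TO_CLASSIFICATION[msg["alarm_id"]]
        return tuple((f, msg[f]) for f in fields)

    @staticmethod
    def level_for(msg: dict, alarm_type: str) -> str:
        """Claim 4: level by source IP, then source MAC, then alarm type (precedence assumed)."""
        if msg.get("src_ip") in LEVEL_BY_SRC_IP:
            return LEVEL_BY_SRC_IP[msg["src_ip"]]
        if msg.get("src_mac") in LEVEL_BY_SRC_MAC:
            return LEVEL_BY_SRC_MAC[msg["src_mac"]]
        return LEVEL_BY_TYPE[alarm_type]

    def receive(self, msg: dict) -> Optional[dict]:
        """Process one alarm message; return the alarm sent to the client, or None."""
        key = self.classification_key(msg)
        alarm_type = ALARM_ID_TO_TYPE[msg["alarm_id"]]
        log = self.logs.get(key)
        if log is None:
            # Claim 2: no stored log has matching classification contents -> create, count 1.
            log = AlarmLog(key=key, alarm_type=alarm_type,
                           level=self.level_for(msg, alarm_type),
                           count=1, contents=[msg["content"]])
            self.logs[key] = log
        else:
            # Claim 1: target log exists -> append the content and add 1 to the count.
            log.contents.append(msg["content"])
            log.count += 1
        # Claims 1 and 4: one alarm, at the log's level, when the count reaches the threshold.
        if log.count == self.threshold:
            alarm = {"key": key, "type": log.alarm_type, "level": log.level, "count": log.count}
            self.sent.append(alarm)
            return alarm
        return None

    def delete(self, key: tuple) -> bool:
        """Claim 5: delete the log a client's deletion instruction points to."""
        return self.logs.pop(key, None) is not None


# Constructed sample messages as the control/management device might send them.
SAMPLE_MESSAGES = [
    {"alarm_id": "IP_AUTH_FAIL", "src_ip": "192.0.2.10", "content": "ip auth failed (1)"},
    {"alarm_id": "IP_AUTH_FAIL", "src_ip": "192.0.2.10", "content": "ip auth failed (2)"},
    {"alarm_id": "MAC_AUTH_FAIL", "src_mac": "00:11:22:33:44:55", "content": "mac auth failed"},
    {"alarm_id": "IP_AUTH_FAIL", "src_ip": "192.0.2.10", "content": "ip auth failed (3)"},
    {"alarm_id": "IP_AUTH_FAIL", "src_ip": "10.0.0.9", "content": "ip auth failed, other host"},
    {"alarm_id": "DYN_SENSE_FAIL", "dst_port": 22, "protocol": "tcp", "content": "protocol auth failed"},
]


def run_sample(threshold: int = 3) -> dict:
    """Feed the sample through a server and report what the client would observe."""
    server = DataServer(threshold)
    for msg in SAMPLE_MESSAGES:
        server.receive(msg)
    logs_before = len(server.logs)
    deleted = server.delete((("src_ip", "192.0.2.10"),))
    return {"logs_before_delete": logs_before, "alarms_sent": list(server.sent),
            "deleted": deleted, "logs_after_delete": len(server.logs)}


if __name__ == "__main__":
    print(run_sample())
```

With the sample input, six messages produce four logs and a single alarm (the three identical IP authentication failures from 192.0.2.10 reach the threshold of 3); the second and later messages for the same classification contents are stored but do not generate further alarms. Two points a practitioner should weigh when deploying this scheme: because logs are keyed on the classification field contents, failures spread across many distinct source addresses each count from zero, so the threshold should be chosen with that dilution in mind; and because claim 5 lets a client delete logs, the data server should authenticate and authorize the client before honouring a deletion instruction, since the claims do not say who may issue one.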
6. An alarm device for monitoring, characterized in that the device is applied to a data server of a monitoring system, the data server receives alarm messages from a control and management device of the monitoring system, sends alarms to a client of the monitoring system and provides alarm logs, wherein the alarm message includes an alarm identifier indicating the alarm type, and the data server includes a correspondence between alarm identifiers and classification fields, the device comprising:
a receiving unit, configured to receive an alarm message;
a determining unit, configured to determine the classification field of the received alarm message according to the alarm identifier of the received alarm message and the correspondence between alarm identifiers and classification fields;
a writing unit, configured to, when a target alarm log exists among the alarm logs already stored by the data server, write the message content of the received alarm message into the target alarm log, the target alarm log being an alarm log whose contents of its corresponding classification field are identical to the contents of the classification field of the received alarm message;
an accumulating unit, configured to add 1 to the alarm count of the target alarm log after the writing unit writes the message content of the received alarm message into the target alarm log;
a sending unit, configured to send an alarm about any alarm log to the client when the alarm count of that alarm log in the data server reaches a preset threshold of the monitoring system.
7. The device according to claim 6, characterized by further comprising:
a creating unit, configured to create an alarm log for the received alarm message when the contents of the corresponding classification fields of all alarm logs in the data server differ from the contents of the classification field of the received alarm message;
a recording unit, configured to record the alarm count of the created alarm log as 1 after the creating unit creates the alarm log for the received alarm message.
8. The device according to claim 6 or 7, characterized in that the determining unit is further configured to:
determine the alarm type of the received alarm message according to the alarm identifier of the received alarm message and a correspondence between alarm identifiers and alarm types;
and the device further comprises:
an association unit, configured to associate the alarm type with the alarm log corresponding to the received alarm message after the determining unit determines the alarm type of the received alarm message, wherein the correspondence between alarm identifiers and alarm types is pre-stored in the data server, and the alarm type includes:
an IP alarm for a source IP that fails authentication, a MAC alarm for a source MAC that fails authentication, or a dynamic sensing alarm for a destination port or protocol that fails authentication.
9. The device according to claim 8, characterized in that the association unit is further configured to associate different alarm levels with:
different alarm types, or
different source IPs, or
different source MACs;
and the sending unit is further configured to:
when the alarm count of any alarm log in the data server reaches the preset threshold of the monitoring system, send to the client an alarm of the level associated with that alarm log.
10. The device according to claim 6, characterized by further comprising:
a deletion unit, configured to delete the alarm log pointed to by an alarm log deletion instruction after the receiving unit receives that instruction from the client.
CN201710064475.0A 2017-02-04 2017-02-04 Monitoring alarm method and device Active CN106713049B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710064475.0A CN106713049B (en) 2017-02-04 2017-02-04 Monitoring alarm method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710064475.0A CN106713049B (en) 2017-02-04 2017-02-04 Monitoring alarm method and device

Publications (2)

Publication Number Publication Date
CN106713049A true CN106713049A (en) 2017-05-24
CN106713049B CN106713049B (en) 2020-08-04

Family

ID=58910284

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710064475.0A Active CN106713049B (en) 2017-02-04 2017-02-04 Monitoring alarm method and device

Country Status (1)

Country Link
CN (1) CN106713049B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1523802A (en) * 2003-09-05 2004-08-25 中兴通讯股份有限公司 A method for preventing alarm storm in CDMA system
CN101247269A (en) * 2008-03-05 2008-08-20 中兴通讯股份有限公司 Method for automatically discovering association rule for judging redundant alarm
CN101345972A (en) * 2008-08-26 2009-01-14 ***通信集团福建有限公司 Network element alarming intelligent monitoring system
CN101360313A (en) * 2007-08-01 2009-02-04 中兴通讯股份有限公司 Method for uploading alarm quantity information to network management system by network element management system
CN102546216A (en) * 2010-12-30 2012-07-04 ***通信集团山东有限公司 Method for processing alarm messages in network management system and network management system
US20130227589A1 (en) * 2012-02-27 2013-08-29 Hitachi, Ltd. Monitoring system and monitoring program
CN104537796A (en) * 2014-12-17 2015-04-22 深圳市中科安防科技有限公司 Alarm message processing system and method

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107171873A (en) * 2017-07-21 2017-09-15 北京微影时代科技有限公司 A kind of method and apparatus of Message Processing
CN107707380A (en) * 2017-07-31 2018-02-16 贵州白山云科技有限公司 A kind of monitoring alarm method and apparatus
CN109391496A (en) * 2017-08-10 2019-02-26 大唐移动通信设备有限公司 Alarm log method for uploading and device
CN109039718B (en) * 2018-07-19 2021-06-25 江苏满运软件科技有限公司 Online service warning method and system
CN109039718A (en) * 2018-07-19 2018-12-18 江苏满运软件科技有限公司 A kind of alarm method and system of online service
CN109218102A (en) * 2018-09-26 2019-01-15 江苏满运软件科技有限公司 A kind of alarm monitoring method and system
CN109361537A (en) * 2018-10-10 2019-02-19 广东信通通信有限公司 Network system monitoring method, device, computer equipment and storage medium
CN109412852B (en) * 2018-10-29 2022-05-03 京信网络***股份有限公司 Alarm method, alarm device, computer equipment and storage medium
CN109412852A (en) * 2018-10-29 2019-03-01 京信通信***(中国)有限公司 Alarm method, device, computer equipment and storage medium
CN109450727A (en) * 2018-11-01 2019-03-08 广州市百果园信息技术有限公司 A kind of methods of exhibiting of network monitoring data, device, equipment and storage medium
CN109194532A (en) * 2018-11-07 2019-01-11 广东电网有限责任公司 A kind of method for pushing and device of power grid warning information
CN109412870B (en) * 2018-12-10 2022-07-01 网宿科技股份有限公司 Alarm monitoring method and platform, server and storage medium
CN109412870A (en) * 2018-12-10 2019-03-01 网宿科技股份有限公司 Alarm monitoring method and platform, server, storage medium
CN110191094A (en) * 2019-04-26 2019-08-30 北京奇安信科技有限公司 Monitoring method and device, storage medium, the terminal of abnormal data
CN110598180A (en) * 2019-08-30 2019-12-20 国家电网有限公司 Event detection method, device and system based on statistical analysis
CN110535702A (en) * 2019-08-30 2019-12-03 北京神州绿盟信息安全科技股份有限公司 A kind of alarm information processing method and device
CN110535702B (en) * 2019-08-30 2022-07-12 绿盟科技集团股份有限公司 Alarm information processing method and device
CN110598180B (en) * 2019-08-30 2022-09-09 国家电网有限公司 Event detection method, device and system based on statistical analysis
CN111092758A (en) * 2019-12-06 2020-05-01 上海上讯信息技术股份有限公司 Method and device for reducing alarm and recovering false alarm and electronic equipment
CN111740868A (en) * 2020-07-07 2020-10-02 腾讯科技(深圳)有限公司 Alarm data processing method and device and storage medium
CN111740868B (en) * 2020-07-07 2023-12-15 腾讯科技(深圳)有限公司 Alarm data processing method and device and storage medium
WO2022048671A1 (en) * 2020-09-07 2022-03-10 华为技术有限公司 Method and apparatus for event categorization
CN112347057A (en) * 2020-10-19 2021-02-09 云南电网有限责任公司 Processing method for abnormal alarm analysis and handling of power dispatching information system
CN113192331A (en) * 2021-04-26 2021-07-30 吉林大学 Intelligent early warning system and early warning method for riding safety in internet environment

Also Published As

Publication number Publication date
CN106713049B (en) 2020-08-04

Similar Documents

Publication Publication Date Title
CN106713049A (en) Alarm method and device of monitor
CN108932426B (en) Unauthorized vulnerability detection method and device
US9686301B2 (en) Method and system for virtual asset assisted extrusion and intrusion detection and threat scoring in a cloud computing environment
CN100448203C (en) System and method for identifying and preventing malicious intrusions
EP3108395B1 (en) Targeted attack protection using predictive sandboxing
US8544099B2 (en) Method and device for questioning a plurality of computerized devices
US9264441B2 (en) System and method for securing a network from zero-day vulnerability exploits
US8015604B1 (en) Hierarchical architecture in a network security system
CN111274583A (en) Big data computer network safety protection device and control method thereof
US11882140B1 (en) System and method for detecting repetitive cybersecurity attacks constituting an email campaign
US20130081065A1 (en) Dynamic Multidimensional Schemas for Event Monitoring
US20130081141A1 (en) Security threat detection associated with security events and an actor category model
EP2180660A1 (en) Method and system for statistical analysis of botnets
CN105376210A (en) Account threat identification and defense method and system
KR102160950B1 (en) Data Distribution System and Its Method for Security Vulnerability Inspection
CN105959290A (en) Detection method and device of attack message
CN110210213A (en) The method and device of filtering fallacious sample, storage medium, electronic device
CN106254353A (en) The update method of IPS strategy and device
US20090300156A1 (en) Methods And Systems For Managing Security In A Network
CN111859374B (en) Method, device and system for detecting social engineering attack event
CN110149319A (en) The method for tracing and device, storage medium, electronic device of APT tissue
US9027120B1 (en) Hierarchical architecture in a network security system
CN116545678A (en) Network security protection method, device, computer equipment and storage medium
CN113098852B (en) Log processing method and device
US20220086173A1 (en) Improving incident classification and enrichment by leveraging context from multiple security agents

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant