CN106713049B - Monitoring alarm method and device - Google Patents

Monitoring alarm method and device

Publication number: CN106713049B (other version: CN106713049A)
Application number: CN201710064475.0A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 李奉超
Assignee: Hangzhou DPTech Technologies Co Ltd
Legal status: Active

Classifications

    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L41/0695 Management of faults, events, alarms or notifications, the faulty arrangement being the maintenance, administration or management system
    • H04L63/1425 Traffic logging, e.g. anomaly detection


Abstract

The invention provides a monitoring alarm method and a monitoring alarm device. The method comprises the following steps: receiving an alarm message; determining the classification field of the alarm message; writing the message content of the received alarm message into the target alarm log that has the same classification-field content, and accumulating the alarm times of that target alarm log by 1; and sending an alarm to the client only for an alarm log whose alarm times have reached the threshold. In this technical scheme, an alarm identifier and a classification field are introduced into the monitoring system, alarm logs with the same classification-field content are merged, and an alarm is sent only when the accumulated alarm times reach the preset threshold. When the monitoring system has many abnormal conditions, so that a large number of alarms would otherwise be sent and a large number of alarm logs stored, the embodiment of the invention effectively reduces both the number of alarms and the number of alarm logs while keeping the monitoring system working normally, and improves the efficiency with which administrators process alarms.

Description

Monitoring alarm method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a monitoring alarm method and apparatus.
Background
With the accelerated construction of monitoring systems such as those of public security and traffic police, a large number of monitoring probes have been deployed on a large scale at various locations in cities. The rapid growth in the number of monitoring probes also continuously increases the maintenance workload of the monitoring system, so raising timely alarms for problems that occur in the monitoring system is of great importance to achieving network security for the monitoring system.
In the prior art, once an abnormality occurs in a monitoring system, for example an unauthorized device that is not part of the monitoring system is connected, or non-video traffic appears, the monitoring system sends an alarm to prompt an administrator to handle the abnormal condition, and at the same time stores an alarm log for each alarm for the administrator to check. When the monitoring system has many abnormal conditions, for example when it suffers a malicious attack, it sends a large number of alarms and stores a large number of alarm logs. Too many alarms and too many listed alarm logs reduce the efficiency of alarm processing.
Disclosure of Invention
The embodiment of the invention provides a monitoring alarm method and a monitoring alarm device, intended to solve the problem of low alarm-processing efficiency in existing monitoring alarm technology.
According to a first aspect of an embodiment of the present invention, a monitoring alarm method is provided. The method is applied to a data server of a monitoring system; the data server receives alarm messages from a control management device of the monitoring system, sends alarms to a client of the monitoring system, and provides alarm logs; each alarm message includes an alarm identifier that marks its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The method includes:
receiving an alarm message;
determining the classification field of the received alarm message according to its alarm identifier and the correspondence between the alarm identifier and the classification field;
if a target alarm log exists among the alarm logs stored by the data server, writing the message content of the received alarm message into the target alarm log and accumulating the alarm times of the target alarm log by 1, where the target alarm log is an alarm log whose content in the corresponding classification field is the same as the content of the classification field of the received alarm message;
and if the alarm times of any alarm log in the data server reach a threshold preset by the monitoring system, sending an alarm about that alarm log to the client.
According to a second aspect of the embodiments of the present invention, a monitoring alarm device is provided. The device is applied to a data server of a monitoring system; the data server receives alarm messages from a control management device of the monitoring system, sends alarms to a client of the monitoring system, and provides alarm logs; each alarm message includes an alarm identifier that marks its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The device includes:
a receiving unit, configured to receive an alarm message;
a determining unit, configured to determine the classification field of the received alarm message according to its alarm identifier and the correspondence between the alarm identifier and the classification field;
a writing unit, configured to write the message content of the received alarm message into a target alarm log when such a target alarm log exists among the alarm logs stored by the data server, where the target alarm log is an alarm log whose content in the corresponding classification field is the same as the content of the classification field of the received alarm message;
an accumulation unit, configured to accumulate the alarm times of the target alarm log by 1 after the writing unit writes the message content of the received alarm message into the target alarm log;
and a sending unit, configured to send an alarm about any alarm log to the client when the alarm times of that alarm log in the data server reach a threshold preset by the monitoring system.
In this technical scheme, an alarm identifier and a classification field are introduced into the monitoring system, alarm logs in the data server that share the same classification-field content are merged and classified, and an alarm is sent only when the accumulated alarm times reach a preset threshold. When the monitoring system has many abnormal conditions, so that a large number of alarms would otherwise be sent and a large number of alarm logs stored, the embodiment of the invention effectively reduces both the number of alarms and the number of alarm logs while keeping the monitoring system working normally, and improves the efficiency with which administrators process alarms.
Drawings
FIG. 1 is a schematic diagram of an application scenario of a method for monitoring alarms according to an embodiment of the present invention;
FIG. 2 is a flow diagram of one embodiment of a method of monitoring alarms of the present invention;
FIG. 3 is a flow chart of another embodiment of a method of monitoring alarms in accordance with the present invention;
FIG. 4 is a hardware block diagram of the apparatus in which the alarm monitoring device of the present invention is located;
FIG. 5 is a block diagram of an apparatus for monitoring alarms in accordance with one embodiment of the present invention.
Detailed Description
In order to make the technical solutions in the embodiments of the present invention better understood and make the above objects, features and advantages of the embodiments of the present invention more obvious and understandable to those skilled in the art, the technical solutions in the embodiments of the present invention are further described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic view of an application scenario of the monitoring alarm method according to the embodiment of the present invention.
As shown in fig. 1, the application scenario is a video monitoring system that includes a data server, a client, a control management device and 8 cameras. The control management device is connected to the 8 cameras and to the data server. When an abnormality occurs on the camera side (an unauthorized device is connected, a camera is counterfeited, non-video traffic appears, and the like), the control management device sends an alarm message to the data server; the data server processes the alarm message to generate an alarm log, sends an alarm to the client connected to it, and provides the alarm log.
In the prior art, once the video monitoring system is abnormal, the data server sends an alarm to prompt an administrator to handle the abnormal condition, and at the same time stores an alarm log for each alarm for the administrator to check. When the video monitoring system has many abnormal conditions, for example when it is attacked maliciously, it sends a large number of alarms and stores a large number of alarm logs. Too many alarms and too many listed alarm logs reduce the efficiency of alarm processing.
The following describes an embodiment of the present invention in detail with reference to an application scenario shown in fig. 1.
Referring to fig. 2, fig. 2 is a flowchart of an embodiment of a monitoring alarm method according to the present invention. The embodiment is applied to a data server of a monitoring system; the data server receives alarm messages from a control management device of the monitoring system, sends alarms to a client of the monitoring system, and provides alarm logs; each alarm message includes an alarm identifier that marks its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The method includes the following steps:
Step 201: receive an alarm message.
Step 202: determine the classification field of the received alarm message according to its alarm identifier and the correspondence between the alarm identifier and the classification field.
In an optional example, the method includes determining an alarm type of a received alarm message according to an alarm identifier of the received alarm message and a corresponding relationship between the alarm identifier and the alarm type, and associating the alarm type to an alarm log corresponding to the received alarm message, where the corresponding relationship between the alarm identifier and the alarm type is stored in a data server in advance, and the alarm type includes: IP alarm that source IP authentication fails, MAC alarm that source MAC authentication fails, dynamic perception alarm that destination port or protocol authentication fails.
Step 203: if a target alarm log exists among the alarm logs stored in the data server, write the message content of the received alarm message into the target alarm log and accumulate the alarm times of the target alarm log by 1, where the target alarm log is an alarm log whose content in the corresponding classification field is the same as the content of the classification field of the received alarm message.
In an optional example, if the classification-field content of every alarm log in the data server differs from the classification-field content of the received alarm message, an alarm log is created for the received alarm message, and the alarm times of the created alarm log are recorded as 1.
Step 204: if the alarm times of any alarm log in the data server reach a threshold preset by the monitoring system, send an alarm about that alarm log to the client.
In an alternative example, different alarm types, different source IPs or different source MACs may be associated with different alarm levels; if the alarm times of any alarm log in the data server reach the threshold preset by the monitoring system, an alarm of the level corresponding to that alarm log is sent to the client.
In another alternative example, if an alarm log deletion instruction is received from the client, the alarm log to which the deletion instruction points is deleted.
In this technical scheme, an alarm identifier and a classification field are introduced into the monitoring system, alarm logs in the data server that share the same classification-field content are merged and classified, and an alarm is sent only when the accumulated alarm times reach a preset threshold. When the monitoring system has many abnormal conditions, so that a large number of alarms would otherwise be sent and a large number of alarm logs stored, the embodiment of the invention effectively reduces both the number of alarms and the number of alarm logs while keeping the monitoring system working normally, and improves the efficiency with which administrators process alarms.
Referring to fig. 3, fig. 3 is a flowchart of another embodiment of the monitoring alarm method according to the present invention, which describes the alarm processing flow in detail from the data server side of a video monitoring system. The data server receives alarm messages from a control management device of the monitoring system, sends alarms to a client of the monitoring system, and provides alarm logs; each alarm message includes an alarm identifier that marks its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The process includes the following steps:
Step 301: receive an alarm message.
Step 302: determine the classification field of the received alarm message according to its alarm identifier and the correspondence between the alarm identifier and the classification field.
Step 303: judge whether a target alarm log exists among the alarm logs saved by the data server; if so, execute step 305, otherwise execute step 304.
The target alarm log is an alarm log whose content in the corresponding classification field is the same as the content of the classification field of the received alarm message.
Step 304: create an alarm log for the received alarm message, and record the alarm times of the created alarm log as 1.
In an optional example, the content of an alarm log may include: alarm type, source MAC, source and destination IP, source and destination port number, device IP, protocol type, input interface, terminal type, time, alarm times, region, specific geographic location, etc.
Step 305: write the message content of the received alarm message into the target alarm log, and accumulate the alarm times of the target alarm log by 1.
Step 306: determine the alarm type of the received alarm message according to its alarm identifier and the correspondence between the alarm identifier and the alarm type, and associate that alarm type with the alarm log corresponding to the received alarm message.
In this step, the correspondence between the alarm identifier and the alarm type may be pre-stored in the data server, and the alarm type may include: IP alarm that source IP authentication fails, MAC alarm that source MAC authentication fails, dynamic perception alarm that destination port or protocol authentication fails.
Step 307: judge whether the alarm times of the alarm log created in step 304, or of the target alarm log, have reached the preset threshold; if so, execute step 308, otherwise execute step 309.
Step 308: according to the correspondence between the different alarm types and the different alarm levels, send an alarm of the level corresponding to the alarm log that reached the preset threshold to the client.
In this step, the corresponding relationship between the different alarm types and the different alarm levels is pre-stored in the data server, and the alarm levels may be general, prompt, and emergency.
In an alternative example, different alarm levels may be associated for different source IPs, or different source MACs.
In another optional mode, the alarm can be sent to the administrator by e-mail or SMS; the SMS or e-mail can link to a page for viewing the details of all logs, and the administrator can query the alarm logs using log type, source MAC, source IP, destination IP, source port number, destination port number, device IP, protocol type, input interface, terminal type, time, alarm times, region, specific geographic location, and the like as filter conditions.
Step 309: ready to receive the next alarm message.
In an alternative example, if an alarm log deletion instruction is received from the client, the alarm log pointed to by the deletion instruction is deleted.
As can be seen from the above technical solutions, on the one hand the embodiments of the present invention introduce an alarm identifier and a classification field into the monitoring system, so that alarm logs in the data server with the same classification-field content are merged and classified, and an alarm is issued only when the accumulated alarm times reach a preset threshold. When the monitoring system has many abnormal conditions, so that a large number of alarms would otherwise be sent and a large number of alarm logs stored, the embodiment of the invention effectively reduces both the number of alarms and the number of alarm logs while keeping the monitoring system working normally, and improves the efficiency with which administrators process alarms. On the other hand, the embodiment of the invention associates different alarm levels with different alarm types, so that the administrator can quickly distinguish and handle alarms of different urgency, which further improves the administrator's alarm-processing efficiency.
The following describes an embodiment of the present invention with a specific application example, in conjunction with the application scenario shown in fig. 1. Assume that the correspondence stored in the data server between the alarm identifier, the classification field and the alarm type, and the correspondence between the alarm type and the alarm level, are as shown in table 1:
TABLE 1
Alarm identifier | Classification field          | Alarm type               | Alarm level
1                | Source IP                     | IP alarm                 | General
2                | Source MAC                    | MAC alarm                | Prompt
3                | Destination port and protocol | Dynamic perception alarm | Emergency
Assume that the contents of the alarm logs saved in the data server are as shown in table 2:
TABLE 2
Log serial number | Classification field | Source IP | Source MAC     | Alarm times | Alarm type | Alarm level
01                | Source IP            | 168.1.1.1 | 0000-0000-0001 | 4           | IP alarm   | General
02                | Source MAC           | 168.1.1.2 | 0000-0000-0003 | 4           | MAC alarm  | Prompt
03                | Source IP            | 1.8.1.1.6 | 0000-0000-0005 | 1           | IP alarm   | General
When the data server receives alarm message-1, with alarm identifier 01, source IP 168.1.1.1 and source MAC 0000-:
determine, from the correspondence between alarm identifier, classification field and alarm type in table 1 and the alarm identifier 01 of the received alarm message-1, that the classification field of alarm message-1 is the source IP and its alarm type is IP alarm;
determine, from the correspondence between alarm type and alarm level in table 1 and the IP alarm type of alarm message-1, that the alarm level of alarm message-1 is general;
determine from table 2 that the classification-field content (168.1.1.1) of the alarm log with log serial number 01 stored in the data server is the same as the classification-field content of alarm message-1;
write the message content of alarm message-1 into the alarm log with log serial number 01, and accumulate the alarm times of that alarm log by 1;
judge that the alarm times of the alarm log with log serial number 01 have reached the preset alarm-times threshold of 5, and send the alarm log, with the alarm level general, to the client by SMS and e-mail;
when the processing flow for this alarm message is finished, wait to receive the next alarm message;
and when a deletion instruction for the alarm log with log serial number 01 is received from the client, delete that alarm log.
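The processing flow of steps 301 to 309 and the worked example above, as an added Python model that is not part of the patent and not the assignee's code: it loads table 1, replays constructed messages to reach the table 2 state, then feeds alarm message-1 and returns the alarm the client would receive. Assumptions: the alarm identifier 01 of message-1 is table 1's identifier 1; the truncated source MAC is taken from row 01 of table 2; the third row's source IP is constructed; and the alarm fires once, when the count first reaches the threshold.

```python
from dataclasses import dataclass, field

# Table 1 of the worked example: alarm identifier -> (classification field,
# alarm type, alarm level). The classification field decides which part of a
# message makes two alarms "the same" so that they share one alarm log.
ALARM_TABLE = {
    1: ("source_ip", "IP alarm", "general"),
    2: ("source_mac", "MAC alarm", "prompt"),
    3: ("dst_port_proto", "dynamic perception alarm", "emergency"),
}

THRESHOLD = 5  # alarm-times threshold preset by the monitoring system (worked-example value)


@dataclass
class AlarmLog:
    seq: int              # log serial number (01, 02, ... in table 2)
    class_field: str      # name of the classification field
    class_value: str      # content of that field shared by every merged message
    alarm_type: str
    level: str
    count: int = 0        # "alarm times"
    messages: list = field(default_factory=list)


class DataServer:
    """Models the data server's handling of one alarm message (fig. 3, steps 301-309)."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.logs = {}        # (class_field, class_value) -> AlarmLog
        self.next_seq = 1
        self.sent = []        # alarms delivered to the client, kept for inspection

    @staticmethod
    def _class_value(msg, class_field):
        # Identifier 3 classifies on destination port and protocol together.
        if class_field == "dst_port_proto":
            return f"{msg['dst_port']}/{msg['protocol']}"
        return msg[class_field]

    def receive(self, msg):
        """Steps 301-308. Returns the alarm sent to the client, or None."""
        # Steps 302/306: look up classification field, alarm type and level.
        if msg["alarm_id"] not in ALARM_TABLE:
            raise ValueError(f"unknown alarm identifier {msg['alarm_id']!r}")
        class_field, alarm_type, level = ALARM_TABLE[msg["alarm_id"]]
        key = (class_field, self._class_value(msg, class_field))
        # Step 303: is there a target log with the same classification-field content?
        log = self.logs.get(key)
        if log is None:
            # Step 304: create a new log; its count becomes 1 below.
            log = AlarmLog(self.next_seq, class_field, key[1], alarm_type, level)
            self.next_seq += 1
            self.logs[key] = log
        # Step 305: write the message content and accumulate the count by 1.
        log.messages.append(msg)
        log.count += 1
        # Steps 307/308: alarm only when the count reaches the threshold. Assumption:
        # the alarm fires once, at the threshold; later messages keep merging silently
        # until the client deletes the log (the patent does not specify more).
        if log.count == self.threshold:
            alarm = {"seq": log.seq, "level": log.level, "type": log.alarm_type,
                     "field": class_field, "value": key[1], "count": log.count}
            self.sent.append(alarm)
            return alarm
        return None

    def delete(self, seq):
        """Client's alarm-log deletion instruction. Returns True if a log was removed."""
        for key, log in list(self.logs.items()):
            if log.seq == seq:
                del self.logs[key]
                return True
        return False


def build_table2_server():
    """Reproduce the table 2 state by replaying constructed messages."""
    srv = DataServer()
    rows = [  # (alarm_id, source_ip, source_mac, count); the third IP is constructed
        (1, "168.1.1.1", "0000-0000-0001", 4),
        (2, "168.1.1.2", "0000-0000-0003", 4),
        (1, "168.1.1.6", "0000-0000-0005", 1),
    ]
    for alarm_id, ip, mac, count in rows:
        for _ in range(count):
            srv.receive({"alarm_id": alarm_id, "source_ip": ip, "source_mac": mac})
    return srv


def run_worked_example():
    """Feed alarm message-1 (identifier 1, source IP 168.1.1.1) into the table 2 state."""
    srv = build_table2_server()
    message_1 = {"alarm_id": 1, "source_ip": "168.1.1.1", "source_mac": "0000-0000-0001"}
    return srv, srv.receive(message_1)


if __name__ == "__main__":
    server, alarm = run_worked_example()
    print("alarm sent to client:", alarm)
    print("alarm times per log:", {k: v.count for k, v in server.logs.items()})
    print("deleted log 01:", server.delete(1))
```

Running it shows log 01 going from 4 to 5 alarm times and a single general-level IP alarm leaving for the client, while the other two logs stay silent.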
Corresponding to the embodiment of the alarm method for monitoring, the application also provides an embodiment of the alarm device for monitoring.
The embodiment of the monitoring alarm device can be applied to a data server of a monitoring system. The device embodiment may be implemented by software, by hardware, or by a combination of hardware and software. Taking software as an example, the device is formed as a logical means by the processor of the host device reading the corresponding computer program instructions from non-volatile memory into memory and running them. In terms of hardware, fig. 4 shows the hardware structure of the device on which the monitoring alarm apparatus of the present application is located; besides the processor, memory, network interface and non-volatile memory shown in fig. 4, the host device in this embodiment may also include other hardware according to its actual function, which is not described again.
Referring to fig. 5, a block diagram of an embodiment of a monitoring alarm apparatus according to the present invention is shown. The apparatus is applied to a data server of a monitoring system; the data server receives alarm messages from a control management device of the monitoring system, sends alarms to a client of the monitoring system, and provides alarm logs; each alarm message includes an alarm identifier that marks its alarm type, and the data server holds a correspondence between alarm identifiers and classification fields. The apparatus includes: a receiving unit 501, a determining unit 502, a writing unit 503, an accumulating unit 504, and a sending unit 505;
the receiving unit 501 is configured to receive an alarm message;
the determining unit 502 is configured to determine the classification field of the received alarm message according to its alarm identifier and the correspondence between the alarm identifier and the classification field;
the writing unit 503 is configured to write the message content of the received alarm message into a target alarm log when such a target alarm log exists among the alarm logs stored by the data server, where the target alarm log is an alarm log whose content in the corresponding classification field is the same as the content of the classification field of the received alarm message;
the accumulation unit 504 is configured to accumulate the alarm times of the target alarm log by 1 after the writing unit 503 writes the message content of the received alarm message into the target alarm log;
the sending unit 505 is configured to send an alarm about any alarm log to the client when the alarm times of that alarm log in the data server reach a threshold preset by the monitoring system.
In this technical scheme, an alarm identifier and a classification field are introduced into the monitoring system, alarm logs in the data server that share the same classification-field content are merged and classified, and an alarm is sent only when the accumulated alarm times reach a preset threshold. When the monitoring system has many abnormal conditions, so that a large number of alarms would otherwise be sent and a large number of alarm logs stored, the embodiment of the invention effectively reduces both the number of alarms and the number of alarm logs while keeping the monitoring system working normally, and improves the efficiency with which administrators process alarms.
In an optional example, the apparatus further comprises (not shown in fig. 5): a creating unit and a recording unit.
The creating unit is used for creating an alarm log for the received alarm message when the field contents of the classification fields corresponding to all the alarm logs in the data server are different from the field contents of the classification fields of the received alarm message;
and the recording unit is used for recording the alarm frequency of the created alarm log as 1 after the creating unit creates the alarm log for the received alarm message.
In another optional example, the determining unit 502 is further configured to:
determining the alarm type of the received alarm message according to the alarm identifier of the received alarm message and the corresponding relation between the alarm identifier and the alarm type;
the device further comprises (not shown in fig. 5):
an association unit, configured to associate the alarm type with the alarm log corresponding to the received alarm message after the determining unit 502 determines the alarm type of the received alarm message, where the correspondence between the alarm identifier and the alarm type is stored in the data server in advance, and the alarm type includes:
IP alarm that source IP authentication fails, MAC alarm that source MAC authentication fails, dynamic perception alarm that destination port or protocol authentication fails.
In another optional example, the associating unit is further configured to associate different alarm levels with different alarm types, with different source IPs, or with different source MACs;
and the sending unit 505 is further configured to send an alarm of the level corresponding to any alarm log to the client when the alarm times of that alarm log in the data server reach the threshold preset by the monitoring system.
In another optional example, the apparatus further comprises (not shown in fig. 5): a deletion unit;
and the deleting unit is configured to delete the alarm log pointed by the deleting instruction after the receiving unit 501 receives the alarm log deleting instruction from the client.
As can be seen from the above technical solutions, on the one hand the embodiments of the present invention introduce an alarm identifier and a classification field into the monitoring system, so that alarm logs in the data server with the same classification-field content are merged and classified, and an alarm is issued only when the accumulated alarm times reach a preset threshold. When the monitoring system has many abnormal conditions, so that a large number of alarms would otherwise be sent and a large number of alarm logs stored, the embodiment of the invention effectively reduces both the number of alarms and the number of alarm logs while keeping the monitoring system working normally, and improves the efficiency with which administrators process alarms. On the other hand, the embodiment of the invention associates different alarm levels with different alarm types, so that the administrator can quickly distinguish and handle alarms of different urgency, which further improves the administrator's alarm-processing efficiency.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. A monitoring alarm method, applied to a data server of a monitoring system, wherein the data server receives an alarm message from a control management device of the monitoring system, sends an alarm to a client of the monitoring system and provides an alarm log, the alarm message comprises an alarm identifier marking an alarm type, and the data server holds a correspondence between the alarm identifier and a classification field, the method comprising the following steps:
receiving an alarm message;
determining the classification field of the received alarm message according to the alarm identifier of the received alarm message and the correspondence between the alarm identifier and the classification field;
if a target alarm log exists among the alarm logs stored by the data server, writing the message content of the received alarm message into the target alarm log and incrementing the alarm count of the target alarm log by 1, wherein the target alarm log is the alarm log whose corresponding classification field has the same field content as the classification field of the received alarm message;
if the alarm count of any alarm log in the data server reaches a threshold preset by the monitoring system, sending an alarm about that alarm log to the client;
and if an alarm log deleting instruction is received from the client, deleting the alarm log pointed to by the deleting instruction.
2. The method of claim 1, further comprising:
if the field contents of the classification fields corresponding to all alarm logs in the data server differ from the field content of the classification field of the received alarm message, creating an alarm log for the received alarm message and recording the alarm count of the created alarm log as 1.
3. The method of claim 1 or 2, further comprising:
determining the alarm type of the received alarm message according to the alarm identifier of the received alarm message and the correspondence between the alarm identifier and the alarm type, and associating the alarm type with the alarm log corresponding to the received alarm message, wherein the correspondence between the alarm identifier and the alarm type is stored in the data server in advance, and the alarm type comprises:
an IP alarm indicating that source IP authentication failed, a MAC alarm indicating that source MAC authentication failed, and a dynamic perception alarm indicating that destination port or protocol authentication failed.
4. The method of claim 3, further comprising:
associating different alarm types, or different source IPs, or different source MACs with different alarm levels;
wherein, if the alarm count of any alarm log in the data server reaches the threshold preset by the monitoring system, sending an alarm to the client comprises:
if the alarm count of any alarm log in the data server reaches the threshold preset by the monitoring system, sending an alarm of the level corresponding to that alarm log to the client.
5. A monitoring alarm device, applied to a data server of a monitoring system, wherein the data server receives an alarm message from a control management device of the monitoring system, sends an alarm to a client of the monitoring system and provides an alarm log, the alarm message comprises an alarm identifier marking an alarm type, and the data server holds a correspondence between the alarm identifier and a classification field, the device comprising:
a receiving unit, configured to receive an alarm message;
a determining unit, configured to determine the classification field of the received alarm message according to the alarm identifier of the received alarm message and the correspondence between the alarm identifier and the classification field;
a writing unit, configured to write the message content of the received alarm message into a target alarm log when the alarm logs stored by the data server contain the target alarm log, where the target alarm log is the alarm log whose corresponding classification field has the same field content as the classification field of the received alarm message;
an accumulation unit, configured to increment the alarm count of the target alarm log by 1 after the writing unit writes the message content of the received alarm message into the target alarm log;
a sending unit, configured to send an alarm about any alarm log to the client when the alarm count of that alarm log in the data server reaches a threshold preset by the monitoring system;
and a deleting unit, configured to delete the alarm log pointed to by the deleting instruction after the receiving unit receives an alarm log deleting instruction from the client.
6. The apparatus of claim 5, further comprising:
a creating unit, configured to create an alarm log for the received alarm message when the field contents of the classification fields corresponding to all alarm logs in the data server differ from the field content of the classification field of the received alarm message;
and a recording unit, configured to record the alarm count of the created alarm log as 1 after the creating unit creates the alarm log for the received alarm message.
7. The apparatus according to claim 5 or 6, wherein the determining unit is further configured to:
determine the alarm type of the received alarm message according to the alarm identifier of the received alarm message and the correspondence between the alarm identifier and the alarm type;
the device further comprising:
an association unit, configured to associate, after the determining unit determines the alarm type of the received alarm message, the alarm type with the alarm log corresponding to the received alarm message, where the correspondence between the alarm identifier and the alarm type is stored in the data server in advance, and the alarm type comprises:
an IP alarm indicating that source IP authentication failed, a MAC alarm indicating that source MAC authentication failed, and a dynamic perception alarm indicating that destination port or protocol authentication failed.
8. The apparatus of claim 7, wherein the association unit is further configured to:
associate different alarm types, or different source IPs, or different source MACs with different alarm levels;
and the sending unit is further configured to:
send an alarm of the level corresponding to any alarm log to the client when the alarm count of that alarm log in the data server reaches the threshold preset by the monitoring system.
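A minimal model of the method of claims 1 to 4, added here as an illustration and not code from the patent or from any DPTech product; the alarm identifiers, classification fields, level table, threshold and sample messages are all constructed, and alarm levels are keyed by alarm type only (claim 4 also allows levels per source IP or per source MAC):

```python
from dataclasses import dataclass, field

# Constructed tables (assumptions, not from the patent): alarm identifier ->
# classification field and alarm type; alarm type -> alarm level (claim 4).
CLASSIFICATION_FIELD = {"ip_auth_fail": "src_ip", "mac_auth_fail": "src_mac",
                        "dyn_sense_fail": "dst_port"}
ALARM_TYPE = {"ip_auth_fail": "IP alarm", "mac_auth_fail": "MAC alarm",
              "dyn_sense_fail": "dynamic perception alarm"}
ALARM_LEVEL = {"IP alarm": "high", "MAC alarm": "medium",
               "dynamic perception alarm": "low"}


@dataclass
class AlarmLog:
    alarm_type: str
    level: str
    count: int = 0                                   # the "alarm count" of the claims
    contents: list = field(default_factory=list)     # merged message contents


class DataServer:
    def __init__(self, threshold):
        self.threshold = threshold                   # preset by the monitoring system
        self.logs = {}                               # (classification field, value) -> AlarmLog
        self.sent = []                               # alarms actually sent to the client

    def receive(self, msg):
        """Claims 1-4: classify, merge into the target log (or create one), alert at threshold."""
        cls_field = CLASSIFICATION_FIELD[msg["alarm_id"]]   # claim 1: identifier -> classification field
        key = (cls_field, msg[cls_field])                    # target log = same field content
        log = self.logs.get(key)
        if log is None:                                      # claim 2: no target log -> create it
            atype = ALARM_TYPE[msg["alarm_id"]]              # claim 3: associate the alarm type
            log = self.logs[key] = AlarmLog(atype, ALARM_LEVEL[atype])
        log.contents.append(msg["content"])                  # claim 1: write message content
        log.count += 1                                       # claim 1: increment by 1
        if log.count == self.threshold:                      # fire once, when the count reaches it
            self.sent.append((key, log.level, log.count))    # claim 4: alarm carries the log's level
        return log.count

    def delete(self, key):
        """Claim 1: delete the alarm log pointed to by a client's deleting instruction."""
        return self.logs.pop(key, None) is not None


def demo():
    # Constructed traffic: three IP auth failures from one source, one MAC failure.
    srv = DataServer(threshold=3)
    for i in range(3):
        srv.receive({"alarm_id": "ip_auth_fail", "src_ip": "10.0.0.5", "content": f"auth fail #{i}"})
    srv.receive({"alarm_id": "mac_auth_fail", "src_mac": "aa:bb:cc:dd:ee:ff", "content": "mac fail"})
    return srv
```

With a threshold of 3, the three merged IP failures produce a single high-level alarm and two stored logs instead of four alarms and four logs.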
CN201710064475.0A 2017-02-04 2017-02-04 Monitoring alarm method and device Active CN106713049B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710064475.0A CN106713049B (en) 2017-02-04 2017-02-04 Monitoring alarm method and device

Publications (2)

Publication Number Publication Date
CN106713049A CN106713049A (en) 2017-05-24
CN106713049B true CN106713049B (en) 2020-08-04

Family

ID=58910284

Country Status (1)

Country Link
CN (1) CN106713049B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant