CN113259377B - Internet security monitoring system and method and integrated all-in-one machine - Google Patents


Info

Publication number: CN113259377B
Authority: CN (China)
Prior art keywords: board; flow; service processing; deployment; internet
Legal status: Active
Application number: CN202110650766.4A
Other languages: Chinese (zh)
Other versions: CN113259377A (en)
Inventors: 张宏斌, 许凤凯, 张尼, 薛继东, 孙世豪, 李末军, 鞠奕明, 王博闻, 李庆科, 燕玮, 魏利卓, 石春竹, 田晓娜, 李东成, 贾星威, 刘子健, 崔轲
Current assignee: 6th Research Institute of China Electronics Corp
Original assignee: 6th Research Institute of China Electronics Corp
Application filed by: 6th Research Institute of China Electronics Corp
Priority to: CN202110650766.4A
Publication of application: CN113259377A
Application granted; publication of granted patent: CN113259377B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides an internet security monitoring system, an internet security monitoring method and an integrated all-in-one machine. The system comprises an integrated all-in-one machine and a traffic monitoring platform. The integrated all-in-one machine contains a convergence and shunt board card, a service processing computing board and a controller. The convergence and shunt board card supports two deployment modes, serial (in-line) deployment and parallel (out-of-band) deployment; the service processing computing board supports two operating systems, one corresponding to each deployment mode. The traffic monitoring platform receives traffic logs, generates a monitoring management policy from them and issues that policy to control the internet egress link. Because the convergence and shunt board card and the service processing computing board that support both deployment modes are integrated into one machine, they can be managed uniformly and efficiently, and the deployment mode of the system can be switched online.

Description

Internet security monitoring system and method and integrated all-in-one machine
Technical Field
The application relates to the technical field of network security, and in particular to an internet security monitoring system, an internet security monitoring method and an integrated all-in-one machine.
Background
Internet security monitoring is currently deployed in one of two ways, serial (in-line) or parallel (out-of-band). Both impose heavy implementation constraints, and the deployment mode has to be decided at an early stage, because it is fixed by hardware as well as by system software. On the hardware side, serial deployment requires an optical protection device, and the accompanying convergence and shunt equipment must support the heartbeat control function that the optical protection device expects; parallel deployment requires an optical splitter and its own matching convergence and shunt equipment. On the software side, some system-integration vendors support only parallel-deployment software and others only serial-deployment software, and the system software must in addition be adapted to the particular convergence and shunt device. If the deployment mode cannot be fixed early, the project carries substantial risk during construction. As a result, a large amount of manpower and material is spent on survey work at the start of an internet security monitoring project, construction cost is high, later network changes are expensive, and old equipment is poorly utilised.
Disclosure of Invention
The embodiments of the present application aim to provide an internet security monitoring system, an internet security monitoring method and an integrated all-in-one machine that reduce the manpower, material and construction cost consumed in the initial construction stage of an internet security monitoring system, reduce later network transformation cost, and improve equipment utilisation.
The invention is realised as follows:
In a first aspect, an embodiment of the present application provides an internet security monitoring system comprising an integrated all-in-one machine and a traffic monitoring platform. The integrated all-in-one machine comprises a convergence and shunt board card, a service processing computing board and a controller. The controller is connected to both the service processing computing board and the convergence and shunt board card, and the service processing computing board is connected to the convergence and shunt board card. The convergence and shunt board card supports two deployment modes, serial deployment and parallel deployment; the service processing computing board supports two operating systems, one corresponding to serial deployment and one to parallel deployment. The controller determines the deployment mode of the convergence and shunt board card and the operating system used by the service processing computing board according to an instruction derived from the internet egress link traffic. The convergence and shunt board card filters the traffic data output by the internet egress link according to the determined deployment mode and sends the filtered traffic data to the service processing computing board, which processes the filtered traffic data under the determined operating system to generate a traffic log. The traffic monitoring platform is connected to the service processing computing board, receives the traffic log from it, generates a monitoring management policy based on the traffic log, and issues the monitoring management policy to control the internet egress link.
The embodiment thus provides an internet security monitoring system with integrated serial-parallel deployment: the convergence and shunt board card and the service processing computing board that support both deployment modes are integrated into one machine, so that they can be managed uniformly and efficiently, the deployment mode can be switched online, and the flexibility and reliability of the system are improved. Once a user raises a service request, the system can be deployed and the service opened quickly, which greatly reduces the manpower, material and construction cost of the initial construction stage; because one system supports both deployment modes, later network reconstruction cost is reduced and equipment utilisation is improved.
In some possible implementations of the first aspect, when the internet egress link is provided with an optical protection device, the controller determines, according to the instruction derived from the internet egress link traffic, that the deployment mode of the convergence and shunt board card is serial deployment and that the operating system used by the service processing computing board is the one corresponding to serial deployment. The service processing computing board then performs message identification, parsing, restoration and extraction on the filtered traffic data and generates log data from it; it compresses the log data and encrypts the compressed log data to obtain the traffic log. The traffic monitoring platform decrypts the traffic log, generates the monitoring management policy from the decrypted log, and sends the policy to the service processing computing board, which controls the filtered traffic data according to the policy and passes the controlled traffic back to the internet egress link through the convergence and shunt board card.
In other words, when the internet egress link carries an optical protection device, the system is deployed in series. In serial deployment the traffic monitoring platform sends the monitoring management policy to the service processing computing board, which enforces it on the filtered traffic and forwards the controlled traffic to the internet egress link through the convergence and shunt board card; because the machine is in the forwarding path, this gives accurate, real-time control of the egress traffic. The service processing computing board identifies, parses, restores and extracts the filtered traffic, generates log data, compresses it and encrypts the compressed data to obtain the traffic log, which improves transmission efficiency and protects the log in transit.
In some possible implementations of the first aspect, when the internet egress link is provided with an optical splitter, the controller determines, according to the instruction derived from the internet egress link traffic, that the deployment mode of the convergence and shunt board card is parallel deployment and that the operating system used by the service processing computing board is the one corresponding to parallel deployment. The service processing computing board then performs message identification, parsing, restoration and extraction on the filtered traffic data and generates log data from it; it compresses the log data and encrypts the compressed log data to obtain the traffic log. The traffic monitoring platform decrypts the traffic log, generates the monitoring management policy from the decrypted log, and sends the policy to the internet egress link in the form of local area network broadcast, TCP reset injection or forged-packet injection.
In other words, when the internet egress link carries an optical splitter, the system is deployed in parallel. In parallel deployment the machine sees only a copy of the traffic, so the traffic monitoring platform issues the monitoring management policy onto the internet egress link itself, by local area network broadcast, by injecting TCP resets, or by injecting forged packets; this provides real-time control of the egress traffic without the machine being in the forwarding path. The service processing computing board identifies, parses, restores and extracts the filtered traffic, generates log data, compresses it and encrypts the compressed data to obtain the traffic log, which improves the transmission efficiency of the traffic log and protects it in transit.
In some possible implementations of the first aspect, the service processing computing board is a plug-in card.
Using a plug-in card for the service processing computing board means that rapid deployment and rapid service opening need nothing more than imaging the card's hard disk. Compared with a conventional rack-mounted server, the plug-in card saves a great deal of machine-room space, reduces power consumption, removes the cost of the optical fibre and optical modules that a conventional deployment needs between the convergence and shunt device and the rack-mounted service processing server, and reduces the network supervision failures caused by faults on that physical link.
In some possible implementations of the first aspect, the internet security monitoring system further includes a control server connected to both the service processing computing board and the traffic monitoring platform. The control server reports the traffic log sent by the service processing computing board to the traffic monitoring platform and sends the monitoring management policy received from the traffic monitoring platform to the internet egress link.
The control server manages the data exchanged between the service processing computing board and the traffic monitoring platform, which improves the reliability of the system.
In a second aspect, an embodiment of the present application provides an internet security monitoring method applied to the controller of the integrated all-in-one machine of an internet security monitoring system. The integrated all-in-one machine further includes a convergence and shunt board card and a service processing computing board; the controller is connected to both, and the service processing computing board is connected to the convergence and shunt board card; the convergence and shunt board card supports serial deployment and parallel deployment, and the service processing computing board supports two operating systems, one for each deployment mode; the internet security monitoring system also includes a traffic monitoring platform connected to the service processing computing board. The method comprises: determining the deployment mode of the convergence and shunt board card and the operating system used by the service processing computing board according to an instruction derived from the internet egress link traffic; controlling the convergence and shunt board card to filter the traffic data output by the internet egress link according to the determined deployment mode and to send the filtered traffic data to the service processing computing board; and controlling the service processing computing board to process the filtered traffic data under the determined operating system, generate a traffic log and send it to the traffic monitoring platform, so that the traffic monitoring platform generates a monitoring management policy based on the traffic log and issues it to control the internet egress link.
In some possible implementations of the second aspect, when the internet egress link is provided with an optical protection device, determining the deployment mode of the convergence and shunt board card and the operating system used by the service processing computing board comprises: when the internet egress link is detected to be working on the main path of the optical protection device, determining according to the instruction derived from the internet egress link traffic that the deployment mode is serial deployment and that the operating system is the one corresponding to serial deployment. Correspondingly, sending the traffic log to the traffic monitoring platform so that it generates and issues the monitoring management policy comprises: sending the traffic log to the traffic monitoring platform so that it generates the monitoring management policy from the log; receiving, through the service processing computing board, the monitoring management policy sent by the traffic monitoring platform; controlling the filtered traffic data according to the policy; and passing the controlled traffic data to the internet egress link through the convergence and shunt board card.
In some possible implementations of the second aspect, when the internet egress link is provided with an optical splitter, determining the deployment mode of the convergence and shunt board card and the operating system used by the service processing computing board comprises: determining according to the instruction derived from the internet egress link traffic that the deployment mode is parallel deployment and that the operating system is the one corresponding to parallel deployment. Correspondingly, sending the traffic log to the traffic monitoring platform so that it generates and issues the monitoring management policy comprises: sending the traffic log to the traffic monitoring platform so that it generates the monitoring management policy from the log and sends the policy to the internet egress link in the form of local area network broadcast, TCP reset injection or forged-packet injection.
In a third aspect, an embodiment of the present application provides an integrated all-in-one machine comprising a convergence and shunt board card, a service processing computing board and a controller. The controller is connected to both the service processing computing board and the convergence and shunt board card, and the service processing computing board is connected to the convergence and shunt board card. The convergence and shunt board card supports serial deployment and parallel deployment; the service processing computing board supports two operating systems, one for each deployment mode. The controller determines the deployment mode of the convergence and shunt board card and the operating system used by the service processing computing board according to an instruction derived from the internet egress link traffic; the convergence and shunt board card filters the traffic data output by the internet egress link according to the determined deployment mode and sends the filtered traffic data to the service processing computing board; and the service processing computing board processes the filtered traffic data under the determined operating system, generates a traffic log and sends it to a traffic monitoring platform connected to the service processing computing board.
In some possible implementations of the third aspect, the service processing computing board is a plug-in card.
In a fourth aspect, embodiments of the present application provide a storage medium storing a computer program which, when executed by a processor, performs the method of the second aspect or of any of its possible implementations described above.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. The drawings illustrate only some embodiments of the present application and should not be taken as limiting its scope; those skilled in the art can derive other related drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of an internet security monitoring system according to an embodiment of the present application.
Fig. 2 is a schematic connection diagram of an internet security monitoring system in tandem deployment according to an embodiment of the present disclosure.
Fig. 3 is a schematic connection diagram of an internet security monitoring system when deployed in parallel according to an embodiment of the present application.
Fig. 4 is a block diagram of a module of an integrated all-in-one machine according to an embodiment of the present application.
Fig. 5 is a schematic structural diagram of another internet security monitoring system according to an embodiment of the present application.
Fig. 6 is a flowchart illustrating steps of an internet security monitoring method according to an embodiment of the present disclosure.
Fig. 7 is a flowchart illustrating steps of another internet security monitoring method according to an embodiment of the present disclosure.
Icon: 100-internet security monitoring system; 10-integrated all-in-one machine; 101-convergence and shunt board card; 102-service processing computing board; 103-controller; 20-traffic monitoring platform; 30-optical protection device; 40-optical splitter; 50-control server.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
In view of the problems of the existing internet security monitoring systems, namely the large amount of manpower and material spent on survey work at the start of construction, the high construction cost, the high cost of later network transformation and the low utilisation of old equipment, the inventors of the application, after research and exploration, propose the following embodiments to solve them.
Referring to fig. 1, an internet security monitoring system 100 is provided according to an embodiment of the present disclosure. The system comprises an integrated all-in-one machine 10 and a traffic monitoring platform 20.
The integrated all-in-one machine 10 is connected to the traffic monitoring platform 20 (for example over a local area network) and to the internet egress link.
In this embodiment the integrated all-in-one machine 10 supports both serial deployment and parallel deployment; it filters and processes the internet egress traffic and generates a traffic log. The traffic monitoring platform 20 receives the traffic log generated by the integrated all-in-one machine 10, generates a monitoring management policy from it, and issues the policy to control the internet egress link.
Referring to fig. 2, in serial deployment an optical protection device 30 is installed on the internet egress link, that is, on the link between the backbone router and the internet egress router, and the integrated all-in-one machine 10 is connected to it. The internet egress traffic passes through the optical protection device 30 into the integrated all-in-one machine 10, which filters and processes it and generates a traffic log. The integrated all-in-one machine 10 then sends the traffic log to the traffic monitoring platform 20, which outputs the corresponding monitoring management policy to control the internet egress link.
Referring to fig. 3, in parallel deployment an optical splitter 40 is installed on the internet egress link, again on the link between the backbone router and the internet egress router, and the integrated all-in-one machine 10 is connected to it. The optical splitter 40 copies the internet egress traffic: the original stream continues over the original link to the router that connects to the internet, and the copy is delivered to the integrated all-in-one machine 10. The integrated all-in-one machine 10 filters and processes the received copy and generates a traffic log, then sends the traffic log to the traffic monitoring platform 20, which outputs the corresponding monitoring management policy to control the internet egress link.
That is, the integrated all-in-one machine 10 of this embodiment can operate in either deployment mode according to how the internet egress link is configured.
Specifically, referring to fig. 4, the integrated all-in-one machine 10 of this embodiment comprises a convergence and shunt board card 101, a service processing computing board 102 and a controller 103.
The controller 103 is connected to both the service processing computing board 102 and the convergence and shunt board card 101, and the service processing computing board 102 is connected to the convergence and shunt board card 101; the service processing computing board 102 is also connected to the traffic monitoring platform 20.
The convergence and shunt board card 101 supports serial deployment and parallel deployment. The service processing computing board 102 supports two operating systems, one for serial deployment and one for parallel deployment. The controller 103 determines the deployment mode of the convergence and shunt board card 101 and the operating system used by the service processing computing board 102 according to an instruction derived from the internet egress link traffic; the convergence and shunt board card 101 filters the traffic data output by the internet egress link according to the determined deployment mode and sends the filtered traffic data to the service processing computing board 102, which processes the filtered traffic data under the determined operating system and generates a traffic log.
It should be noted that the functions of the convergence and shunt board card 101 differ between the two deployment modes. In serial deployment, for example, the optical protection device 30 sits on the internet egress link and the board card must provide the heartbeat control function that the optical protection device expects. The practical consequence is that if the board card stops sending heartbeats (a reboot, a hung operating system, a mode switch that takes too long), the protection device routes the link around the machine: the link stays up but is no longer monitored, so that transition should be alarmed on rather than silently tolerated.
Likewise, because the internet egress link is configured differently in the two modes, the service processing computing board 102 runs an operating system adapted to each. Under serial deployment the corresponding system also supports active defence, traffic editing and analysis, so that in-path traffic is controlled accurately and in real time and an attack is blocked at the internet egress as soon as it is seen. Under parallel deployment the corresponding system supports intrusion detection to identify attack attempts, attack behaviour and attack results; for traffic showing an attack attempt or attack behaviour it injects forged packets into the network, namely tampered domain name responses and packets with a replaced destination IP (Internet Protocol) address, to control the user's traffic in real time. Out-of-band control of this kind is inherently a race: the injected reset or forged response has to reach the endpoint before the genuine traffic does, so it can interrupt or redirect a flow but cannot guarantee that the first packets never reach their destination; hard blocking is what the in-path serial deployment provides.
In addition, to improve both the transmission efficiency and the transmission security of the traffic log, the service processing computing board 102 processes the filtered traffic data as follows: it performs message identification, parsing, restoration and extraction on the filtered traffic and generates log data; it then compresses the log data and encrypts the compressed log data to obtain the traffic log. The traffic monitoring platform 20 must therefore decrypt a received traffic log with the cipher and key matching those used for encryption. The protection may be applied at the transport layer, for example with IPsec (Internet Protocol Security) or SSL (Secure Sockets Layer; in current deployments its successor TLS), or the log may be encrypted as a message before transmission. Note that IPsec and SSL/TLS are protocols that negotiate an encryption algorithm and keys rather than encryption algorithms themselves, and that SSL proper has been deprecated in favour of TLS.
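The traffic-log pipeline of this paragraph, as an added example written for this page and not code from the patent or its assignee: Go code in which the board side compresses a batch of constructed log lines and seals them with AES-256-GCM, and the platform side authenticates and decrypts before inflating. The key, the nonce layout, the log format and the 1 MiB inflation cap are choices made for the example, not details taken from the patent.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// SampleLog is constructed sample data, not a log format taken from the patent.
var SampleLog = []string{
	"2024-05-01T08:00:00Z src=192.0.2.10:51000 dst=198.51.100.20:443 proto=tcp verdict=allow",
	"2024-05-01T08:00:01Z src=192.0.2.11:51001 dst=198.51.100.21:53 proto=udp verdict=flag rule=dns-tunnel",
}

// PackLog is the board side: compress the log lines, then seal them with
// AES-256-GCM. Output layout: 12-byte random nonce || ciphertext || 16-byte tag.
func PackLog(key []byte, lines []string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zlib.NewWriter(&buf)
	if _, err := io.WriteString(zw, strings.Join(lines, "\n")); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per batch: a nonce reused under the same key breaks
	// GCM's confidentiality and integrity, so never derive it from a clock alone.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, buf.Bytes(), nil), nil
}

// UnpackLog is the platform side: authenticate and decrypt first, and only then
// inflate, so zlib never runs on data an attacker could have modified.
func UnpackLog(key, blob []byte) ([]string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("traffic log blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	compressed, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("traffic log rejected: %w", err)
	}
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	plain, err := io.ReadAll(io.LimitReader(zr, 1<<20)) // cap inflation at 1 MiB
	if err != nil {
		return nil, err
	}
	if len(plain) == 0 {
		return nil, nil
	}
	return strings.Split(string(plain), "\n"), nil
}

// SealedSize exposes the side effect of compress-then-encrypt: ciphertext length
// is compressed length plus a constant, so compressibility leaks through sizes.
func SealedSize(key []byte, lines []string) (int, error) {
	blob, err := PackLog(key, lines)
	if err != nil {
		return 0, err
	}
	return len(blob), nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // demo key only; real keys are provisioned out of band
	blob, err := PackLog(key, SampleLog)
	if err != nil {
		panic(err)
	}
	lines, err := UnpackLog(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d lines sealed into %d bytes; first: %s\n", len(lines), len(blob), lines[0])
}
```

Two caveats a practitioner should take from this. GCM authenticates as well as encrypts, so a log that was modified in transit or encrypted under a different key is rejected before the inflater ever sees it; an unauthenticated cipher would hand attacker-influenced compressed data straight to zlib. And compressing before encrypting means the ciphertext length reflects how compressible the log is (SealedSize makes this visible), which matters when logged fields such as domain names or URLs are attacker-chosen; if message sizes are observable on the link to the platform, pad batches to a fixed size.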
The above instruction may be determined according to actual conditions. For example, different instructions may correspond to different links, so that connecting the link of the all-in-one machine to the optical protection device or to the optical splitter triggers a different instruction. As another example, the instruction may be set according to the format of the detected data, since the traffic data transmitted by the optical protection device 30 and by the optical splitter 40 may have different formats.
The controller 103 may be an integrated circuit chip having signal processing capabilities. The controller 103 may also be a general-purpose Processor, for example, a Central Processing Unit (CPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a discrete gate or transistor logic device, or a discrete hardware component, which can implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present Application. Further, a general purpose processor may be a microprocessor or any conventional processor or the like.
Optionally, the service processing computing board 102 is a plug-in card type service processing computing board. In a specific implementation, rapid deployment and rapid service opening can be achieved simply by mirroring the hard disk of the plug-in card type service processing computing board. Compared with a traditional rack-mounted server, the plug-in card type service processing computing board greatly saves machine room space, reduces power consumption, saves the cost of the optical fiber and optical modules between a conventionally deployed convergence/shunt device and a rack-mounted service processing server, and reduces network supervision failures caused by physical link failures.
Optionally, referring to fig. 5, the internet security monitoring system further includes a control server 50. The control server 50 is connected to the service processing computing board 102 and to the traffic monitoring platform 20 respectively; the connection to the service processing computing board 102 is through a local area network.
The control server 50 is configured to report the traffic log sent by the service processing computing board 102 to the traffic monitoring platform 20, and issue the monitoring management policy received from the traffic monitoring platform 20 to the internet egress link. The control server 50 can reasonably manage the transmission data between the business processing computing board 102 and the traffic monitoring platform 20, so as to improve the reliability of the system.
Referring to fig. 2 to 5, a monitoring process of the internet security monitoring system 100 will be fully described. First, the controller 103 in the integrated all-in-one machine 10 determines the deployment mode of the aggregation/offloading board 101 and determines the operating system used by the service processing computing board 102 according to an instruction of the internet egress link flow.
When the internet security monitoring is deployed in tandem, the optical protection device 30 is installed on the internet egress link (i.e., on the link between the backbone router and the internet egress router). The integrated all-in-one machine 10 is connected to the optical protection device 30, and the integrated all-in-one machine 10 then receives the internet outlet flow data according to the serial deployment mode. Specifically, the internet outlet flow data is transmitted to the integrated all-in-one machine 10 after passing through the optical protection device 30. The convergence and shunt board card 101 in the integrated all-in-one machine 10 filters the internet outlet flow data to screen out the data that needs management and control, and then sends the filtered traffic data to the service processing computing board 102. The service processing computing board 102 processes the filtered traffic data to generate a traffic log and reports it to the traffic monitoring platform 20 through the control server 50 over the local area network. The traffic monitoring platform 20 generates a corresponding monitoring management policy based on the traffic log and issues it to the control server 50, and the control server 50 issues the policy to the service processing computing board 102 in a unified manner, so that the service processing computing board 102 manages and controls the filtered traffic data and transmits the managed and controlled traffic data to the internet egress link through the convergence and shunt board card 101.
It should be noted that the managed traffic data is normal traffic data, and the dangerous traffic or the aggressive traffic is blocked at the service processing computing board 102 to prevent the dangerous traffic or the aggressive traffic from entering the internet outlet.
When the internet security monitoring is deployed in a parallel configuration, an optical splitter 40 is installed on the internet egress link (i.e., on the link between the backbone router and the internet egress router). The integrated all-in-one machine 10 is connected to the optical splitter 40, and the integrated all-in-one machine 10 then receives the internet outlet flow data according to the parallel deployment mode. Specifically, the internet outlet traffic data is copied by the optical splitter 40 into two parts: one part still travels over the original link to the routing device connected to the internet, and the other part is transmitted to the integrated all-in-one machine 10. The convergence and shunt board card 101 in the integrated all-in-one machine 10 filters the internet outlet flow data to screen out the data that needs management and control, and then sends the filtered traffic data to the service processing computing board 102. The service processing computing board 102 processes the filtered traffic data to generate a traffic log and reports it to the traffic monitoring platform 20 through the control server 50 over the local area network. The traffic monitoring platform 20 generates a corresponding monitoring management policy based on the traffic log and issues it to the control server 50, and the control server 50 manages and schedules the policy in a unified manner. When an intrusion attempt or intrusion behavior is detected or identified, the control server issues the policy to the internet egress link in the form of local area network broadcast, TCP Reset or pseudo-packet, so as to achieve accurate real-time control of the traffic.
To sum up, the embodiment of the present application provides an internet security monitoring system 100 deployed in a serial-parallel connection manner, in which a convergence/shunt board card 101 and a service processing computing board 102 supporting serial-parallel connection deployment are integrated into a whole, so that the convergence/shunt board card 101 and the service processing computing board 102 can be uniformly and efficiently managed, and online switching of serial-parallel connection deployment of the system is facilitated, thereby improving flexibility and reliability of the system. In addition, once a user has a service request, the system can realize quick deployment and quick service opening, so that the manpower, material resources and construction cost at the initial construction stage are greatly reduced, and the system can realize series-parallel integrated deployment, thereby reducing the later-stage network reconstruction cost and improving the utilization rate of equipment.
It should be noted that the structures shown in fig. 1 and fig. 4 are only schematic, and the internet security monitoring system 100 and the all-in-one integrated machine 10 provided in the embodiment of the present application may have fewer or more components or have a different configuration from that shown in the figures. In addition, each component shown in fig. 1 and 4 may be implemented by software, hardware, or a combination thereof.
Based on the same inventive concept, please refer to fig. 6, an embodiment of the present application further provides an internet security monitoring method, which is applied to a controller in an integrated all-in-one machine. It should be noted that, the internet security monitoring method provided in the embodiment of the present application is not limited by the sequence shown in fig. 6 and the following, and the method includes: step S101-step S103.
Step S101: determining the deployment mode of the convergence and shunt board card and the operating system used by the service processing computing board according to the instruction of the internet outlet link flow.
When the optical protection device is arranged on the internet exit link, the controller determines that the deployment mode of the convergence and shunt board card is tandem deployment and the operating system used by the service processing computing board is the operating system corresponding to the tandem deployment according to the instruction of the internet exit link flow.
When the internet exit link is provided with the optical splitter, the controller determines that the deployment mode of the convergence splitter board card is parallel deployment and the operating system used by the service processing computing board is the operating system corresponding to the parallel deployment according to the instruction of the internet exit link flow.
Step S102: controlling the convergence and shunt board card to filter the flow data output by the internet outlet link based on the determined deployment mode and send the filtered flow data to the service processing computing board.
Step S103: controlling the service processing computing board to process the filtered flow data based on the determined operating system, generate a flow log and send the flow log to the flow monitoring platform, so that the flow monitoring platform generates a monitoring management strategy based on the flow log and issues the monitoring management strategy to control the internet exit link.
It should be noted that, for the step flow of the internet security monitoring method, reference may be made to the description in the foregoing embodiments, which are not described herein again.
The following describes the internet security monitoring method with reference to the detailed processes of the tandem deployment and the parallel deployment.
Referring to fig. 7, when the network communicates normally with the Internet, the internet security monitoring system determines the deployment mode according to the instruction of the internet exit link flow.
If the deployment is tandem, the optical protection switching engine in the system judges whether the link is working on the main path or on the bypass. The judgment logic is divided into line switching logic and software switching logic. The line switching logic judges events such as port state up/down, changes in link optical attenuation, link FCS (frame check sequence) errors and bit errors; the software switching logic covers events such as device power failure, service forwarding program hang, performance packet loss, heartbeat interruption and abnormal device operation. Since this judgment logic is well known in the art, its detailed description is omitted here.
When the link is working on the bypass, the main path is abnormal, and the original traffic on the bypass returns along its original path; that is, the internet security monitoring system does not perform traffic control on it.
When the link is working on the main path, the internet security monitoring system receives and identifies the traffic according to the serial deployment mode. First, the convergence and shunt board card in the integrated all-in-one machine 10 filters the internet outlet flow data and screens out the flow data that needs processing; that is, the convergence and shunt board card performs rule matching on the incoming flow data, and if a rule is hit, the board card operates according to the matched service number. The convergence and shunt board card then looks up the action of each service number for the subsequent operation, where the service number actions include: transparent transmission, mirroring, reflow and discarding. If the service action is reflow or mirroring, the data is sent to the service processing computing board; at the same time, the traffic of the mirroring action and the traffic of the transparent transmission action are returned along the original path. If the service action is discard, the traffic is dropped directly.
After receiving the flow data, the service processing computing board generates Internet-related call ticket log data; the process includes Internet message identification, parsing, restoration, extraction and log call ticket generation. The service processing computing board then compresses the log data, using compression methods such as jzip (a compression tool), rar (a compression tool) and the like. Next, the service processing computing board encrypts the log data, with encryption types including IPsec (Internet Protocol Security), SSL (Secure Sockets Layer) and the like. Finally, the service processing computing board transmits the processed log to the flow monitoring platform through a VPN channel. After decrypting the log, the flow monitoring platform processes, analyzes and models it through the big data platform and finally issues the monitoring management strategy to the control server; the control server issues the strategy to the service processing computing board in a unified manner, so that the service processing computing board controls the filtered flow data, and the controlled flow data is transmitted to the internet outlet link through the convergence and shunt board card.
If the deployment is parallel, the internet security monitoring system receives and identifies the traffic according to the parallel deployment mode. Note that the internet outlet traffic data is copied by the optical splitter 40; after copying, one part of the data still travels over the original link to the routing device connected to the internet, and the other part is transmitted to the integrated all-in-one machine 10. The convergence and shunt board card in the integrated all-in-one machine 10 filters the internet outlet flow data and screens out the flow data to be processed; that is, the convergence and shunt board card performs rule matching on the incoming flow data, and if a rule is hit, the hit data flow is sent to the service processing computing board. The execution process of the service processing computing board likewise comprises: generating Internet-related call ticket log data, compressing the log data and encrypting the log data (see the steps described above). Finally, the service processing computing board transmits the processed log to the flow monitoring platform through a VPN channel. After decrypting the log, the flow monitoring platform processes, analyzes and models it through the big data platform and finally issues the monitoring management strategy to the control server, and the control server manages and schedules the strategy in a unified manner. When an intrusion attempt or intrusion behavior is detected or identified, the control server issues the strategy to the internet outlet link in the form of local area network broadcast, TCP Reset or pseudo-packet, so as to achieve accurate real-time control of the traffic.
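The convergence/shunt board's dispatch as described across the tandem and parallel procedures above, as an added Python example that is not part of the patent: deployment selection from the device on the egress link, the main-path/bypass decision of the protection switching engine, and rule matching to the service-number actions (transparent transmission, mirroring, reflow, discard). The rule fields, thresholds and the treatment of packets that hit no rule are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Deployment(Enum):
    TANDEM = "tandem"      # optical protection device on the egress link
    PARALLEL = "parallel"  # optical splitter on the egress link


class Action(Enum):
    TRANSPARENT = "transparent"  # return on the original path, nothing to the service board
    MIRROR = "mirror"            # copy to the service board, original continues
    REFLOW = "reflow"            # hand the packet itself to the service board
    DROP = "drop"                # discard at the convergence board


def select_deployment(link_device: str) -> Deployment:
    """Controller step S101: the device on the egress link fixes the deployment
    mode (and with it which operating system the service board runs)."""
    if link_device == "optical_protection":
        return Deployment.TANDEM
    if link_device == "optical_splitter":
        return Deployment.PARALLEL
    raise ValueError("unknown egress link device: %s" % link_device)


@dataclass
class LinkHealth:
    # line switching indicators
    port_up: bool = True
    light_attenuation_db: float = 0.0
    fcs_errors: int = 0
    # software switching indicators
    powered: bool = True
    forwarder_alive: bool = True
    heartbeat_ok: bool = True
    packet_loss_pct: float = 0.0


# Thresholds are assumptions for the example; the patent gives no values.
MAX_ATTENUATION_DB = 3.0
MAX_FCS_ERRORS = 10
MAX_LOSS_PCT = 1.0


def on_main_path(h: LinkHealth) -> bool:
    """Optical protection switching engine: any line or software fault moves the
    link to the bypass, where traffic returns on its original path unmonitored."""
    line_ok = (h.port_up and h.light_attenuation_db <= MAX_ATTENUATION_DB
               and h.fcs_errors <= MAX_FCS_ERRORS)
    software_ok = (h.powered and h.forwarder_alive and h.heartbeat_ok
                   and h.packet_loss_pct <= MAX_LOSS_PCT)
    return line_ok and software_ok


@dataclass
class Rule:
    proto: Optional[str]     # None matches any protocol
    dst_port: Optional[int]  # None matches any port
    service_no: int

    def hits(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port))


@dataclass(frozen=True)
class Disposition:
    forward_original: bool  # packet continues on the original link
    to_service_board: bool  # packet (or a copy) goes to the service processing board


def first_hit(pkt: dict, rules: List[Rule]) -> Optional[Rule]:
    return next((r for r in rules if r.hits(pkt)), None)


def dispatch(pkt: dict, deployment: Deployment, rules: List[Rule],
             service_actions: Dict[int, Action], health: LinkHealth) -> Disposition:
    """Convergence/shunt board step S102 for one packet."""
    hit = first_hit(pkt, rules)
    if deployment is Deployment.PARALLEL:
        # Splitter copy: the original always continues; a hit sends the copy on.
        return Disposition(forward_original=True, to_service_board=hit is not None)
    if not on_main_path(health):
        # Bypass: main path abnormal, traffic returns untouched and unmonitored.
        return Disposition(forward_original=True, to_service_board=False)
    if hit is None:
        # Assumption: traffic that hits no rule is passed through unmonitored.
        return Disposition(forward_original=True, to_service_board=False)
    action = service_actions[hit.service_no]
    if action is Action.TRANSPARENT:
        return Disposition(forward_original=True, to_service_board=False)
    if action is Action.MIRROR:
        return Disposition(forward_original=True, to_service_board=True)
    if action is Action.REFLOW:
        return Disposition(forward_original=False, to_service_board=True)
    return Disposition(forward_original=False, to_service_board=False)  # DROP


# Constructed rule table and service-number actions for the example.
RULES = [Rule("tcp", 443, 1), Rule("udp", 53, 2), Rule(None, 25, 3), Rule("tcp", 22, 4)]
SERVICE_ACTIONS = {1: Action.MIRROR, 2: Action.REFLOW, 3: Action.DROP, 4: Action.TRANSPARENT}
```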
It should be noted that, as those skilled in the art can clearly understand, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
Based on the same inventive concept, embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed, the computer program performs the methods provided in the above embodiments.
The storage medium may be any available medium that can be accessed by a computer or a data storage device including one or more integrated servers, data centers, and the like. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. An internet security monitoring system, comprising:
an integrated all-in-one machine comprising: the system comprises a convergence and shunt board card, a service processing calculation board and a controller; the controller is connected with the service processing calculating board and the convergence splitter plate card respectively, and the service processing calculating board is connected with the convergence splitter plate card; the deployment modes of the convergence and shunt board cards comprise serial deployment and parallel deployment; the service processing computing board supports double operating systems, and the serial deployment and the parallel deployment respectively correspond to different operating systems; the controller is used for determining the deployment mode of the convergence and shunt board card and the operating system used by the service processing computing board according to the instruction of the internet outlet link flow; the convergence and shunt board card is used for filtering flow data output by an internet exit link based on the determined deployment mode and sending the filtered flow data to the service processing computing board, and the service processing computing board is used for processing the filtered flow data based on the determined operating system to generate a flow log;
and the flow monitoring platform is connected with the service processing computing board and used for receiving the flow logs from the service processing computing board, generating a monitoring management strategy based on the flow logs and issuing the monitoring management strategy to control the internet outlet link.
2. The internet security monitoring system according to claim 1, wherein when the internet egress link is provided with an optical protection device, the controller is configured to determine, according to an instruction of the internet egress link traffic, that the deployment manner of the aggregation and offloading board card is the tandem deployment and that an operating system used by the service processing computing board is an operating system corresponding to the tandem deployment;
correspondingly, the service processing computing board is specifically configured to perform message identification, parsing, restoration, extraction, and log data generation on the filtered traffic data; then compressing the log data, and encrypting the compressed log data to obtain the flow log;
correspondingly, the traffic supervision platform is configured to decrypt the traffic log, generate the monitoring management policy based on the decrypted traffic log, and send the monitoring management policy to the service processing computing board, so that the service processing computing board manages and controls the filtered traffic data based on the monitoring management policy, and transmits the managed and controlled traffic data to the internet exit link through the aggregation and offloading board card;
when the controller detects that the internet exit link works on the side of the optical protection device, the internet safety monitoring system does not monitor the flow.
3. The internet security monitoring system according to claim 1, wherein when the internet egress link is provided with an optical splitter, the controller is configured to determine, according to the instruction of the internet egress link traffic, that the deployment manner of the aggregation and offloading board card is the parallel deployment and an operating system used by the service processing computing board is an operating system corresponding to the parallel deployment;
correspondingly, the service processing computing board is specifically configured to perform message identification, parsing, restoration, extraction, and log data generation on the filtered traffic data; then compressing the log data, and encrypting the compressed log data to obtain the flow log;
correspondingly, the traffic monitoring platform is used for decrypting the traffic log, generating the monitoring management strategy based on the decrypted traffic log, and sending the monitoring management strategy to the internet outlet link in the form of local area network broadcasting, TCP resetting or pseudo-packaging.
4. The internet security monitoring system of claim 1, wherein the business process computing board is a card-plug business process computing board.
5. The internet security monitoring system of claim 1, further comprising a control server;
the control server is respectively connected with the business processing computing board and the flow monitoring platform; the control server is used for reporting the flow log sent by the service processing computing board to the flow monitoring platform and sending the monitoring management strategy received from the flow monitoring platform to the internet exit link.
6. An internet security monitoring method is characterized in that the method is applied to a controller in an integrated all-in-one machine of an internet security monitoring system, and the integrated all-in-one machine further comprises: a convergence and shunt board card and a service processing computing board; the controller is connected with the service processing computing board and the convergence and shunt board card respectively; the service processing computing board is connected with the convergence and shunt board card; the deployment modes of the convergence and shunt board card comprise serial deployment and parallel deployment; the service processing computing board supports double operating systems, and the serial deployment and the parallel deployment respectively correspond to different operating systems; the internet security monitoring system also comprises a flow monitoring platform, and the flow monitoring platform is connected with the service processing computing board; the method comprises the following steps:
determining a deployment mode of the convergence and shunt board card and an operating system used by the service processing computing board according to an instruction of internet outlet link flow;
controlling the convergence and shunt board card to filter the traffic data output by the internet exit link based on the determined deployment mode, and sending the filtered traffic data to the service processing computing board;
and controlling the service processing computing board to process the filtered flow data based on the determined operating system, generating a flow log, sending the flow log to the flow monitoring platform, so that the flow monitoring platform generates a monitoring management strategy based on the flow log, and issues the monitoring management strategy to control the internet exit link.
7. The method according to claim 6, wherein when the internet egress link is provided with an optical protection device, the determining, according to the instruction of the internet egress link traffic, the deployment manner of the aggregation and offloading board card and the determining of the operating system used by the service processing computing board include:
when the internet exit link is detected to work on the main road of the optical protection device, determining that the deployment mode of the convergence and shunt board card is the serial deployment and the operating system used by the service processing computing board is the operating system corresponding to the serial deployment according to the instruction of the internet exit link flow;
correspondingly, the sending the traffic log to the traffic monitoring platform to enable the traffic monitoring platform to generate a monitoring management policy based on the traffic log, and issue the monitoring management policy to control the internet exit link includes:
sending the flow log to the flow supervision platform so that the flow supervision platform generates the monitoring management strategy based on the flow log;
and receiving the monitoring management strategy sent by the flow monitoring platform through the service processing computing board, managing and controlling the filtered flow data based on the monitoring management strategy, and transmitting the managed and controlled flow data to the internet outlet link through the convergence shunting board card.
8. The method according to claim 6, wherein when the internet egress link is provided with an optical splitter, the determining a deployment manner of the convergence/offloading board card and the determining an operating system used by the service processing computing board according to the instruction of the internet egress link traffic includes:
according to the internet exit link flow instruction, determining that the deployment mode of the convergence and shunt board card is the parallel deployment and the operating system used by the service processing computing board is the operating system corresponding to the parallel deployment;
correspondingly, the sending the traffic log to the traffic monitoring platform to enable the traffic monitoring platform to generate a monitoring management policy based on the traffic log, and issue the monitoring management policy to control the internet exit link includes:
and sending the flow log to the flow monitoring platform so that the flow monitoring platform generates the monitoring management strategy based on the flow log, and sends the monitoring management strategy to the internet outlet link in the form of local area network broadcasting, TCP resetting or pseudo-packaging.
9. An integrated all-in-one machine, comprising: the system comprises a convergence and shunt board card, a service processing calculation board and a controller;
the controller is connected with the service processing calculating board and the convergence splitter board respectively; the service processing computing board is connected with the convergence splitter board card; the deployment modes of the convergence and shunt board cards comprise serial deployment and parallel deployment; the service processing computing board supports double operating systems, and the serial deployment and the parallel deployment respectively correspond to different operating systems;
the controller is used for determining the deployment mode of the convergence and shunt board card and the operating system used by the service processing computing board according to the instruction of the internet outlet link flow; the convergence and shunt board card is used for filtering flow data output by an internet exit link based on the determined deployment mode and sending the filtered flow data to the service processing computing board, and the service processing computing board is used for processing the filtered flow data based on the determined operating system, generating a flow log and sending the flow log to a flow monitoring platform connected with the service processing computing board.
10. The all-in-one machine of claim 9, wherein the business process computer board is a card-plug business process computer board.
CN202110650766.4A 2021-06-11 2021-06-11 Internet security monitoring system and method and integrated all-in-one machine Active CN113259377B (en)

Publications (2)

Publication Number Publication Date
CN113259377A CN113259377A (en) 2021-08-13
CN113259377B true CN113259377B (en) 2021-09-21

Family

ID=77187525

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110650766.4A Active CN113259377B (en) 2021-06-11 2021-06-11 Internet security monitoring system and method and integrated all-in-one machine

Country Status (1)

Country Link
CN (1) CN113259377B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6161201A (en) * 1998-02-26 2000-12-12 3Com Corporation Method and apparatus for concurrent interaction with a modem having an open connection
CN102420651A (en) * 2011-08-31 2012-04-18 天津七所信息技术有限公司 Comprehensive service optical-transmission platform
CN109921848A (en) * 2019-04-15 2019-06-21 北京盟力星科技有限公司 A kind of configuration management system based on optical cable on-line monitoring
CN109934361A (en) * 2019-02-25 2019-06-25 江苏电力信息技术有限公司 A kind of automation operation platform model based on container and big data
CN111628981A (en) * 2020-05-21 2020-09-04 公安部第三研究所 Network security system and method capable of being linked with application system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11271950B2 (en) * 2018-04-04 2022-03-08 Sophos Limited Securing endpoints in a heterogenous enterprise network

Also Published As

Publication number Publication date
CN113259377A (en) 2021-08-13

Similar Documents

Publication Publication Date Title
JP3968724B2 (en) Network security system and operation method thereof
CN111752795A (en) Full-process monitoring alarm platform and method thereof
US7289988B2 (en) Method and system for managing events
US8185651B2 (en) Multi-segment network application monitoring and correlation architecture
US20170272510A1 (en) System and method for providing data and application continuity in a computer system
CN101227329B (en) System, apparatus and method for managing network device
US20120005538A1 (en) Dynamic Discovery Algorithm
CN101635652B (en) Method and equipment for recovering fault of multi-core system
US9813448B2 (en) Secured network arrangement and methods thereof
US20080168242A1 (en) Sliding Window Mechanism for Data Capture and Failure Analysis
WO2008083890A1 (en) Method, system and program product for alerting an information technology support organization of a security event
US9019863B2 (en) Ibypass high density device and methods thereof
WO2020121293A1 (en) Orchestration of activities of entities operating in a network cloud
CN114553537A (en) Abnormal flow monitoring method and system for industrial Internet
US8099489B2 (en) Network monitoring method and system
US6931357B2 (en) Computer network monitoring with test data analysis
KR101421086B1 (en) Apparatus and Method for Firewall System Integrated Management
CN113259377B (en) Internet security monitoring system and method and integrated all-in-one machine
Goyal et al. FCAPS in the business services fabric model
US20230060758A1 (en) Orchestration of Activities of Entities Operating in a Network Cloud
WO2016170664A1 (en) Abnormal-packet filtering apparatus and abnormal-packet filtering method
WO2019241199A1 (en) System and method for predictive maintenance of networked devices
CN116781312A (en) Security protection method, cloud security platform and storage medium
WO2005064854A1 (en) System for integrated security management based on the network
CN113190364A (en) Remote call management method and device, computer equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant