
WO2004051929A1 - Audit platform system for application process based on components - Google Patents


Info

Publication number
WO2004051929A1
Authority
WO
WIPO (PCT)
Prior art keywords
audit
application
business
security
information
Prior art date
Legal status
Ceased
Application number
PCT/CN2003/001027
Other languages
French (fr)
Chinese (zh)
Inventor
Jun Lv
Weiqi Li
Weishen Xue
Current Assignee
NANJING GOLDEN EAGLE INTERNATIONAL GROUP SOFTWARE SYSTEM CO Ltd
Original Assignee
NANJING GOLDEN EAGLE INTERNATIONAL GROUP SOFTWARE SYSTEM CO Ltd
Priority date
Filing date
Publication date
Application filed by NANJING GOLDEN EAGLE INTERNATIONAL GROUP SOFTWARE SYSTEM CO Ltd
Priority to AU2003289636A
Publication of WO2004051929A1
Anticipated expiration
Ceased (current legal status)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/12 Network monitoring probes

Definitions

  • the invention is an audit platform system which is directed to and applied to the operation tracking and monitoring of computer information systems in various industries, and in particular relates to real-time scanning processing and auditing of trace information left by various behaviors during the operation of various computer information systems.
  • the platform system belongs to the field of computer information security prevention technology.
  • Firewall technology: an important security technology developed in recent years. It is characterized by checking network communication at the network entry point and, according to the security rules set by the customer, providing internal and external network communication while protecting the security of the internal network.
  • Virus protection technology: viruses have always been one of the main problems of information system security. Virus protection technology blocks the spread of viruses, checks for and removes viruses, upgrades virus databases, installs Java and ActiveX control scanning software on firewalls, proxy servers and PCs, and prohibits the download and installation of unauthorized controls.
  • Intrusion detection technology: intrusion detection systems are a new type of network security technology that has appeared in recent years. They can be host-based or network-based. Their purpose is to provide real-time intrusion detection and to take corresponding protective measures, such as recording evidence for tracking and recovery or disconnecting network connections. They are characterized by protocol analysis and detection capabilities, the completeness of their own security, accuracy and integrity, anti-spoofing capability, decoding efficiency and fast pattern update speed.
  • Security scanning technology: another important class of network security technology, which also comes in server-based and network-based forms. When it cooperates with firewalls and security monitoring systems it can greatly improve network security.
  • the server-based scanner mainly scans for server-related security vulnerabilities and proposes corresponding solutions, while the network-based security scanner mainly scans for security vulnerabilities in the servers, routers, bridges, switches, access servers, firewalls and other devices of a configured network, and can be set to simulate attacks in order to test the defensive capability of the system.
  • E-mail system security technology: this technology guarantees the security of e-mail.
  • Operating system security technology: many kinds of operating systems usually run in an information network; the technology includes access control, security policies, data integrity and auditing technologies.
  • the purpose of the present invention is to propose a component-based application process audit platform system which, using information technology as its means, objectively and timely monitors and audits the application systems, application processes and application results of various specific industries with respect to the reasonableness of their system security and the legitimacy of their process behaviour.
  • the component-based application process audit platform system of the present invention includes a known computer system, and further includes:
  • AGENT: a data collection agent installed in the user business application environment, which manages the download of user business audit rule configuration information and component packages, schedules and manages data probes (Probe), and is connected to the control server.
  • the data collection agent (AGENT) provides the component management and scheduling function for data probes (Probe);
  • Probe (also called a probe element): a data probe installed on the data collection node, built from components, which collects data according to the user's configuration and uploads it to the control server in real time;
  • Control Server: installed on an independent system and managed by the internal control department, it provides management of rule configuration libraries and component libraries and dynamically calls data analyzers, data miners and other auxiliary component function packages for data analysis and mining;
  • a control server including:
  • a business database storing the audit record data collected by the probe, after filtering and formatting;
  • an audit rule base that defines probe data collection strategies, the real-time analyzer's filtering and analysis strategies, and how post-event data analysis tools work;
  • User Console: a graphical user console for users to configure rules and view reports and other related information.
  • the above user business application environment is a computer business information system of any industry.
  • the data probes include server probes for monitoring application servers, network probes for monitoring networks, database probes for monitoring databases, and application-layer probes for monitoring application software and business processes.
  • the platform uses an ORB and complies with the CORBA specification. It describes application components with a faceted description method, manages them as a library, and uses automatic release technology. Using the domain engineering method, the platform builds a domain audit component library and assembles the audit data collection, analysis and reporting functions from reusable software components as building blocks. On the Agent side, the platform uses transparent network listening to capture the various data packets on the network and analyzes and processes the various log records of system activity. On the Control Server side, information is collected, analyzed and processed by the application process audit method, the specific activity characteristics implicit in the system activity information are identified and extracted, and violations that have already occurred or are latent are identified.
  • the data collection node installed in the existing business application environment downloads user business audit rule configuration information and component packages, starts the data probes, and schedules and manages them; the data probes schedule the probe elements according to the user's configuration
  • the probes collect data and upload it to the control server in real time; the control server, following the probe data collection strategy, real-time analyzer filtering and analysis strategies, and post-event data analysis tool operating mode defined by the audit rule base, stores the probe-collected data in the business database.
  • the present invention is a security audit platform for specific business process applications, which comprehensively applies component technology, security management and security architecture technology, and security audit, intrusion detection and early warning technology; adopts the application process audit method; provides a general platform for domain-oriented application security audit; introduces business-rule-based security audit into the security management system; and provides auditors with complete in-process and post-event system audit tools. Its componentization, rule configuration and knowledge base
  • provide the flexibility and composability that guarantee the conditions for adapting to the wide variety of industry applications; the openness and scalability of the component library, audit rule base and knowledge management base provide technical support for adapting to the changing development of different industry applications.
  • the present invention performs in-process audits at each level of the information system (application system, database, operating system, network) of the trace information left by the various internal and external behaviour processes during operation of the business system.
  • this trace information is scanned, analyzed and used for early warning in real time or quasi-real time. Violations and suspicious events can therefore be found in time, computer crime can be fundamentally prevented and eliminated, and the security of the information system ensured.
  • compared with the various post-event monitoring systems currently used by commercial banks, which fall within the scope of post-event audit, it has obvious distinguishing characteristics and represents substantial progress.
  • Audited objects: this invention audits non-standard and irregular operations in the business process, the general basic software (operating systems, databases and other underlying systems), and common business behaviours, collecting audit data according to business rules; a general network audit system does not care about specific business characteristics and behaviours, and only cares about common network behaviours (such as illegal browsing of web management objects, sending e-mail, FTP, shared files, etc.) and whether they endanger the basic network.
  • Analysis method: application process analysis in this invention, versus content filtering and rule matching. Focus: business applications and the system as a whole, versus the basic (bearer) network. Users: business auditors, versus network administrators who are not concerned with the specific business on the basic network and only manage the bearer network. Application domain: componentized and modular, targeted at domain applications, versus a single basic network product intended for all industries.
  • FIG. 1 is a schematic diagram of a system structure according to the first embodiment of the present invention.
  • FIG. 2 is a topology diagram of the first embodiment of FIG. 1.
  • FIG. 3 is a schematic diagram of an application environment of a bank deposit and withdrawal service in Embodiment 1.
  • FIG. 4 is a schematic diagram of a bank deposit and withdrawal business decomposition process in Embodiment 1.
  • FIG. 5 is a schematic diagram of a topology according to a second embodiment of the present invention.
  • Detailed description: this embodiment is a component-based application process audit platform system applied to a large financial network system. Its basic structure is shown in the figure and consists of the following main parts:
  • Control Server: installed on an independent operating system, it provides management of automatic configuration libraries and component libraries and dynamically calls data analyzers, data miners and other auxiliary component function packages for data analysis and mining, including:
  • a business database storing the audit record data collected by the probe, after filtering and formatting;
  • F. management of probe component deployment and automatic component generation tools, with which users can easily expand the audit component library of the system to meet the complexity and variability of the application system;
  • G. an audit rule base that defines probe data collection strategies, the real-time analyzer's filtering and analysis strategies, and how post-event data analysis tools work;
  • a visual user console for users to configure rules and view reports and other related information.
  • Data collection agent: installed on the central server cluster of the existing large financial network system, the data collection agent (Agent) provides a component-based operation management support platform for data collection probes. Once the agent is installed, all data collection probe components and data collection rule configuration information are configured and deployed centrally from the user console and distributed to the data collection agent.
  • Agent: the supported operating systems are UNIX, SCO UNIX, UNIWARE, WIN98/NT/2000/XP, etc. All data collection agents are connected to an independent information audit control server.
  • Control server: installed on an independent server, it is the core of the entire system and performs the filtering, formatting, storage, analysis and alarm functions for the audit data.
  • the database server that stores the audit data may, depending on the data load, be a stand-alone server or be merged with the control server.
  • User Console: a visual graphical user terminal for users to configure rules and view reports and other related information. All management is performed on the user console.
  • a bank deposit and withdrawal service is taken as an example to describe the working of the system of this embodiment.
  • the application environment of the complete bank deposit and withdrawal service in this example is shown in Figure 3, and the business process is broken down as shown in Figure 4.
  • the component-based application process audit platform system of this embodiment passes through the following key domain element pairs:

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention concerns an audit platform system for tracking and/or monitoring the operation of computer information systems in various fields, and belongs to the field of computer information security technology. The chief components of the system are a data acquisition proxy connected to a control server; the control server, which operates on the data acquisition proxy with its probes and includes a service database, a real-time analyzer, an ex-post data analysis tool, an automatic report tool, an audit policy library and an audit knowledge management library; and user consoles. The invention is characterized by the analysis and early warning obtained by real-time or quasi-real-time scanning of the trail information left by various interior and exterior behaviour procedures on each layer of the service system during its operation.

Description

Component-based application process audit platform system

Technical field

The invention is an audit platform system directed to and applied to the operation tracking and monitoring of computer information systems in various industries, and in particular a platform system that scans, processes and audits in real time the trace information left by the various behaviours that occur while those systems operate. It belongs to the field of computer information security prevention technology.

Technical background

The security prevention technology related to computer information security has, up to now, produced the following typical and effective technical solutions:

1. Firewall technology: an important security technology developed in recent years. Its characteristic is that it inspects network communication at the network entry point and, according to the security rules set by the customer, provides communication between the internal and external networks while protecting the security of the internal network.

2. Virus protection technology: viruses have always been one of the main problems of information system security. Virus protection technology can block the spread of viruses, check for and remove viruses, upgrade virus databases, install Java and ActiveX control scanning software on firewalls, proxy servers and PCs, and prohibit the download and installation of unauthorized controls.

3. Intrusion detection technology: intrusion detection systems are a new type of network security technology that has appeared in recent years. They can be divided into host-based and network-based systems. Their purpose is to provide real-time intrusion detection and to take corresponding protective measures, such as recording evidence for tracking and recovery or disconnecting network connections. They are characterized by protocol analysis and detection capability, the completeness of their own security, accuracy and integrity, anti-spoofing capability, decoding efficiency and fast pattern update speed.

4. Security scanning technology: another important class of network security technology is security scanning, which likewise comes in server-based and network-based forms. Used together with firewalls and security monitoring systems it can greatly improve network security. A server-based scanner mainly scans for security vulnerabilities related to the server and suggests corresponding solutions; a network-based security scanner mainly scans for security vulnerabilities in the servers, routers, bridges, switches, access servers, firewalls and other devices in a configured network, and can be set to simulate attacks in order to test the defensive capability of the system.

In addition there are:

5. E-mail system security technology: this technology guarantees the security of e-mail.

6. Operating system security technology: many kinds of operating system usually run within an information network; this technology includes access control, security policies, data integrity, auditing technology and so on.

The widespread application of computer information systems in all industries has rapidly raised the level of informatization in those industries, and at the same time the problems of computer crime and information system security have become increasingly prominent. As far as the applicant is aware, deviant computer crime in these industries mostly has the following characteristics: it often exploits the convenience of the perpetrator's position (which is related to the fact that the perpetrators of many such crimes are special subjects); it often uses fraudulent means that fabricate facts and conceal the truth; it is mostly committed through active action; dereliction of duty is relatively common; and most such crimes take a large sum, a huge amount, or a major loss as the standard for a completed offence. Compared with traditional criminal methods, computer crime in these industries has the following further characteristics: first, high intelligence, high technology and high gains; second, diverse methods; third, no restriction by time or place; fourth, strong concealment, long latency, low risk, easy destruction of evidence, and difficulty of obtaining evidence and detection. Its impact and consequences are therefore far more serious than those of crimes committed by other means.

Although some preventive control measures can be taken to protect the security of a computer information system, such as firewalls, network isolation and access control technology, and encryption and identity authentication technologies can also be applied in combination, analysis of the security problems that application systems face shows that there are currently no effective measures to prevent internal threats based on business processes. These threats include: illegal login, irregular operations, unauthorized modification of data, unauthorized restoration of historical data, unauthorized deletion of data, programs or system configuration, illegal modification of software, unauthorized changes to software deployment and software versions, unauthorized deletion of log files, deliberate exploitation of loopholes in business operations, internal collusion, and a whole series of other behaviours that abuse legitimate business operating rights in order to obtain illegal economic benefit or achieve an illegal purpose.

Because traditional information security measures are usually based on network communication, operating systems and the transport layer, there are few security strategies aimed at the application level of specific business processes. Business information system security is a multi-level, multi-angle systems engineering problem that must take into account every aspect of system security. The various existing solutions are mostly based on data communication and data storage and find it hard to audit the information about application behaviour processes; at the same time, there is no flexible in-process supervisory audit platform system capable of multi-level, multi-angle auditing of the key applications in an application system.

Summary of the invention

The purpose of the present invention is to propose a component-based application process audit platform system which, using information technology as its means, can objectively and timely monitor and audit the application systems, application processes and application results of various specific industries with respect to the reasonableness of their system security, the legitimacy of process behaviour and the authenticity of result data, in accordance with the security, standardization and authenticity requirements of business processing; report violations and suspicious events promptly; and submit various audit reports, thereby effectively preventing and stopping computer business crime.

Studies have shown that any behaviour that threatens the security of a business information system always leaves some trace information at the various levels of the application system while it is taking place. With the help of this trace information and an appropriate audit strategy, hidden business crime that is being or is about to be committed in the system can be discovered in time, and crimes and similar incidents can be avoided. Specifically, with respect to internal business system security, use of a business information system inevitably leaves trace information at the system layer or application layer, such as identity, location, time, event operation traces, event frequency, the timing of operation sequences, and sudden changes in key data items. By monitoring and auditing this information, business information system security problems can be discovered in time and computer business crime prevented and stopped. This is the application process audit method used by the present invention.

On the basis of this understanding, and in order to achieve the above purpose, the component-based application process audit platform system of the present invention comprises a known computer system and further comprises:

- AGENT: a data collection agent installed in the user's business application environment, which manages the download of user business audit rule configuration information and component packages, schedules and manages data probes (Probe), and is connected to the control server; the data collection agent (AGENT) provides the component management and scheduling function for data probes (Probe);

- Probe (also called a probe element): a data probe installed on a data collection node, built from components, which collects data according to the user's configuration and uploads it to the control server in real time;

- Control Server: a control server installed on an independent system and managed by the internal control department, which provides management of the rule configuration library and the component library and dynamically calls auxiliary component function packages such as data analyzers and data miners to analyze and mine the data; it contains:

A. a business database that stores the audit record data collected by the probes after filtering and formatting;

B. a real-time analyzer that analyzes and processes the collected data in real time according to the analysis strategy defined in the audit rule base, determines the risk level and triggers audit events;

C. a post-event data analysis tool that performs further mining and analysis of the collected data and of the application system's original database according to the audit rules;

D. an automatic reporting tool that customizes reports according to user needs and generates information audit reports;

E. a real-time alarm or SNMP interface for connecting to other systems;

F. an audit rule base that defines the probe data collection strategy, the filtering and analysis strategies of the real-time analyzer, and the way the post-event data analysis tool works;

- User Console: a visual, graphical user console through which users configure rules and view reports and other related information.

The user business application environment above is the computer business information system of any industry, and the data probes include server probes that monitor application servers, network probes that monitor the network, database probes that monitor databases, and application-layer probes that monitor application software and business processes.

The platform uses an ORB and complies with the CORBA specification. It describes application components with a faceted description method, manages them as a library, and uses automatic release technology. Using the domain engineering method, the platform builds a domain audit component library and assembles the audit data collection, analysis and reporting functions from reusable software components as building blocks. On the Agent side, the platform uses transparent network listening to capture the various data packets on the network and analyzes and processes the various log records of system activity. On the Control Server side, information is collected, analyzed and processed by the application process audit method, the specific activity characteristics implicit in the system activity information are identified and extracted, and violations that have already occurred or are latent are identified.

In operation, the data collection node installed in the existing business application environment downloads the user business audit rule configuration information and component packages, starts the data probes, and schedules and manages them; the data probes schedule the probe elements to collect data according to the user's configuration and upload it to the control server in real time. The control server, following the probe data collection strategy, the real-time analyzer's filtering and analysis strategies, and the post-event data analysis tool operating mode defined in the audit rule base, stores the probe-collected, filtered and formatted audit record data in the business database; the real-time analyzer analyzes and processes the collected data in real time according to the analysis strategy defined in the audit rule base, determines the risk level and triggers audit events; the post-event data analysis tool performs further mining and analysis of the collected data and of the application system's original database according to the audit rules; the automatic reporting tool customizes reports and generates information audit reports according to user needs; and the results are transmitted through the real-time alarm/SNMP interface to the user console, where users configure rules and view reports and other related information. In this way, the reasonableness of the security of application systems, application processes and application results, the legitimacy of process behaviour, and the authenticity of result data are objectively and timely monitored and audited, violations and suspicious events are reported in time, and audit reports of all kinds are submitted.

It can thus be seen that the present invention is a security audit platform oriented to specific business process applications. It combines component technology, security management and security architecture technology, and security audit and intrusion detection and early warning technology, adopts the application process audit method, and provides a general platform for domain-oriented application security audit. It introduces business-rule-based security audit into the security management system and gives auditors complete tools for in-process and post-event system audit. The flexibility and composability afforded by its componentization, configurable rules and knowledge base provide the conditions for adapting to widely differing industry uses, and the openness and upgradability of the component library, audit rule base and knowledge management base provide the technical basis for keeping up with the changing needs of different industries.

Compared with the various existing computer security protection technologies described above, the present invention is characterized by in-process audit: the trace information left at every level of the information system (application system, database, operating system, network) by the various internal and external behaviour processes during the operation of the business system is scanned, analyzed, processed and used for early warning in real time and near real time. Violations and suspicious events can therefore be discovered promptly, computer crime can be prevented and eliminated at its root, and the security of the information system ensured. Compared with the various post-event supervision systems currently used by commercial banks, which belong to the category of post-event result audit, this is a distinctive and substantive advance.

Compared with an intrusion detection system, the following table shows the essential differences (comparison item; APA system; intrusion detection system):

Content of concern
  APA system: application software systems at the application layer, databases, operating systems, and non-standard operations and abnormal business behaviour in network e-business processes
  Intrusion detection system: the link layer, network layer and upper four layers of the OSI seven-layer protocol, excluding application software systems and databases, i.e. operating systems and general-purpose basic software systems

Managed objects
  APA system: analyzes and correlates audit data according to business rules to discover illegitimate behaviour characteristics
  Intrusion detection system: does not care about specific business characteristics or behaviour; only cares whether general network behaviour (WEB browsing, sending E-mail, FTP, file sharing, etc.) contains behaviour that endangers the basic network

Method of implementation
  APA system: application process analysis
  Intrusion detection system: content filtering, rule matching

Focus
  APA system: business-application-centred
  Intrusion detection system: network- and system-centred

Users
  APA system: business auditors
  Intrusion detection system: network administrators

Targeted objects
  APA system: specific domain applications above the basic network; componentized, modular flexibility adapts it to the different applications of various industries
  Intrusion detection system: independent of the business; manages only the bearer network, the basic network common to all industries

Adaptability
  APA system: componentized platform, open to secondary development
  Intrusion detection system: single function, no secondary development

Evolvability
  APA system: audit rule descriptions or components can be adjusted to follow changing requirements; good evolvability
  Intrusion detection system: cannot cope with the diversity of application systems

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is further described below with reference to the drawings:

FIG. 1 is a schematic diagram of the system structure of Embodiment 1 of the present invention.

FIG. 2 is a topology diagram of Embodiment 1 of FIG. 1.

FIG. 3 is a schematic diagram of the application environment of the bank savings withdrawal business in Embodiment 1.

FIG. 4 is a schematic diagram of the decomposition of the bank savings withdrawal business process in Embodiment 1.

FIG. 5 is a topology diagram of Embodiment 2 of the present invention.

DETAILED DESCRIPTION

Embodiment 1

This embodiment is a component-based application process audit platform system applied to a large financial network system. Its basic structure is shown in the figure and consists of the following main parts:

—— a data collection agent, installed on the existing central server cluster, which downloads the user's business audit rule configuration information and component packages, schedules and manages the data detectors, and connects to the control server;

—— data detectors located on each data collection node, including the server network, branch servers and branch networks, which are component-based, collect data according to the user's configuration and upload it to the control server in real time;

—— a control server (Control Server), running an independent operating system, which manages the automatic configuration library and the component library and dynamically invokes auxiliary component function packages such as data analyzers and data miners to analyze and mine the data. It comprises:

A. a business database storing the audit record data collected by the probes, filtered and formatted;

B. a real-time analyzer that analyzes the collected data in real time according to the analysis policy defined in the audit rule base, determines the risk level and triggers audit events;

C. a post-event data analysis tool that performs further mining and analysis of the collected data and of the application system's original database according to the audit rules;

D. an automatic reporting tool that customizes reports and generates information audit reports as the user requires;

E. a real-time alarm/SNMP interface integrating several event response interfaces, which can respond by automatically running a program, by SNMP security event alarm, by mobile short message, by e-mail alarm and so on;

F. an audit component library, including management of probe component deployment and an automatic component generation tool, which lets users extend the system conveniently to cope with the complexity and variability of application systems;

G. an audit rule base defining the probe data collection policy, the real-time analyzer filtering and analysis policies, and the working mode of the post-event data analysis tool;

H. an audit knowledge management base holding domain (industry) application audit templates, audit business descriptions, audit event risk level definitions, audit event handling results and so on, so that different business domains can be accommodated by combining templates and updating the audit knowledge management base;

—— a visual user console (User Console) where users configure rules and view reports and other related information.

The system can be represented by the topology of FIG. 2; its specific configuration is as follows:

1. Data collection agent: installed on the central server cluster of the existing large financial network system, the data collection agent (Agent) provides the runtime management support platform for the component-based data collection probes. After the agent is installed, all data collection probe components and data collection rule configuration information are configured and deployed centrally from the user console and distributed to the agent. Supported operating systems include UNIX, SCO UNIX, UNIXWARE and WIN98/NT/2000/XP; all data collection agents connect to an independent information audit control server.

2. Control server: installed on an independent server, it is the core of the whole system and performs the filtering, formatting, storage, analysis and alarm functions for the audit data. Depending on the data load, the database server that stores the audit data can be a separate server or be merged with the control server.

3. User console (User Console): a visual graphical user terminal where users configure rules and view reports and other related information. All management is performed from the user console.

The working of the system of this embodiment is explained below using the bank savings withdrawal business as an example. The application environment of the complete bank savings withdrawal business in this example is shown in FIG. 3, and the decomposition of the business process is shown in FIG. 4. The component-based application process audit platform system of this embodiment performs the security audit of process behaviour through the following key domain elements:

1. Identity. An application system normally decides whether to execute an access request according to the identity of the user; user identity is one of the core issues of the security policy.

2. Location. A manageable network is established from the identification codes of network devices, so that the access location and access rights of accessing devices can be known and controlled precisely.

3. Time. The time of an operation is often associated with the reasonableness of application behaviour.

4. Behaviour process characteristics: business action characteristics such as the frequency of events, sudden changes in key data items and the timing of operation actions.

When the bank savings withdrawal business is running, the corresponding probe components deployed on the terminal front-end processors, the central switch network and the business hosts load the corresponding domain application audit rule templates from the audit knowledge management base; once the data collection policy and the real-time analysis policy have been configured, APA can monitor the following business steps and audit suspicious behaviour in them in real time:

1. Operator login. The legitimacy of this action is related to identity, location, time and behaviour process characteristics, for example someone logging in to the savings application system at a counter terminal outside the normal working hours of 8:30-5:30, repeatedly attempting to log in more than 5 times, or one login name logging in at several counter terminals.

2. Entering a withdrawal operation. The legitimacy of this action is related to identity, location, time and behaviour process characteristics, for example someone performing a withdrawal at a counter terminal outside 8:30-5:30 on a working day, or a withdrawal amount greater than 5000.

3. Connecting to the database, for example connecting directly to the back-end database from outside the information centre, or repeatedly attempting to log in more than 5 times.

4. Debiting an account, for example a withdrawal amount greater than 5000, cumulative debits from one account greater than 10000 in one day, or withdrawals from the same account at several locations less than 1 minute apart.

Once the corresponding probe components installed on the data collection nodes of the terminal front-end processors, the central switch network and the business hosts discover any of the above suspicious events, they upload them to the control server in real time, and the control server (Control Server) sends the corresponding alarm signal, together with the required reports or other related visual graphical information, to the user console (User Console) through the real-time alarm/SNMP interface.

It can be seen that the system of this embodiment has the following innovations:

1. An audit system based on application behaviour processes is established for the various security risks and business risks present in the operation of application systems in various domains. The trace information left at every level of the information system (application system, database, operating system, network) by the various internal and external behaviour processes during the operation of the business system is scanned and processed in real time and near real time, and the information is analyzed and used for early warning in real time according to audit policies and methods for the reasonableness, legitimacy and authenticity of business processing.

2. The business processing characteristics of domain applications are combined with security audit rules. Through visual customization of audit rules, the data collection policy of the probes, the filtering and analysis policies of the real-time analyzer and the working mode of the post-event data analysis tool are defined, driving the probes and analyzers; combined with host-layer and network-layer security measures, this can form a complete information security audit system.

3. A component-based information audit platform is realized. The platform incorporates the advanced ideas of software framework technology, distributed computing models and interface standards, so that new probes, analyzers and other components can be developed and deployed quickly on the platform, flexibly extending system functions to cope with the complexity of various applications.

4. A domain application audit knowledge management base is established. The knowledge management base holds domain application audit rule templates, audit business descriptions, audit event risk level definitions, audit event handling results and so on, so that security audit knowledge accumulates continuously and information audit knowledge is reused.

In short, this embodiment uses the application behaviour process audit method to monitor and audit the application behaviour characteristics of business systems against the security, compliance and authenticity requirements of their business processing, and raises alarms on violations and suspicious events.

From the above description of this embodiment it can be seen, first, that the component-based application process audit platform system is an audit platform for domain application systems based on application behaviour processes. Because application systems differ enormously, are open only to a limited degree and have differing concerns, information audit of domain application systems is very difficult: traditional audit trailing of computer information systems, preservation of audit records and maintenance of audit logs concentrate mainly on the network layer and the system layer, and mostly on logs. Although application systems themselves implement some logging functions to a greater or lesser extent, the completeness of the logs is hard to guarantee, there are no corresponding means of log analysis and early-warning handling, and log storage management and tamper prevention are also problematic. The component-based application process audit platform system, by contrast, uses a platform approach and goes beyond simple post-event log audit by auditing the application behaviour processes of business systems.

Second, the component-based application process audit platform system combines the business processing characteristics of domain applications with security audit rules. In real environments there are many cases of information systems being used illegally under the identity of a legitimate user, and auditing these purely by traditional security audit methods is ineffective. By combining the business processing characteristics and business rules of the domain application, such suspicious and abnormal business operations can be singled out. Because of the complexity of business systems, however, this requires a fairly thorough understanding of the whole domain application and a method for customizing audit rules. Combined with host-layer and network-layer security measures, the component-based application process audit platform system can form a complete information security audit system.

In addition, the component-based application process audit platform system is a component-based information audit platform. It is application-oriented, and componentization is the natural choice for coping with the complexity and changes of applications. It is a distributed system, and the platform must provide centralized management, automatic deployment and rapid development and assembly of components. While componentization greatly improves the productization and extensibility of security audit, it also adds a certain complexity to the implementation of the system.

Embodiment 2

This embodiment is a component-based application process audit platform system applied to the internal local area network of an enterprise or government body; its structure is shown in FIG. 5. The basic structure is the same as in Embodiment 1, with the following differences:

1. Data are not managed centrally and applications are also distributed, that is, spread across the various application systems; the network is correspondingly divided into several functional subnets. A separate network probe therefore has to be deployed on each subnet, and the corresponding application probe on each application server.

2. The applications are mainly e-government, enterprise ERP, office automation and the like. Since the business differs from the financial business of the previous example and the security requirements also differ, the audit rules are different.

The specific working of this embodiment follows by analogy from Embodiment 1, combined with the different audit rules, and is not described further.

Besides the embodiments above, the present invention may have other implementations. All technical solutions formed by equivalent substitution or equivalent transformation fall within the scope of protection claimed by the present invention.
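As an added example that is not code from the patent, the following Python sketch implements the real-time analyzer rules listed for the withdrawal business of Embodiment 1 (login hours, repeated attempts, one login name on several terminals, amount limits, daily cumulative debits, same-account withdrawals at two locations within one minute) over constructed audit events. The event field layout, the location name "info_center" and the reading of "8:30-5:30" as 08:30-17:30 are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Thresholds as stated for the bank withdrawal business in Embodiment 1;
# "8:30-5:30" is read here as 08:30-17:30 (assumption).
WORK_START, WORK_END = time(8, 30), time(17, 30)
MAX_ATTEMPTS = 5             # "repeatedly attempting to log in more than 5 times"
SINGLE_LIMIT = 5000          # withdrawal or debit amount greater than 5000
DAILY_LIMIT = 10000          # cumulative debits on one account greater than 10000 per day
MIN_INTERVAL = timedelta(minutes=1)
INFO_CENTER = "info_center"  # constructed name for the information centre location


@dataclass
class AuditEvent:
    """One filtered and formatted probe record; the field layout is assumed."""
    ts: datetime
    step: str           # "login" | "withdraw" | "db_connect" | "debit"
    operator: str
    terminal: str
    location: str
    account: str = ""
    amount: int = 0
    success: bool = True


def outside_hours(ts):
    return not (WORK_START <= ts.time() <= WORK_END)


class RealtimeAnalyzer:
    """Applies identity / location / time / behaviour rules to an event stream and
    returns (rule, risk level) findings, i.e. the audit events to trigger."""

    def __init__(self):
        self.failures = defaultdict(int)   # (operator, step) -> consecutive failures
        self.terminals = defaultdict(set)  # operator -> terminals currently logged in
        self.daily = defaultdict(int)      # (account, date) -> total debited that day
        self.last_debit = {}               # account -> (timestamp, location)

    def _too_many_attempts(self, ev):
        """Count consecutive failed attempts per operator and step."""
        key = (ev.operator, ev.step)
        if ev.success:
            self.failures[key] = 0
            return False
        self.failures[key] += 1
        return self.failures[key] > MAX_ATTEMPTS

    def process(self, ev):
        found = []
        if ev.step == "login":
            if outside_hours(ev.ts):
                found.append(("login outside 8:30-17:30", "medium"))
            if self._too_many_attempts(ev):
                found.append(("more than 5 login attempts", "high"))
            if ev.success:
                self.terminals[ev.operator].add(ev.terminal)
                if len(self.terminals[ev.operator]) > 1:
                    found.append(("one login name on multiple terminals", "high"))
        elif ev.step == "withdraw":
            if ev.ts.weekday() < 5 and outside_hours(ev.ts):
                found.append(("withdrawal outside working hours", "medium"))
            if ev.amount > SINGLE_LIMIT:
                found.append(("withdrawal above 5000", "medium"))
        elif ev.step == "db_connect":
            if ev.location != INFO_CENTER:
                found.append(("database connection from outside the information centre", "high"))
            if self._too_many_attempts(ev):
                found.append(("more than 5 database login attempts", "high"))
        elif ev.step == "debit":
            if ev.amount > SINGLE_LIMIT:
                found.append(("debit above 5000", "medium"))
            day = (ev.account, ev.ts.date())
            self.daily[day] += ev.amount
            if self.daily[day] > DAILY_LIMIT:
                found.append(("daily cumulative debits above 10000", "high"))
            prev = self.last_debit.get(ev.account)
            if prev and prev[1] != ev.location and ev.ts - prev[0] < MIN_INTERVAL:
                found.append(("same account debited at two locations within 1 minute", "high"))
            self.last_debit[ev.account] = (ev.ts, ev.location)
        return found


def run_sample():
    """Replay a constructed event sequence; returns the rule names hit per event."""
    t = datetime(2003, 12, 1, 10, 0)  # a Monday, inside working hours
    events = [
        AuditEvent(t, "login", "op1", "T1", "branch_a"),
        AuditEvent(t + timedelta(minutes=1), "login", "op1", "T2", "branch_b"),
        AuditEvent(t + timedelta(minutes=2), "debit", "op1", "T1", "branch_a", "ACC9", 6000),
        AuditEvent(t + timedelta(minutes=2, seconds=30), "debit", "op2", "T3", "branch_b", "ACC9", 4500),
        AuditEvent(datetime(2003, 12, 1, 19, 0), "withdraw", "op1", "T1", "branch_a", "ACC9", 100),
    ]
    analyzer = RealtimeAnalyzer()
    return [[rule for rule, _ in analyzer.process(ev)] for ev in events]


def repeated_login_demo(attempts):
    """Findings raised by the last of `attempts` consecutive failed logins."""
    analyzer = RealtimeAnalyzer()
    base = datetime(2003, 12, 1, 9, 0)
    last = []
    for i in range(attempts):
        ev = AuditEvent(base + timedelta(seconds=i), "login", "op3", "T1", "branch_a", success=False)
        last = analyzer.process(ev)
    return last
```

In the patent's architecture the findings returned by process() would be the audit events handed to the real-time alarm/SNMP interface, while the raw records still go to the business database for post-event analysis.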
PCT/CN2003/001027 2002-12-03 2003-12-01 Audit platform system for application process based on components Ceased WO2004051929A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003289636A AU2003289636A1 (en) 2002-12-03 2003-12-01 Audit platform system for application process based on components

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 02148414 CN1417690A (en) 2002-12-03 2002-12-03 Application process audit platform system based on members
CN02148414.7 2002-12-03

Publications (1)

Publication Number Publication Date
WO2004051929A1 true WO2004051929A1 (en) 2004-06-17

Family

ID=4751405

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2003/001027 Ceased WO2004051929A1 (en) 2002-12-03 2003-12-01 Audit platform system for application process based on components

Country Status (3)

Country Link
CN (1) CN1417690A (en)
AU (1) AU2003289636A1 (en)
WO (1) WO2004051929A1 (en)

Also Published As

Publication number Publication date
CN1417690A (en) 2003-05-14
AU2003289636A1 (en) 2004-06-23


Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP