[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN102724068B - Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network - Google Patents

Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network Download PDF

Info

Publication number
CN102724068B
CN102724068B CN201210193161.8A CN201210193161A CN102724068B CN 102724068 B CN102724068 B CN 102724068B CN 201210193161 A CN201210193161 A CN 201210193161A CN 102724068 B CN102724068 B CN 102724068B
Authority
CN
China
Prior art keywords
address
ipv6
log
source
asset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210193161.8A
Other languages
Chinese (zh)
Other versions
CN102724068A (en
Inventor
范渊
杨永清
谈修竹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd filed Critical DBAPPSecurity Co Ltd
Priority to CN201210193161.8A priority Critical patent/CN102724068B/en
Publication of CN102724068A publication Critical patent/CN102724068A/en
Application granted granted Critical
Publication of CN102724068B publication Critical patent/CN102724068B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of computer application safety management, and aims at providing a method for identifying audit log asset in an internet protocol version 6 (IPv6) mixed network. The method comprises the steps that receiving a log message based on an external IPv6 to IPv4 double-stack protocol stack; acquiring a log source address from the log message, and analyzing a source address and a target address; normalizing the log source address, the source address and the target address, and restoring the variation in the transmission process of each tunnel; and identifying the log resource asset, the source asset and the target asset of corresponding log from the normalized log source address, the source address and the target address. Due to the adoption of the method, the log audit can be performed in the IPv6 and the IPv4 mixed network environment, and simultaneously the asset identification of the IPv6 address and the IPv4 address is supported. The precise address identification is supported. The address normalization processing is supported in different double-stack tunnel schemes, so that different address format information of the asset can be guaranteed and can be associated to the same asset.

Description

A kind of method of carrying out audit log asset identification in IPv6 hybrid network
Technical field
The present invention relates to computer application safety management technology field, particularly a kind of method of carrying out audit log asset identification in IPv6 hybrid network.
Technical background
Log Audit System, by the daily record of various equipment in network environment in collection organization, reaches the audit to IT assets whole in tissue, to find various security threat, carry out internal control, and conjunction rule is analyzed.
Along with the continuous distribution of the IPv4 network address, the IPv4 address space in the whole world almost exhausts, and whole the Internet starts the very long slow transition process from IPv4 to IPv6.According to relevant research, in order to protect existing IT to invest, transition process may continue a lot of year.
This also just means in various enterprise network, Operation Network, the situation of meeting long-term existence IPv6, IPv4 mixed deployment.The situation of IPv6, IPv4 mixed deployment includes but not limited to following form: in isolated IPv6 site tunnel access IPv4 network, isolated IPv6 site carries out interconnecting through IPv4 network tunnel, IPv4 main frame is by tunnel access IPv6 network, various 6to4 gateway deployment schemes etc.
But existing Log Audit System does not design for this IPv6, IPv4 hybrid network environment, especially in this hybrid network environment, how to carry out asset identification to audit log.
In this IPv6 hybrid network environment, for auditing system, need the audit log receiving various IPv4 equipment, IPv6 equipment or two stack equipment.On the one hand, these audit logs itself may send in IPv6 mode, also may send in IPv4 mode.On the other hand, the address information that may exist in audit log content, is also decided by the protocol version, the topological path that communicate, and there is different statement forms.So for auditing system, address information is very diversified.
In non-mixed network environment, audit log asset identification is generally all directly undertaken by address information coupling.This method, in hybrid network environment, has a lot of problem, as: two stack main frame may be identified as two different assets, equipment cannot carry out asset identification etc. behind the two stack border of leap.The problem of these asset identification, can badly influence further process such as auditing system follow-up various analyses, statistics, association etc. to audit log, the serious effect reducing audit, even has influence on various attack, the reviewing of malicious act.
Summary of the invention
The technical problem to be solved in the present invention is, overcomes deficiency of the prior art, provides a kind of method of carrying out audit log asset identification in IPv6 hybrid network.
For solving this technical problem, solution of the present invention is:
A kind of method of carrying out audit log asset identification in IPv6 hybrid network is provided, comprises the steps:
A, receive the daily record message of the various forms of all Log Source equipment, this receiving action is based on an outside IPv6-IPv4 dual stack stack;
B, from the daily record message received, obtain Log Source address, and from log content, parse source address and destination address; Address, described source or destination address are IPv4 address or IPv6 address;
C, Log Source address, source address, destination address to be normalized, the change that reduction Log Source address, address, source and destination address occur in various tunnel transmission process;
D, carry out daily record identifying processing, from the Log Source address after normalization, address, source and destination address identify the Log Source assets of corresponding daily record, source assets and desired asset.
In the present invention, the agreement that described daily record message uses is any one agreement of Syslog, SNMP, OPSEC or NetFlow.
In the present invention in step B, based on described IPv6-IPv4 dual stack stack, when receiving IPv4 daily record message, its address, source is IPv4 address, and when receiving IPv6 daily record message, its address, source is IPv6 address.
In the present invention, the form of described daily record message is any one in text formatting, 16 system forms, 2 system forms or abbreviation form.
In the present invention in step D, described identification is based on an outside asset addresses storehouse; Comprise the address information of assets in asset addresses storehouse, this address information comprises the IPv4 address of assets, IPv6 address or other any information relevant to asset identification.
Relative to prior art, beneficial effect of the present invention is:
1, can be supported in IPv6, IPv4 hybrid network environment and carry out log audit, support the asset identification of IPv6 address, IPv4 address simultaneously.
2, accurate Address Recognition can be supported.In various pairs of stack tunnel schemes, address normalized can be supported, thus guarantees the various address format information of assets, same assets can be associated with.
Accompanying drawing explanation
Fig. 1 is overall procedure block diagram audit log being carried out to asset identification in IPv6, IPv4 hybrid network environment;
Fig. 2 is operation block diagram audit log being carried out to asset identification in IPv6, IPv4 hybrid network environment.
Embodiment
First it should be noted that, the present invention relates to computer technology, is that computer technology is applied in the one of field of information security technology.In implementation procedure of the present invention, the application of multiple software function module can be related to.Applicant thinks, as reading over application documents, accurate understanding is of the present invention realize principle and goal of the invention after, when in conjunction with existing known technology, those skilled in the art can use its software programming technical ability grasped to realize the present invention completely.Aforementioned software functional module comprises but is not limited to: IPv6-IPv4 dual stack stack, daily record message source address acquisition module, address resolution module, address normalization module, asset identification module, asset addresses library module, assets find module etc. automatically, this category of all genus that all the present patent application files are mentioned, applicant will not enumerate.
About IPv6-IPv4 dual stack stack:
In order to support IPv6, IPv4 two kinds of agreements simultaneously, node runs IPv6 protocol stack simultaneously, IPv4 protocol stack two overlaps protocol stack, system can according to the data message IP head version information received, which judge to use protocol stack to process, finally message is delivered to upper level applications process, and corresponding message address information (IPv6 address or IPv4 address) is provided.
For auditing system, dual stack stack must be adopted both could to support to receive the audit log of IPv6 equipment transmission, also support the audit log receiving the transmission of IPv4 equipment.
The process of the address information diverse problems of application, and dual stack stack does not have direct relation, but there is relation closely with various across two stack tunneling technique.
Quote:
RFC?3513:?Internet?Protocol?Version?6?(IPv6)?Addressing?Architecture
RFC?4291:?IP?Version?6?Addressing?Architecture
RFC?3542:?Advanced?Sockets?Application?Program?Interface?(API)?for?IPv6
General principle in the present invention is, after receiving the daily record message in IPv4 and IPv6 hybrid network environment, by daily record message source address acquisition module, gets Log Source address; From the load of daily record message, get daily record, address resolution is carried out to log content, get address, source, destination address; Address normalized is carried out to Log Source address, address, source, destination address, then carries out asset identification process, thus identify Log Source assets, source assets, the desired asset information of daily record.
Describe the present invention below in conjunction with instantiation.
Describe the process of audit log being carried out to asset identification in IPv6, IPv4 hybrid network environment in Fig. 1, concrete process is as follows:
201 receive daily record: receive daily record message 102.
202 obtain Log Source address: according to the message IPv4 in daily record message 102 or IPv6 header information, get Log Source address 104 by daily record message source address acquisition module 103.
203 resolve address, source, destination address: according to the content of daily record 105, by address resolution module 106, parse source address 107, destination address 108.
204 address normalizeds: address normalized is carried out to Log Source address 104, address 107, source, destination address 108.
205 asset identification: go to retrieve asset addresses storehouse 111 according to the address information after normalization, recognize the Log Source assets 114 of daily record, source assets 112, desired asset 113.
206 assets relevant subsequent process: read the daily record after asset identification and carry out follow-up relevant treatment, as the association analysis of assets fragility, the analysis of assets significance level, asset threats impact analysis etc.
Fig. 2 describes an object lesson of address process in the present invention, asset identification, and relevant other entity part, mutual information.
First from various application safety equipment 101, as application safety scanner, database audit system, intruding detection system (IDS) etc., daily record message 102 is received.These daily record message protocols may be Syslog, SNMP, OPSEC, NetFlow etc., also may be other log protocols.
These daily record messages 102 through the process of daily record message source address acquisition module 103, from header acquisition of information to Log Source address 104.Log Source address 104 may be IPv4 address, also may be IPv6 address.
By extracting the load information of daily record message 102, obtaining daily record 105, through the dissection process of address resolution module 106, parsing source address 107, destination address 108.In the RFC standard that address resolution is mainly correlated with according to IPv4, IPv6, the definition of IP address format, by supporting all address formats, can get the address information existed in message.
The Log Source address 104 more than obtained, address 107, source, destination address 108, be normalized by address normalization module 109.Mainly according to various tunneling technique in the relevant RFC standard of IPv4, IPv6 in normalized process, the address be resolved to is normalized.
Here various tunnel to be processed is needed to include but not limited to: IPv4 compatible address automatic tunnel, 6to4 automatic tunnel, ISATAP automatic tunnel, IPv6 over IPv4 gre tunneling, tunnel agent technology, 6over4 tunnel, BGP tunnel etc.
Address after normalization, recognizes source assets 112, desired asset 113, Log Source assets 114 respectively by asset identification module 110.Asset identification module completes asset identification by retrieving an outside asset addresses storehouse 111.In asset addresses storehouse 111, each assets can comprise multiple address information, can be IPv4 forms, also can be IPv6 forms, or other any information relevant to asset identification.
Asset addresses storehouse 111 can be safeguarded by the mode of manual entry, also can automatically find that module 115 obtains by assets.Assets find to adopt the various modes such as network port scanning, network traffics topological analysis to carry out automatically.

Claims (5)

1. in IPv6 hybrid network, carry out a method for audit log asset identification, it is characterized in that, comprise the steps:
A, receive the daily record message of the various forms of all Log Source equipment, this receiving action is based on an outside IPv6-IPv4 dual stack stack;
B, from the daily record message received, obtain Log Source address, and from log content, parse source address and destination address; Address, described source or destination address are IPv4 address or IPv6 address;
C, Log Source address, source address, destination address to be normalized, the change that reduction Log Source address, address, source and destination address occur in various tunnel transmission process; Described normalized refers to, is normalized the address be resolved to according to the tunneling technique in the RFC standard that IPv4 or IPv6 is correlated with;
D, carry out daily record identifying processing, from the Log Source address after normalization, address, source and destination address identify the Log Source assets of corresponding daily record, source assets and desired asset.
2. method according to claim 1, is characterized in that, the agreement that described daily record message uses is any one agreement of Syslog, SNMP, OPSEC or NetFlow.
3. method according to claim 1, is characterized in that, in stepb, based on described IPv6-IPv4 dual stack stack, when receiving IPv4 daily record message, its address, source is IPv4 address, and when receiving IPv6 daily record message, its address, source is IPv6 address.
4. method according to claim 1, is characterized in that, the form of described daily record message is any one in text formatting, 16 system forms, 2 system forms or abbreviation form.
5. method according to claim 1, is characterized in that, in step D, described identification is based on an outside asset addresses storehouse; Comprise the address information of assets in asset addresses storehouse, this address information comprises the IPv4 address of assets, IPv6 address or other any information relevant to asset identification.
CN201210193161.8A 2012-04-05 2012-06-08 Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network Active CN102724068B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210193161.8A CN102724068B (en) 2012-04-05 2012-06-08 Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201210098303 2012-04-05
CN201210098303.2 2012-04-05
CN201210193161.8A CN102724068B (en) 2012-04-05 2012-06-08 Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network

Publications (2)

Publication Number Publication Date
CN102724068A CN102724068A (en) 2012-10-10
CN102724068B true CN102724068B (en) 2014-12-31

Family

ID=46949737

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210193161.8A Active CN102724068B (en) 2012-04-05 2012-06-08 Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network

Country Status (1)

Country Link
CN (1) CN102724068B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580546B (en) * 2014-12-22 2017-11-24 北京蓝汛通信技术有限责任公司 The acquisition methods and device of IP address properties information
CN110417841B (en) * 2018-04-28 2022-01-18 阿里巴巴集团控股有限公司 Address normalization processing method, device and system and data processing method
CN110535727B (en) * 2019-09-02 2021-06-18 杭州安恒信息技术股份有限公司 Asset identification method and device
CN114268583B (en) * 2021-11-26 2024-01-23 网络通信与安全紫金山实验室 SDN-based dual-stack backbone management method and device and electronic equipment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101237326A (en) * 2008-02-29 2008-08-06 华为技术有限公司 Method, device and system for real time parsing of device log

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564542A (en) * 2004-04-20 2005-01-12 清华大学 Tunnel set-up method for carrying out internet of IPV4 network on IPV6 network
KR100825758B1 (en) * 2006-06-19 2008-04-29 한국전자통신연구원 Apparatus and Method on network-based mobility support for dual stack nodes
CN101610174B (en) * 2009-07-24 2011-08-24 深圳市永达电子股份有限公司 Log correlation analysis system and method
CN102006338B (en) * 2010-12-23 2013-01-09 山东大学 Concurrent communication method for embedded equipment supporting IPv4/IPv6 protocol

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101237326A (en) * 2008-02-29 2008-08-06 华为技术有限公司 Method, device and system for real time parsing of device log

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于IPv4/IPv6双协议栈的联动防御系统研究与设计;王源;《中国优秀硕士学位论文全文数据库 信息科技辑》;20091015(第10期);第24-34页 *

Also Published As

Publication number Publication date
CN102724068A (en) 2012-10-10

Similar Documents

Publication Publication Date Title
Beverly et al. Forensic carving of network packets and associated data structures
US8875296B2 (en) Methods and systems for providing a framework to test the security of computing system over a network
Rafique et al. Firma: Malware clustering and network signature generation with mixed network behaviors
US20090182864A1 (en) Method and apparatus for fingerprinting systems and operating systems in a network
KR101239401B1 (en) Log analysys system of the security system and method thereof
US9411957B2 (en) Method and device for optimizing and configuring detection rule
US20090287788A1 (en) Network asset tracker
EP3232359B1 (en) Identification device, identification method, and identification program
CN102724068B (en) Method for identifying audit log asset in internet protocol version 6 (IPv6) mixed network
US8386409B2 (en) Syslog message routing systems and methods
CN108063833B (en) HTTP DNS analysis message processing method and device
CN103475746A (en) Terminal service method and apparatus
US10523549B1 (en) Method and system for detecting and classifying networked devices
CN115865525A (en) Log data processing method and device, electronic equipment and storage medium
CN112887289B (en) Network data processing method, device, computer equipment and storage medium
CN114363053A (en) Attack identification method and device and related equipment
CN103220188B (en) A kind of HTTP data acquisition equipment
US11916942B2 (en) Automated identification of false positives in DNS tunneling detectors
CN108959659A (en) A kind of log access parsing method and system of big data platform
CN109274551A (en) A kind of accurate efficient industry control resource location method
CN112640392B (en) Trojan horse detection method, device and equipment
CN115086068B (en) Network intrusion detection method and device
CN105635225A (en) Method and system of using mobile terminal to access mobile internet-based server and mobile terminal
KR20060079782A (en) Security system to improve the interoperability in ipv4 and ipv6 coexistence network
WO2011135181A1 (en) Method and arrangement for message analysis

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer

Patentee after: Hangzhou Annan information technology Limited by Share Ltd

Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer

Patentee before: Dbappsecurity Co.,ltd.

CP01 Change in the name or title of a patent holder