
Research and Implementation of a Network Data Acquisition Device Based on Plug-in Technology

Research and Implementation of Data Acquisition Device Based on Plug-in Technology

【Author】 Li Yang

【Supervisor】 Yang Yixian

【Author information】 North China University of Technology, Signal and Information Processing, 2010, Master's thesis

【Abstract (translated from the Chinese)】 The plug-in-based network data acquisition device is one of the key components of the information security integrated management platform. It performs log collection: it gathers logs from network security devices, converts them into a unified format, and sends them to the database. The acquisition device uses log normalization, i.e. the differing ways of describing content and the differing field orders found in logs are converted according to a standard format defined in advance. Because the network security devices in an enterprise (IDS, firewalls, routers, switches, etc.) often come from different vendors, operate independently and are not correlated with one another, and their logs all follow vendor-defined formats, correlation analysis is very difficult unless the logs are normalized, making network security management doubly laborious. This thesis proposes an improved scheme for several problems in existing data acquisition technology; the main research content is: 1) In existing technology, every log to be formatted must first go through a lookup-and-matching step, which reduces system throughput in a network environment that produces large volumes of logs. This thesis designs an improved architecture that binds plug-ins to devices and ports, so that logs can be formatted without the lookup step, improving the execution efficiency of the architecture. 2) In existing technology, when a device's log type changes or a new device is added, the lookup step fails and the current log is discarded. This thesis designs an automatic update module which, in such cases, automatically downloads the corresponding plug-in from the plug-in library and continues formatting the log, avoiding the loss of important security information. 3) The designed acquisition device is implemented in PHP, MySQL and Perl; the implementation comprises the plug-ins, the automatic update program, the plug-in invocation program and the back-end management interface. Based on the standard format defined in this thesis, the input to the acquisition device is raw device logs and its output is logs in a unified format, which serve as the data source of the information security integrated management platform. Although the plug-in-based network data acquisition device designed here is part of the information security integrated management platform, it can also be used in other data acquisition environments.

【Abstract】 The data acquisition device based on plug-in technology is one of the important parts of the information security integrated management platform. It works as a log collector that is responsible for acquiring data from network security devices, formatting the logs, and then sending the logs in a unified format to the central database. The data acquisition device uses a log formatting technique by which the different ways of representing content and the different orders of fields in logs are translated according to a pre-established standard format. Currently, the various network security devices (IDS, firewalls, routers, switches, etc.) in an enterprise may come from different manufacturers. The devices therefore deal with problems in their own way and lack correlation among them. In addition, their logs follow formats defined by the manufacturers. Without formatting these logs, security experts find analysing security incidents doubly difficult, and network security management gets half the result with twice the effort. Aiming at some problems in current data acquisition devices, this project presents an improved scheme covering the aspects listed below: 1) In the existing technology, every log format has to go through a lookup-and-judging process, which affects the efficiency of the system when a large number of logs arise. This project presents an improved scheme in which log formatting runs without the judging process by binding the plug-in to the device and port. Accordingly, the efficiency of the system is improved. 2) When a log type changes or new equipment is added, the judging process fails and discards the current log. This project designs an automatic update module which, in the situations above, automatically downloads the corresponding plug-in from the library to complete the log formatting, avoiding the loss of important information. 3) The data acquisition device, including the plug-ins, the automatic update module, the plug-in calling procedures and the admin interface, is developed in PHP, MySQL and Perl. Based on the standard format defined by the project, the input to the data acquisition device is the original log and the output from the data collector is a log in the unified format, which serves as the data source of the information security integrated management platform. Although the data acquisition device based on plug-in technology belongs to the information security integrated management platform, it can also be used in other data acquisition environments.
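The two architectural points in the abstract (plug-ins bound to a device/port pair so that normal traffic skips the lookup step, and an automatic update step that fetches a plug-in from a library instead of discarding a log when the bound plug-in no longer matches) are shown below as an added Python example. It is not code from the thesis, which was written in PHP, Perl and MySQL; the plug-in parsers, the unified field set, the in-memory "plug-in library" standing in for the download step, and all log lines are constructed for this illustration.

```python
import re

# Unified record fields (assumed; the thesis defines its own standard format, not reproduced here).
UNIFIED_FIELDS = ("device", "event_time", "src_ip", "dst_ip", "action", "message")


def parse_fw_v1(line):
    """Plug-in for a constructed firewall syslog format, key=value fields."""
    m = re.match(r"(\S+ \d+ [\d:]+) FW: (\w+) src=(\S+) dst=(\S+) msg=(.*)", line)
    if not m:
        return None
    t, action, src, dst, msg = m.groups()
    return {"event_time": t, "src_ip": src, "dst_ip": dst, "action": action, "message": msg}


def parse_fw_v2(line):
    """Plug-in for the same (constructed) firewall after a firmware update changed the field order."""
    m = re.match(r'(\S+ \d+ [\d:]+) FW2 ([\d.]+)->([\d.]+) (\w+) "(.*)"', line)
    if not m:
        return None
    t, src, dst, action, msg = m.groups()
    return {"event_time": t, "src_ip": src, "dst_ip": dst, "action": action, "message": msg}


def parse_ids(line):
    """Plug-in for a constructed IDS alert format."""
    m = re.match(r"\[(.*?)\] IDS alert: (.*?) \{(\S+) -> (\S+)\}", line)
    if not m:
        return None
    t, msg, src, dst = m.groups()
    return {"event_time": t, "src_ip": src, "dst_ip": dst, "action": "ALERT", "message": msg}


# Stand-in for the remote plug-in library the update module downloads from (assumption).
PLUGIN_LIBRARY = {"fw-v1": parse_fw_v1, "fw-v2": parse_fw_v2, "ids-v1": parse_ids}


def fetch_plugin(sample_line):
    """Automatic update step: find a library plug-in that parses this device's current log format."""
    for name, parser in PLUGIN_LIBRARY.items():
        if parser(sample_line) is not None:
            return name, parser
    return None, None


class Collector:
    def __init__(self):
        self.bindings = {}   # (device_ip, port) -> (plugin_name, parser)
        self.downloads = []  # plug-ins fetched by the update step, in order
        self.dropped = []    # lines no plug-in in the library could parse
        self.searches = 0    # how often the slow library lookup ran

    def collect(self, device, port, line):
        # Fast path: the plug-in bound to this device/port parses the line directly.
        binding = self.bindings.get((device, port))
        rec = binding[1](line) if binding else None
        if rec is None:
            # Slow path: no binding, or the log format changed under the bound plug-in.
            self.searches += 1
            name, parser = fetch_plugin(line)
            if parser is None:
                self.dropped.append(line)
                return None
            self.bindings[(device, port)] = (name, parser)  # (re)bind for future lines
            self.downloads.append(name)
            rec = parser(line)
        rec["device"] = device
        return rec


def run_demo():
    """Feed a constructed event stream through the collector; returns (collector, records)."""
    events = [  # (device_ip, port, raw log line) - all constructed
        ("10.0.0.1", 514, "Mar 10 12:00:01 FW: DENY src=10.0.0.5 dst=192.168.1.10 msg=port scan"),
        ("10.0.0.1", 514, "Mar 10 12:00:03 FW: ALLOW src=10.0.0.6 dst=192.168.1.10 msg=http"),
        ("10.0.0.2", 514, "[2010-03-10 12:00:09] IDS alert: SQL injection attempt {10.0.0.9 -> 192.168.1.20}"),
        ("10.0.0.1", 514, 'Mar 10 12:00:05 FW2 10.0.0.7->192.168.1.10 ALLOW "http"'),  # format changed
        ("10.0.0.3", 514, "not a format any plug-in knows"),
    ]
    c = Collector()
    records = [r for r in (c.collect(d, p, line) for d, p, line in events) if r is not None]
    return c, records


if __name__ == "__main__":
    collector, recs = run_demo()
    for r in recs:
        print({k: r[k] for k in UNIFIED_FIELDS})
    print("downloads:", collector.downloads, "dropped:", len(collector.dropped))
```

In the run above the second firewall line hits the bound plug-in directly, the changed-format line triggers one library lookup and a rebinding instead of being discarded, and only the line that no plug-in can parse is dropped; the `searches` counter makes the efficiency argument of the abstract measurable on a larger stream.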

【Keywords (translated from the Chinese)】 data acquisition; log; log formatting; plug-in; DDOS
【Key words】 data acquisition; log; log format; plug-in; DDOS