Online service abnormity monitoring method and monitoring system thereof

Abstract

The invention relates to an online service abnormity monitoring method. The method comprises the following steps that a service reliability experience module, a simulation terminal user access monitoring module and a local service end security agent assistive monitoring and reporting module, respectively intensively and widely sample needed all-level information and relative history online service information of a network layer, an operating system layer, an online Web system and application layer, a database layer and a file system layer which are related to online services, and then, according to sampling results, expert knowledge base information and user feedback base information, determines whether an abnormal event is generated, transmits a determination result to an event management server, an expert feedback module and a user feedback module; and if an abnormal event is generated, a post hoc log analysis and remote local end linked module automatically analyzes every system log, and the event management server gives alarms or displays monitoring results according to analysis results. Compared with the prior art, the method and the system are comprehensive, and have the advantages of high accuracy, high adaptability and the like.

Description

technical field [0001] The invention relates to an online service monitoring method and system, in particular to an online service abnormality monitoring method and a monitoring system thereof. Background technique [0002] Online services refer to Internet or local area network service providers providing computing, storage, information query and other information services to users through the network. Online services need to keep the network online. However, due to various reasons, abnormalities may occur in online services. There are many reasons for the abnormality of online services, including server software and hardware failures, network failures, etc., and a very important part of the reason is that online services have been maliciously attacked and security issues have occurred. For example: the server is attacked or even completely controlled, the domain name resolution of the online service is destroyed (polluted or hijacked), the static part of the online servi...

AI Technical Summary

Problems solved by technology

Although the current monitoring system can complete these functions, these means of dealing with security threats are implemented by different systems without direct connection, which makes it inconvenient for service operators to use and maintain, and the cost is high

[0006] 2) Insufficient functionality

Another example is a monitoring system that simulates users accessing online services to analyze and find problems on web pages. It ignores the file system of the server itself, the online service database, etc., which can easily cause false positives. For example, if an attacker installs a backdoor on the server, the Generally, the backdoor cannot be accessed through other web links, and can only be discovered when the explicit link method is known

This kind of problem cannot be found only by simulated user access

[0007] 3) Low efficiency

This method requires a lot of computing resources to implement, which is slow and inefficient

[0008] 4) Poor accuracy

If the malicious code attack fails and there is no malicious operation, this method cannot successfully detect the problem, resulting in false positives

Lower-end approaches don't use virtual machines, or even simulate a visitor's real-world environment, resulting in a lot of false negatives and false positives

In addition to virtual machine technology, another common and complementary monitoring method is based on purely static judgment of whether there are suspicious sentences in online content scripts, resulting in a large number of false positives

None of these current methods can effectively solve the accuracy problem of false negatives and false positives

[0009] 5) The monitoring report is complicated and the event correlation is poor

Various monitoring methods are used to issue different reports, and the descriptions of the security problems found in various reports are also very complicated and the terminology is different. It is difficult for users who are not familiar with the security field to understand the comprehensive security status of the website

Although there are different forms of linkage technologies (mainly based on SNMP) to solve the linkage between different manufacturers' equipment, such as firewalls and intrusion detection, the linkage effect is affected by the natural differences of different platforms and cannot achieve perfect event correlation, thus affecting the linkage effect.

Insufficient report form and poor event linkage effect prevent users from responding and giving feedback quickly on events, which affects the quick resolution of events

Images