CN105812324A - Method, device and system for IDC information safety management - Google Patents
- Publication number: CN105812324A (application CN201410843504.XA)
- Authority: CN (China)
- Prior art keywords: log, information security, url, missing, policy
- Legal status: Granted
Abstract
Embodiments of the present invention provide a method, device and system for IDC information security management. The method includes: a log synthesis server identifies access logs to be compensated and caches them, where the information security logs generated by the user accesses corresponding to those access logs require uniform resource locator (URL) compensation; the log synthesis server identifies information security logs missing a URL and caches them; further, the log synthesis server compensates the information security logs missing a URL according to the access logs to be compensated, thereby compensating information security logs missing a URL in the same-source, same-destination scenario.
Description
Technical field
Embodiments of the present invention relate to communication technology, and in particular to a method, device and system for IDC information security management.
Background
A same-source, same-destination network topology is generally complex; for example, it may contain asymmetric routing devices and multiple deep packet inspection (DPI) devices. In that case there are multiple physical links between the same Internet data center (IDC) node network device and the same backbone network device, and the routing devices on those links have the same priority. The routing devices at both ends usually load-share traffic across the multiple physical links, so the uplink and downlink traffic of one session reaches the peer routing device over different physical links; that is, the uplink and downlink traffic of the same session passes through different information security detection devices. As a result, the information security log reported by the information security detection device on the downlink path lacks the uniform resource locator (URL) and cannot satisfy the requirement of the IDC information security management specifications that an information security log contain a URL.
Therefore, the technical problem addressed by the present invention is how to compensate information security logs missing a URL in the same-source, same-destination scenario so as to realize IDC information security management.
Summary of the invention
Embodiments of the present invention provide a method, device and system for IDC information security management that compensate information security logs missing a URL in the same-source, same-destination scenario.
In a first aspect, an embodiment of the present invention provides a method for Internet data center (IDC) information security management, including:
a log synthesis server identifies an access log to be compensated and caches it, where the access log to be compensated is an access log reported by a deep packet inspection (DPI) device and the information security log generated by the user access corresponding to that access log requires uniform resource locator (URL) compensation;
the log synthesis server identifies an information security log missing a URL and caches it, where the information security log missing a URL is an information security log reported by an information security detection device;
the log synthesis server compensates the information security log missing a URL according to the access log to be compensated.
With reference to the first aspect, in a first possible implementation of the first aspect, the log synthesis server identifying the access log to be compensated includes:
the log synthesis server identifies the access log to be compensated according to a to-be-compensated flag in that access log, where the to-be-compensated flag indicates that the information security log generated by the user access corresponding to the access log requires URL compensation.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, the log synthesis server identifying the information security log missing a URL includes:
the log synthesis server identifies the information security log missing a URL according to an exception flag in that information security log, where the exception flag indicates that the information security log requires URL compensation.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the exception flag includes a missing-URL log flag and a result-pending log flag.
With reference to the first aspect or any of its first to third possible implementations, in a fourth possible implementation of the first aspect, the log synthesis server compensating the information security log missing a URL according to the access log to be compensated includes:
the log synthesis server determines the key identification fields of any information security log missing a URL;
the log synthesis server traverses all cached access logs to be compensated according to the key identification fields until it finds the access log to be compensated that matches those fields;
the log synthesis server obtains the URL of the matching access log to be compensated and writes that URL into the information security log missing a URL.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the key identification fields include: source Internet Protocol (IP) address, destination IP address, source port, destination port and device transaction identifier (ID).
With reference to any of the third to fifth possible implementations of the first aspect, in a sixth possible implementation of the first aspect, if the exception flag of the information security log missing a URL is the result-pending log flag, then after the log synthesis server compensates the information security log missing a URL according to the access log to be compensated, the method further includes:
the log synthesis server matches the URL corresponding to the information security log missing a URL against the policy information corresponding to that log; if the match succeeds, the policy is hit. The policy information corresponding to the information security log missing a URL includes a policy domain name and/or a policy URL, and is added to the information security log by the information security detection device.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, if the policy information includes a policy domain name, the log synthesis server matching the URL corresponding to the information security log missing a URL against the policy information corresponding to that log, with the policy being hit if the match succeeds, includes:
the log synthesis server obtains the domain name corresponding to the information security log missing a URL from the URL corresponding to that log;
the log synthesis server matches that domain name against the policy domain name; if the domain name corresponding to the information security log is the same as the policy domain name, the policy is hit.
With reference to the sixth possible implementation of the first aspect, in an eighth possible implementation of the first aspect, if the policy information includes a policy URL, the log synthesis server matching the URL corresponding to the information security log missing a URL against the policy information corresponding to that log, with the policy being hit if the match succeeds, includes:
the log synthesis server matches the URL corresponding to the information security log missing a URL against the policy URL; if the URL corresponding to the information security log is the same as the policy URL, the policy is hit.
With reference to the sixth possible implementation of the first aspect, in a ninth possible implementation of the first aspect, if the policy information includes both a policy domain name and a policy URL, the log synthesis server matching the URL corresponding to the information security log missing a URL against the policy information corresponding to that log, with the policy being hit if the match succeeds, includes:
the log synthesis server obtains the domain name corresponding to the information security log missing a URL from the URL corresponding to that log;
the log synthesis server matches the URL and the domain name corresponding to the information security log missing a URL against the policy URL and the policy domain name respectively; if the URL is the same as the policy URL and the domain name is the same as the policy domain name, the policy is hit.
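The first aspect above describes the log synthesis server end to end: cache flagged access logs, cache flagged security logs, match the two on the key identification fields, copy the URL across, and, for result-pending logs, run the domain/URL policy match. The following Python is an added example written for this page and is not code from the patent or its applicant. The flag string values, the dataclass field names and the sample log values are assumptions; the key fields (source IP, destination IP, source port, destination port, device transaction ID) and the policy-matching rules follow the text. A dict keyed on the five fields stands in for the patent's linear traversal of the cache, and the matching step runs on every arrival so that it does not matter which of the two logs reaches the server first.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Flag literals are assumptions; the patent names the flags but not their encoding.
FLAG_TO_BE_COMPENSATED = "to_be_compensated"   # set by the DPI device
FLAG_MISSING_URL = "missing_url"               # set by the detection device
FLAG_RESULT_PENDING = "result_pending"         # set by the detection device

# Key identification fields (fifth implementation): src IP, dst IP, src port, dst port, transaction ID.
Key = Tuple[str, str, int, int, str]


@dataclass
class AccessLog:
    """Access log reported by a DPI device."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    txn_id: str
    url: str
    flag: Optional[str] = None


@dataclass
class SecurityLog:
    """Information security log reported by an information security detection device."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    txn_id: str
    url: Optional[str] = None
    flag: Optional[str] = None
    policy_domain: Optional[str] = None   # added by the detection device for result-pending logs
    policy_url: Optional[str] = None
    policy_hit: Optional[bool] = None     # filled in by the log synthesis server


def key_of(log) -> Key:
    return (log.src_ip, log.dst_ip, log.src_port, log.dst_port, log.txn_id)


def domain_of(url: str) -> str:
    """Seventh/ninth implementation: derive the domain name from the compensated URL."""
    return urlsplit(url).hostname or ""


def match_policy(sec: SecurityLog) -> bool:
    """Sixth to ninth implementations: the policy is hit when every policy field the
    detection device supplied (domain and/or URL) equals the compensated log's value."""
    if sec.url is None or (sec.policy_domain is None and sec.policy_url is None):
        return False
    if sec.policy_url is not None and sec.url != sec.policy_url:
        return False
    if sec.policy_domain is not None and domain_of(sec.url) != sec.policy_domain:
        return False
    return True


class LogSynthesisServer:
    def __init__(self) -> None:
        self.access_cache: Dict[Key, AccessLog] = {}   # flagged access logs (first identification)
        self.pending: List[SecurityLog] = []           # flagged security logs awaiting a match
        self.completed: List[SecurityLog] = []

    def receive_access_log(self, log: AccessLog) -> None:
        # Only access logs carrying the to-be-compensated flag are cached.
        if log.flag == FLAG_TO_BE_COMPENSATED:
            self.access_cache[key_of(log)] = log
            self._compensate_pending()

    def receive_security_log(self, log: SecurityLog) -> None:
        # Only security logs carrying an exception flag need compensation (second identification).
        if log.flag in (FLAG_MISSING_URL, FLAG_RESULT_PENDING):
            self.pending.append(log)
            self._compensate_pending()
        else:
            self.completed.append(log)

    def _compensate_pending(self) -> None:
        """Compensation step: look up each pending security log by its key fields; on a
        match copy the URL across and, for result-pending logs, evaluate the policy."""
        still_pending: List[SecurityLog] = []
        for sec in self.pending:
            acc = self.access_cache.get(key_of(sec))
            if acc is None:
                still_pending.append(sec)
                continue
            sec.url = acc.url
            if sec.flag == FLAG_RESULT_PENDING:
                sec.policy_hit = match_policy(sec)
            self.completed.append(sec)
        self.pending = still_pending


def demo() -> LogSynthesisServer:
    """Constructed sample: two flagged security logs arrive before any access log;
    only the first one later receives its matching access log."""
    srv = LogSynthesisServer()
    srv.receive_security_log(SecurityLog("10.0.0.5", "203.0.113.7", 51234, 80, "txn-1",
                                         flag=FLAG_RESULT_PENDING,
                                         policy_domain="example.test",
                                         policy_url="http://example.test/a"))
    srv.receive_security_log(SecurityLog("10.0.0.6", "203.0.113.8", 51235, 80, "txn-2",
                                         flag=FLAG_MISSING_URL))
    srv.receive_access_log(AccessLog("10.0.0.5", "203.0.113.7", 51234, 80, "txn-1",
                                     "http://example.test/a", flag=FLAG_TO_BE_COMPENSATED))
    return srv


if __name__ == "__main__":
    for entry in demo().completed:
        print(entry)
```

The second security log in the sample stays in `pending` because no access log with its key ever arrives; a production server needs a time-to-live on both caches so that unmatched entries from one-sided or aborted sessions do not accumulate, and the matching key must include the device transaction ID, since IP and port pairs are reused across sessions.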
In a second aspect, an embodiment of the present invention provides a method for Internet data center (IDC) information security management, including:
an information security detection device adds an exception flag to an information security log that it detects is missing a uniform resource locator (URL), where the information security log containing the exception flag is an information security log missing a URL and the exception flag indicates that this log requires URL compensation;
the information security detection device reports the information security log missing a URL to a log synthesis server, so that the log synthesis server compensates it according to the access log to be compensated reported by a deep packet inspection (DPI) device.
With reference to the second aspect, in a first possible implementation of the second aspect, the method further includes:
the information security detection device uses a hash algorithm to ensure that information security logs of the same user access are reported to the same log synthesis server.
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the exception flag includes a missing-URL log flag and a result-pending log flag.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, if the exception flag of the information security log missing a URL is the result-pending log flag, then after the information security detection device reports the information security log missing a URL to the log synthesis server, the method further includes:
the information security detection device performs keyword detection on the information security log missing a URL and, from the keywords of that log, obtains the policy information corresponding to it, where the policy information includes a policy domain name and/or a policy URL;
the information security detection device adds the policy information to the information security log missing a URL and reports the information security log, now containing the policy information, to the log synthesis server.
In a third aspect, an embodiment of the present invention provides a method for Internet data center (IDC) information security management, including:
a deep packet inspection (DPI) device determines whether both the uplink and the downlink of a user access pass through the DPI device; if not, it adds a to-be-compensated flag to the access log corresponding to that user access, where the access log containing the to-be-compensated flag is an access log to be compensated and the to-be-compensated flag indicates that the information security log generated by the corresponding user access requires uniform resource locator (URL) compensation;
the DPI device reports the access log to be compensated to a log synthesis server, so that the log synthesis server compensates information security logs missing a URL according to the access log to be compensated.
With reference to the third aspect, in a first possible implementation of the third aspect, the method further includes:
the DPI device uses a hash algorithm to ensure that access logs of the same user access are reported to the same log synthesis server.
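The second and third aspects describe the reporting side: the DPI device flags an access log when it has not seen both directions of the session, and both the DPI device and the information security detection device hash the session so that the two halves of one user access land on the same log synthesis server. The Python below is an added example for this page, not the patent's or the applicant's code. The `direction` field on the sample packets (a real device derives direction from the TCP handshake), the flag string, the server names and the use of SHA-256 as the hash are assumptions; the patent only says "a hash algorithm".

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Flag literal is an assumption; the patent names the flag but not its encoding.
FLAG_TO_BE_COMPENSATED = "to_be_compensated"

# Canonical flow key: (client IP, server IP, client port, server port).
Flow = Tuple[str, str, int, int]


@dataclass
class Packet:
    """A packet as seen by the DPI device. `direction` is "up" (client -> server) or
    "down" (server -> client); the constructed samples carry it explicitly (assumption)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str

    def flow(self) -> Flow:
        # Orient both directions onto the same (client, server) key.
        if self.direction == "up":
            return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)
        return (self.dst_ip, self.src_ip, self.dst_port, self.src_port)


@dataclass
class AccessLog:
    flow: Flow
    txn_id: str
    url: str
    flag: Optional[str]
    server: str          # log synthesis server the log is routed to


def choose_server(flow: Flow, servers: List[str]) -> str:
    """Hash-based routing shared by the DPI device and the detection device: hashing the
    same flow key with the same algorithm over the same server list always selects the
    same log synthesis server, so both logs of one access meet in one cache."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode("utf-8")).digest()
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


class DpiDevice:
    def __init__(self, servers: List[str]) -> None:
        self.servers = servers
        self.seen: Dict[Flow, Set[str]] = {}   # directions observed per flow

    def observe(self, pkt: Packet) -> None:
        self.seen.setdefault(pkt.flow(), set()).add(pkt.direction)

    def emit_access_log(self, flow: Flow, txn_id: str, url: str) -> AccessLog:
        """Third aspect: if this device did not see both directions, the downlink took
        another path, so the security log produced there will lack the URL and this
        access log is flagged for compensation."""
        both = self.seen.get(flow, set()) == {"up", "down"}
        flag = None if both else FLAG_TO_BE_COMPENSATED
        return AccessLog(flow, txn_id, url, flag, choose_server(flow, self.servers))


def demo() -> Tuple[AccessLog, AccessLog]:
    """Constructed sample: flow A is symmetric (both directions seen), flow B uplink only."""
    servers = ["lss-1", "lss-2", "lss-3"]
    dpi = DpiDevice(servers)
    dpi.observe(Packet("10.0.0.5", "203.0.113.7", 51234, 80, "up"))
    dpi.observe(Packet("203.0.113.7", "10.0.0.5", 80, 51234, "down"))
    dpi.observe(Packet("10.0.0.6", "203.0.113.8", 51235, 80, "up"))
    a = dpi.emit_access_log(("10.0.0.5", "203.0.113.7", 51234, 80), "txn-a", "http://example.test/a")
    b = dpi.emit_access_log(("10.0.0.6", "203.0.113.8", 51235, 80), "txn-b", "http://example.test/b")
    return a, b


if __name__ == "__main__":
    for log in demo():
        print(log)
```

Two details matter in practice: the flow key must be oriented identically on every device (client side first), otherwise the DPI device and the detection device hash different tuples and their logs never meet; and the server list must be identical and ordered the same everywhere, since a plain modulo hash remaps most keys when a server is added or removed.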
In a fourth aspect, an embodiment of the present invention provides a log synthesis server, including:
a first identification module, configured to identify an access log to be compensated and cache it, where the access log to be compensated is an access log reported by a deep packet inspection (DPI) device and the information security log generated by the user access corresponding to that access log requires uniform resource locator (URL) compensation;
a second identification module, configured to identify an information security log missing a URL and cache it, where the information security log missing a URL is an information security log reported by an information security detection device;
a compensation module, configured to compensate the information security log missing a URL according to the access log to be compensated.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the first identification module is specifically configured to:
identify the access log to be compensated according to a to-be-compensated flag in that access log, where the to-be-compensated flag indicates that the information security log generated by the user access corresponding to the access log requires URL compensation.
With reference to the fourth aspect or its first possible implementation, in a second possible implementation of the fourth aspect, the second identification module is specifically configured to:
identify the information security log missing a URL according to an exception flag in that information security log, where the exception flag indicates that the information security log requires URL compensation.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the exception flag includes a missing-URL log flag and a result-pending log flag.
With reference to the fourth aspect or any of its first to third possible implementations, in a fourth possible implementation of the fourth aspect, the compensation module includes:
a first determination unit, configured to determine the key identification fields of any information security log missing a URL;
a second determination unit, configured to traverse all cached access logs to be compensated according to the key identification fields until it finds the access log to be compensated that matches those fields;
a compensation unit, configured to obtain the URL of the matching access log to be compensated and write that URL into the information security log missing a URL.
With reference to the fourth possible implementation of the fourth aspect, in a fifth possible implementation of the fourth aspect, the key identification fields include: source Internet Protocol (IP) address, destination IP address, source port, destination port and device transaction identifier (ID).
With reference to any of the third to fifth possible implementations of the fourth aspect, in a sixth possible implementation of the fourth aspect, if the exception flag of the information security log missing a URL is the result-pending log flag, the log synthesis server further includes:
a matching module, configured to match the URL corresponding to the information security log missing a URL against the policy information corresponding to that log; if the match succeeds, the policy is hit. The policy information corresponding to the information security log missing a URL includes a policy domain name and/or a policy URL, and is added to the information security log by the information security detection device.
With reference to the sixth possible implementation of the fourth aspect, in a seventh possible implementation of the fourth aspect, if the policy information includes a policy domain name, the matching module is specifically configured to:
obtain the domain name corresponding to the information security log missing a URL from the URL corresponding to that log;
match that domain name against the policy domain name; if the domain name corresponding to the information security log is the same as the policy domain name, the policy is hit.
With reference to the sixth possible implementation of the fourth aspect, in an eighth possible implementation of the fourth aspect, if the policy information includes a policy URL, the matching module is specifically configured to:
match the URL corresponding to the information security log missing a URL against the policy URL; if the URL corresponding to the information security log is the same as the policy URL, the policy is hit.
With reference to the sixth possible implementation of the fourth aspect, in a ninth possible implementation of the fourth aspect, if the policy information includes both a policy domain name and a policy URL, the matching module is specifically configured to:
obtain the domain name corresponding to the information security log missing a URL from the URL corresponding to that log;
match the URL and the domain name corresponding to the information security log missing a URL against the policy URL and the policy domain name respectively; if the URL is the same as the policy URL and the domain name is the same as the policy domain name, the policy is hit.
In a fifth aspect, an embodiment of the present invention provides an information security detection device, including:
a flagging module, configured to add an exception flag to an information security log that is detected to be missing a uniform resource locator (URL), where the information security log containing the exception flag is an information security log missing a URL and the exception flag indicates that this log requires URL compensation;
a first reporting module, configured to report the information security log missing a URL to a log synthesis server, so that the log synthesis server compensates it according to the access log to be compensated reported by a deep packet inspection (DPI) device.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the first reporting module is further specifically configured to use a hash algorithm to ensure that information security logs of the same user access are reported to the same log synthesis server.
With reference to the fifth aspect or its first possible implementation, in a second possible implementation of the fifth aspect, the exception flag includes a missing-URL log flag and a result-pending log flag.
With reference to the second possible implementation of the fifth aspect, in a third possible implementation of the fifth aspect, if the exception flag of the information security log missing a URL is the result-pending log flag, the information security detection device further includes:
a detection module, configured to perform keyword detection on the information security log missing a URL and, from the keywords of that log, obtain the policy information corresponding to it, where the policy information includes a policy domain name and/or a policy URL;
a second reporting module, configured to add the policy information to the information security log missing a URL and report the information security log, now containing the policy information, to the log synthesis server.
In a sixth aspect, an embodiment of the present invention provides a deep packet inspection (DPI) device, including:
a judging module, configured to determine whether both the uplink and the downlink of a user access pass through the DPI device and, if not, add a to-be-compensated flag to the access log corresponding to that user access, where the access log containing the to-be-compensated flag is an access log to be compensated and the to-be-compensated flag indicates that the information security log generated by the corresponding user access requires uniform resource locator (URL) compensation;
a reporting module, configured to report the access log to be compensated to a log synthesis server, so that the log synthesis server compensates information security logs missing a URL according to the access log to be compensated.
With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the reporting module is further specifically configured to use a hash algorithm to ensure that access logs of the same user access are reported to the same log synthesis server.
In a seventh aspect, an embodiment of the present invention provides an Internet data center (IDC) information security management system, including:
the log synthesis server of any implementation of the fourth aspect, the information security detection device of any implementation of the fifth aspect, the deep packet inspection (DPI) device of any implementation of the sixth aspect, and a routing device.
In the present invention, the log synthesis server identifies access logs to be compensated and caches them, where the information security logs generated by the user accesses corresponding to those access logs require uniform resource locator (URL) compensation; further, the log synthesis server identifies information security logs missing a URL and caches them; further, the log synthesis server compensates the information security logs missing a URL according to the access logs to be compensated, thereby compensating information security logs missing a URL in the same-source, same-destination scenario.
Description of drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an application scenario of the IDC information security management method of the present invention;
FIG. 2 is a schematic flow diagram of Embodiment 1 of the IDC information security management method of the present invention;
FIG. 3 is a schematic flow diagram of Embodiment 2 of the IDC information security management method of the present invention;
FIG. 4 is a schematic flow diagram of Embodiment 3 of the IDC information security management method of the present invention;
FIG. 5 is a schematic flow diagram of Embodiment 4 of the IDC information security management method of the present invention;
FIG. 6 is a schematic structural diagram of Embodiment 1 of the log synthesis server of the present invention;
FIG. 7 is a schematic structural diagram of Embodiment 2 of the log synthesis server of the present invention;
FIG. 8 is a schematic structural diagram of Embodiment 1 of the information security detection device of the present invention;
FIG. 9 is a schematic structural diagram of Embodiment 2 of the information security detection device of the present invention;
FIG. 10 is a schematic structural diagram of Embodiment 1 of the deep packet inspection (DPI) device of the present invention;
FIG. 11 is a schematic structural diagram of Embodiment 2 of the deep packet inspection (DPI) device of the present invention;
FIG. 12 is a schematic structural diagram of an embodiment of the Internet data center (IDC) information security management system of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
At the end of 2012, the Ministry of Industry and Information Technology of China issued two specifications on IDC information security management systems, the "IDC/ISP Information Security Management System Technical Requirements" and the "IDC/ISP Information Security Management System Interface Specification", to implement information supervision of IDCs. These specifications explicitly require that an information security management system (ISMS) monitor the bidirectional traffic of an IDC/Internet service provider (ISP), and record and handle any illegal information found, so as to produce monitoring and filtering logs. According to the specifications, a compliant system must at least: 1) be able to detect or filter sessions according to combined conditions of Internet Protocol (IP) address, domain name, URL, keyword and the like; and 2) when a policy is hit, include in the reported log the source/destination IP address, source/destination port, the illegal information, the collection time and the identifier of the triggered instruction, where for the Hypertext Transfer Protocol (HTTP) the URL must also be recorded.
In the prior art, when the network topology is relatively simple, the uplink and downlink traffic of a session passes through the same DPI device, so detection, generation and reporting of access logs can satisfy both requirements above. When the network structure is more complex, for example when it contains asymmetric routing devices and several DPI devices, the uplink and downlink traffic of a session passes through different information security detection devices, and the information security detection device on the downlink path cannot report an information security log that satisfies the IDC information security management specifications (for example, the URL is missing). How to compensate information security logs lacking a URL in the same-source, same-destination scenario, so as to achieve IDC information security management, is therefore an urgent technical problem.
In the prior art, the uplink and downlink traffic of the same user access can be mirrored to the same information security detection device by adding a front-end switch or traffic splitter that aggregates and redistributes traffic, ensuring that both directions are inspected by the same device. However, this requires additional splitting equipment, which raises the user's cost, and places strict requirements on the physical placement of that equipment. The embodiments of the present invention therefore provide a technical solution that compensates information security logs lacking a URL in the same-source, same-destination scenario.
FIG. 1 is a schematic diagram of an application scenario of the IDC information security management method of the present invention. As shown in FIG. 1, the network structure in this embodiment includes router 1, router 2, DPI device 1, DPI device 2, information security detection device 1, information security detection device 2, log synthesis server 1 and an application server. Optionally, the specific process is as follows:
(1) the uplink traffic of a user access (that is, the request) is distributed by router 1 to DPI device 1;
(2) DPI device 1 performs full inspection of the public information data on the service link, generates an access log and reports it to log synthesis server 1;
(3) the downlink traffic of the user access (that is, the response) is distributed by router 2 to DPI device 2;
(4) DPI device 2 mirrors the downlink traffic to information security detection device 2; because the uplink traffic did not pass through DPI device 2, detection device 2 cannot obtain the URL accessed by the user;
(5) information security detection device 2 performs keyword detection, generates an information security log lacking a URL and reports it to log synthesis server 1;
(6) log synthesis server 1 synthesizes a complete information security log from the access log and the information security log.
FIG. 2 is a schematic flow diagram of Embodiment 1 of the IDC information security management method of the present invention. As shown in FIG. 2, the method of this embodiment may include:
S201. The log synthesis server identifies access logs to be compensated and caches them.
In this embodiment, the log synthesis server receives all access logs reported by the DPI devices. For some user accesses the uplink and downlink traffic both pass through the same DPI device, so the information security logs generated by those accesses are complete and need no URL compensation. Optionally, the log synthesis server identifies, among all access logs, those to be compensated and caches only those, so that it can compensate information security logs lacking a URL from the cached access logs; this reduces the volume of access logs the server caches and improves matching efficiency. An access log to be compensated is one whose corresponding user access generates an information security log that requires URL compensation.
Optionally, S201 includes:
the log synthesis server identifying the access log to be compensated according to a to-be-compensated identifier in the access log, where the to-be-compensated identifier indicates that the information security log generated by the user access corresponding to that access log requires URL compensation.
In this embodiment, the log synthesis server may identify an access log to be compensated by the to-be-compensated identifier it carries. Optionally, when the log synthesis server receives an access log, it first checks whether the access log contains the to-be-compensated identifier. If it does, the access log is determined to be an access log to be compensated and is cached; otherwise, the information security log generated by the corresponding user access is determined to be complete, no URL compensation is needed, and the access log is reported directly without being cached.
S202. The log synthesis server identifies information security logs lacking a URL and caches them.
In this embodiment, the log synthesis server receives all information security logs reported by the information security detection devices. Optionally, these logs fall into two parts: the first part consists of logs the detection device has confirmed to be information security logs (both complete ones and ones lacking a URL); the second part consists of logs for which the detection device cannot determine whether they are information security logs (these lack a URL and have an undetermined log type, that is, the detection device cannot tell whether the log is an information security log or some other legitimate log). For a complete information security log, the uplink and downlink traffic of the corresponding user access passed through the same DPI device, so the generated log is complete. Optionally, the log synthesis server identifies, among all information security logs, those lacking a URL (both those the detection device has confirmed as information security logs and those it is unsure about) and caches only those, so that it can compensate them from the cached access logs to be compensated. This reduces both the volume of logs cached by the server and the volume of logs that need compensation, improving matching efficiency.
Optionally, S202 includes:
the log synthesis server identifying an information security log lacking a URL according to an exception identifier in the log, where the exception identifier indicates that the information security log requires URL compensation.
In this embodiment, the log synthesis server may identify an information security log lacking a URL by the exception identifier it carries. Optionally, the exception identifier is either a missing-URL log identifier or a result-pending log identifier. An information security log whose exception identifier is the missing-URL log identifier is one the detection device has confirmed to be an information security log. An information security log whose exception identifier is the result-pending log identifier not only lacks a URL but also has an undetermined log type, that is, the detection device cannot tell whether it is an information security log or some other legitimate log; it is marked result-pending so that the log synthesis server can make the further determination of its type. Optionally, an exception identifier of 1 indicates an information security log lacking a URL, and an exception identifier of 2 indicates an information security log whose result is pending.
That is, the information security logs lacking a URL include those whose exception identifier is the missing-URL log identifier (confirmed by the detection device to be information security logs) and those whose exception identifier is the result-pending log identifier (whose type the detection device cannot determine). Optionally, when the log synthesis server receives an information security log, it first checks whether the log contains an exception identifier. If it does, the log is determined to lack a URL and is cached; otherwise, the log is determined to be complete and needs no URL compensation.
S203. The log synthesis server compensates the information security logs lacking a URL according to the access logs to be compensated.
In this embodiment, the DPI devices and information security detection devices use a hash algorithm to ensure that the logs belonging to the same user access are sent to the same log synthesis server. For example, in the scenario of FIG. 1, DPI device 1 reports the access log of user access 1 to log synthesis server 1, and correspondingly information security detection device 2 reports the information security log lacking a URL for user access 1 to log synthesis server 1. Because the access log to be compensated contains the URL accessed by the user, the log synthesis server may, optionally, first determine the access log to be compensated that corresponds to a given information security log lacking a URL, then obtain the URL contained in that access log, and finally compensate the information security log with the obtained URL.
Optionally, S203 includes:
the log synthesis server determining the key identification fields of any information security log lacking a URL;
the log synthesis server traversing all cached access logs to be compensated according to the key identification fields until an access log to be compensated that matches the key identification fields is found;
the log synthesis server obtaining the URL of the matching access log to be compensated and compensating the information security log lacking a URL with that URL.
In this embodiment, the log synthesis server first determines, by keyword detection, the key identification fields of any information security log lacking a URL. It then traverses all cached access logs to be compensated according to these fields until it finds a matching access log. Optionally, because five key identification fields uniquely determine any access, the log synthesis server finds the matching access log by five-tuple matching: it traverses all cached access logs to be compensated according to the five key identification fields until it finds one that matches all five. Optionally, the key identification fields are: source Internet Protocol (IP) address, destination IP address, source port, destination port and device transaction identifier (ID). The log synthesis server then obtains the URL of the matching access log and compensates the information security log lacking a URL with it, yielding a complete information security log.
Optionally, the order of S201 and S202 is not limited in this embodiment: S201 may be performed before S202, after S202, or simultaneously with it. Optionally, the log synthesis server may also store the access logs to be compensated and/or the information security logs lacking a URL in other ways; this is not limited in the embodiments of the present invention.
In this embodiment, the log synthesis server identifies access logs to be compensated and caches them, where the information security log generated by the user access corresponding to an access log to be compensated requires uniform resource locator (URL) compensation; further, the log synthesis server identifies information security logs lacking a URL and caches them; further, the log synthesis server compensates the information security logs lacking a URL according to the access logs to be compensated, thereby compensating information security logs lacking a URL in the same-source, same-destination scenario.
In the prior-art same-source, same-destination scenario, because the uplink and downlink traffic of the same user access does not pass through the same information security detection device, the information security log reported by the detection device lacks a URL, so the log synthesis server cannot perform correlated detection on multiple combined conditions, that is, the IDC information security management specifications are not met.
Further, in this embodiment, if the exception identifier of the information security log lacking a URL is the result-pending log identifier, that is, the detection device cannot tell whether the log is an information security log or some other legitimate log, the log synthesis server must make the further determination of the log type. Thus, after the log synthesis server compensates the information security log lacking a URL according to the access log to be compensated, the method further includes:
the log synthesis server matching the URL corresponding to the information security log lacking a URL against the policy information corresponding to that log, and if the match succeeds, the policy is hit.
In this embodiment, if the log synthesis server determines that the exception identifier of the information security log lacking a URL is the result-pending log identifier (the log lacks a URL and its type is undetermined), it matches the URL it has obtained for that log against the policy information corresponding to the log. If the match succeeds, the policy is considered hit, which realizes correlated detection on combined conditions, and the log is confirmed to be an information security log; otherwise, the log is determined to be a legitimate log, that is, the corresponding access does not involve information security. The policy information corresponding to the information security log lacking a URL includes a policy domain name and/or a policy URL, and is added to the log by the information security detection device. Optionally, before the matching, the method further includes the log synthesis server receiving, from the information security detection device, the information security log lacking a URL that contains the policy information.
可选地,若所述策略信息包括策略域名,所述日志合成服务器根据所述缺失URL的信息安全日志对应的URL及所述缺失URL的信息安全日志对应的策略信息进行匹配,若匹配成功,则策略命中,包括:Optionally, if the policy information includes a policy domain name, the log synthesis server performs matching according to the URL corresponding to the information security log of the missing URL and the policy information corresponding to the information security log of the missing URL, and if the matching is successful, Then the policy hits, including:
所述日志合成服务器根据所述缺失URL的信息安全日志对应的URL获取所述缺失URL的信息安全日志对应的域名;The log synthesis server acquires the domain name corresponding to the information security log of the missing URL according to the URL corresponding to the information security log of the missing URL;
所述日志合成服务器将所述缺失URL的信息安全日志对应的域名,与所述策略域名进行匹配,若所述缺失URL的信息安全日志对应的域名与所述策略域名相同,则策略命中。The log synthesis server matches the domain name corresponding to the information security log of the missing URL with the policy domain name, and if the domain name corresponding to the information security log of the missing URL is the same as the policy domain name, the policy hits.
本发明实施例中,若所述策略信息包括策略域名(或者,所述策略信息为策略域名+关键字),所述日志合成服务器首先根据所述缺失URL的信息安全日志对应的URL,获取所述缺失URL的信息安全日志对应的域名;其次,所述日志合成服务器将所述缺失URL的信息安全日志对应的域名,与所述策略域名进行匹配,若所述缺失URL的信息安全日志对应的域名与所述策略域名相同,即匹配成功,则认为策略命中,即实现了域名及关键字的关联检测,从而确定所述缺失URL的信息安全日志确实为信息安全日志;否则,确定所述缺失URL的信息安全日志为合法日志。In the embodiment of the present invention, if the policy information includes a policy domain name (or, the policy information is a policy domain name + keyword), the log synthesis server first obtains the URL corresponding to the information security log of the missing URL. The domain name corresponding to the information security log of the missing URL; secondly, the log synthesis server matches the domain name corresponding to the information security log of the missing URL with the policy domain name, if the information security log corresponding to the missing URL The domain name is the same as the domain name of the policy, that is, the matching is successful, then it is considered that the policy hits, that is, the association detection of the domain name and the keyword is realized, thereby determining that the information security log of the missing URL is indeed an information security log; otherwise, it is determined that the missing URL is an information security log; The information security log of the URL is a legal log.
可选地,若所述策略信息包括策略URL,所述日志合成服务器根据所述缺失URL的信息安全日志对应的URL及所述缺失URL的信息安全日志对应的策略信息进行匹配,若匹配成功,则策略命中,包括:Optionally, if the policy information includes a policy URL, the log synthesis server performs matching according to the URL corresponding to the information security log of the missing URL and the policy information corresponding to the information security log of the missing URL, and if the matching is successful, Then the policy hits, including:
所述日志合成服务器将所述缺失URL的信息安全日志对应的URL,与所述策略URL进行匹配,若所述缺失URL的信息安全日志对应的URL与所述策略URL相同,则策略命中。The log synthesis server matches the URL corresponding to the information security log with the missing URL with the policy URL, and if the URL corresponding to the information security log with the missing URL is the same as the policy URL, the policy hits.
本发明实施例中,若所述策略信息包括策略URL(或者,所述策略信息为策略URL+关键字),所述日志合成服务器将所述缺失URL的信息安全日志对应的URL,与所述策略URL进行匹配,若所述缺失URL的信息安全日志对应的URL与所述策略URL相同,即匹配成功,则认为策略命中,即实现了URL及关键字的关联检测,从而确定所述缺失URL的信息安全日志确实为信息安全日志;否则,确定所述缺失URL的信息安全日志为合法日志。In the embodiment of the present invention, if the policy information includes a policy URL (or, the policy information is a policy URL+keyword), the log synthesis server combines the URL corresponding to the information security log with the missing URL with the policy URL is matched, if the URL corresponding to the information security log of the missing URL is the same as the policy URL, that is, the matching is successful, then it is considered that the policy hits, that is, the association detection of the URL and the keyword is realized, thereby determining the URL of the missing URL. The information security log is indeed an information security log; otherwise, it is determined that the information security log with the missing URL is a legitimate log.
Optionally, if the policy information includes a policy domain name and a policy URL, the step in which the log synthesis server performs matching according to the URL corresponding to the missing-URL information security log and the policy information corresponding to that log, the policy being hit if the match succeeds, includes:
the log synthesis server obtains, from the URL corresponding to the missing-URL information security log, the domain name corresponding to that log;
the log synthesis server matches the URL and the domain name corresponding to the missing-URL information security log against the policy URL and the policy domain name respectively; if the URL corresponding to the missing-URL information security log is identical to the policy URL and the domain name corresponding to that log is identical to the policy domain name, the policy is hit.
In this embodiment, if the policy information includes a policy domain name and a policy URL (or the policy information is policy URL + policy domain name + keyword), the log synthesis server first obtains, from the URL corresponding to the missing-URL information security log, the domain name corresponding to that log; it then matches the URL and the domain name against the policy URL and the policy domain name respectively. If the URL is identical to the policy URL and the domain name is identical to the policy domain name, the match succeeds and the policy is considered hit, which realizes associated detection of domain name, URL and keyword, and the missing-URL information security log is thereby confirmed to be an information security log; otherwise, the missing-URL information security log is determined to be a legitimate log.
Optionally, before the log synthesis server performs matching according to the URL corresponding to the missing-URL information security log and the policy information corresponding to that log, the method further includes: the log synthesis server determining that the abnormality identifier of the missing-URL information security log is the pending-result log identifier.
In this embodiment, the log synthesis server identifies the to-be-compensated access logs and caches them, where the information security logs generated by the user accesses corresponding to the to-be-compensated access logs require uniform resource locator (URL) compensation; further, the log synthesis server identifies the missing-URL information security logs and caches them; further, the log synthesis server compensates the missing-URL information security logs according to the to-be-compensated access logs, thereby compensating missing-URL information security logs in the same-source, same-destination scenario; further, the log synthesis server matches the URL corresponding to the missing-URL information security log against the policy information corresponding to that log, and if the match succeeds the policy is hit, which realizes associated detection under combined conditions and confirms that the information security log whose abnormality identifier is the pending-result log identifier is indeed an information security log; otherwise, the log is determined to be a legitimate log.
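The three matching variants described above (policy domain name only, policy URL only, policy domain name and policy URL), applied to a pending-result log after its URL has been compensated, as an added example in Python. This is illustrative code, not the patent's or any product's implementation. The identifier values 1 and 2 follow the text of this page; the field names, the case-insensitive host comparison with an explicit port stripped, and the simple URL normalization before exact comparison are assumptions made here.

```python
"""Added example (not from the patent): policy matching on a compensated URL.

Assumptions not stated in the patent: record field names, host names compared
case-insensitively with any explicit port removed, and policy URLs compared
exactly after the same normalization as the log URL.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

MISSING_URL = 1     # abnormality identifier: URL missing, known to be a security log
RESULT_PENDING = 2  # abnormality identifier: URL missing, log type undetermined


@dataclass
class PolicyInfo:
    """Policy information the detection device attached to the log (assumed layout)."""
    keyword: str
    domain: Optional[str] = None   # policy domain name, if any
    url: Optional[str] = None      # policy URL, if any


@dataclass
class SecurityLog:
    abnormality_id: int
    url: Optional[str]             # filled in by URL compensation, None until then
    policy: Optional[PolicyInfo] = None


def domain_of(url: str) -> str:
    """Domain name part of a URL: host only, lower-cased, port dropped."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def normalize_url(url: str) -> str:
    """Canonical form used for the exact URL comparison (assumption)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{path}{query}"


def policy_hit(url: str, policy: PolicyInfo) -> bool:
    """Domain-only, URL-only, or domain + URL: every configured part must match."""
    if policy.domain is None and policy.url is None:
        return False                                   # nothing to match against
    if policy.domain is not None and domain_of(url) != policy.domain.lower():
        return False
    if policy.url is not None and normalize_url(url) != normalize_url(policy.url):
        return False
    return True


def classify(log: SecurityLog) -> str:
    """Return 'security', 'legitimate' or 'uncompensated'.

    Only pending-result logs go through policy matching; a missing-URL log with
    identifier 1 is already known to be a security log.  Matching needs the
    compensated URL, so a pending log without one cannot be decided yet.
    """
    if log.abnormality_id != RESULT_PENDING:
        return "security"
    if log.url is None:
        return "uncompensated"
    if log.policy is None:
        return "legitimate"
    return "security" if policy_hit(log.url, log.policy) else "legitimate"
```

Note that the domain comparison ignores case and port, so a policy for bad.example.com also hits http://BAD.example.com:8080/; whether that is the intended behaviour is a deployment decision, which is why it is isolated in `domain_of` and `normalize_url`.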
FIG. 3 is a schematic flowchart of Embodiment 2 of the IDC information security management method of the present invention. As shown in FIG. 3, the method of this embodiment may include:
S301. The information security detection device adds an abnormality identifier to an information security log in which a missing uniform resource locator (URL) is detected.
In this embodiment, so that the log synthesis server can quickly identify missing-URL information security logs, optionally, the information security detection device adds an abnormality identifier to each information security log in which a missing URL is detected. An information security log containing the abnormality identifier is a missing-URL information security log (this covers both missing-URL logs that the detection device can determine to be information security logs and missing-URL logs about which the detection device is uncertain). The abnormality identifier indicates that the missing-URL information security log requires URL compensation, so that when the log synthesis server receives an information security log it can quickly determine whether it is a missing-URL information security log by checking whether the log contains the abnormality identifier.
Optionally, the abnormality identifier includes a missing-URL log identifier (the detection device can determine that the log is an information security log) and a pending-result log identifier (the log lacks a URL and its log type is undetermined, i.e. the detection device cannot determine whether the log is an information security log or some other legitimate log). That is, the missing-URL information security logs comprise two parts: the first part are indeed information security logs (those whose abnormality identifier is the missing-URL log identifier), and the other part are logs about which the detection device is uncertain (those whose abnormality identifier is the pending-result log identifier). A log is marked as pending-result so that the log synthesis server can further judge its type and determine whether it is an information security log or some other legitimate log. Optionally, an abnormality identifier of 1 indicates a missing-URL information security log, and an abnormality identifier of 2 indicates a pending-result information security log.
S302. The information security detection device reports the missing-URL information security log to the log synthesis server, so that the log synthesis server compensates the missing-URL information security log according to the to-be-compensated access log reported by the deep packet inspection (DPI) device.
In this embodiment, the information security detection device reports the missing-URL information security log containing the abnormality identifier to the log synthesis server, so that the log synthesis server compensates the missing-URL information security log according to the to-be-compensated access log reported by the DPI device. Optionally, the information security detection device uses a hash algorithm to ensure that the information security logs of the same user access are reported to the same log synthesis server, so that the log synthesis server can perform the URL compensation function.
In this embodiment, the information security detection device adds an abnormality identifier to an information security log in which a missing URL is detected, where an information security log containing the abnormality identifier is a missing-URL information security log and the abnormality identifier indicates that the missing-URL information security log requires URL compensation; further, the information security detection device reports the missing-URL information security log to the log synthesis server, so that the log synthesis server compensates it according to the to-be-compensated access log reported by the DPI device, thereby compensating missing-URL information security logs in the same-source, same-destination scenario.
Further, if the abnormality identifier of the missing-URL information security log is the pending-result log identifier, after the information security detection device reports the missing-URL information security log to the log synthesis server, the method further includes:
the information security detection device performs keyword detection on the missing-URL information security log and, according to the keyword of that log, obtains the policy information corresponding to the missing-URL information security log, where the policy information includes a policy domain name and/or a policy URL;
the information security detection device adds the policy information to the missing-URL information security log and reports the missing-URL information security log containing the policy information to the log synthesis server.
In this embodiment, when the information security detection device determines that the abnormality identifier of the missing-URL information security log is the pending-result log identifier, i.e. the detection device cannot determine whether the log is an information security log or some other legitimate log, the log synthesis server is needed to further judge the log type and determine whether the log is an information security log or some other legitimate log. Optionally, the information security detection device performs keyword detection on the missing-URL information security log and, according to the keyword of that log, obtains the policy information corresponding to the missing-URL information security log, where the policy information includes a policy domain name and/or a policy URL (e.g. the policy information is policy domain name + keyword, policy URL + keyword, or policy URL + policy domain name + keyword); further, the detection device adds the policy information to the missing-URL information security log and reports the log containing the policy information to the log synthesis server, so that the log synthesis server can match the URL corresponding to the missing-URL information security log, obtained according to steps S201 to S203 of the present invention above, against the policy information corresponding to that log, thereby realizing associated detection.
FIG. 4 is a schematic flowchart of Embodiment 3 of the IDC information security management method of the present invention. As shown in FIG. 4, the method of this embodiment may include:
S401. The deep packet inspection (DPI) device judges whether both the uplink and the downlink of a user access pass through the DPI device, and if not, adds a to-be-compensated identifier to the access log corresponding to that user access.
In this embodiment, so that the log synthesis server can quickly identify to-be-compensated access logs, optionally, the DPI device judges whether both the uplink and the downlink of a user access pass through the DPI device, and if not, adds a to-be-compensated identifier to the access log corresponding to that user access. An access log containing the to-be-compensated identifier is a to-be-compensated access log; the to-be-compensated identifier indicates that the information security log generated by the user access corresponding to that access log requires uniform resource locator (URL) compensation, so that when the log synthesis server receives an access log it can quickly determine whether it is a to-be-compensated access log by checking whether the log contains the to-be-compensated identifier.
S402. The DPI device reports the to-be-compensated access log to the log synthesis server, so that the log synthesis server compensates the missing-URL information security log according to the to-be-compensated access log.
In this embodiment, the DPI device reports the access log containing the to-be-compensated identifier to the log synthesis server, so that the log synthesis server compensates the missing-URL information security log according to the to-be-compensated access log. Optionally, the DPI device uses a hash algorithm to ensure that the access logs of the same user access are reported to the same log synthesis server, so that the log synthesis server can perform the URL compensation function.
In this embodiment, the DPI device judges whether both the uplink and the downlink of a user access pass through the DPI device, and if not, adds a to-be-compensated identifier to the access log corresponding to that user access, where an access log containing the to-be-compensated identifier is a to-be-compensated access log and the identifier indicates that the information security log generated by the corresponding user access requires URL compensation; further, the DPI device reports the to-be-compensated access log to the log synthesis server, so that the log synthesis server compensates the missing-URL information security log according to the to-be-compensated access log, thereby compensating missing-URL information security logs in the same-source, same-destination scenario.
FIG. 5 is a schematic flowchart of Embodiment 4 of the IDC information security management method of the present invention. As shown in FIG. 5, the method of this embodiment may include:
S501. The DPI device reports all access logs.
In this embodiment, the DPI device identifies user accesses whose uplink and downlink do not pass through the same DPI device and adds a to-be-compensated identifier to the access log corresponding to each such user access; an access log containing the to-be-compensated identifier is a to-be-compensated access log. That is, the access logs reported by the DPI device are of two kinds: complete access logs and to-be-compensated access logs.
S502. After receiving all the access logs, the log synthesis server synthesizes the access logs that meet the requirements and reports them.
S503. The log synthesis server identifies the to-be-compensated access logs and caches them.
S504. The information security detection device reports all information security logs.
In this embodiment, the information security detection device adds an abnormality identifier to an information security log in which a missing URL is detected, where an information security log containing the abnormality identifier is a missing-URL information security log and the abnormality identifier indicates that the missing-URL information security log requires URL compensation; optionally, the abnormality identifier includes a missing-URL log identifier and a pending-result log identifier. That is, the information security logs reported by the detection device are of three kinds: complete information security logs, missing-URL information security logs and pending-result information security logs, where a pending-result information security log not only lacks a URL but also has an undetermined log type.
S505. After receiving all the information security logs, the log synthesis server synthesizes the information security logs that meet the requirements and reports them.
S506. The log synthesis server identifies the missing-URL information security logs and caches them.
S507. The log synthesis server compensates the missing-URL information security logs according to the to-be-compensated access logs, so as to obtain complete information security logs.
For the specific implementation process, refer to the above embodiments of the present invention; it is not repeated here.
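The Embodiment 4 flow above, together with the hash-based routing mentioned in S302 and S402 and the key-field matching of the compensation module, as one added example in Python. This is illustrative code written for this page, not the patent's or any vendor's implementation. The record layout and field names, the choice of SHA-256 modulo the server count as the "hash algorithm", the dictionary lookup standing in for the traversal of the cache, and the sample records in `run_sample()` are all assumptions or constructed data.

```python
"""Added example (not the patent's code): Embodiment 4 in miniature.

A DPI device flags access logs whose uplink and downlink did not both pass
through it (S401); a detection device flags security logs that lack a URL
(S301: 1 = missing URL, 2 = result pending); both route each record to a log
synthesis server by hashing the same key fields; the server caches the flagged
records (S503, S506) and copies the URL into the security log whose key fields
match (S507).  Layout, hash choice and sample data are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Key identification fields: src IP, dst IP, src port, dst port, device transaction ID
Key = Tuple[str, str, int, int, str]


@dataclass
class AccessLog:                       # reported by the DPI device
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    txn_id: str
    url: Optional[str]                 # URL the DPI saw in the request
    both_directions_seen: bool         # uplink and downlink both traversed this DPI
    to_be_compensated: bool = False

    def key(self) -> Key:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.txn_id)


@dataclass
class SecurityLog:                     # reported by the detection device
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    txn_id: str
    url: Optional[str]
    abnormality_id: int = 0            # 0 complete, 1 missing URL, 2 result pending

    def key(self) -> Key:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.txn_id)


def route(key: Key, server_count: int) -> int:
    """Shard selection.  Both devices must hash the same key in the same field
    order, otherwise the two halves of one user access reach different servers."""
    digest = hashlib.sha256("|".join(map(str, key)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % server_count


def dpi_mark(log: AccessLog) -> AccessLog:
    """S401: flag the access log when uplink and downlink did not both pass the DPI."""
    log.to_be_compensated = not log.both_directions_seen
    return log


def detector_mark(log: SecurityLog, type_known: bool) -> SecurityLog:
    """S301: flag a log without a URL; 2 when the detector cannot tell its type."""
    if log.url is None:
        log.abnormality_id = 1 if type_known else 2
    return log


class LogSynthesisServer:
    def __init__(self) -> None:
        self.access_cache: Dict[Key, AccessLog] = {}      # S503
        self.pending_security: List[SecurityLog] = []      # S506
        self.complete: List[SecurityLog] = []

    def receive_access(self, log: AccessLog) -> None:
        if log.to_be_compensated:
            self.access_cache[log.key()] = log

    def receive_security(self, log: SecurityLog) -> None:
        if log.abnormality_id in (1, 2):
            self.pending_security.append(log)
        else:
            self.complete.append(log)

    def compensate(self) -> List[SecurityLog]:
        """S507: copy the URL from the cached access log with matching key fields.
        Logs with no match stay cached for a later access-log arrival."""
        still_pending: List[SecurityLog] = []
        for sec in self.pending_security:
            acc = self.access_cache.get(sec.key())
            if acc is None or acc.url is None:
                still_pending.append(sec)
                continue
            sec.url = acc.url
            self.complete.append(sec)
        self.pending_security = still_pending
        return self.complete


def run_sample(server_count: int = 4) -> Tuple[int, int, List[SecurityLog]]:
    """Constructed sample: one user access whose uplink and downlink did not both
    pass the DPI; its security log arrived without a URL and with undetermined type."""
    access = dpi_mark(AccessLog("10.0.0.5", "203.0.113.10", 51000, 80, "t-1",
                                "http://example.test/page", both_directions_seen=False))
    sec = detector_mark(SecurityLog("10.0.0.5", "203.0.113.10", 51000, 80, "t-1", None),
                        type_known=False)
    servers = [LogSynthesisServer() for _ in range(server_count)]
    shard_a, shard_s = route(access.key(), server_count), route(sec.key(), server_count)
    servers[shard_a].receive_access(access)
    servers[shard_s].receive_security(sec)
    return shard_a, shard_s, servers[shard_s].compensate()
```

The compensated log keeps abnormality identifier 2, since the patent has the synthesis server decide its type afterwards by policy matching; only the URL is filled in here. The routing function is the part a practitioner should check first in a real deployment: if the DPI and the detection device hash different field sets, or the same fields in a different order, the cache lookup on the synthesis server never finds a partner and the log stays pending.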
FIG. 6 is a schematic structural diagram of Embodiment 1 of the log synthesis server of the present invention. As shown in FIG. 6, the log synthesis server 60 provided by this embodiment may include a first identification module 601, a second identification module 602 and a compensation module 603.
The first identification module 601 is configured to identify to-be-compensated access logs and cache them, where a to-be-compensated access log is an access log reported by a deep packet inspection (DPI) device and the information security log generated by the user access corresponding to the to-be-compensated access log requires uniform resource locator (URL) compensation;
the second identification module 602 is configured to identify missing-URL information security logs and cache them, where a missing-URL information security log is an information security log reported by an information security detection device;
the compensation module 603 is configured to compensate the missing-URL information security log according to the to-be-compensated access log.
Optionally, the first identification module 601 is specifically configured to:
identify the to-be-compensated access log according to the to-be-compensated identifier in the to-be-compensated access log, where the to-be-compensated identifier indicates that the information security log generated by the user access corresponding to the to-be-compensated access log requires URL compensation.
Optionally, the second identification module 602 is specifically configured to:
identify the missing-URL information security log according to the abnormality identifier in the missing-URL information security log, where the abnormality identifier indicates that the information security log requires URL compensation.
Optionally, the abnormality identifier includes a missing-URL log identifier and a pending-result log identifier.
Optionally, the compensation module 603 includes:
a first determination unit, configured to determine the key identification fields of any one of the missing-URL information security logs;
a second determination unit, configured to traverse all the cached to-be-compensated access logs according to the key identification fields until a to-be-compensated access log matching the key identification fields is determined;
a compensation unit, configured to obtain the URL of the to-be-compensated access log matching the key identification fields and compensate that URL into the missing-URL information security log.
Optionally, the key identification fields include: source Internet Protocol (IP) address, destination IP address, source port, destination port and device transaction identifier (ID).
Optionally, if the abnormality identifier of the missing-URL information security log is the pending-result log identifier, the log synthesis server further includes:
a matching module, configured to perform matching according to the URL corresponding to the missing-URL information security log and the policy information corresponding to that log, the policy being hit if the match succeeds; where the policy information corresponding to the missing-URL information security log includes a policy domain name and/or a policy URL, and the policy information was added to the missing-URL information security log by the information security detection device.
Optionally, if the policy information includes a policy domain name, the matching module is specifically configured to:
obtain, from the URL corresponding to the missing-URL information security log, the domain name corresponding to that log;
match the domain name corresponding to the missing-URL information security log against the policy domain name, the policy being hit if the two are identical.
Optionally, if the policy information includes a policy URL, the matching module is specifically configured to:
match the URL corresponding to the missing-URL information security log against the policy URL, the policy being hit if the two are identical.
Optionally, if the policy information includes a policy domain name and a policy URL, the matching module is specifically configured to:
obtain, from the URL corresponding to the missing-URL information security log, the domain name corresponding to that log;
match the URL and the domain name corresponding to the missing-URL information security log against the policy URL and the policy domain name respectively, the policy being hit if the URL is identical to the policy URL and the domain name is identical to the policy domain name.
The log synthesis server of this embodiment may be used to execute the technical solutions of Embodiments 1 and 4 of the IDC information security management method of the present invention; its implementation principle and technical effect are similar and are not repeated here.
FIG. 7 is a schematic structural diagram of Embodiment 2 of the log synthesis server of the present invention. As shown in FIG. 7, the log synthesis server 70 provided by this embodiment may include a processor 701 and a memory 702. The log synthesis server 70 may further include a data interface unit 703, which may be connected to the processor 701. The data interface unit 703 is configured to receive and send data, and the memory 702 is configured to store execution instructions. When the log synthesis server 70 runs, the processor 701 communicates with the memory 702 and invokes the execution instructions stored in the memory 702 to perform the operations of Embodiments 1 and 4 of the IDC information security management method described above.
The log synthesis server of this embodiment may be used to execute the technical solutions of Embodiments 1 and 4 of the IDC information security management method of the present invention; its implementation principle and technical effect are similar and are not repeated here.
FIG. 8 is a schematic structural diagram of Embodiment 1 of the information security detection device of the present invention. As shown in FIG. 8, the information security detection device 80 provided by this embodiment may include an identification module 801 and a first reporting module 802.
The identification module 801 is configured to add an abnormality identifier to an information security log in which a missing uniform resource locator (URL) is detected, where an information security log containing the abnormality identifier is a missing-URL information security log and the abnormality identifier indicates that the missing-URL information security log requires URL compensation;
the first reporting module 802 is configured to report the missing-URL information security log to the log synthesis server, so that the log synthesis server compensates the missing-URL information security log according to the to-be-compensated access log reported by the deep packet inspection (DPI) device.
Optionally, the first reporting module 802 is further specifically configured to use a hash algorithm to ensure that the information security logs of the same user access are reported to the same log synthesis server.
Optionally, the abnormality identifier includes a missing-URL log identifier and a pending-result log identifier.
可选地,若所述缺失URL的信息安全日志的异常标识为结果待定日志标识,所述信息安全检测设备还包括:Optionally, if the abnormal identification of the information security log of the missing URL is a result pending log identification, the information security detection device further includes:
检测模块,用于对所述缺失URL的信息安全日志进行关键字检测,并根据所述缺失URL的信息安全日志的关键字获知所述缺失URL的信息安全日志对应的策略信息,其中,所述策略信息包括策略域名和/或策略URL;A detection module, configured to perform keyword detection on the information security log of the missing URL, and obtain policy information corresponding to the information security log of the missing URL according to keywords of the information security log of the missing URL, wherein the Policy information includes policy domain name and/or policy URL;
第二上报模块,用于将所述策略信息增加到所述缺失URL的信息安全日志中,并将包含所述策略信息的缺失URL的信息安全日志上报给日志合成服务器。The second reporting module is configured to add the policy information to the information security log of the missing URL, and report the information security log of the missing URL including the policy information to the log synthesis server.
本实施例的信息安全检测设备,可以用于执行本发明上述IDC信息安全管理的方法实施例二及四中的技术方案,其实现原理和技术效果类似,此处不再赘述。The information security detection device of this embodiment can be used to implement the technical solutions in the second and fourth embodiments of the method for IDC information security management of the present invention, and its implementation principle and technical effect are similar, and will not be repeated here.
FIG. 9 is a schematic structural diagram of Embodiment 2 of the information security detection device of the present invention. As shown in FIG. 9, the information security detection device 90 provided in this embodiment may include a processor 901 and a memory 902. The information security detection device 90 may further include a data interface unit 903, which may be connected to the processor 901. The data interface unit 903 is used to receive and send data, and the memory 902 stores execution instructions. When the information security detection device 90 runs, the processor 901 communicates with the memory 902 and invokes the execution instructions stored in the memory 902 to perform the operations of the second and fourth embodiments of the IDC information security management method described above.
The information security detection device of this embodiment can be used to carry out the technical solutions of the second and fourth embodiments of the IDC information security management method of the present invention described above; its implementation principle and technical effect are similar and are not repeated here.
FIG. 10 is a schematic structural diagram of Embodiment 1 of the deep packet inspection (DPI) device of the present invention. As shown in FIG. 10, the DPI device 100 provided in this embodiment may include a judging module 1001 and a reporting module 1002.
The judging module 1001 is configured to judge whether both the uplink and the downlink of a user access pass through the DPI device and, if not, to add a to-be-compensated identifier to the access log corresponding to that user access; an access log containing the to-be-compensated identifier is a to-be-compensated access log, and the to-be-compensated identifier indicates that the information security log generated by the user access corresponding to that access log requires URL compensation.
The reporting module 1002 is configured to report the to-be-compensated access log to the log synthesis server, so that the log synthesis server can compensate the missing-URL information security log according to the to-be-compensated access log.
Optionally, the reporting module is further configured to use a hash algorithm to ensure that the access logs of the same user access are reported to the same log synthesis server.
The DPI device of this embodiment can be used to carry out the technical solutions of the third and fourth embodiments of the IDC information security management method of the present invention described above; its implementation principle and technical effect are similar and are not repeated here.
FIG. 11 is a schematic structural diagram of Embodiment 2 of the deep packet inspection (DPI) device of the present invention. As shown in FIG. 11, the DPI device 110 provided in this embodiment may include a processor 1101 and a memory 1102. The DPI device 110 may further include a data interface unit 1103, which may be connected to the processor 1101. The data interface unit 1103 is used to receive and send data, and the memory 1102 stores execution instructions. When the DPI device 110 runs, the processor 1101 communicates with the memory 1102 and invokes the execution instructions stored in the memory 1102 to perform the operations of the third and fourth embodiments of the IDC information security management method described above.
The DPI device of this embodiment can be used to carry out the technical solutions of the third and fourth embodiments of the IDC information security management method of the present invention described above; its implementation principle and technical effect are similar and are not repeated here.
FIG. 12 is a schematic structural diagram of an embodiment of the Internet data center (IDC) information security management system of the present invention. As shown in FIG. 12, the IDC information security management system of this embodiment includes a log synthesis server 1201, an information security detection device 1202, a deep packet inspection (DPI) device 1203 and a routing device 1204. The log synthesis server 1201 may adopt the structure of the first or second log synthesis server embodiment above and, correspondingly, may carry out the technical solutions of the first and fourth embodiments of the IDC information security management method; the information security detection device 1202 may adopt the structure of the first or second information security detection device embodiment above and, correspondingly, may carry out the technical solutions of the second and fourth method embodiments; the DPI device 1203 may adopt the structure of the first or second DPI device embodiment above and, correspondingly, may carry out the technical solutions of the third and fourth method embodiments. Their implementation principles and technical effects are similar and are not repeated here.
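The following is an added example, not code from the patent, that models the flow described by the detection device, DPI device and system embodiments above: the DPI device flags an access log whose uplink and downlink were not both seen, the detection device flags a security log that lacks its URL (and, for a result-pending log, attaches the policy domain found by keyword detection), each source hashes the user identity to pick a synthesis server, and the log synthesis server caches both sides and fills the URL in. The flag encodings, field names, the (user, destination) join key, the policy table and the hit/miss verdict are assumptions.

```python
import hashlib
# Flag values and field names are constructed; the patent names the flags, not their encoding.
MISSING_URL = "MISSING_URL"        # security log has no URL and needs compensation
RESULT_PENDING = "RESULT_PENDING"  # detection verdict cannot be settled until the URL is known
TO_COMPENSATE = "TO_COMPENSATE"    # DPI device saw only one direction of this user access
POLICY_DOMAINS = {"policy-example.test"}  # stand-in for the keyword-to-policy table

def shard_for(user: str, n_servers: int) -> int:
    """Hash the user identity so that every log of one user reaches the same synthesis server."""
    return int.from_bytes(hashlib.sha256(user.encode()).digest()[:4], "big") % n_servers

def dpi_access_log(user: str, dst: str, url: str, uplink: bool, downlink: bool) -> dict:
    """DPI device: flag the access log when uplink and downlink did not both pass through it."""
    rec = {"user": user, "dst": dst, "url": url, "flags": set()}
    if not (uplink and downlink):
        rec["flags"].add(TO_COMPENSATE)
    return rec

def detection_security_log(user: str, dst: str, url: str, keywords: list) -> dict:
    """Detection device: flag a log with no URL; keyword detection attaches the policy domain."""
    rec = {"user": user, "dst": dst, "url": url, "flags": set(), "policy": None}
    if not url:
        rec["flags"].add(MISSING_URL)
        hit = next((k for k in keywords if k in POLICY_DOMAINS), None)
        if hit:  # the verdict depends on the real URL: mark it pending and carry the policy
            rec["flags"].add(RESULT_PENDING)
            rec["policy"] = {"domain": hit}
    return rec

class LogSynthesisServer:
    """Caches flagged logs from both sources and joins them on the assumed (user, dst) key."""
    def __init__(self) -> None:
        self.caches = {True: {}, False: {}}  # keyed by from_dpi: access logs / security logs
        self.done = []

    def ingest(self, rec: dict, from_dpi: bool) -> None:
        """Access logs arrive from the DPI device (from_dpi=True), security logs from detection."""
        if (TO_COMPENSATE if from_dpi else MISSING_URL) not in rec["flags"]:
            return  # unflagged log: nothing to join
        key = (rec["user"], rec["dst"])
        mine, peers = self.caches[from_dpi], self.caches[not from_dpi]
        peer = peers.pop(key, None)
        if peer is None:
            mine[key] = rec  # cache until the matching log from the other source arrives
        elif from_dpi:
            self._compensate(peer, rec)
        else:
            self._compensate(rec, peer)

    def _compensate(self, sec: dict, acc: dict) -> None:
        sec["url"] = acc["url"]
        sec["flags"].discard(MISSING_URL)
        if RESULT_PENDING in sec["flags"]:  # settle the verdict now that the URL is known
            sec["result"] = "hit" if sec["policy"]["domain"] in sec["url"] else "miss"
            sec["flags"].discard(RESULT_PENDING)
        self.done.append(sec)
```

Logs arriving in either order are joined, and an access log whose two directions were both seen is never cached, because its security log already carries the URL.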
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the method embodiments above. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.
Finally, it should be noted that the embodiments above serve only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in those embodiments may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present invention.
Claims (33)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410843504.XA CN105812324B (en) | 2014-12-30 | 2014-12-30 | The method, apparatus and system of IDC information security management |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105812324A true CN105812324A (en) | 2016-07-27 |
| CN105812324B CN105812324B (en) | 2019-04-05 |
Family ID: 56421096
Legal Events
| Code | Title |
|---|---|
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |