
Design And Implementation Of Distributed Web Security Monitor System

Posted on: 2014-07-08
Degree: Master
Type: Thesis
Country: China
Candidate: W Y Liang
Full Text: PDF
GTID: 2268330425970892
Subject: Computer Science and Technology

Abstract/Summary:
For the security threats faced by Web servers, appropriate protective software or a Web application firewall is a suitable solution, but the current management of such safety equipment is designed for a single device. A third-party security service provider, or a system administrator responsible for a large number of Web sites, needs a centralized monitoring platform to monitor and manage the protection provided by these distributed safety devices. In response to these needs, we designed and implemented a distributed Web security monitoring system. The specific work includes the following aspects:

For the centralized monitoring and management requirement, we designed and implemented a distributed Web safety monitoring system that performs Web site security log monitoring and early warning. The system supports the collection of a variety of protective security logs, and the analysis of collected server performance logs for attack warning.

For distributed Web security log collection, we designed a distributed log collection framework based on distributed transmission from a number of data collection points; the architecture contains the log forwarder and the log central server. The log forwarder collects the logs of multiple Web security devices as SYSLOG. For transmission security between the log forwarder and the central server, we adopted SSL transmission mode. Since the collected logs may overflow the buffer of the log central server, we designed and implemented a congestion control mechanism for log transport, and solved the speed imbalance between data receiving and data storing by multi-threading, a buffer pool and batch technology, to achieve high-performance distributed log collection.

On the basis of the Web security logs collected, we carried out further analysis. With a standardized regular expression mechanism, the user can construct a corresponding regular expression to support log parsing and extraction for different formats, which can easily be extended to the collection and analysis of logs in new formats. Moreover, for the performance logs collected from Web servers, we designed and implemented a DoS early warning mechanism based on server performance. To achieve this, we analyzed the principles of SYN flood, ACK flood, UDP flood and ICMP flood denial-of-service attacks, analyzed the changes in server network data and performance characteristics caused by these attacks, and implemented DoS detection and performance early warning functions.
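The regular-expression-driven parsing and log alarm described above, as an added example that is not code from the thesis: each supported device format is one named regex with common capture-group names, parsed records are normalised, and a source address is flagged when its blocked-event count reaches a threshold. The two syslog formats, the sample lines and the threshold are constructed assumptions for this illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines in two assumed device formats
# (a key=value WAF log and an httpd access log); not real thesis data.
SAMPLE_LOGS = [
    "<134>Jul  8 10:01:02 waf01 waf: src=203.0.113.5 dst=198.51.100.10 rule=sqli action=block",
    "<134>Jul  8 10:01:03 waf01 waf: src=203.0.113.5 dst=198.51.100.10 rule=xss action=block",
    "<134>Jul  8 10:01:04 waf01 waf: src=203.0.113.9 dst=198.51.100.10 rule=sqli action=block",
    '<190>Jul  8 10:01:05 web02 httpd: 203.0.113.5 - - "GET /admin HTTP/1.1" 403 512',
    "<134>Jul  8 10:01:06 waf01 waf: src=203.0.113.5 dst=198.51.100.10 rule=rfi action=block",
]

# One named pattern per log format; a new device type is added by
# registering another pattern that uses the same capture-group names.
FORMATS = {
    "waf_kv": re.compile(
        r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) waf: "
        r"src=(?P<src>\S+) dst=(?P<dst>\S+) rule=(?P<rule>\S+) action=(?P<action>\S+)$"
    ),
    "httpd_access": re.compile(
        r'^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) httpd: '
        r'(?P<src>\S+) \S+ \S+ "(?P<request>[^"]*)" (?P<status>\d{3}) \d+$'
    ),
}


def parse_line(line):
    """Try every configured pattern; return a normalised record or None."""
    for name, pattern in FORMATS.items():
        m = pattern.match(line)
        if m:
            rec = m.groupdict()
            rec["format"] = name
            # A WAF block or an HTTP 403 both count as a blocked event.
            rec["blocked"] = rec.get("action") == "block" or rec.get("status") == "403"
            return rec
    return None  # unknown format: left for a new pattern to be added


def alarms(lines, threshold=3):
    """Return source IPs whose blocked-event count reaches the threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["blocked"]:
            counts[rec["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(alarms(SAMPLE_LOGS))  # ['203.0.113.5']
```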
Keywords/Search Tags: Web Security Monitor, distributed log collect, DoS detect, log alarm