Disclosure of Invention
The embodiments of the invention provide a patch updating method, device and system based on bypass monitoring, which can acquire updated patch files promptly and at low cost, so as to provide the required patch files for terminals deployed in an intranet.
In a first aspect, an embodiment of the present invention provides a patch update method based on bypass monitoring, which is applied to a server, and the method includes:
monitoring, in a bypass monitoring mode, network traffic data packets received by a plurality of terminal devices from an external network through network links, determining whether the monitored network traffic data packets contain target data packets for patch updating of the Windows system in the corresponding terminal device, and if so, parsing a patch file and patch information from the target data packets;
performing security inspection on the patch file, and updating patch update content into a preset patch library after the inspection is passed, wherein the patch update content at least comprises the patch file, the patch information and the Windows system version of the corresponding terminal device;
and in response to receiving a patch file download request sent by an intranet server, sending the target patch file requested for download to the intranet server according to the patch library and the download request, so that the intranet server can use the target patch file to provide the Windows system patch file to terminals deployed in the intranet.
In one possible implementation, the server is connected in parallel to the network link of each terminal device by accessing a mirror port of an external switch, wherein each terminal device establishes its network link through the switch;
and monitoring, in the bypass monitoring mode, the network traffic data packets received by the plurality of terminal devices from the external network through the network links comprises receiving the network traffic data packets forwarded by the switch through the mirror port.
In one possible implementation, determining whether the monitored network traffic data packets contain a target data packet for patch updating of the Windows system in the corresponding terminal device comprises:
determining whether a network traffic data packet is a target data packet for patch updating of the Windows system in the terminal device according to at least one of the IP address of a Microsoft server in the packet, the HTTP domain name of a Microsoft server in the packet, and patch information in the packet content, and/or, after a first target data packet has been determined according to at least one of those three indicators, determining the subsequent target data packets according to the data stream length specified by the protocol to which the packet belongs;
and/or,
the patch file is parsed by sorting a plurality of successively monitored target data packets by TCP sequence number to reconstruct the TCP connection, and restoring the file carried in the TCP data stream of that connection to obtain the patch file for patch updating of the Windows system in the terminal device;
and/or,
before the patch update content is updated into the preset patch library, determining whether the patch file is already stored in the patch library, and updating the patch update content into the preset patch library only if it is not.
In one possible implementation, the plurality of terminal devices cover a plurality of different Windows system versions, and the patch library comprises patch files and patch information corresponding to the different Windows system versions.
In one possible implementation, the method further comprises establishing a patch whitelist that is updated each time the patch library is updated, the patch whitelist comprising the correspondence between the different Windows system versions and their patch information;
and before receiving the patch file download request sent by the intranet server, the method further comprises, in response to receiving a query request from the intranet server, sending the patch whitelist to the intranet server, so that the intranet server determines from the patch whitelist and the patch installation conditions of the terminals deployed in the intranet whether any patch file needs to be updated and requests download of the patch files that do, wherein the patch installation conditions comprise the Windows system version of each terminal deployed in the intranet and the patch information of the patch files currently installed on it.
In a second aspect, an embodiment of the present invention further provides a patch updating apparatus based on bypass monitoring, located in a server, the apparatus comprising:
a processing module, configured to monitor, in a bypass monitoring mode, network traffic data packets received by a plurality of terminal devices from an external network through network links, and to determine whether the monitored network traffic data packets contain target data packets for patch updating of the Windows system in the corresponding terminal device;
an updating module, configured to perform security inspection on the patch file and to update the patch update content into a preset patch library after the inspection is passed, wherein the patch update content at least comprises the patch file, the patch information and the Windows system version of the corresponding terminal device;
and a communication module, configured to respond to receiving a patch file download request sent by an intranet server by sending the target patch file requested for download to the intranet server according to the patch library and the download request, so that the intranet server uses the target patch file to provide the Windows system patch file to the terminals deployed in the intranet.
In a third aspect, an embodiment of the invention further provides a patch updating system based on bypass monitoring, comprising a patch management server and at least one bypass monitoring server, wherein
the at least one bypass monitoring server is configured to monitor, in a bypass monitoring mode, network traffic data packets received by a plurality of terminal devices from an external network through network links, to determine whether the monitored network traffic data packets contain target data packets for patch updating of the Windows system in the corresponding terminal device, and if so, to parse the patch file and patch information from the target data packets and report the patch update content to the patch management server, wherein the patch update content at least comprises the patch file, the patch information and the Windows system version of the corresponding terminal device;
and the patch management server is configured to perform security inspection on the patch file, to update the patch update content into a preset patch library after the inspection is passed, and, in response to receiving a patch file download request sent by an intranet server, to send the target patch file requested for download to the intranet server according to the patch library and the download request, so that the intranet server uses the target patch file to provide the Windows system patch file to the terminals deployed in the intranet.
In one possible implementation, the bypass monitoring server is connected in parallel to the network link of each corresponding terminal device by accessing a mirror port of the external switch;
and the bypass monitoring server is specifically configured, when monitoring in the bypass monitoring mode the network traffic data packets received by the plurality of terminal devices from the external network through the network links, to receive the network traffic data packets forwarded by the switch through the mirror port.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including a memory and a processor, where the memory stores a computer program, and when the processor executes the computer program, the method described in any embodiment of the present specification is implemented.
In a fifth aspect, embodiments of the present invention further provide a computer readable storage medium having stored thereon a computer program, which when executed in a computer, causes the computer to perform a method according to any of the embodiments of the present specification.
The embodiments of the invention provide a patch updating method, device and system based on bypass monitoring. Network traffic data packets that a plurality of terminal devices receive from an external network through network links are monitored in a bypass monitoring mode, so that it can be observed whether a terminal device is updating a patch of the Windows system; when it is, the patch file and patch information are obtained and updated into a preset patch library, the patch library manages the patch files and supplies the required patch files to an intranet server, and the intranet server in turn provides the Windows system patches to the terminals deployed in the intranet. In this scheme, whether a terminal device is performing Windows system patch updating is observed from the network traffic data packets, which is not difficult to do, and as soon as a terminal device performs Windows system patch updating the patch file can be quickly added to the patch library, so that the patch files in the patch library are kept up to date and the patch files required by the intranet terminals are acquired in a timely manner.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described below clearly and completely with reference to the accompanying drawings. Evidently, the described embodiments are some, not all, of the embodiments of the present invention; all other embodiments obtained by those skilled in the art on the basis of these embodiments without inventive effort fall within the scope of protection of the present invention.
In the prior approach described above, updated patch files are obtained from the external network by a web crawler. If the latest patch file is to be obtained in time, crawling has to run continuously, and crawling is not only costly but also difficult, for example because network supervision exists and the crawler can be blocked. The latest patch file therefore cannot be crawled in time, timeliness is poor, the required patch file cannot be provided to the terminals deployed in the intranet, and the security of the intranet terminals suffers.
In view of the above problems, the invention obtains the patch file from terminal devices that are in a networked state. When a terminal device updates a patch of the Windows system it has to download the patch file through the network traffic data packets transmitted over its network link, so the network traffic data packets the terminal device receives from the external network can be obtained in a bypass monitoring mode in order to monitor it. When the terminal device updates a patch of the Windows system, the patch file of that update is obtained and the patch library is updated quickly, so that the required patch files can be provided to the terminals managed by the intranet server and the security of the intranet terminals is ensured.
Based on the above conception, the system architecture of the embodiment of the present invention will be described.
Referring to Fig. 1, one embodiment of the present invention provides a patch updating system comprising a patch management server 10 and at least one bypass monitoring server 20. The patch management server 10 may be connected to each bypass monitoring server 20 as needed. The patch management server 10 may also be connected as needed to the intranet server 30, which is connected through the intranet to a plurality of terminals 40 deployed in the intranet environment. The bypass monitoring server 20 is connected in parallel to the network links of a plurality of terminal devices 50 in order to monitor the transmission of network traffic data packets between each terminal device 50 and the Microsoft server 60.
In the embodiment of the invention, the patch management server and the bypass monitoring server may be realized on the same physical server or on different physical servers.
Specific implementations of the above concepts are described below.
Referring to fig. 2, an embodiment of the present invention provides a patch updating method based on bypass monitoring, which is applied to a server, and the method includes:
Step 200: monitoring, in a bypass monitoring mode, network traffic data packets received by a plurality of terminal devices from an external network through network links, determining whether the monitored network traffic data packets contain target data packets for patch updating of the Windows system in the corresponding terminal device, and if so, parsing the patch file and patch information from the target data packets.
In the embodiment of the invention, in order to monitor the network traffic data packets that a plurality of terminal devices receive from the external network through their network links, the server is connected in parallel to the network links of those terminal devices. This parallel connection can be realized in at least the following two ways:
First, switch port mirroring.
Second, a shared hub.
In the first way, the server is connected in parallel to the network link of each terminal device by accessing a mirror port of the external switch, where each terminal device establishes its network link through that switch.
In this step, monitoring the network traffic data packets received by the plurality of terminal devices from the external network through the network links then comprises receiving the network traffic data packets forwarded by the switch through the mirror port. When a terminal device communicates with the outside, the switch forwards the network traffic data packets as usual, and in addition to that normal handling it copies the packets exchanged between the terminal device and the outside to the server through the mirror port.
The first way is convenient and flexible to deploy: only a mirror port needs to be configured on the switch, the existing network structure of the terminal devices does not need to be changed, and if the server connected to the mirror port stops working, normal operation of the network is not affected.
In the second way, the hub is a multi-port repeater that forwards every frame it receives to all of its other ports, and when the hub is used as the central device a fault on one line does not affect the other lines. By connecting the plurality of terminal devices and the server to the same hub, the server is connected in parallel to the network links of those terminal devices, and the network traffic data packets the terminal devices receive from the external network are shared with the server through the hub.
Similarly, after the second way is deployed, the server can monitor the network traffic data packets received by each terminal device from the external network through the network link, and normal operation of the network is not affected if the server stops working.
In one embodiment of the present invention, whether a terminal device is performing patch updating of the Windows system is determined by determining whether a target data packet for patch updating of the Windows system in that terminal device exists in the network traffic data packets; if such a packet exists, the corresponding terminal device is determined to be performing patch updating of the Windows system.
In one embodiment of the present invention, whether a network traffic data packet is a target data packet for patch updating of the Windows system in the terminal device may be determined in at least one of the following ways:
Mode 1: according to whether the IP address of a Microsoft server is present in the network traffic data packet.
Mode 2: according to whether the HTTP domain name of a Microsoft server is present in the network traffic data packet.
Mode 3: according to whether patch information is present in the content of the network traffic data packet.
Mode 4: after a first target data packet has been determined by at least one of the three modes above, determining the subsequent target data packets according to the data stream length specified by the protocol to which the network traffic data packet belongs.
When updating a patch of the Windows system, the terminal device has to establish a connection with a Microsoft server in order to obtain the patch file from it. In modes 1 and 2, therefore, the IP addresses and/or HTTP domain names of the Microsoft servers are preset, and when the IP address and/or HTTP domain name in a network traffic data packet is determined to be that of a Microsoft server, the packet is determined to be a target data packet for patch updating of the Windows system in the corresponding terminal device.
In mode 3, the content of the network traffic data packet is parsed to determine whether patch information is present in the parsed content; if so, the packet is determined to be a target data packet for patch updating of the Windows system in the corresponding terminal device.
It should be noted that once mode 1 or mode 2 has determined that the IP address or HTTP domain name in a network traffic data packet belongs to a Microsoft server, mode 3 may additionally be used to check whether patch information is present in the packet content before the packet is accepted as a target data packet, which further improves the accuracy of the determination, since the address or domain name identifies only the server and not what is being transferred.
In mode 4, since the data transmission protocol states the length of the data stream to be transmitted (for example, the Content-Length header of an HTTP response), once the first target data packet has been determined by any of the three modes above and the length of that packet has not yet reached the data stream length stated by the protocol, the remaining bytes of the stream must arrive in subsequent network traffic data packets. Those subsequent target data packets can therefore be identified from the protocol-stated data stream length without inspecting their content, which improves the speed of the determination.
Using the above modes, it is determined whether target data packets exist in the network traffic data packets. If no target data packet for patch updating of the Windows system in the terminal device exists, the network traffic data packets are not processed; if target data packets do exist, the patch file and the patch information are parsed from them.
Further, parsing the patch file may comprise sorting a plurality of successively monitored target data packets by TCP sequence number to reconstruct the TCP connection, and restoring the file carried in the TCP data stream of that connection to obtain the patch file for patch updating of the Windows system in the terminal device.
The patch file is carried by many target data packets, and the sequence numbers of the target data packets as captured may not be consecutive (segments can be reordered or retransmitted, and a mirror port under load can drop copies before they reach the server), so the plurality of successively captured target data packets are sorted by TCP sequence number in order to reconstruct the TCP connection. Once the TCP connection has been reconstructed, the corresponding TCP data stream is obtained and the patch file is recovered from it by file restoration. A stream in which a gap remains after sorting must not be treated as a complete patch file.
It should be noted that the patch information may also be parsed from the header of the target data packet. In the embodiment of the invention, the patch information may comprise the operating system to which the patch belongs, the patch list, hardware information and drivers, the patch acquisition path, and official information of the patch file.
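As an added illustration of modes 1 to 4 and of the sequence-number reassembly just described, the following Python code is an example written for this page, not code from the patent. It assumes a preset Microsoft server address and domain name (the address is a TEST-NET placeholder and the domain is the Windows Update download host), it works on packets already reduced to TCP sequence number plus payload rather than on raw frames, and it assumes the download itself is visible as plain HTTP on the mirrored link; a TLS-encrypted download exposes only the server address and name to a passive monitor, not the file. The sample capture at the end, including the patch file name, is constructed.

```python
# Added example (not part of the patent): detect Windows Update download traffic in mirrored
# packets (modes 1-4 above) and reassemble the patch file by TCP sequence number.
from __future__ import annotations
from collections import namedtuple
from dataclasses import dataclass, field
import re

# Assumed preset indicators: update hosts sit behind CDNs whose addresses change, so the Host
# header is the more stable key and the IP list must be refreshed. TEST-NET placeholder address.
MS_UPDATE_IPS = {"203.0.113.10"}
MS_UPDATE_HOSTS = {"download.windowsupdate.com"}
PATCH_NAME_RE = re.compile(rb"(?i)(windows[\w.]*-kb\d+[\w.-]*\.(?:msu|cab))")  # windows10.0-kb...-x64.msu
HOST_RE = re.compile(rb"(?im)^Host:[ \t]*([^\r\n]+)")
CLEN_RE = re.compile(rb"(?im)^Content-Length:[ \t]*(\d+)")

Packet = namedtuple("Packet", "src dst sport dport seq payload")   # seq: first payload byte

@dataclass
class Flow:
    server: tuple | None = None   # (ip, port) of the update-server side of the connection
    patch_name: str = ""
    body_seq: int | None = None   # sequence number of the first byte of the HTTP body
    end_seq: int | None = None    # body_seq + Content-Length: the mode 4 bound
    segments: dict[int, bytes] = field(default_factory=dict)   # server->client data by seq

def first_packet_hits(pkt: Packet) -> set[str]:
    """Modes 1-3: which preset indicators mark pkt as Windows Update traffic."""
    hits = set()
    if pkt.src in MS_UPDATE_IPS or pkt.dst in MS_UPDATE_IPS:
        hits.add("ip")
    m = HOST_RE.search(pkt.payload)
    if m and m.group(1).strip().lower().decode("ascii", "replace") in MS_UPDATE_HOSTS:
        hits.add("host")
    if PATCH_NAME_RE.search(pkt.payload):
        hits.add("patch_info")
    return hits

def flow_key(pkt: Packet) -> tuple:
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

class BypassMonitor:
    def __init__(self) -> None:
        self.flows: dict[tuple, Flow] = {}

    def feed(self, pkt: Packet) -> bool:
        """Return True if pkt is a target packet; server->client payload is kept for reassembly."""
        key = flow_key(pkt)
        if key not in self.flows and not first_packet_hits(pkt):
            return False                              # ordinary traffic: not processed
        flow = self.flows.setdefault(key, Flow())
        if pkt.payload.startswith(b"GET "):           # request: learn server side and file name
            flow.server = (pkt.dst, pkt.dport)
            m = PATCH_NAME_RE.search(pkt.payload)
            if m:
                flow.patch_name = m.group(1).decode()
            return True
        if pkt.payload.startswith(b"HTTP/"):          # response start: learn the declared length
            hdr_end = pkt.payload.find(b"\r\n\r\n")
            m = CLEN_RE.search(pkt.payload[:max(hdr_end, 0)])
            if hdr_end < 0 or not m:
                return False                          # chunked or unknown length: not handled here
            flow.server = (pkt.src, pkt.sport)
            flow.body_seq = pkt.seq + hdr_end + 4
            flow.end_seq = flow.body_seq + int(m.group(1))
        if flow.server != (pkt.src, pkt.sport) or flow.end_seq is None or pkt.seq >= flow.end_seq:
            return False
        flow.segments[pkt.seq] = pkt.payload          # mode 4: inside the declared length, no content check
        return True

    def reassemble(self, key: tuple) -> tuple[str, bytes] | None:
        """Sort segments by sequence number, trim retransmitted overlap, refuse gaps, return the file."""
        flow = self.flows[key]
        if flow.end_seq is None or not flow.segments:
            return None
        data, expect = b"", min(flow.segments)
        for seq in sorted(flow.segments):
            seg = flow.segments[seq]
            if seq > expect:
                return None                           # a segment never reached the mirror: incomplete
            data += seg[expect - seq:]
            expect = max(expect, seq + len(seg))
        body = data[flow.body_seq - min(flow.segments):]
        return (flow.patch_name, body) if len(body) == flow.end_seq - flow.body_seq else None

# Constructed sample capture: an unrelated request, then a download arriving out of order.
SERVER, CLIENT = ("203.0.113.10", 80), ("192.0.2.20", 49152)
REQUEST = (b"GET /d/msdownload/update/software/secu/windows10.0-kb1234567-x64.msu HTTP/1.1\r\n"
           b"Host: download.windowsupdate.com\r\n\r\n")
BODY = b"MSCF" + bytes(range(26))                     # stand-in for a cabinet-format payload
HEADER = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(BODY)

def demo(drop_middle: bool = False) -> tuple[list[bool], tuple[str, bytes] | None]:
    resp = lambda seq, data: Packet(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], seq, data)
    h = len(HEADER)
    pkts = [Packet("192.0.2.99", "198.51.100.5", 40000, 80, 1, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
            Packet(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], 5000, REQUEST),
            resp(9000, HEADER + BODY[:8]), resp(9000 + h + 20, BODY[20:])]
    if not drop_middle:
        pkts += [resp(9000 + h + 8, BODY[8:20])] * 2   # delivered late, then retransmitted
    mon = BypassMonitor()
    flags = [mon.feed(p) for p in pkts]
    return flags, mon.reassemble(flow_key(pkts[1]))
```

Modes 1 to 3 are applied only to the first packet of a connection; every later server-to-client segment is accepted by mode 4 purely from its position below the Content-Length bound, which is why the gap check at reassembly time is needed: with `drop_middle=True` the middle segment is missing and `reassemble` returns `None` instead of a truncated file that would still carry a valid-looking name.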
Step 202: performing security inspection on the patch file, and updating the patch update content into a preset patch library after the inspection is passed, wherein the patch update content at least comprises the patch file, the patch information and the Windows system version of the corresponding terminal device.
In one embodiment of the invention, the security inspection of the patch file is performed by interfacing with an external threat intelligence center and a number of antivirus engines, which are used to check the legitimacy and safety of the patch file. Because Windows update packages are digitally signed by Microsoft, verifying that signature on the recovered file belongs in this inspection as well: it detects a file that was altered or truncated on the way, which an antivirus scan alone does not.
Because the server monitors the network traffic data packets of a plurality of terminal devices, a patch file is obtained whenever any one of those terminal devices is observed updating a patch of the Windows system. The patch library only needs to keep one copy of a given patch file for a given Windows system version, and repeated storage is unnecessary. Therefore, in one embodiment of the present invention, before the patch update content is updated into the preset patch library, it is determined whether the patch file is already stored in the patch library, and the patch update content is updated into the preset patch library only if it is not.
In one embodiment of the present invention, whether the patch file is already stored in the patch library may be determined by comparing the hash value of the patch file and/or the patch information.
When the hash value is used, the server computes in advance the hash value of each patch file stored in the patch library to form a hash value list; after a new patch file is acquired, its hash value is computed, and if that hash value is present in the hash value list the patch file is already stored in the patch library, otherwise it is not.
When the patch information is used, the server compares the parsed patch information with the patch information stored in the patch library; if the patch information is already present in the patch library the patch file is already stored, otherwise it is not. Patch information alone cannot tell two different files that carry the same patch information apart, so a match on patch information together with a differing hash value is better treated as a conflict to be examined than as a duplicate to be discarded.
In one embodiment of the present invention, the terminal devices run many Windows system versions, the kinds of patch file are correspondingly numerous, and each patch file corresponds to a Windows system version, so the Windows system version of the corresponding terminal device has to be acquired and stored in the patch library together with the patch file and the patch information.
The Windows system version may be Windows XP, Windows Vista, Windows 7, Windows 8/Windows 8.1, Windows 10, Windows 11, and so on.
Further, the patch library has to provide the required patch files for the terminals managed by the intranet server, and the clients managed by the intranet server may run multiple Windows system versions. To enrich the Windows system versions covered by the patch files in the patch library, the plurality of terminal devices monitored by the server therefore cover a plurality of different Windows system versions, and the patch library contains patch files and patch information corresponding to those different Windows system versions.
Step 204: in response to receiving a patch file download request sent by an intranet server, sending the target patch file requested for download to the intranet server according to the patch library and the download request, so that the intranet server uses the target patch file to provide the Windows system patch file to the terminals deployed in the intranet.
The intranet server is deployed inside an enterprise and provides Windows system patch updating to the terminals deployed in the intranet. The server provides the service from which the intranet server downloads the patch files it needs.
To improve the user experience and ensure that the patches of the intranet terminals are updated in time, the method may further comprise establishing a patch whitelist that is updated each time the patch library is updated, the patch whitelist comprising the correspondence between the different Windows system versions and their patch information. The patch whitelist may contain only the latest patch information for a given Windows system version, or both the latest and the historical patch information, so that the intranet server can choose.
Before receiving the patch file download request sent by the intranet server, the method further comprises, in response to receiving a query request from the intranet server, sending the patch whitelist to the intranet server. The intranet server then determines from the patch whitelist and the patch installation conditions of the terminals deployed in the intranet whether any patch file needs to be updated, and requests download of the patch files that do, where the patch installation conditions comprise the Windows system version of each terminal deployed in the intranet and the patch information of the patch files currently installed on it.
Specifically, the intranet server may learn the patch installation conditions of the intranet terminals in advance and determine from the received patch whitelist whether a patch file needs to be updated. The patch file to be updated may be the one corresponding to the latest patch information or one corresponding to historical patch information.
When the intranet server determines that a patch file needs to be updated, it sends a patch file download request to the server, the request carrying the Windows system version and the patch information.
In the embodiment of the invention, the intranet server may periodically send a query request to the server to determine whether any patch file needs to be updated.
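The following Python code is an added example for this page, not the patent's own implementation, of the patch library side of steps 202 and 204: de-duplication by hash value and by patch information, the per-version patch whitelist, and the intranet server's query, comparison and download round trip. The patch identifiers, file contents, terminals, and the single structural check standing in for the external threat intelligence and antivirus engines are all constructed for the example; the hash value returned with each download and checked on arrival is an addition the text does not mention.

```python
# Added example (not the patent's implementation): patch library de-duplication, per-version
# patch whitelist, and the intranet server's query/compare/download round trip.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable
import hashlib

@dataclass(frozen=True)
class PatchInfo:
    os_version: str   # Windows system version the patch belongs to, e.g. "Windows 10"
    kb: str           # patch identifier as parsed from the capture (values below are constructed)

@dataclass(frozen=True)
class PatchEntry:
    info: PatchInfo
    sha256: str
    data: bytes

def looks_like_cabinet(data: bytes) -> bool:
    """Structural stand-in for the external checks: .msu/.cab packages are Microsoft Cabinet
    files and start with the 'MSCF' magic. Threat-intelligence and antivirus lookups and the
    package's Authenticode signature check would be further callables in the same list."""
    return data[:4] == b"MSCF"

class PatchLibrary:
    """Patch management server side: one copy per (version, patch information), indexed by hash."""

    def __init__(self, checks: list[Callable[[bytes], bool]]) -> None:
        self.checks = checks
        self.by_hash: dict[str, PatchEntry] = {}
        self.by_info: dict[PatchInfo, str] = {}       # patch information -> sha256
        self.order: dict[str, list[str]] = {}         # os_version -> patch ids, oldest first

    def ingest(self, info: PatchInfo, data: bytes) -> str:
        """De-duplicate by hash list and by patch information, then run the security inspection."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.by_hash:
            return "duplicate"            # same bytes already stored
        if info in self.by_info:
            return "conflict"             # same version and patch info, different bytes: never overwrite
        if not all(check(data) for check in self.checks):
            return "rejected"             # failed inspection: not added to the library
        self.by_hash[digest] = PatchEntry(info, digest, data)
        self.by_info[info] = digest
        self.order.setdefault(info.os_version, []).append(info.kb)
        return "stored"

    def whitelist(self, latest_only: bool = False) -> dict[str, list[str]]:
        """Windows system version -> patch ids, newest first; optionally only the latest one."""
        return {v: (kbs[-1:] if latest_only else kbs[::-1]) for v, kbs in self.order.items()}

    def download(self, os_version: str, kb: str) -> tuple[str, bytes] | None:
        digest = self.by_info.get(PatchInfo(os_version, kb))
        return None if digest is None else (digest, self.by_hash[digest].data)

class IntranetServer:
    """Intranet side: knows each managed terminal's Windows version and installed patches."""

    def __init__(self, terminals: dict[str, tuple[str, set[str]]]) -> None:
        self.terminals = terminals        # terminal id -> (os_version, installed patch ids)
        self.cache: dict[PatchInfo, bytes] = {}

    def missing(self, whitelist: dict[str, list[str]]) -> set[PatchInfo]:
        """Compare the whitelist with the installation conditions of every terminal."""
        return {PatchInfo(v, kb) for v, installed in self.terminals.values()
                for kb in whitelist.get(v, []) if kb not in installed}

    def sync(self, server: PatchLibrary) -> list[str]:
        """Periodic query: fetch the whitelist, download what is missing, verify the hash on arrival."""
        fetched = []
        for info in sorted(self.missing(server.whitelist()), key=lambda i: (i.os_version, i.kb)):
            got = None if info in self.cache else server.download(info.os_version, info.kb)
            if got is None:
                continue
            digest, data = got
            if hashlib.sha256(data).hexdigest() != digest:
                continue                  # damaged or tampered in transfer: do not distribute
            self.cache[info] = data
            fetched.append(info.kb)
        return fetched

def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: repeated and conflicting captures, one bad file, then two syncs."""
    lib = PatchLibrary(checks=[looks_like_cabinet])
    kb_a = b"MSCF" + b"A" * 16
    results = [lib.ingest(PatchInfo("Windows 10", "KB1000001"), kb_a),
               lib.ingest(PatchInfo("Windows 10", "KB1000001"), kb_a),                 # duplicate
               lib.ingest(PatchInfo("Windows 10", "KB1000001"), b"MSCF" + b"B" * 16),  # conflict
               lib.ingest(PatchInfo("Windows 10", "KB1000002"), b"MSCF" + b"C" * 16),
               lib.ingest(PatchInfo("Windows 7", "KB1000003"), b"not a cabinet"),       # rejected
               lib.ingest(PatchInfo("Windows 7", "KB1000004"), b"MSCF" + b"D" * 16)]
    intranet = IntranetServer({"pc-1": ("Windows 10", {"KB1000001"}), "pc-2": ("Windows 7", set())})
    return results, intranet.sync(lib), intranet.sync(lib)
```

`ingest` reports a conflict rather than a duplicate when the same version and patch information arrive with different bytes: the two captures cannot both be the genuine package, so neither is overwritten until someone looks. The second `sync` in `demo` downloads nothing because everything the whitelist lists is already cached, which is the steady state of the periodic query the text describes; `whitelist(latest_only=True)` gives the single-latest form of the whitelist the text also allows.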
Further, the server may classify the patch files by urgency, and when the urgency of a patch file meets a set condition, send that patch file directly to the intranet server, so that the intranet server can provide the Windows system patch update to the intranet terminals in time and the security of those terminals is guaranteed.
In addition, after the intranet server obtains the patch file to be updated, it may control the intranet terminals to install the patch during an appropriate time window.
In the embodiment of the invention, the patch file is obtained by monitoring the Windows system patch updating of the terminal devices and is used to update the patch library, so that the patch library can provide the required patch files to the intranet server in time, and the intranet server can in turn provide Windows system patch updating to the terminals deployed in the intranet, guaranteeing the security of those terminals.
As shown in Fig. 3 and Fig. 4, an embodiment of the present invention provides a patch updating apparatus based on bypass monitoring. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. In terms of hardware, Fig. 3 shows the hardware architecture of the electronic device on which a patch updating apparatus based on bypass monitoring according to an embodiment of the present invention is located; in addition to the processor, memory, network interface and nonvolatile memory shown in Fig. 3, the electronic device in this embodiment may generally include other hardware, such as a forwarding chip responsible for packet processing. Taking software implementation as an example, as shown in Fig. 4, the apparatus in the logical sense is formed by the CPU of the electronic device reading the corresponding computer program from the nonvolatile memory into the memory. The patch updating apparatus based on bypass monitoring provided in this embodiment is located in a server and includes:
the processing module 401, configured to monitor, in a bypass monitoring mode, network traffic data packets received by a plurality of terminal devices from an external network through network links, and to determine whether the monitored network traffic data packets contain target data packets for patch updating of the Windows system in the corresponding terminal device;
the updating module 402, configured to perform security inspection on the patch file and to update the patch update content into a preset patch library after the inspection is passed, wherein the patch update content at least comprises the patch file, the patch information and the Windows system version of the corresponding terminal device;
and the communication module 403, configured to respond to receiving a patch file download request sent by an intranet server by sending the target patch file requested for download to the intranet server according to the patch library and the download request, so that the intranet server uses the target patch file to provide the Windows system patch file to the terminals deployed in the intranet.
In one embodiment of the invention, the server is connected in parallel to the network link of each terminal device by accessing a mirror port of the external switch, wherein each terminal device establishes its network link through the switch;
and the processing module 401 is specifically configured, when monitoring in the bypass monitoring mode the network traffic data packets received by the plurality of terminal devices from the external network through the network links, to receive the network traffic data packets forwarded by the switch through the mirror port.
In one embodiment of the present invention, when determining whether the monitored network traffic packets contain a target packet for updating the patch of the Windows system in the corresponding terminal device, the processing module 401 is specifically configured to identify the first target packet according to at least one of an IP address of a Microsoft server in the network traffic packet, an HTTP domain name of the Microsoft server in the network traffic packet, and patch information in the content of the network traffic packet; and/or, after the first target packet has been identified, to identify the subsequent target packets according to the data flow length specified by the protocol to which the network traffic packet belongs.
In one embodiment of the present invention, when analyzing the patch file, the processing module 401 is specifically configured to sort the plurality of continuously monitored target data packets by TCP sequence number to reconstruct the TCP connection, and to restore the file carried in the TCP data stream of that connection so as to obtain the patch file for the patch update of the Windows system in the terminal device.
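The packet identification and stream reconstruction just described for the processing module 401 (and, in the system embodiment below, for the bypass monitoring server 602) can be illustrated end to end. The following is an added example and not code from the patent. It assumes plain-HTTP delivery, since a TLS-encrypted download would expose neither the Host header nor the Content-Length to a bypass monitor; it uses the documentation range 192.0.2.0/24 as a stand-in for a Microsoft address block; the two domain names are used purely as match strings; and every packet, file name and KB number is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed criteria for illustration: 192.0.2.0/24 (a documentation range) stands
# in for a Microsoft address block; the domains are match strings only.
MS_NETS = (ipaddress.ip_network("192.0.2.0/24"),)
MS_DOMAINS = ("windowsupdate.com", "update.microsoft.com")
PATCH_NAME_RE = re.compile(rb"windows[\w.-]*-kb\d+-\w+\.(?:msu|cab)", re.I)
HOST_RE = re.compile(rb"^host:\s*([^\r\n]+)", re.I | re.M)
CLEN_RE = re.compile(rb"^content-length:\s*(\d+)", re.I | re.M)

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    payload: bytes

    def flow(self):  # direction-independent key: request and response share it
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (a, b) if a <= b else (b, a)

def is_first_target(seg):
    """Criteria from the text: Microsoft IP, Microsoft HTTP host, patch name."""
    if any(ipaddress.ip_address(ip) in n for ip in (seg.src, seg.dst) for n in MS_NETS):
        return True
    m = HOST_RE.search(seg.payload)
    if m:  # anchor on a label boundary so "evilwindowsupdate.com" cannot match
        host = m.group(1).decode("ascii", "replace").strip().lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in MS_DOMAINS):
            return True
    return PATCH_NAME_RE.search(seg.payload) is not None

def select_target_segments(segments):
    """Arrival order: after a flow's first target packet, the rest of it is target."""
    target_flows, selected = set(), []
    for seg in segments:
        if seg.flow() in target_flows or is_first_target(seg):
            target_flows.add(seg.flow())
            selected.append(seg)
    return selected

def reassemble(segments, src, sport):
    """Sort one direction by sequence number, drop retransmit overlap, reject gaps."""
    one_way = sorted((s for s in segments if (s.src, s.sport) == (src, sport)),
                     key=lambda s: s.seq)
    data, expected = bytearray(), one_way[0].seq
    for s in one_way:
        if s.seq > expected:
            raise ValueError(f"gap at seq {expected}: capture incomplete")
        overlap = expected - s.seq
        if overlap < len(s.payload):
            data += s.payload[overlap:]
            expected = s.seq + len(s.payload)
    return bytes(data)

def extract_patch_file(response_stream):
    """Bound the file by the protocol-specified length (HTTP Content-Length)."""
    head, sep, body = response_stream.partition(b"\r\n\r\n")
    m = CLEN_RE.search(head) if sep else None
    if not m:
        raise ValueError("no complete HTTP header with Content-Length")
    length = int(m.group(1))
    if len(body) < length:
        raise ValueError(f"stream truncated: {len(body)} of {length} bytes")
    return body[:length]

def recover_patch(segments):
    """Classify, rebuild the server-to-client stream, carve out the patch file."""
    selected = select_target_segments(segments)
    resp = next((s for s in selected if s.payload.startswith(b"HTTP/1.")), None)
    if resp is None:
        return None
    return extract_patch_file(reassemble(selected, resp.src, resp.sport))

# Constructed capture, not real traffic: one HTTP patch download split into three
# out-of-order segments plus a retransmission, and one unrelated HTTP flow.
PATCH_BYTES = b"MSCF" + bytes(range(64))

def sample_capture():
    request = (b"GET /d/windows10.0-kb0000000-x64.cab HTTP/1.1\r\n"
               b"Host: download.windowsupdate.com\r\n\r\n")
    response = (b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(PATCH_BYTES)) + PATCH_BYTES
    cli, srv, seq, resp = ("10.0.0.5", 51000), ("198.51.100.20", 80), 1000, []
    n = len(response) // 3
    for part in (response[:n], response[n:2 * n], response[2 * n:]):
        resp.append(Segment(srv[0], cli[0], srv[1], cli[1], seq, part))
        seq += len(part)
    return [
        Segment("10.0.0.6", "203.0.113.9", 52000, 80, 1,
                b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
        Segment(cli[0], srv[0], cli[1], srv[1], 1, request),
        resp[2], resp[0], resp[1], resp[0],  # out of order, one retransmitted
    ]
```

Two points matter for a deployment. The Host header and the URL file name are supplied by the terminal, so a host on the monitored segment can make the monitor capture an arbitrary file from an arbitrary server simply by sending a matching request; the capture criteria therefore only select candidates, and the security inspection performed before anything enters the patch library is what keeps the library trustworthy. The reassembler also refuses to emit data across a sequence gap rather than silently producing a truncated file, which would otherwise be stored under a hash that matches nothing Microsoft ever published.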
In one embodiment of the present invention, the updating module 402 is further configured to determine whether the patch file is already stored in the patch library, and, if not, to update the patch update content to the preset patch library.
In one embodiment of the invention, the plurality of terminal devices cover a plurality of different Windows system versions, and the patch library comprises patch files and patch information corresponding to the different Windows system versions.
In one embodiment of the present invention, referring to fig. 5, the patch updating device based on bypass monitoring further includes a list establishing module 404, configured to establish a patch white list and to update the patch white list after each update of the patch library;
The communication module 403 is further configured to send the patch white list to the intranet server in response to receiving a query request from the intranet server, so that the intranet server determines whether a patch file to be updated exists according to the patch white list and a patch installation condition of a terminal deployed in the intranet, so as to request downloading of the patch file to be updated, where the patch installation condition includes a Windows system version corresponding to the terminal deployed in the intranet and patch information of a currently installed patch file.
It will be appreciated that the architecture illustrated in the embodiments of the present invention does not constitute a specific limitation on a patch updating apparatus based on bypass monitoring. In other embodiments of the invention, a patch updating device based on bypass listening may include more or fewer components than shown, or may combine certain components, or may split certain components, or may have a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The content of information interaction and execution process between the modules in the device is based on the same conception as the embodiment of the method of the present invention, and specific content can be referred to the description in the embodiment of the method of the present invention, which is not repeated here.
Referring to fig. 6, the embodiment of the present invention further provides a patch update system based on bypass monitoring, which includes a patch management server 601 and at least one bypass monitoring server 602, wherein,
The at least one bypass monitoring server 602 is configured to monitor network traffic data packets received by a plurality of terminal devices from an external network through network links in a bypass monitoring manner, and determine whether the monitored network traffic data packets have a target data packet corresponding to a patch update of a Windows system in the terminal devices;
The patch management server 601 is configured to perform security check on the patch file, update patch update contents to a preset patch library after the check is passed, and respond to a received patch file downloading request sent by an intranet server, and send a target patch file requested to be downloaded to the intranet server according to the patch library and the downloading request, so that the intranet server provides a patch file updated by a Windows system for a terminal deployed in the intranet by using the target patch file.
In one embodiment of the invention, the bypass monitoring server is connected in parallel to the network link of each corresponding terminal device by accessing the mirror image port of the external switch, wherein each terminal device establishes the network link through the corresponding switch;
the bypass monitoring server is specifically configured to receive the network traffic data packet forwarded by the switch through the mirror port when monitoring the network traffic data packet received by the plurality of terminal devices from the external network through the network link in a bypass monitoring manner.
In one embodiment of the present invention, when determining whether the monitored network traffic packets contain a target packet for the patch update of the Windows system in the corresponding terminal device, the bypass monitoring server is specifically configured to identify the first target packet according to at least one of an IP address of a Microsoft server in the network traffic packet, an HTTP domain name of the Microsoft server in the network traffic packet, and the content of the network traffic packet; and/or, after the first target packet has been identified, to identify the subsequent target packets according to the data flow length specified by the protocol to which the network traffic packet belongs.
In one embodiment of the invention, when analyzing the patch file, the bypass monitoring server is specifically configured to sort the plurality of continuously monitored target data packets by TCP sequence number to reconstruct the TCP connection, and to restore the file carried in the TCP data stream of that connection so as to obtain the patch file for the patch update of the Windows system in the terminal device.
In an embodiment of the present invention, the bypass monitoring server is further configured to determine whether the patch file needs to be reported to the patch management server, and, if so, to report the patch update content to the patch management server.
In one embodiment of the invention, when determining whether the patch file needs to be reported to the patch management server, the bypass monitoring server is specifically configured to calculate the hash value of the patch file and to transmit the hash value and/or the patch information to the patch management server;
The patch management server is further configured to receive the hash value and/or the patch information sent by the bypass monitoring server, to determine, based on the hash value and/or the patch information, whether the patch file is already stored in the patch library, and, if it is not stored, to send a reporting instruction to the bypass monitoring server, in response to which the bypass monitoring server reports the patch update content.
In one embodiment of the invention, the plurality of terminal devices cover a plurality of different Windows system versions, and the patch library comprises patch files and patch information corresponding to the different Windows system versions.
In one embodiment of the invention, the patch management server is further configured to establish a patch white list and to update the patch white list after each update of the patch library, where the patch white list comprises the correspondence between each Windows system version and its patch information; and to send the patch white list to the intranet server in response to receiving a query request from the intranet server, so that the intranet server determines, according to the patch white list and the patch installation condition of the terminals deployed in the intranet, whether a patch file needing to be updated exists and requests the download of that patch file, where the patch installation condition comprises the Windows system version of each terminal deployed in the intranet and the patch information of its currently installed patch files.
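The hash-first reporting exchange between the bypass monitoring server and the patch management server, the deduplicating patch library, and the white-list query by which the intranet server decides what to download can be illustrated together, since they share the same library. The following is an added example and not the patent's code. It assumes SHA-256 as the hash, uses the cabinet file magic "MSCF" as a minimal security inspection standing in for the signature verification a real deployment must perform, and constructs all patch data, KB numbers and terminal states.

```python
import hashlib
from dataclasses import dataclass

CAB_MAGIC = b"MSCF"  # .cab and .msu patch files are Microsoft cabinet files

@dataclass(frozen=True)
class PatchInfo:
    kb: str           # knowledge base number, e.g. "KB0000001" (constructed)
    os_version: str   # Windows version the file applies to, e.g. "10.0.19045"
    filename: str

class PatchLibrary:
    """Keyed by SHA-256 so the same file offered twice is stored once."""
    def __init__(self):
        self._files = {}  # sha256 -> (PatchInfo, bytes)

    def has(self, sha256):
        return sha256 in self._files

    def add(self, sha256, info, data):
        if sha256 in self._files:
            return False
        self._files[sha256] = (info, data)
        return True

    def get(self, os_version, kb):
        for info, data in self._files.values():
            if (info.os_version, info.kb) == (os_version, kb):
                return data
        return None

    def whitelist(self):
        """Windows version -> {KB: filename}; the list sent to intranet servers."""
        wl = {}
        for info, _ in self._files.values():
            wl.setdefault(info.os_version, {})[info.kb] = info.filename
        return wl

class PatchManagementServer:
    def __init__(self):
        self.library = PatchLibrary()
        self._whitelist = {}

    def handle_offer(self, sha256, info):
        """Step 1: only the hash and patch info cross the wire. 'report' asks the
        bypass server for the file; 'skip' ends the exchange."""
        return "skip" if self.library.has(sha256) else "report"

    def handle_report(self, sha256, info, data):
        """Step 2: security inspection, then store and refresh the white list."""
        if hashlib.sha256(data).hexdigest() != sha256:
            return "rejected: hash mismatch"  # bytes differ from what was offered
        if not data.startswith(CAB_MAGIC):
            return "rejected: not a cabinet file"
        if not self.library.add(sha256, info, data):
            return "skip"  # another bypass server reported the same file first
        self._whitelist = self.library.whitelist()
        return "stored"

    def handle_query(self):
        return self._whitelist

    def handle_download(self, os_version, kb):
        return self.library.get(os_version, kb)

class BypassMonitoringServer:
    def __init__(self, manager):
        self.manager = manager

    def submit(self, data, info):
        """Hash-first reporting: send the digest, send the file only on request."""
        sha256 = hashlib.sha256(data).hexdigest()
        if self.manager.handle_offer(sha256, info) != "report":
            return "skip"
        return self.manager.handle_report(sha256, info, data)

def patches_to_request(whitelist, installed):
    """Intranet-server side. installed = {terminal: (os_version, {KB, ...})}.
    Returns the (os_version, KB) pairs missing on at least one terminal."""
    needed = set()
    for os_version, kbs in installed.values():
        needed.update((os_version, kb) for kb in whitelist.get(os_version, {}) if kb not in kbs)
    return needed

def demo():
    """Constructed run: two bypass servers, one duplicate offer, one bad file."""
    mgr = PatchManagementServer()
    a, b = BypassMonitoringServer(mgr), BypassMonitoringServer(mgr)
    kb1 = PatchInfo("KB0000001", "10.0.19045", "windows10.0-kb0000001-x64.msu")
    kb2 = PatchInfo("KB0000002", "10.0.22631", "windows11.0-kb0000002-x64.msu")
    file1, file2 = CAB_MAGIC + b"\x01" * 32, CAB_MAGIC + b"\x02" * 32
    results = [a.submit(file1, kb1), b.submit(file1, kb1),
               a.submit(b"MZ" + b"\x00" * 32, kb2), b.submit(file2, kb2)]
    installed = {"pc-01": ("10.0.19045", {"KB0000001"}),
                 "pc-02": ("10.0.19045", set()),
                 "pc-03": ("10.0.22631", set())}
    return mgr, results, patches_to_request(mgr.handle_query(), installed)
```

The hash comparison in handle_report only proves that the reported bytes are the bytes that were offered; it says nothing about where they came from, and the capture criteria upstream can be influenced from a terminal. In a real deployment the inspection step must therefore verify the Authenticode signature on the .msu or .cab file and its chain to Microsoft before the file is admitted, and the white list should carry only files that passed that check, since every intranet terminal will trust whatever the intranet server hands out.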
The embodiment of the invention also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the patch updating method based on bypass monitoring in any embodiment of the invention when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program, and when the computer program is executed by a processor, the computer program causes the processor to execute the patch updating method based on bypass monitoring in any embodiment of the invention.
Specifically, a system or apparatus provided with a storage medium on which a software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (e.g., CD-ROMs, CD-R, CD-RWs, DVD-ROMs, DVD-RAMs, DVD-RWs, DVD+RWs), magnetic tapes, nonvolatile memory cards, and ROMs. Alternatively, the program code may be downloaded from a server computer by a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided in an expansion board inserted into a computer or into a memory provided in an expansion module connected to the computer, and a CPU or the like mounted on the expansion board or the expansion module may then be caused to perform part or all of the actual operations based on the instructions of the program code, thereby realizing the functions of any of the above embodiments.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises the element.
It will be appreciated by those of ordinary skill in the art that implementing all or part of the steps of the above method embodiments may be accomplished by hardware associated with program instructions, and that the above program may be stored in a computer readable storage medium which, when executed, performs the steps comprising the above method embodiments, where the above storage medium includes various media that may store program code, such as ROM, RAM, magnetic or optical disks.
It should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention, and not for limiting the same, and although the present invention has been described in detail with reference to the above-mentioned embodiments, it should be understood by those skilled in the art that the technical solution described in the above-mentioned embodiments may be modified or some technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the spirit and scope of the technical solution of the embodiments of the present invention.