CN100359495C - Information system auditing method based on data storehouse - Google Patents


Info

Publication number: CN100359495C
Authority: CN (China)
Prior art keywords: data, dimension, analysis, audit, information
Legal status: Expired - Fee Related
Application number: CNB031507778A
Other languages: Chinese (zh)
Other versions: CN1492336A
Inventors: 徐骥, 庄昱垚, 高鹏
Current assignee: GEER SOFTWARE CO Ltd SHANGHAI
Original assignee: GEER SOFTWARE CO Ltd SHANGHAI


Abstract

The present invention relates to an information security auditing method based on a data warehouse, belonging to the technical fields of computers and information security. The method comprises the following steps: log information is collected in real time using the standard Syslog protocol and a pattern-matching method based on regular expressions; the data warehouse separates the comprehensive analysis processing environment from the operational processing environment; following the modeling method of an information security multidimensional model, each audit analysis subject is associated through common analysis dimensions, forming a multidimensional constellation covering the whole information security field; multidimensional analysis is performed on the multidimensional model in the data warehouse by on-line analytical processing (OLAP), while data mining and association analysis methods are applied on the basis of the data warehouse to discover potential security vulnerabilities and hidden problems in the network; finally an audit analysis report is generated from the analysis results. The present invention overcomes the shortcomings and defects of the prior art and greatly improves the extensibility and openness of the auditing system as well as the efficiency of audit analysis.

Description

Information security auditing method based on data warehouse
Technical field
The present invention relates to a computer information security auditing method, in particular an information security auditing method based on a data warehouse. It belongs to the fields of computer and information security technology.
Background technology
Security audit is an important measure of whether a system is intrinsically secure, and is a functional characteristic that any secure network must support. The security audit function mainly monitors user activity inside and outside the network, detects existing and potential threats in the system, and identifies, records, stores and analyzes information related to security-relevant activities. Security audit as currently discussed mainly covers: 1. system audit; 2. network audit; 3. security application audit. System audit records users' access to important audited resources in the operating system and on the host. Network audit records each user's detailed use of the network; if someone has attacked the network, stolen information or carried out other destructive activities, the audit files can be queried and used for early warning to understand how that person used the network, and on that basis legal sanctions can be applied or further attacks resisted. Security application audit receives the log information produced by the various security applications (including firewalls, intrusion detection, anti-virus, etc.). Using these logs the administrator can not only track users' real-time activity across the whole network, but can also perform comprehensive analysis afterwards on this basis.
A literature search found product reports on the Internet, such as the Jump security auditing system of Xi'an Jiepu Network Technology Co. (see http://www.jump.net.cn/product/supervise.asp), a content-based Internet access auditing system developed independently by Shanghai Jiao Tong University and Xi'an Jiepu. This system audits all network traffic, monitors according to the content of "keywords", "keyword combinations", the ports corresponding to services, and e-mail, records suspicious packets, and stores the audit results in a database. It has the following defects and deficiencies: (1) It concentrates on the network communication and transmission level and pays little attention to the application level, so it cannot obtain the internal links between applications. (2) It audits the information access of multiple subnets in the network by placing sensors at the corresponding network nodes. A sensor here is equivalent to a log agent; when a sensor fails, and especially when sensors must be managed across the Internet, the maintenance cost and the complexity of network management increase greatly. (3) It stores log information in an Access database. Because the capacity of an Access database is limited (approximately 1 GB), the data produced by the network may fill the database within several days or even several hours. (4) While the system is running, it must continuously add information to the database on the one hand, while the central console software frequently performs large amounts of complex statistical analysis on the other; these two kinds of operations contend for system resources and seriously degrade system performance.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing an information security auditing method based on a data warehouse, which solves the deficiencies and defects of the background technology and greatly improves the extensibility and openness of the auditing system and the efficiency of audit analysis.
The present invention is achieved by the following technical solution. The method uses the standard Syslog protocol and a regular-expression pattern-matching method to collect log information in real time. A data warehouse separates the comprehensive analysis processing environment from the operational processing environment, so that the database concentrates on collecting the various audit logs while the data warehouse integrates and extracts the logs from the various sources and organizes the data by audit analysis subject area. At the same time, following the modeling method of an information security multidimensional model, each audit analysis subject is associated through common analysis dimensions, forming a multidimensional constellation oriented to the whole information security field. Multidimensional analysis is performed on the multidimensional model in the data warehouse using on-line analytical processing, while data mining and association analysis methods are applied on the basis of the data warehouse to find the many internal links between the audit logs of the different audit sources and thereby discover potential security vulnerabilities and problems in the network. Finally a usable audit analysis report is generated from the analysis results.
The present invention adopts a "data-driven" approach: instead of starting from application requirements, it audits using the audit logs of existing security applications, operating system logs, and so on. Starting from the existing security applications and related data, it examines the relationships between audit data and other data according to the audit analysis field, organizes the audit analysis subjects in the data warehouse, and creates the multidimensional model in the data warehouse based on the analysis results.
By using the standard Syslog protocol and regular-expression pattern matching for real-time log collection, together with the multidimensional model in the data warehouse, the present invention greatly improves the extensibility and openness of the auditing system; using on-line analytical processing for multidimensional analysis greatly improves the efficiency of audit analysis. In addition, the data in the data warehouse is redundant and cannot be modified, so it provides effective and credible traceable evidence for investigation and evidence collection.
The method of the invention is further described below; the steps are as follows:
(1) Analyze the audit sources in the network and determine the data to be audited and the audit analysis subjects. The current information security audit analysis subjects mainly comprise: firewall event analysis subject, intrusion detection event analysis subject, anti-virus event analysis subject, and SSLServer event analysis subject.
(2) Create multidimensional models according to the audit analysis subjects and the angles of analysis, organizing the data in a multidimensional manner. Because relational databases are mature and widely used, star-schema modeling is used to represent and store the multidimensional models. In a star schema the multidimensional structure of a model is divided into two classes of tables: the fact table, which stores the metrics needed for audit analysis and the code values of each analysis dimension, and the dimension tables, which are distributed around the fact table and each represent a specific angle of audit analysis. The fact table is connected to the dimension tables by the value of each dimension. According to the information audit analysis subjects, the multidimensional models are as follows:
● Firewall multidimensional model: the metrics in the fact table comprise: connection duration, transmitted traffic, received traffic. The analysis dimensions comprise: time dimension, firewall action dimension (deny, pass, etc.), access protocol dimension (http, ftp, telnet, smtp, pop3, etc.), source address dimension, destination address dimension.
● Intrusion detection multidimensional model: the metrics in the fact table comprise: alert event detail data and the handling recommendation for the alert event. The audit analysis dimensions comprise: time dimension, alert event level dimension (high, medium, low), alert detector dimension, source address dimension, destination address dimension, service port dimension.
● Anti-virus multidimensional model: the metrics in the fact table comprise: virus outbreak location (path). The audit analysis dimensions comprise: virus infection time dimension, infected machine dimension, system user dimension, virus name dimension, virus type dimension (file virus, mail virus, macro virus, etc.), scan type dimension (automatic scan, manual scan), virus handling result dimension (cleaned, quarantined, deleted, etc.).
● SSLServer multidimensional model: the metrics in the fact table comprise: number of resource accesses. The audit analysis dimensions comprise: resource access time dimension, source address dimension, resource name dimension, user dimension, resource dimension.
(3) Associate the multidimensional models. The models above are still mutually independent audit entities, and the audit analysis subjects cannot yet be related to each other. To carry out associated audit analysis, there must be common audit dimensions among the several multidimensional models. In the models above, every model has a time dimension, and every model has an address dimension or a dimension related to user information: the firewall, intrusion detection and SSLServer models all have address dimensions, and the anti-virus model has an infected machine dimension. These dimensions are abstracted and, according to the actual user information in the network, a user dimension is created in which each user has basic information including IP address, machine name, etc. The user dimension and the time dimension connect all the multidimensional models, forming the information security constellation.
(4) After the data warehouse has been created, start the log server, which listens on UDP port 514 and receives the logs sent by the network security applications.
(5) After the network security applications have been configured for the Syslog service, they send log information to the log server in real time via the standard Syslog protocol whenever a log entry is produced. Syslog is a built-in service on most Linux/Unix platforms; similar products have recently appeared on other platforms (such as Windows), and most security application devices send logs via Syslog, so the Syslog protocol can be used to send all system logs and security device logs to a protected, centrally controlled server. This provides a reasonably scalable scheme and, because logs are transmitted over the network in real time, avoids the danger of locally stored logs being tampered with or deleted.
(6) After the log server receives the log information, it parses it by matching the log format pattern with the regular expressions preconfigured by the administrator, extracts the information needed for the audit, and performs unified integration and conversion to reconcile inconsistent data in the audit log data. With this technique the system can parse device logs of any format, which guarantees the openness and extensibility of the system and is currently the more feasible way of unifying information collection from the wide variety of security devices.
(7) Perform OLAP analysis and data mining analysis. After the data has been integrated into the data warehouse, OLAP analysis and data mining analysis are carried out on its basis. OLAP analysis comprises slicing, dicing, pivoting and drilling. Data mining uses decision tree methods, association analysis methods and sequential pattern analysis methods to mine the internal links among the data in the audit logs and discover potential security vulnerabilities and problems in the network.
(8) Generate a usable audit analysis report from the analysis results. The whole audit analysis process is a dynamic, iterative feedback loop: on the one hand the model is continually improved and adjusted according to the information returned by the user to raise the efficiency and performance of audit analysis; on the other hand the audit analysis requirements are continually better understood, providing more useful audit decision information to the user.
The present invention mainly employs the following: a pattern-matching method based on regular expressions, the modeling method of an information security multidimensional model, an on-line analytical processing method, and data mining and association analysis methods.
● Pattern-matching method based on regular expressions
Variety in log types leads to variety in log formats. Because security audit logs are mostly stored as text, audit logs of this kind can be handled with a text-processing approach based on regular expressions: text fields are extracted and subsequently processed by means of patterns, achieving flexibility and openness in log parsing.
● Modeling method of the information security multidimensional model
The information security multidimensional model is created with a "data-driven" design method. First, "data-driven" means using existing log data to construct the system, clearly identifying what kinds of data the network, the various operating systems and the security applications will produce, and what influence they have on the current system design. Second, "data-driven" no longer starts from the application or from application requirements, but from the analysis field, examining the data of the various security applications and the relationships between them, and organizing the subjects in the data. Third, "data-driven" uses the data model to effectively identify the common features of logs and analyze subject data. In this method data is the core of the whole architecture, so it is crucial, on the basis of thorough study of the professional knowledge of the information security field, to summarize and abstract the analysis subject areas of the information security field, determine the granularity levels and the data partitioning strategy, and create a highly compatible and extensible security audit multidimensional data model.
● On-line analytical processing method
The on-line analytical processing method comprises the storage technology for multidimensional data and the slicing, dicing, drilling and pivoting techniques for multidimensional data. Through OLAP technology, logs from different sources can be correlated, revealing information about a group of devices that is intrinsic and of real value. For example, by searching for the records one machine leaves on the various security devices, its activity can be described more clearly.
● Data mining method and association analysis method
Data mining extracts from the data warehouse knowledge and rules that are implicit, previously unknown, and of potential value for security decisions. Data mining mainly has prediction/verification functions and description functions. Prediction/verification refers to predicting or verifying other unknown information from known information; prediction methods include statistical analysis methods, association rules, decision tree prediction methods, regression tree prediction methods, etc. Description refers to finding understandable patterns that describe the data; description methods include data classification, regression analysis, clustering, summarization, dependency pattern construction, change and deviation analysis, pattern discovery, path discovery, etc. With these data mining methods, clues and traces of network crime can be found in large amounts of log information, and potential vulnerabilities in the network and problems in device management configuration can be discovered. In addition, data mining can analyze data from different sources to derive the correlations between them; by comparison with the standard security policy, the security risk situation of the whole network is grasped. These analyses ultimately feed back into the formulation of the security protection policy, ensuring the consistency and standardization of the security policy; the security policies are ultimately applied in concrete security protection, and enrich the network-wide security policy repository.
The present invention has substantive distinguishing features and represents marked progress, with the following remarkable effects:
(1) High extensibility and compatibility: by means of the standard Syslog protocol and the regular expression method, various types of logs can be supported quickly. It is seamlessly compatible with current mainstream network security applications and does not require an agent mode, greatly reducing the complexity of network management and the cost of system maintenance.
(2) A multidimensional audit analysis view is provided to the user. From the network administrator's point of view the whole network is multidimensional, so the conceptual model of audit analysis should also be multidimensional, and audit analysis should be carried out from different angles.
(3) Efficient analysis and performance. The data in the data warehouse has been integrated, aggregated and preprocessed; the warehouse isolates the operational processing environment from the audit analysis environment, resolving the conflict between the different environments and greatly improving the efficiency and performance of statistical analysis.
(4) By associating the multidimensional models of information security around the user, association analysis of different types of audit logs becomes possible, bringing out the internal links between the audit logs in the network.
(5) Because the data warehouse is read-only and the data sources cannot be changed, the credibility of the audit logs is guaranteed, providing effective and credible traceable evidence for investigation and evidence collection.
Embodiment
An easily extensible security auditing system based on a data warehouse has been developed using the method of the invention. The system uses a data warehouse server to separate the operational processing environment of information security audit from the comprehensive analysis processing environment. In the operational processing environment, the system requires the various network security applications to send logs in real time via Syslog to a remote log server. The log server listens on the Syslog UDP port 514 and receives the logs. Received logs are pattern-matched with the regular expressions preconfigured by the administrator; the qualifying log information is integrated, purified and imported into the data warehouse. In the data warehouse, faced with a large volume of heterogeneous, discrete, low-level raw information, the multidimensional model of information security is created, and higher-level in-depth analyses such as OLAP and data mining are performed on its basis, so that the internal links hidden in the original logs are found among the mass of information, problems and potential security hazards in the network are discovered, and the network administrator is assisted in making decisions and adjusting security policy. At the monitoring console, on the one hand the log server is remotely configured and managed through the standard SOAP protocol, which greatly facilitates the administrator's work; on the other hand the console reads audit information from the data warehouse for centralized management and audit analysis.
An application example of the easily extensible security auditing system based on a data warehouse is described below:
In a high-tech enterprise, employees often need to look up information on the Internet, which also increases the chance of virus infection. The enterprise kills viruses with anti-virus software (Norton anti-virus) on the one hand, and manages employees' Internet access with a firewall (the OLM firewall) on the other. With the easily extensible security auditing system based on a data warehouse, the administrator can perform associated audit analysis of the virus infection records together with the records of employees' Internet access, and find potential vulnerabilities in the network.
(1) Create the information security data warehouse, comprising the firewall multidimensional model and the anti-virus multidimensional model. The data in the firewall model comprises: connection duration, transmitted traffic, received traffic; its analysis dimensions comprise: time dimension, firewall action dimension (deny, pass, etc.), access protocol dimension (http, ftp, telnet, smtp, pop3, etc.), source address dimension, destination address dimension. The anti-virus model comprises the virus outbreak location (path); its audit analysis dimensions comprise: virus infection time dimension, infected machine dimension, system user dimension, virus name dimension, virus type dimension (file virus, mail virus, macro virus, etc.), scan type dimension (automatic scan, manual scan), virus handling result dimension (cleaned, quarantined, deleted, etc.).
(2) Start the log server of the auditing system, which listens on UDP port 514.
(3) Configure the OLM (Orient LengendMaker) firewall, adding the address of the log server to its log receiver addresses.
(4) Configure the Norton firewall to send its logs to the log server via Syslog.
(5) When a user accesses the Internet or is infected by a virus, the relevant application produces a log entry and sends it to the log server in real time.
(6) After the log server receives a log from UDP port 514, it performs pattern matching with the configured regular expressions. The log pattern for the OLM firewall is as follows:
([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*?kernel:id=\"firewall\"[\s]+time=\"(.*?)\"[\s]+.*?proto=\"(.*?)\"[\s]+src=\"(.*?)\"[\s]+srcport=\"(.*?)\"[\s]+dst=\"(.*?)\"[\s]+dstport=\"(.*?)\"[\s]+action=\"(.*?)\"
The parenthesized groups are the information needed by the audit; the log server extracts the information according to the regular expression pattern, integrates it and imports it into the data warehouse. In the same way the log server extracts the information from the anti-virus logs, filters out the "manual scan" virus logs, and imports the "real-time scan" logs into the data warehouse.
(7) The anti-virus logs contain the machine name and user name of the infected machine, and the firewall logs contain the source address when an employee accesses the Internet, i.e. the address of the accessing machine. Using the one-to-one correspondence between machine and IP address in the user dimension, an OLAP query can find which web sites the infected machine visited within a given period of time; from the destination addresses in the firewall log we thus learn which web site the employee visited and caught the virus from.
(8) Based on this audit information the administrator can add a rule to the firewall that blocks packets from the destination address obtained by the above query, ensuring that other machines are not infected by the virus from this web site.
After applying the information security auditing method based on a data warehouse, the following significant effects are obtained:
(1) Simple configuration and low maintenance cost. The administrator only needs to specify the log receiver address in the configuration of devices such as the OLM firewall, without having to learn to use other software.
(2) High extensibility and compatibility. When the administrator changes the firewall type or adds firewalls of other types, no recompilation is needed to parse their logs; it suffices to edit the corresponding configuration file and change the log pattern string.
(3) Efficient analysis and performance. Because the data in the data warehouse has been integrated and aggregated, analysis only needs to read the corresponding statistical information and does not need to perform large amounts of complex statistical computation. In addition, because the data warehouse separates the operational processing environment from the analysis processing environment, the speed and performance of data extraction are also greatly improved.
(4) A multidimensional view is provided, making association analysis of the data possible. The multidimensional models in the data warehouse give the administrator a multidimensional view and let the administrator associate each independent model through the user dimension, so that the internal links between the information of different applications can be found.
(5) The credibility of the log information is guaranteed and traceable evidence is provided. Because the data in the data warehouse is redundant and read-only, illegal users are prevented from tampering with or deleting it.
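An added example, not code from the patent or its assignee, implementing the log collection of steps (4) to (6) above and the regular-expression method of the description: a UDP/514 receiver, the OLM firewall pattern given on the page, and a hypothetical anti-virus pattern (the page does not give the real anti-virus log layout), with the manual-scan filter of step (6). All sample log lines, host names and addresses are constructed.

```python
import re
import socket
from typing import Dict, Iterable, List, Optional

# OLM firewall log pattern as given in the embodiment; each capture group is a
# field the audit needs (reporting host, time, protocol, src/dst, ports, action).
FIREWALL_PATTERN = re.compile(
    r'([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*?kernel:id="firewall"'
    r'[\s]+time="(.*?)"[\s]+.*?proto="(.*?)"[\s]+src="(.*?)"[\s]+srcport="(.*?)"'
    r'[\s]+dst="(.*?)"[\s]+dstport="(.*?)"[\s]+action="(.*?)"'
)
FIREWALL_FIELDS = ("reporter", "time", "proto", "src", "srcport",
                   "dst", "dstport", "action")

# Hypothetical anti-virus log pattern, constructed for this example: the page
# only lists the fields of the anti-virus multidimensional model, not a layout.
ANTIVIRUS_PATTERN = re.compile(
    r'time="(.*?)"[\s]+host="(.*?)"[\s]+user="(.*?)"[\s]+virus="(.*?)"'
    r'[\s]+vtype="(.*?)"[\s]+scan="(.*?)"[\s]+path="(.*?)"[\s]+result="(.*?)"'
)
ANTIVIRUS_FIELDS = ("time", "host", "user", "virus", "vtype",
                    "scan", "path", "result")

# Administrator-configured pattern table: supporting a new device type means
# adding an entry here (the "configuration file and pattern string" of effect (2)).
PATTERNS = {
    "firewall": (FIREWALL_PATTERN, FIREWALL_FIELDS),
    "antivirus": (ANTIVIRUS_PATTERN, ANTIVIRUS_FIELDS),
}


def parse_log(line: str) -> Optional[Dict[str, str]]:
    """Match one raw syslog line against every configured pattern and return a
    normalised record tagged with its source, or None if no pattern matches."""
    for source, (pattern, fields) in PATTERNS.items():
        match = pattern.search(line)
        if match:
            record = dict(zip(fields, match.groups()))
            record["source"] = source
            return record
    return None


def should_import(record: Dict[str, str]) -> bool:
    """Filter of step (6): manual-scan anti-virus entries are dropped; real-time
    scan hits and all firewall records go on to the warehouse."""
    return not (record["source"] == "antivirus" and record["scan"] == "manual")


def integrate(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse a batch of raw lines and keep only the records to be imported."""
    records = (parse_log(line) for line in lines)
    return [r for r in records if r is not None and should_import(r)]


def serve_syslog(bind_addr: str = "0.0.0.0", port: int = 514,
                 max_datagrams: Optional[int] = None):
    """Step (4): receive syslog datagrams on UDP port 514 (binding a port below
    1024 needs privileges) and yield the records that pass integration."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    while max_datagrams is None or seen < max_datagrams:
        data, _peer = sock.recvfrom(65535)
        seen += 1
        yield from integrate(data.decode("utf-8", errors="replace").splitlines())


# Constructed sample syslog lines (documentation address ranges, invented names).
SAMPLE_LINES = [
    '<4>Jan 10 10:01:02 192.168.1.1 kernel:id="firewall" time="2003-01-10 10:01:02" '
    'fw="olm" proto="http" src="192.168.1.20" srcport="3345" dst="203.0.113.9" '
    'dstport="80" action="accept"',
    '<14>Jan 10 10:20:00 PC-ZHANG navlog: time="2003-01-10 10:20:00" host="PC-ZHANG" '
    'user="zhang" virus="W32.Sample" vtype="file virus" scan="real-time" '
    'path="C:\\Temp\\x.exe" result="quarantined"',
    '<14>Jan 10 11:00:00 PC-LI navlog: time="2003-01-10 11:00:00" host="PC-LI" '
    'user="li" virus="EICAR-Test" vtype="file virus" scan="manual" '
    'path="D:\\eicar.com" result="deleted"',
    'Jan 10 11:05:00 switch1 link up on port 3',   # no configured pattern matches
]

if __name__ == "__main__":
    for rec in integrate(SAMPLE_LINES):
        print(rec)
```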
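An added example, not the patent's or the assignee's code, for steps (1) and (7) of this application example and step (3) of the method: the firewall and anti-virus star schemas joined through a shared user dimension and time dimension in SQLite, the OLAP query that lists the destinations an infected machine reached in the period before the infection, and the read-only setting of effect (5). Table and column names and all sample rows are constructed.

```python
import sqlite3
from typing import List, Tuple

# Star schema: one fact table per audit subject, associated through the shared
# user and time dimensions (step (3) of the method). Names are constructed.
SCHEMA = """
CREATE TABLE dim_user (user_id INTEGER PRIMARY KEY, machine_name TEXT, ip TEXT, user_name TEXT);
CREATE TABLE dim_time (time_id INTEGER PRIMARY KEY, ts TEXT);
CREATE TABLE fact_firewall (
    time_id INTEGER REFERENCES dim_time, user_id INTEGER REFERENCES dim_user,
    action TEXT, proto TEXT, dst TEXT, dst_port INTEGER,
    duration_s INTEGER, bytes_sent INTEGER, bytes_recv INTEGER);
CREATE TABLE fact_antivirus (
    time_id INTEGER REFERENCES dim_time, user_id INTEGER REFERENCES dim_user,
    virus_name TEXT, virus_type TEXT, scan_type TEXT, result TEXT, path TEXT);
"""

# Constructed sample data: user 1 visits two sites and is then flagged by the
# real-time scanner; user 2 is unrelated noise.
USERS = [(1, "PC-ZHANG", "192.168.1.20", "zhang"), (2, "PC-LI", "192.168.1.21", "li")]
TIMES = [(1, "2003-01-10 09:30:00"), (2, "2003-01-10 09:55:00"),
         (3, "2003-01-10 10:01:02"), (4, "2003-01-10 10:20:00"),
         (5, "2003-01-10 14:00:00")]
FIREWALL = [
    (1, 1, "accept", "http", "203.0.113.5", 80, 12, 820, 51200),
    (2, 2, "accept", "http", "198.51.100.7", 80, 5, 400, 9000),
    (3, 1, "accept", "http", "203.0.113.9", 80, 30, 1200, 204800),
    (5, 1, "accept", "smtp", "192.0.2.25", 25, 2, 3000, 300),
]
ANTIVIRUS = [
    (4, 1, "W32.Sample", "file virus", "real-time", "quarantined", "C:\\Temp\\x.exe"),
]


def build_warehouse() -> sqlite3.Connection:
    """Create the star schema, load the sample facts, then open it read-only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dim_user VALUES (?,?,?,?)", USERS)
    conn.executemany("INSERT INTO dim_time VALUES (?,?)", TIMES)
    conn.executemany("INSERT INTO fact_firewall VALUES (?,?,?,?,?,?,?,?,?)", FIREWALL)
    conn.executemany("INSERT INTO fact_antivirus VALUES (?,?,?,?,?,?,?)", ANTIVIRUS)
    conn.commit()
    # Effect (5): once loaded, the warehouse is query-only on this connection,
    # so audit evidence cannot be altered or deleted through it.
    conn.execute("PRAGMA query_only = 1")
    return conn


# Cross-model query of step (7): for each real-time infection, list the
# destinations the same machine reached through the firewall in the window
# before the detection, joining both fact tables via dim_user and dim_time.
CORRELATION_SQL = """
SELECT u.machine_name, av.virus_name, fw.dst, fw.dst_port, tf.ts
FROM fact_antivirus av
JOIN dim_user u        ON u.user_id  = av.user_id
JOIN dim_time ta       ON ta.time_id = av.time_id
JOIN fact_firewall fw  ON fw.user_id = av.user_id
JOIN dim_time tf       ON tf.time_id = fw.time_id
WHERE av.scan_type = 'real-time'
  AND datetime(tf.ts) BETWEEN datetime(ta.ts, ?) AND datetime(ta.ts)
ORDER BY tf.ts
"""


def sites_visited_before_infection(conn: sqlite3.Connection,
                                   window: str = "-1 hour") -> List[Tuple]:
    """`window` is an SQLite datetime modifier such as '-1 hour' or '-20 minutes'."""
    return conn.execute(CORRELATION_SQL, (window,)).fetchall()


def hourly_traffic(conn: sqlite3.Connection, machine_name: str) -> List[Tuple]:
    """OLAP slice on the user dimension rolled up to hours on the time dimension."""
    sql = """SELECT substr(t.ts, 1, 13) AS hour, SUM(fw.bytes_recv)
             FROM fact_firewall fw
             JOIN dim_user u ON u.user_id = fw.user_id
             JOIN dim_time t ON t.time_id = fw.time_id
             WHERE u.machine_name = ? GROUP BY hour ORDER BY hour"""
    return conn.execute(sql, (machine_name,)).fetchall()


def is_read_only(conn: sqlite3.Connection) -> bool:
    """True if a write attempt against the loaded warehouse is rejected."""
    try:
        conn.execute("DELETE FROM fact_antivirus")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    wh = build_warehouse()
    for row in sites_visited_before_infection(wh):
        print(row)
```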

Claims (4)

1, a kind of information security auditing method based on data warehouse, it is characterized in that, employing Syslog standard agreement reaches the method for mode matching real-time collecting log information based on regular expression, by means of data warehouse comprehensive analysis processing environment and operational processes environment separation are come, make database be absorbed in the collection of various audit logs, data warehouse then carries out integrated to various Source logs, extract, and by the subject area integrative organization data of audit analysis, adopt the modeling method of information security multidimensional model simultaneously, each audit analysis theme is carried out association by common analysis dimension, formed multi-dimensional constellation towards whole information security field, again by the multidimensional model in the data warehouse, adopt online on-line analysis disposal route to carry out multidimensional analysis, on the basis of data warehouse, adopt data digging method and association analysis method to carry out data mining simultaneously, find a large amount of inner link between the audit log of various audits source, thereby potential security breaches and problem in the discovery network, generate the audit analysis form according to analysis result at last
Method step is as follows:
(1) Analyze the audit sources in the network and determine the data to be audited and the audit-analysis subjects. The current information security audit-analysis subjects comprise: a firewall event analysis subject, an intrusion detection event analysis subject, an anti-virus event analysis subject and an SSLServer event analysis subject;
(2) Create the multidimensional models according to the audit-analysis subjects and the angles of analysis, and organize the data in multidimensional form. The star schema is used to express and store each multidimensional model; in the star schema the multidimensional structure is divided into two kinds of tables: the fact table, which stores the measures needed for audit analysis together with the key value of each analysis dimension, and the dimension tables, which are distributed around the fact table and each represent one particular angle of audit analysis; the fact table is joined to the dimension tables through the key value of each dimension. According to the information audit-analysis subjects, the following multidimensional models are included: the firewall multidimensional model, the intrusion detection multidimensional model, the anti-virus multidimensional model and the SSLServer multidimensional model;
(3) Link the multidimensional models: every multidimensional model above has a time dimension, and every model has an address dimension or a dimension related to user information. These dimensions are abstracted, and a user dimension is created from the actual user information in the network, each user carrying its basic information. Through this shared user dimension and the shared time dimension the multidimensional models are connected to one another, forming the information security constellation;
(4) After the data warehouse has been created, start the log server, which listens on UDP port 514 and receives the logs sent by the network security applications;
(5) Once the Syslog service has been configured on a network security application, whenever it produces log information it sends that log information in real time to the log server through the standard Syslog protocol;
(6) After the log server receives the log information, it matches and parses the log format using the regular expressions pre-configured by the administrator, extracts from it the information needed for the audit, and performs the unified integration and conversion work that normalizes the data in the audit logs;
(7) Perform OLAP analysis and data mining analysis: after the data has been integrated into the data warehouse, OLAP analysis and data mining analysis are performed on the basis of the data warehouse. OLAP analysis comprises slicing, dicing, pivoting and drilling; data mining uses the decision tree method, the association analysis method and the sequential pattern analysis method to mine the internal links between the data in the audit logs and to discover potential security vulnerabilities and problems in the network;
(8) Generate the audit analysis report from the analysis results.
The pattern-matching method based on regular expressions is as follows:
Security audit logs are mostly stored as text. For audit logs of this type a text-processing method based on regular expressions is adopted: text fields are extracted and subsequently processed by way of patterns, which gives log parsing flexibility and openness, since supporting a new log format means adding a pattern rather than changing the collector.
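The collection pipeline of steps (4) to (6) and the regular-expression method just described, as an added Python example that is not the patent's own code. It receives RFC 3164-style syslog datagrams, looks up an administrator-configured pattern by syslog tag, and turns each matching line into one normalized record; the firewall, IDS and anti-virus message layouts, the tags in TAG_TO_SOURCE, the hosts and the sample lines are all constructed for the example.

```python
"""Syslog collection and regex-driven log normalization.
Added example; message formats, tags, hosts and sample lines are constructed."""
import re
import socket
from datetime import datetime
from typing import Callable, Optional

# RFC 3164 style header as sent by most appliances: <PRI>Mmm dd HH:MM:SS host tag[pid]: msg
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# Administrator-configured patterns, one per audit source. Each pattern names the
# fields the audit needs, so a new product is a configuration change, not a code
# change. These message layouts are hypothetical.
SOURCE_PATTERNS = {
    "firewall": re.compile(
        r"(?P<action>ACCEPT|DROP|REJECT) proto=(?P<proto>\w+) "
        r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
        r"sent=(?P<sent>\d+) rcvd=(?P<rcvd>\d+)"
    ),
    "ids": re.compile(
        r"\[(?P<sensor>[^\]]+)\] (?P<sig>.+?) \[Priority: (?P<prio>\d)\] "
        r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    ),
    "antivirus": re.compile(
        r"virus=(?P<virus>\S+) type=(?P<vtype>\w+) user=(?P<user>\S+) "
        r"file=(?P<file>\S+) scan=(?P<scan>\w+) result=(?P<result>\w+)"
    ),
}
# syslog tag -> audit source; also administrator configuration (hypothetical tags)
TAG_TO_SOURCE = {"fw": "firewall", "snort": "ids", "av": "antivirus"}


def parse_line(line: str, year: int = 2003) -> Optional[dict]:
    """Return one normalized record, or None when no configured pattern matches.
    Unmatched lines must be kept for review, not silently dropped: anyone who can
    reach the collector can send junk, and a product upgrade can change the format."""
    head = SYSLOG_HEADER.match(line)
    if not head:
        return None
    source = TAG_TO_SOURCE.get(head["tag"])
    body = SOURCE_PATTERNS[source].search(head["msg"]) if source else None
    if not body:
        return None
    pri = int(head["pri"])
    # the RFC 3164 timestamp carries no year; the collector supplies it
    stamp = datetime.strptime(f"{year} {re.sub(r' +', ' ', head['ts'])}", "%Y %b %d %H:%M:%S")
    record = {
        "time": stamp.isoformat(),
        "source": source,
        "host": head["host"],
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
    }
    record.update(body.groupdict())   # source-specific fields, named by the pattern
    return record


def parse_batch(lines, year: int = 2003):
    """Split a batch into normalized records and rejected raw lines."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line, year)
        if rec:
            records.append(rec)
        else:
            rejected.append(line)
    return records, rejected


def serve_udp(handler: Callable[[str, str], None], port: int = 514,
              max_messages: Optional[int] = None) -> int:
    """The log server of step (4): one datagram per syslog message on UDP/514.
    Binding 514 needs root. UDP syslog is unauthenticated and the peer address is
    spoofable, so restrict senders at the network edge and treat 'peer' as a hint."""
    count = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while max_messages is None or count < max_messages:
            data, (peer, _) = sock.recvfrom(65535)
            handler(data.decode("utf-8", "replace").rstrip("\r\n"), peer)
            count += 1
    return count


# Constructed sample datagram payloads: one per source, plus one unconfigured tag.
SAMPLE_LINES = [
    "<36>Sep  4 10:15:01 fw1 fw: DROP proto=tcp src=10.0.0.5:51234 dst=192.0.2.10:445 sent=120 rcvd=0",
    "<33>Sep  4 10:15:03 ids1 snort[2211]: [sensor-1] SMB share enumeration attempt "
    "[Priority: 2] 10.0.0.5 -> 192.0.2.10:445",
    "<30>Sep  4 10:16:40 pc07 av: virus=EICAR-Test type=testfile user=alice "
    "file=C:\\tmp\\x.com scan=realtime result=quarantined",
    "<13>Sep  4 10:17:00 pc07 sshd[410]: Accepted password for bob from 10.0.0.9 port 4022 ssh2",
]

if __name__ == "__main__":
    good, bad = parse_batch(SAMPLE_LINES)
    for rec in good:
        print(rec)
    print("rejected:", bad)
```

The sshd line is rejected on purpose: the claim's openness comes from the pattern table, and a line with no pattern is the signal that the table needs an entry. Feed `serve_udp` a handler that calls `parse_line` and stores both outcomes; in production also rate-limit and source-filter the socket, because nothing in UDP syslog proves who sent a datagram.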
The data mining method and association analysis method are as follows:
Data mining extracts from the data warehouse knowledge and rules that are implicit, previously unknown and of potential value for security decisions. Data mining mainly comprises prediction/verification methods and description methods. Prediction/verification means predicting or verifying unknown information from known information; prediction methods include statistical analysis, association rule and decision tree prediction, and regression tree prediction. Description means finding understandable patterns that describe the data; description methods include data classification, regression analysis, clustering, summarization, construction of dependency patterns, change and deviation analysis, pattern discovery and path discovery. By means of the data mining method, clues and traces of network crime are found in the large volume of log information, and potential vulnerabilities in the network and problems in device management configuration are discovered. From the data of the various sources, the data mining method derives the correlations between the data, and by comparison with the standard security policy the security risk situation of the whole network is grasped. These analyses ultimately feed back into the formulation of the security protection policy, ensuring the consistency and standardization of the security policy; the resulting security policies are finally applied in concrete security protection enforcement and enrich the network-wide security policy library.
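The association analysis described above, as an added Python example that is not the patent's code: an Apriori frequent-itemset pass over constructed (host, hour) event windows, followed by rule derivation with support, confidence and lift, filtered to rules whose antecedent and consequent come from different audit sources, which is the kind of "internal link between audit sources" the claim is after. The event labels, the window contents and the thresholds are assumptions of the example.

```python
"""Association analysis over cross-source audit events (Apriori + rule derivation).
Added example; transactions and thresholds are constructed."""
from itertools import combinations

# One transaction per (host, hour) window, holding the event types seen across
# the firewall (fw), intrusion detection (ids) and anti-virus (av) sources in that
# window. In the patent's warehouse these come from a query over the shared time
# and user dimensions; here they are constructed.
TRANSACTIONS = [
    {"fw:DROP:445", "ids:SMB-enum", "av:infected"},
    {"fw:DROP:445", "ids:SMB-enum", "av:infected"},
    {"fw:DROP:445", "ids:SMB-enum"},
    {"fw:DROP:445", "ids:SMB-enum", "av:infected"},
    {"fw:ACCEPT:443"},
    {"fw:ACCEPT:443", "fw:ACCEPT:53"},
    {"fw:DROP:445"},
    {"fw:ACCEPT:443", "av:infected"},
]


def apriori(transactions, min_support):
    """Return {frozenset(itemset): support} for every itemset at or above min_support.
    Level k+1 candidates are built only from frequent level-k sets, and pruned when
    any k-subset is infrequent (the Apriori property)."""
    n = len(transactions)

    def support(itemset):
        return sum(1 for t in transactions if itemset <= t) / n

    items = sorted({i for t in transactions for i in t})
    level = [frozenset([i]) for i in items if support(frozenset([i])) >= min_support]
    frequent, k = {}, 1
    while level:
        for s in level:
            frequent[s] = support(s)
        candidates = set()
        for a, b in combinations(level, 2):
            c = a | b
            if len(c) == k + 1 and all(frozenset(sub) in frequent for sub in combinations(c, k)):
                candidates.add(c)
        level = [c for c in candidates if support(c) >= min_support]
        k += 1
    return frequent


def rules(frequent, min_confidence):
    """Derive lhs -> rhs rules from each frequent itemset of size >= 2.
    Returns (lhs, rhs, support, confidence, lift) sorted by confidence, then support."""
    out = []
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for lhs in combinations(itemset, r):
                lhs = frozenset(lhs)
                rhs = itemset - lhs
                conf = sup / frequent[lhs]          # every subset of a frequent set is frequent
                if conf >= min_confidence:
                    out.append((lhs, rhs, sup, conf, conf / frequent[rhs]))
    return sorted(out, key=lambda x: (-x[3], -x[2]))


def cross_source_rules(transactions, min_support=0.3, min_confidence=0.7):
    """Keep only rules whose antecedent and consequent come from different audit
    sources (the prefix before the first ':'): the cross-source links."""
    def sources(itemset):
        return {i.split(":", 1)[0] for i in itemset}

    return [r for r in rules(apriori(transactions, min_support), min_confidence)
            if not (sources(r[0]) & sources(r[1]))]


if __name__ == "__main__":
    for lhs, rhs, sup, conf, lift in cross_source_rules(TRANSACTIONS):
        print(f"{sorted(lhs)} -> {sorted(rhs)}  support={sup:.3f} confidence={conf:.2f} lift={lift:.2f}")
```

On the constructed windows the strongest rule is `ids:SMB-enum -> fw:DROP:445` with confidence 1.0 and lift 1.6, and the three-item set `{fw:DROP:445, ids:SMB-enum, av:infected}` is frequent at 3 of 8 windows; that is the shape of finding an analyst would chase (a host scanning for SMB shares, being blocked, and later flagged by anti-virus). Lift above 1 is what separates a real link from two events that are merely both common; confidence alone overstates rules whose consequent is frequent everywhere.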
2. The information security auditing method based on a data warehouse according to claim 1, characterized in that the multidimensional models, namely the firewall multidimensional model, the intrusion detection multidimensional model, the anti-virus multidimensional model and the SSLServer multidimensional model, are specifically as follows:
● the firewall multidimensional model: the measures in the fact table comprise the connection duration, the transmitted traffic and the received traffic; the analysis dimensions comprise the time dimension, the firewall action dimension, the access protocol dimension, the source address dimension and the destination address dimension;
● the intrusion detection multidimensional model: the measures in the fact table comprise the alert event detail data and the handling suggestion for the alert event; the audit-analysis dimensions comprise the time dimension, the alert event grade dimension, the alert detector (sensor) dimension, the source address dimension, the destination address dimension and the service port dimension;
● the anti-virus multidimensional model: the measures in the fact table comprise the virus outbreak location; the audit-analysis dimensions comprise the virus infection time dimension, the infected machine dimension, the system user dimension, the virus name dimension, the virus type dimension, the scan type dimension and the virus handling result dimension;
● the SSLServer multidimensional model: the measures in the fact table comprise the number of resource accesses; the audit-analysis dimensions comprise the resource access time dimension, the source address dimension, the resource name dimension, the user dimension and the resource dimension.
3. The information security auditing method based on a data warehouse according to claim 1, characterized in that the modeling method of the information security multidimensional model is as follows:
The information security multidimensional model is created with a data-driven design method. First, data-driven design builds the system from the log data that already exists, identifying clearly what data the network, the various operating systems and the security applications will produce and what influence that data has on the current system design. Second, data-driven design examines, from the analysis domain, the data of the various security applications and the relationships between those data, and organizes the subjects within the data. Third, data-driven design uses the data model to identify effectively the common points between the logs and the analysis subject data.
4. The information security auditing method based on a data warehouse according to claim 1, characterized in that the online analytical processing method is as follows:
The online analytical processing method comprises the storage technology for multidimensional data and the slicing, dicing, drilling and pivoting techniques for multidimensional data; through OLAP technology the logs from the various sources are correlated and analyzed, bringing out the intrinsic and valuable information about this group of devices.
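The star schemas of claim 2, the shared-dimension constellation of step (3) and the OLAP operations of claim 4, as one added Python example (not the patent's code) on an in-memory SQLite warehouse. The firewall and intrusion detection fact tables share conformed `dim_time` and `dim_user` tables, which is what lets the drill-across query join the two subjects without any direct link between facts. Table layouts, column names and every row are constructed for the example; the patent names the dimensions but not the physical schema.

```python
"""Star schemas, a shared-dimension constellation and OLAP queries in SQLite.
Added example; schema and rows are constructed."""
import sqlite3
from collections import defaultdict

SCHEMA = """
CREATE TABLE dim_time   (time_key INTEGER PRIMARY KEY, day TEXT, hour INTEGER);
CREATE TABLE dim_user   (user_key INTEGER PRIMARY KEY, name TEXT, dept TEXT, src_ip TEXT);
CREATE TABLE dim_action (action_key INTEGER PRIMARY KEY, action TEXT);
CREATE TABLE dim_proto  (proto_key INTEGER PRIMARY KEY, proto TEXT);
CREATE TABLE dim_alert  (alert_key INTEGER PRIMARY KEY, grade INTEGER, sensor TEXT, signature TEXT);
-- fact tables: measures plus the key of each analysis dimension; dim_time and
-- dim_user are conformed, i.e. shared by both subjects (the constellation)
CREATE TABLE fact_firewall (time_key INTEGER, user_key INTEGER, action_key INTEGER, proto_key INTEGER,
                            dst_ip TEXT, dst_port INTEGER, duration INTEGER, sent INTEGER, rcvd INTEGER);
CREATE TABLE fact_ids      (time_key INTEGER, user_key INTEGER, alert_key INTEGER,
                            dst_ip TEXT, dst_port INTEGER, detail TEXT, advice TEXT);
"""

# Constructed rows. The user dimension maps a source address to a person, which is
# how the patent links "address" dimensions of different subjects to one user.
DIM_ROWS = {
    "dim_time":   [(1, "2003-09-04", 10), (2, "2003-09-04", 11), (3, "2003-09-05", 10)],
    "dim_user":   [(1, "alice", "finance", "10.0.0.5"), (2, "bob", "ops", "10.0.0.9")],
    "dim_action": [(1, "ACCEPT"), (2, "DROP")],
    "dim_proto":  [(1, "tcp"), (2, "udp")],
    "dim_alert":  [(1, 2, "sensor-1", "SMB share enumeration"), (2, 1, "sensor-1", "Portscan")],
}
FACT_ROWS = {
    "fact_firewall": [
        (1, 1, 2, 1, "192.0.2.10", 445, 0, 120, 0),
        (1, 1, 2, 1, "192.0.2.11", 445, 0, 120, 0),
        (1, 2, 1, 1, "192.0.2.20", 443, 35, 4800, 51200),
        (2, 1, 2, 1, "192.0.2.12", 445, 0, 120, 0),
        (3, 2, 1, 2, "192.0.2.53", 53, 1, 80, 160),
    ],
    "fact_ids": [
        (1, 1, 1, "192.0.2.10", 445, "SMB tree connect to IPC$", "check host 10.0.0.5"),
        (2, 1, 2, "192.0.2.0/24", 0, "SYN scan of 64 hosts", "isolate host"),
    ],
}


def build_warehouse() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in {**DIM_ROWS, **FACT_ROWS}.items():   # table names are constants, not input
        conn.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return conn


def drops_by_day(conn):
    """Roll-up along the time hierarchy: denied sessions per day."""
    return conn.execute("""
        SELECT t.day, COUNT(*) FROM fact_firewall f
        JOIN dim_time t ON t.time_key = f.time_key
        JOIN dim_action a ON a.action_key = f.action_key
        WHERE a.action = 'DROP' GROUP BY t.day ORDER BY t.day""").fetchall()


def drill_down_drops(conn, day):
    """Slice on one day, then drill down to hour and dice by user."""
    return conn.execute("""
        SELECT t.hour, u.name, COUNT(*) FROM fact_firewall f
        JOIN dim_time t ON t.time_key = f.time_key
        JOIN dim_user u ON u.user_key = f.user_key
        JOIN dim_action a ON a.action_key = f.action_key
        WHERE a.action = 'DROP' AND t.day = ?
        GROUP BY t.hour, u.name ORDER BY t.hour, u.name""", (day,)).fetchall()


def pivot_user_by_action(conn):
    """Pivot: users as rows, firewall actions as columns, session count per cell."""
    table = defaultdict(dict)
    for name, action, n in conn.execute("""
            SELECT u.name, a.action, COUNT(*) FROM fact_firewall f
            JOIN dim_user u ON u.user_key = f.user_key
            JOIN dim_action a ON a.action_key = f.action_key
            GROUP BY u.name, a.action"""):
        table[name][action] = n
    return dict(table)


def drill_across(conn):
    """Constellation query: aggregate each fact table separately, then join the two
    aggregates only through the conformed time and user keys. Result: users whose
    denied firewall sessions and IDS alerts fall in the same hour."""
    return conn.execute("""
        SELECT u.name, t.day, t.hour, fw.drops, ids.alerts, ids.top_grade
        FROM (SELECT time_key, user_key, COUNT(*) AS drops FROM fact_firewall f
              JOIN dim_action a ON a.action_key = f.action_key
              WHERE a.action = 'DROP' GROUP BY time_key, user_key) fw
        JOIN (SELECT time_key, user_key, COUNT(*) AS alerts, MAX(al.grade) AS top_grade
              FROM fact_ids i JOIN dim_alert al ON al.alert_key = i.alert_key
              GROUP BY time_key, user_key) ids
          ON ids.time_key = fw.time_key AND ids.user_key = fw.user_key
        JOIN dim_time t ON t.time_key = fw.time_key
        JOIN dim_user u ON u.user_key = fw.user_key
        ORDER BY t.day, t.hour""").fetchall()


if __name__ == "__main__":
    db = build_warehouse()
    print("drops by day:", drops_by_day(db))
    print("drill-down 2003-09-04:", drill_down_drops(db, "2003-09-04"))
    print("pivot:", pivot_user_by_action(db))
    print("drill-across:", drill_across(db))
```

Aggregating each fact table before the join matters: joining the raw fact rows on shared keys multiplies rows (two drops times one alert would count as two alerts) and silently inflates the measures, a classic fan-out error in constellation queries. The same pattern extends to the anti-virus and SSLServer facts of claim 2 as long as they carry the same `time_key` and `user_key`.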
CNB031507778A 2003-09-04 2003-09-04 Information system auditing method based on data storehouse Expired - Fee Related CN100359495C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031507778A CN100359495C (en) 2003-09-04 2003-09-04 Information system auditing method based on data storehouse

Publications (2)

Publication Number Publication Date
CN1492336A CN1492336A (en) 2004-04-28
CN100359495C true CN100359495C (en) 2008-01-02

Family

ID=34240631

Country Status (1)

Country Link
CN (1) CN100359495C (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7627555B2 (en) * 2004-06-22 2009-12-01 Microsoft Corporation Combining multidimensional expressions and data mining extensions to mine OLAP cubes
US7505888B2 (en) * 2004-11-30 2009-03-17 International Business Machines Corporation Reporting model generation within a multidimensional enterprise software system
CN101151843B (en) * 2005-06-22 2010-05-12 中兴通讯股份有限公司 Text data digging method
CN1917445B (en) * 2006-09-07 2010-09-29 上海交通大学 Method for auditing log event of fire wall, and teaching experimental system
CN101039186B (en) * 2007-05-08 2010-08-04 中国科学院软件研究所 Method for auditing safely system log
CN101425936B (en) * 2007-10-30 2011-08-31 北京启明星辰信息技术股份有限公司 Macro network security status assessment method based on exception measurement
CN101453378B (en) * 2008-12-30 2011-01-12 杭州华三通信技术有限公司 Method and system for log dump and audit
CN101694661B (en) * 2009-10-22 2012-05-09 中兴通讯股份有限公司 Method and device for generating statistical form and statistical server
CN102457475A (en) * 2010-10-15 2012-05-16 中国人民解放军国防科学技术大学 Integration and conversion system for network security data
EP2490135A1 (en) * 2011-02-21 2012-08-22 Amadeus S.A.S. Method and system for providing statistical data from a data warehouse
CN102957550A (en) * 2011-08-23 2013-03-06 中兴通讯股份有限公司 System and method for alarming based on log detection
CN104376254B (en) * 2013-08-16 2017-08-04 北京神州泰岳软件股份有限公司 A kind of log audit method and system
CN104219088A (en) * 2014-08-21 2014-12-17 南京邮电大学 Hive-based network alarm information OLAP method
SG10201507051WA (en) * 2015-09-03 2017-04-27 Certis Cisco Security Pte Ltd System and method for high frequency heuristic data acquisition and analytics of information security events
CN105787052B (en) * 2016-02-26 2020-02-04 广州品唯软件有限公司 Data processing model establishing method and data screening method based on data processing model
CN106598827B (en) * 2016-12-19 2019-05-31 东软集团股份有限公司 Extract the method and device of daily record data
CN107395570B (en) * 2017-06-28 2022-09-06 青岛以太科技股份有限公司 Cloud platform auditing system based on big data management analysis
CN108664777A (en) * 2018-03-16 2018-10-16 济宁医学院 A kind of secure information storage method
CN109508541B (en) * 2018-10-18 2022-03-18 杭州安恒信息技术股份有限公司 Credible behavior library generation method based on semantic analysis
CN109993454A (en) * 2019-04-10 2019-07-09 贵州电网有限责任公司 Audit risk processing method, device, computer equipment and storage medium
CN110855747A (en) * 2019-10-14 2020-02-28 上海辰锐信息科技公司 Method for collecting behavior audit data of user access application
CN111026759B (en) * 2019-12-11 2024-03-12 中盈优创资讯科技有限公司 Report generation method and device based on Hbase
CN113157191A (en) * 2021-02-21 2021-07-23 上海帕科信息科技有限公司 Data visualization method based on OLAP system
CN116975136A (en) * 2023-09-25 2023-10-31 北京众图识人科技有限公司 Processing method and device of application program interface, terminal equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4757533A (en) * 1985-09-11 1988-07-12 Computer Security Corporation Security system for microcomputers
US5978475A (en) * 1997-07-18 1999-11-02 Counterpane Internet Security, Inc. Event auditing system
CN1349328A (en) * 2001-12-04 2002-05-15 上海复旦光华信息科技股份有限公司 Easy-to-expand network invasion detecting and safety auditing system
CN1417690A (en) * 2002-12-03 2003-05-14 南京金鹰国际集团软件系统有限公司 Application process audit platform system based on members

Also Published As

Publication number Publication date
CN1492336A (en) 2004-04-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
  Assignee: Shanghai Geer Automobile Accessory Co., Ltd.
  Assignor: Geer Software Co., Ltd., Shanghai
  Contract fulfillment period: 2009.6.1 to 2014.5.31
  Contract record no.: 2009310000089
  Denomination of invention: Information system auditing method based on data storehouse
  Granted publication date: 20080102
  License type: Exclusive license
  Record date: 20090608
LIC Patent licence contract for exploitation submitted for record
  Free format text: EXCLUSIVE LICENSE; TIME LIMIT OF IMPLEMENTING CONTRACT: 2009.6.1 TO 2014.5.31; CHANGE OF CONTRACT
  Name of requester: SHANGHAI KOAL AUTOMOBILE ACCESSORY CO., LTD.
  Effective date: 20090608
EC01 Cancellation of recordation of patent licensing contract
  Assignee: Shanghai Geer Automobile Accessory Co., Ltd.
  Assignor: Shanghai Ger Software Co., Ltd.
  Contract record no.: 2009310000089
  Date of cancellation: 20170103
LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
CF01 Termination of patent right due to non-payment of annual fee
  Granted publication date: 20080102
  Termination date: 20190904