CN103824069A - Intrusion detection method based on multi-host-log correlation - Google Patents


Info

Publication number
CN103824069A
Authority
CN
China
Prior art keywords
log
daily record
module
intrusion
rule
Prior art date
Legal status
Pending
Application number
CN201410101730.0A
Other languages
Chinese (zh)
Inventor
闫丹凤
冯瑞
周广
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications; priority to CN201410101730.0A; publication of CN103824069A; legal status: pending.

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention relates to an intrusion detection system and method based on multi-host log correlation. The system comprises a heterogeneous operating system log acquisition module, a log filtering module and a log matching algorithm. The log acquisition module collects the operating system logs of the virtual machines and transmits them to a log server in real time; the log filtering module receives the logs of the monitored machines and converts them according to configured rules into logs in XML or Excel format; the log matching algorithm analyses the characteristics of intrusion behaviour and extracts feature data to form matching rules. With this system, the logs of different operating systems can be collected across a virtual machine cluster, normalised into a single format and stored centrally, which preserves the integrity and authenticity of the log data; the centrally stored log data is then analysed correlatively with a model-based detection approach, so that an intrusion path can be tracked and identified effectively.

Description

Intrusion detection method based on multi-host log correlation
Technical field
The present invention relates to an intrusion detection method based on multi-host log correlation. For a complex virtual machine cluster environment, the logs of the different operating systems in the cluster are collected, analysed and checked, so that an intrusion path can be tracked and identified effectively. The invention belongs to the field of telecommunications service security technology.
Background technology
The rapid growth of Internet applications and the demand for economies of scale have given rise to a new network computing model, cloud computing. Cloud computing is one of the most discussed topics in the IT field and a focus of attention across industry. It uses the Internet to combine large amounts of software and hardware resources into a huge virtual resource pool and provides various services over the Internet to users such as enterprises and departments. However, the security problems arising from the key technologies of cloud computing itself continue to restrict its wider adoption and development.
In the Internet era, with the rapid development of science and technology and the constant emergence of new personal applications, the security problems that progress inevitably brings receive ever more attention; in particular, the Snowden incident has posed an unprecedented challenge to global network security defence. In recent years the variety of computer security vulnerabilities and network attacks, their complexity and the number of compromised computers have increased year by year, and potential threats and attacks keep growing. In a cloud computing system, the high concentration of computing and storage resources makes it an easier target for attack and exploitation. How to ensure that cloud computing systems are not intruded upon or damaged in such a severe network security situation is one of the main problems that cloud computing research urgently needs to solve.
Virtualisation is one of the key technologies of cloud computing. With virtualisation, traditional hosts are replaced by virtual machines, which on the one hand raises resource utilisation and reduces management cost, but on the other hand brings more security hazards behind the more powerful functionality: improper isolation between virtual machines, virtual machine escape, virtual machine hijacking, dynamic changes of the virtual machine network topology, and so on. These factors make the security problems of virtual machines more complex than those of traditional hosts.
Logs play an important role in host security: system logs reveal system errors and the source of an attack. Traditional log analysis tools, however, can only record and analyse the log of a single operating system. When an application or service in a complex network structure requires several virtual machines to cooperate, they cannot identify the attacker's intent or attack path by studying the logical relations behind the raw data of the whole virtual machine cluster. In a traditional non-virtualised environment, log analysis is usually combined with a host-based intrusion detection system (HIDS), with part of the log analysis functionality integrated into the HIDS. A HIDS can protect system security well: it examines the log files produced by the system, matches them against the intrusion rules in its knowledge base, and determines whether a security incident has occurred in the system. But a HIDS has many problems of its own. To guarantee the accuracy of its results, the security of the system itself must be guaranteed first; all detection activity is premised on the system itself having a reasonable security configuration. Even when that condition is met, an attacker can delete the relevant system logs immediately after the intrusion and so go undetected. The HIDS therefore falls short in guaranteeing the timeliness, integrity and authenticity of the data it collects.
In addition, in a virtualised environment the appearance of virtual machine systems changes the structure in which a traditional operating system runs directly on hardware. The same virtualisation platform can host many virtual machines, each with a different security policy, and because the network configuration of the virtual environment changes dynamically, the network topology in which a virtual machine sits changes as well. All of these features make a traditional HIDS perform worse in a virtualised architecture.
Finally, distributed intrusion detection systems are the trend for the future. Traditional IDSs are mostly confined to a single host or network architecture, are clearly insufficient for detecting heterogeneous systems, and do not cooperate well with one another.
Summary of the invention
To address the above problems, the object of the invention is to provide an intrusion detection method based on multi-host log correlation.
The technical solution by which the invention solves the above technical problems is as follows: an intrusion detection system based on multi-host log correlation, comprising an OS log collection module, a log filtering module and a log matching algorithm;
The OS log collection module collects the logs of the virtual machine operating systems and transmits them in real time to a remote log server. According to the operating system it is divided into a Windows system log collection module and a syslog collection module, which provide the technical basis for unifying the log formats of different operating systems and merging their collection;
The log filtering module accepts the logs of the monitored virtual machine systems, converts them as required according to configured rules, generates log information in XML or Excel format and passes it to subsequent modules for analysis. This improves the usefulness of the logs, reduces the storage burden and provides the content for the subsequent log analysis work;
The log matching algorithm uses the data output by the log filtering module as the basis for analysing the characteristics of intrusion behaviour: simulated attacks are carried out repeatedly against a test environment, the log data related to the intrusion behaviour is collected and analysed, feature data is extracted and matching rules are formed.
The beneficial effects of the invention are: the invention can collect the logs of different operating systems across the whole virtual machine cluster, summarise and abstract them into a unified log format and store them centrally, which guarantees the integrity and authenticity of the log data; in addition, the centrally stored log data is analysed correlatively with a model-based detection approach, whereby the collected log sequences are matched against the models in the knowledge base, so that an intrusion path can be tracked and identified effectively.
On the basis of the above technical solution, the invention can further be improved as follows.
Further, the OS log collection module comprises a Windows system log collection submodule and a Linux log collection submodule;
The Windows system log collection submodule comprises a log file acquisition submodule, a log event screening submodule, an event metadata extraction submodule, a log reconstruction submodule and a log sending submodule;
Further, the OS log collection module configures a reasonable audit policy on the local computer and filters the logs effectively before transmission, reducing redundant data as far as possible;
The log filtering module comprises a log selection submodule, a log parsing and storage submodule, a log filtering submodule and a log output submodule;
To achieve the above object, the invention also provides an intrusion detection method based on multi-host log correlation, which specifically comprises the following steps:
Step 1: the OS log collection module collects log information in the operating system environment and sends it to the log analysis server;
Step 2: the log analysis server receives the log information, analyses and processes it, and responds;
Further, step 1 comprises the following operations:
Step 1.1: obtain the log files: under Windows, obtain the log files with the extension evtx; under Linux, obtain the syslog files;
Step 1.2: screen the log events: perform a preliminary screening of the obtained log files according to configured rules;
Step 1.3: parse and reconstruct the logs: under Windows the logs must be parsed to generate an intermediate XML document, which is then reconstructed into standard syslog format; Linux does not need this step;
Step 1.4: send the logs: the log files are sent to the server in UDP packets.
Further, step 2 comprises the following operations:
Step 2.1: filter the received logs;
Step 2.2: analyse the filtered logs;
Step 2.3: output the log analysis results of the system and take intrusion response actions according to the response rule base, so as to guarantee the normal operation of the whole cluster environment.
Further, step 2.1 comprises the following operations:
Step 2.1.1: read the syslog data, parse the log content line by line, and store it;
Step 2.1.2: filter the log files according to the specified rules and, as configured, output the filter results in XML or Excel format.
Further, step 2.2 comprises the following operations:
Step 2.2.1: build and refine the matching rule base, including the extraction of the matching log feature data and the determination of the causal relations between log data;
Step 2.2.2: perform log matching against the existing rules in the matching rule base and identify the intrusion events corresponding to the matched rules.
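As an added example (not code from the patent) of steps 1.3, 1.4, 2.1.1 and 2.1.2 in Python: the Windows XML intermediate is reconstructed into BSD-style syslog lines (RFC 3164 layout), the server side parses syslog lines field by field, and the records are filtered by time window and host as in the embodiment. The XML layout, host names, event texts, the sshd line and all function names are constructed for this example.

```python
import re
import socket
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Optional

# Constructed intermediate XML as the Windows collector might emit after step 1.3
# (a simplified layout for this example, not the Windows event schema).
WINDOWS_XML = """<Events>
  <Event><Computer>vm-web-01</Computer><TimeCreated>2014-03-18T09:01:12</TimeCreated>
         <EventID>4625</EventID><Message>An account failed to log on</Message></Event>
  <Event><Computer>vm-web-01</Computer><TimeCreated>2014-03-18T09:04:40</TimeCreated>
         <EventID>4720</EventID><Message>A user account was created</Message></Event>
</Events>"""

# Constructed line as rsyslog on a Linux guest would forward it (Linux branch of step 1.1).
LINUX_SYSLOG = "<38>Mar 18 09:10:05 vm-db-01 sshd[2211]: Accepted password for deploy from 10.0.0.5 port 51022 ssh2"

# RFC 3164 priority = facility * 8 + severity; facility 4 is auth, severity 4 is warning.
FACILITY_AUTH, SEVERITY_WARNING = 4, 4


def reconstruct_syslog(xml_text: str, facility: int = FACILITY_AUTH,
                       severity: int = SEVERITY_WARNING) -> List[str]:
    """Step 1.3: rebuild each XML event as a '<PRI>Mmm dd hh:mm:ss host tag[id]: msg' line."""
    lines = []
    for ev in ET.fromstring(xml_text).findall("Event"):
        ts = datetime.fromisoformat(ev.findtext("TimeCreated"))
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"      # RFC 3164 pads a one-digit day with a space
        lines.append(f"<{facility * 8 + severity}>{stamp} {ev.findtext('Computer')} "
                     f"winlog[{ev.findtext('EventID')}]: {ev.findtext('Message')}")
    return lines


def send_syslog_udp(lines: List[str], server: str, port: int = 514) -> int:
    """Step 1.4: ship each reconstructed line as one UDP datagram to the central log server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sum(sock.sendto(line.encode("utf-8"), (server, port)) for line in lines)


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def parse_syslog_line(line: str, year: int) -> Optional[Dict[str, object]]:
    """Step 2.1.1: split one line into the fields kept in the database; None for malformed input.
    The BSD timestamp carries no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "time": datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "facility": pri // 8,
        "severity": pri % 8,
        "tag": m["tag"],
        "pid": m["pid"] or "",
        "msg": m["msg"],
    }


def filter_records(records: List[Dict[str, object]], start: datetime, end: datetime,
                   host: Optional[str] = None) -> List[Dict[str, object]]:
    """Step 2.1.2 (and step 4 of the embodiment): keep records inside [start, end];
    if a host is given, keep only that host's records."""
    return [r for r in records
            if start <= r["time"] <= end and (host is None or r["host"] == host)]


def records_to_xml(records: List[Dict[str, object]]) -> str:
    """Step 2.1.2 output option: serialise the filter result as XML for the matching module."""
    root = ET.Element("Logs")
    for r in records:
        entry = ET.SubElement(root, "Log")
        for key, value in r.items():
            ET.SubElement(entry, key).text = (value.isoformat() if isinstance(value, datetime)
                                              else str(value))
    return ET.tostring(root, encoding="unicode")


def collect_and_filter(start_iso: str, end_iso: str, host: Optional[str] = None,
                       year: int = 2014) -> List[Dict[str, object]]:
    """Run the pipeline on the constructed samples: reconstruct, parse line by line, filter."""
    lines = reconstruct_syslog(WINDOWS_XML) + [LINUX_SYSLOG]
    records = [r for r in (parse_syslog_line(l, year) for l in lines) if r is not None]
    return filter_records(records, datetime.fromisoformat(start_iso),
                          datetime.fromisoformat(end_iso), host)


if __name__ == "__main__":
    hits = collect_and_filter("2014-03-18T09:00:00", "2014-03-18T09:15:00", host="vm-db-01")
    print(records_to_xml(hits))
```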
The intrusion detection method based on multi-host log correlation uses the combined analysis of host logs. By analysing the temporal and causal relations between the host logs of the individual systems, it can identify suspicious nodes in the middle or at the end of a path (even when a node's own log records do not show that it was compromised), and so trace the full path of the whole intrusion more accurately.
Fig. 3 shows the generation of the log matching model. Starting from a known intrusion behaviour, the logs are analysed to obtain the matching model; when actual logs are analysed, the intrusion path is derived from the matching of the logs, including the intruder's host name (or IP), all operations on the target host and the risk ultimately posed to the target host. In the model diagram the intrusion behaviour column corresponds to the Attack data; the intruder is the IP address of the intruding host; intrusion behaviours A, B, C ... represent the operations by which the intruder attacks the target host and correspond to the Sub_Attack data; the arrow from intrusion behaviour A to intrusion behaviour B means that A prepares for B, that is, the success of A makes it possible for B to occur.
The middle log column corresponds to the Attack_Log data; logs A, B, C ... correspond to the Sub_Attack_Log data and represent the log file generated by each operation of the intruder; the arrow between generated log A and generated log B means that Sub_Attack_LogA prepares for Sub_Attack_LogB.
The two difficulties in establishing the matching model are the extraction of the log record features corresponding to each intrusion behaviour, and the conversion of the causal relations between the intrusion sub-behaviours into the corresponding causal relations between the logs. From the prepare-for relations between the intrusion sub-events, the prepare-for relations between the sub-log data can be determined and entered into the matching rule base; the ordered combination of the sub-logs is the matching model sequence that has been established.
The intrusion instance matching process is the process of verifying the matching rules in the matching rule base. All operations before log analysis, including log collection, log storage and log filtering, are similar to those used when establishing the matching instances. After the abstracted log data has been obtained, keyword matching is performed on the abstracted data (node, consequence_log). For any record in the data:
(1) look up the consequence_log field in table SALConseq to obtain the sub_attack_log_id of this log;
(2) look up this id in table SALNode to determine the node information, and verify it against the node information and the consequence_log of that node in the source data; if the match succeeds, proceed to the next step;
(3) look up table SALPrereq to determine the prerequisite log feature prerequisite_log of this log;
(4) use prerequisite_log as consequence_log to look up table SALConseq and obtain the prerequisite sub_attack_log_id of this id;
(5) repeat steps 2 to 4 until the prerequisite_log obtained in step (3) is empty.
The sub_attack_log_ids obtained by this process are the numbers of the prerequisite logs of the queried log: they occurred before it in time and are the cause that produced it.
The steps below find all successor logs of this log:
(1) use the value of the consequence_log field as the prerequisite_log value to look up table SALPrereq and obtain the sub_attack_log_id of the result log of this log;
(2) look up this id in table SALNode to determine the node information, and verify it against the node information in the source data; if the match succeeds, proceed to the next step;
(3) look up this id in table SALConseq to determine the consequence_log information, and verify it against the consequence_log under the same node information in the source data; if the match succeeds, proceed to the next step;
(4) use the consequence_log obtained above as prerequisite_log to look up table SALPrereq and obtain the result sub_attack_log_id of this id;
(5) repeat steps 1 to 4 until the sub_attack_log_id obtained in step (1) is empty.
The sub_attack_log_ids obtained by this process are the numbers of the successor logs of the queried log: they occurred after it in time and are the subsequent results it produced.
Combining the above steps gives the sub_attack_log_id sequence corresponding to the whole event; the sub_attack_id sequence of the whole event is then determined via table SASAL, and finally each intrusion sub-event is determined by querying the auxiliary table Sub_Attack. The intrusion sub-events, the vulnerabilities exploited and the remedial measures are all displayed to the user on screen.
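The backward (prerequisite) and forward (successor) searches above, carried out as an added Python example that is not the patent's own code. The tables SALConseq, SALNode, SALPrereq, SASAL and Sub_Attack are modelled as dictionaries with constructed sample rows, the abstracted source data is a constructed list of (time, node, consequence_log) records, and the function names are my own; the forward search is written depth-first so that a rule base in which one log prepares for several later logs is handled, and both searches stop on a revisited id so that a cycle in the rule base cannot loop forever.

```python
from typing import Dict, List, Set, Tuple

# One abstracted log record from the filtering module: (time, node, consequence_log).
Record = Tuple[str, str, str]

# Constructed matching-rule base (sample content, not taken from the patent).
SAL_CONSEQ: Dict[str, str] = {            # table SALConseq: consequence_log -> sub_attack_log_id
    "auth_failure_burst": "L1",
    "new_privileged_account": "L2",
    "remote_logon_from_peer": "L3",
}
CONSEQ_OF_ID = {i: c for c, i in SAL_CONSEQ.items()}   # reverse view used by the forward search
SAL_NODE: Dict[str, str] = {              # table SALNode: sub_attack_log_id -> node
    "L1": "vm-web-01", "L2": "vm-web-01", "L3": "vm-db-01",
}
SAL_PREREQ: Dict[str, str] = {            # table SALPrereq: sub_attack_log_id -> prerequisite_log ("" = none)
    "L1": "", "L2": "auth_failure_burst", "L3": "new_privileged_account",
}
SASAL: Dict[str, str] = {"L1": "S1", "L2": "S2", "L3": "S3"}   # sub_attack_log_id -> sub_attack_id
SUB_ATTACK: Dict[str, Tuple[str, str, str]] = {                # table Sub_Attack: id -> (sub-event, weakness, remedy)
    "S1": ("repeated failed logons", "no lockout policy", "enable lockout and MFA"),
    "S2": ("privileged account created", "unrestricted account creation", "alert on account creation"),
    "S3": ("logon on second host from first", "credentials shared across hosts", "rotate credentials, segment network"),
}

# Constructed abstracted source data, as produced by the filtering module.
SAMPLE_RECORDS: List[Record] = [
    ("2014-03-18T09:01:12", "vm-web-01", "auth_failure_burst"),
    ("2014-03-18T09:04:40", "vm-web-01", "new_privileged_account"),
    ("2014-03-18T09:10:05", "vm-db-01", "remote_logon_from_peer"),
    ("2014-03-18T09:12:00", "vm-db-01", "backup_job_finished"),   # benign, matches no rule
]


def observed(records: List[Record], node: str, consequence_log: str) -> bool:
    """Verification used in both searches: the (node, consequence_log) pair must exist in the source data."""
    return any(n == node and c == consequence_log for _, n, c in records)


def find_prerequisites(records: List[Record], consequence_log: str) -> List[str]:
    """Backward search, steps (1)-(5): ids of the logs that prepared for the queried log, nearest first.
    Stops when prerequisite_log is empty, when a rule is not confirmed by the data, or on a revisited id."""
    chain: List[str] = []
    seen: Set[str] = set()
    log = consequence_log
    while log:
        sal_id = SAL_CONSEQ.get(log)                         # (1)/(4) SALConseq: consequence_log -> id
        if sal_id is None or sal_id in seen:
            break
        seen.add(sal_id)
        if not observed(records, SAL_NODE[sal_id], log):     # (2) SALNode, verified against source data
            break
        chain.append(sal_id)
        log = SAL_PREREQ.get(sal_id, "")                     # (3) SALPrereq: id -> prerequisite_log
    return chain[1:]                                         # chain[0] is the queried log itself


def find_consequences(records: List[Record], consequence_log: str) -> List[str]:
    """Forward search, steps (1)-(5): ids of the logs the queried log prepared for (depth-first)."""
    found: List[str] = []
    seen: Set[str] = set()
    stack = [consequence_log]
    while stack:
        prereq = stack.pop()
        for sal_id in (i for i, p in SAL_PREREQ.items() if p == prereq):   # (1) SALPrereq reverse lookup
            if sal_id in seen:
                continue
            seen.add(sal_id)
            node, next_log = SAL_NODE[sal_id], CONSEQ_OF_ID[sal_id]        # (2) SALNode, (3) SALConseq
            if not observed(records, node, next_log):
                continue                                                  # not confirmed: drop this branch
            found.append(sal_id)
            stack.append(next_log)                                        # (4) becomes the next prerequisite_log
    return found


def reconstruct_path(records: List[Record], consequence_log: str) -> List[Tuple[str, str, str, str]]:
    """Combine both searches, map ids through SASAL and look each sub-event up in Sub_Attack.
    Returns (sub_attack_log_id, node, sub_attack_id, sub-event) in attack order."""
    own = SAL_CONSEQ.get(consequence_log)
    if own is None or not observed(records, SAL_NODE[own], consequence_log):
        return []
    ids = (list(reversed(find_prerequisites(records, consequence_log))) + [own]
           + find_consequences(records, consequence_log))
    return [(i, SAL_NODE[i], SASAL[i], SUB_ATTACK[SASAL[i]][0]) for i in ids]


def report(records: List[Record], consequence_log: str) -> List[str]:
    """What the patent displays to the user: sub-event, weakness exploited and remedy for every step."""
    return [f"{sal_id}@{node}: {SUB_ATTACK[sa][0]} | weakness: {SUB_ATTACK[sa][1]} | remedy: {SUB_ATTACK[sa][2]}"
            for sal_id, node, sa, _ in reconstruct_path(records, consequence_log)]


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS, "new_privileged_account"):
        print(line)
```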
Description of the drawings
Fig. 1 is a schematic diagram of the architecture of the intrusion detection method based on multi-host log correlation of the invention.
Fig. 2 is a schematic diagram of the general evaluation method of the intrusion detection method based on multi-host log correlation.
Fig. 3 shows the generation of the log matching model.
Embodiment
The principles and features of the invention are described below with reference to the drawings; the examples only explain the invention and do not limit its scope.
Referring to Fig. 1, the structure of the intrusion detection method based on multi-host log correlation is introduced. The core function of this multi-host log correlation intrusion detection framework is to detect and track virtual machine security events. Following the flow of log collection, analysis and response, the platform of the invention is divided from bottom to top into the following parts: a log collection module, a log filtering module and a log matching algorithm. The structure of each part is analysed below:
OS log collection module: this module is mainly installed on the monitored virtual machines; it collects the logs of the virtual machine operating system and transmits them in real time to a remote log server. According to the operating system it is divided into a Windows system log collection module and a syslog collection module. The Windows system log collection module is divided into the submodules log file acquisition, log event screening, event metadata extraction, log reconstruction and log sending. The log file acquisition module offers two options: either the log file is converted according to a log file path supplied by the user, or the system collects it automatically from the default host log path. The log event screening module screens the intermediate XML document according to the user's requirements. The event metadata extraction module calls the Windows Event Log API and uses the functions it provides to obtain the required log information. The log reconstruction module converts the intermediate XML document into the target syslog format according to the standard syslog log format. The log sending module sends the converted syslog logs to the destination server. The target virtual machine operating system of the syslog collection module is Unix or Linux, and the syslog or rsyslog service process shipped with the system forwards the log files to the remote central log server.
Log filtering module: accepts the logs of the monitored virtual machine systems, converts them as required according to configured rules and generates log information in XML or Excel format. The module is mainly divided into two large parts, log parsing and storage and log filtering and output. The log parsing and storage module parses the log source data and then stores it in a database designed according to the types of the parsed fields. The log filtering and output module receives the user's choice of filtering rules and screens the qualifying log entries with SQL queries.
Log matching algorithm: mainly comprises the establishment of the log matching model and the matching of rules. Establishing the log matching model mainly involves extracting the log record features corresponding to each intrusion behaviour and converting the causal relations between the intrusion sub-behaviours into the corresponding causal relations between logs. The intrusion instance matching process verifies the matching rules of the rule base: the matching rule base gives the log sequence features of all intrusion events, the collected logs are divided by time, and for each time period the system judges whether the log sequence it forms corresponds to some matching sequence in the rule base, and thus whether an intrusion has occurred.
The core of the invention, the log matching process, is divided by function into the matching instance establishment process and the matching instance matching process. The establishment process is the system's autonomous learning: an intrusion instance with known features is analysed, the log data corresponding to each sub-event is extracted, the feature fields of that log data are extracted and stored in the matching rule base, so that the system can respond automatically to intrusions with these features. The matching process verifies the matching models of the rule base: all operations before log analysis, including log collection, log storage and log filtering, are similar to those in the establishment process, and after the abstracted log data has been obtained, keyword matching is performed on the abstracted data (node, consequence_log).
As shown in Fig. 2, a general method for evaluating the intrusion detection based on multi-host log correlation according to the invention specifically comprises the following steps:
Step 1: the whole system is attacked with an intrusion of a certain type; the attack is divided into several sub-events and abstracted into Sub_Attack type data; the log data corresponding to this intrusion is collected and analysed, and the set of logs that reflects this attack is summarised. Because the system is a post-hoc analysis system, the vulnerabilities present in the system are not known in advance; what the system cares about is how to discover intrusion events from the logs after they have occurred, so the assumption that vulnerabilities exist in the whole virtual machine environment does not affect the main functionality of the system;
Step 2: log collection: this module is divided into Windows system log collection and Linux system log collection. The Windows system log collection tool is given a collection interval T, meaning that it collects the log data from the current time back over the interval T; a timer from the Java standard library then runs the collection tool periodically with interval T, and the log data of each interval T is sent by socket communication to UDP port 514 of the target log server, achieving seamless transmission of the log data in time. The Linux system logs are transmitted in real time by rsyslog, so there is no transmission interval problem;
Step 3: the central log server can be configured with the file and storage path that receive the remote system logs; under manual operation it periodically parses the files produced, keeps the useful fields and stores them in the database for subsequent analysis;
Step 4: to perform the horizontal matching and extract the log data features behind the intrusion sub-events, the valid log data must first be filtered out of the database before the abstract analysis. Suitable filtering rules are set according to the intrusion features, the log data corresponding to the intrusion is filtered, and several fields of interest are extracted, such as the node description, the log ID and the description of the log content; these are abstracted into data of type Sub_Attack_log. The filtering rule chosen for this test combines filtering by time with filtering by host: the time range in which the intrusion occurred first limits the time range of the logs, then host filtering is performed by IP address, so that the log records of the target host within that time range are screened out;
Step 5: after log filtering has brought the result data as close as possible to the set of valid data, the filtered log data is matched horizontally, one by one, with the intrusion sub-events by time parameter and description content, the feature data is extracted, and the Sub_Attack_Log instance corresponding to each Sub_Attack instance is obtained.
Step 6: the prepare-for relations between the sub_attack_logs are determined from the temporal and causal relations between the sub_attacks;
Step 7: the abstracted data is stored in the database, updating the matching rule base;
Step 8: once the matching rule base corresponding to the intrusion instance chosen for the test has been established, a simulated attack of the same type is carried out against the same test environment; if malicious behaviour occurs and the system detects behaviour that matches a possible intrusion, a warning message is shown on screen; the system also supports recording the warning information produced at run time in a file for offline analysis.
The foregoing are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included in the scope of protection of the invention.

Claims (10)

1. An intrusion detection system based on multi-host log correlation, characterised in that it comprises an OS log collection module, a log filtering module and a log matching algorithm;
the OS log collection module collects the logs of the virtual machine operating systems and transmits them in real time to a remote log server;
the log filtering module improves the usefulness of the logs, reduces the storage burden and provides the content for subsequent log analysis; it comprises a log selection submodule, a log parsing and storage submodule, a log filtering submodule and a log output submodule, receives the log files transmitted by the OS log collection module, converts them as required according to configured rules, and passes them to subsequent modules;
the log matching algorithm uses the data output by the log filtering module, performs correlation analysis on the log data with a model-based detection approach, matches the collected log sequences against the models in the knowledge base so as to track and identify the intrusion path effectively, and passes the identified intrusions and threat information to the security incident response module.
2. The intrusion detection system based on multi-host log correlation according to claim 1, characterised in that the OS log collection module can use different collection methods for different operating systems and delivers the log information to the server, where the logs are analysed and processed; syslog is used as the unified log format, and in the collection phase logs of other formats are uniformly converted to syslog format for subsequent processing.
3. The intrusion detection system based on multi-host log correlation according to claim 1, characterised in that the log matching algorithm performs log analysis mainly by establishing a set of matching rules and tracks intrusion behaviour; the log matching algorithm draws mainly on time series analysis and causal relation analysis, identifies the various preconditions and results of attacks in different time periods, and then correlates the attacks detected by the system by matching some earlier log files with some later log files.
4. The intrusion detection system based on multi-host log correlation according to claim 2, characterised in that the log collection module is divided into a Windows system log collection submodule and a Linux log collection submodule;
the Windows log collection comprises a log file acquisition submodule, a log event screening submodule, an event metadata extraction submodule, a log reconstruction submodule and a log sending submodule; the input of the log file acquisition submodule is the system log of the source host; document screening rules are applied while the log information is obtained, the valid log records are extracted and parsed, the event metadata after parsing is reconstructed to generate the target log file, and finally the log generation system sends the log file to the target log server;
the Linux log collection submodule forwards the log files to the remote central log server through the syslog or rsyslog service process shipped with the system.
5. The intrusion detection system based on multi-host log correlation according to claim 1, characterised in that the log filtering module performs, for logs in syslog format, filtering by host and by time among other rules, as well as user-defined filtering, so that the logs can be correlated across the cluster.
6. An intrusion detection method based on multi-host-log correlation, characterized in that it specifically comprises the following two steps:
Step 1: the operating system log collection module collects log information in the operating system environment and sends it to the log analysis server;
Step 2: the log analysis server receives the log information, filters, analyses and processes it, and responds.
7. The intrusion detection method according to claim 7, characterized in that step 1 further comprises the following operations:
Step 1.1: obtain the log file: under the Windows operating system, obtain the log file with the extension evtx; under the Linux operating system, obtain the syslog log file;
Step 1.2: screen log events: according to certain rules, perform a preliminary screening of the log file obtained;
Step 1.3: parse and reconstruct the log: under the Windows operating system the log needs to be parsed to generate an intermediate document in XML format, which is then reconstructed into standard SYSLOG format; the Linux operating system does not need this step;
Step 1.4: send the log: the log file is sent to the server end in the form of UDP packets.
8. The intrusion detection method according to claim 7, characterized in that step 2 further comprises the following operations:
Step 2.1: filter the received logs;
Step 2.2: analyse the filtered logs;
Step 2.3: output the system's log analysis results and take intrusion response actions according to the response rule base, so as to guarantee the normal operation of the whole cluster environment.
9. The intrusion detection method according to claim 9, characterized in that step 2.1 further comprises the following operations:
Step 2.1.1: read the SYSLOG, parse the log content line by line and save it;
Step 2.1.2: filter the log file according to the specified rules and, according to the settings, output the filter result in XML or Excel format.
10. The intrusion detection method according to claim 9, characterized in that step 2.2 further comprises the following operations:
Step 2.2.1: build and refine the matching rule base, which includes extracting the matching log feature data, determining the causal relations between log data, and so on;
Step 2.2.2: perform log matching according to the existing matching rules in the matching rule base, and identify the intrusion events corresponding to the matched rules.
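Claims 3, 5, 9 and 10 describe the server side as a pipeline: parse the Syslog stream line by line, filter it by host, time and custom rules, then match rules that link preconditions and consequences across time and across hosts. The Python below is an added illustration of that pipeline, not code from the patent; the sample Syslog lines, hostnames, addresses, the year 2014 used to complete the timestamps and the matching rule itself are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample: Linux sshd lines plus Windows Security events already reconstructed as Syslog (step 1.3).
SAMPLE_SYSLOG = """\
<38>Mar 19 10:00:01 web01 sshd[2101]: Failed password for root from 10.0.0.5 port 4422 ssh2
<38>Mar 19 10:00:03 web01 sshd[2101]: Failed password for root from 10.0.0.5 port 4423 ssh2
<38>Mar 19 10:00:05 web01 sshd[2101]: Failed password for root from 10.0.0.5 port 4424 ssh2
<38>Mar 19 10:00:09 web01 sshd[2103]: Accepted password for root from 10.0.0.5 port 4425 ssh2
<14>Mar 19 10:02:30 db01 Security: EventID=4624 LogonType=3 Account=Administrator Source=10.0.0.21
<14>Mar 19 10:03:10 db01 Security: EventID=4720 New user account created: svc_backup
"""
LINE_RE = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")

def parse_syslog(text, year=2014):
    """Step 2.1.1: parse the stream line by line; malformed lines are dropped, not guessed at."""
    recs = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # BSD syslog carries no year
        recs.append({"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]})
    return sorted(recs, key=lambda r: r["ts"])

def filter_logs(recs, hosts=None, start=None, end=None, custom=None):
    """Step 2.1.2 / claim 5: filter by host set, by time window and by a user-defined predicate."""
    return [r for r in recs if (not hosts or r["host"] in hosts) and (not start or r["ts"] >= start)
            and (not end or r["ts"] <= end) and (not custom or custom(r))]

# A matching rule (claim 3, step 2.2.1) is an ordered list of steps, each a regex with named
# groups. A step must follow the previous one within `within` seconds, shared groups must bind
# to the same value (the causal link), and `host` pins it to the "same" or an "other" host.
BRUTE_FORCE_THEN_LATERAL = {"name": "SSH brute force, success, lateral logon, new account", "steps": [
    {"pattern": r"Failed password for (?P<user>\S+) from (?P<src>\S+)", "min_count": 3, "within": 60},
    {"pattern": r"Accepted password for (?P<user>\S+) from (?P<src>\S+)", "within": 60, "host": "same"},
    {"pattern": r"EventID=4624 LogonType=3 .*Source=(?P<pivot>\S+)", "within": 600, "host": "other"},
    {"pattern": r"EventID=4720 New user account created", "within": 120, "host": "same"},
]}

def match_rule(recs, rule):
    # Step 2.2.2: return the chain of records forming the first full match of `rule`, else None.
    steps, regs = rule["steps"], [re.compile(s["pattern"]) for s in rule["steps"]]
    def bind(i, rec, bound, prev_host):
        m, rel = regs[i].search(rec["msg"]), steps[i].get("host")
        ok = m and (rel != "same" or rec["host"] == prev_host) and (rel != "other" or rec["host"] != prev_host)
        if not ok or any(bound.get(k, v) != v for k, v in m.groupdict().items()):
            return None  # no regex hit, wrong host relation, or conflict with an earlier capture
        return {**bound, **m.groupdict()}
    def walk(i, pos, bound, trail):
        if i == len(steps):
            return trail
        need, prev_host = steps[i].get("min_count", 1), (trail[-1]["host"] if trail else None)
        for j in range(pos, len(recs)):
            if trail and (recs[j]["ts"] - trail[-1]["ts"]).total_seconds() > steps[i]["within"]:
                break  # records are time-sorted, so no later record can satisfy the window either
            b = bind(i, recs[j], bound, prev_host)
            if b is None:
                continue
            n, last = 1, j  # a burst: `min_count` equivalent events on one host inside the window
            for k in range(j + 1, len(recs)):
                if n >= need or (recs[k]["ts"] - recs[j]["ts"]).total_seconds() > steps[i]["within"]:
                    break
                if recs[k]["host"] == recs[j]["host"] and bind(i, recs[k], b, prev_host) == b:
                    n, last = n + 1, k
            found = walk(i + 1, last + 1, b, trail + [recs[last]]) if n >= need else None
            if found:
                return found
    return walk(0, 0, {}, [])

def detect(text, rules=(BRUTE_FORCE_THEN_LATERAL,), **filters):
    # Steps 2.1 and 2.2 end to end: parse, filter, match each rule; returns (rule name, host chain).
    recs = filter_logs(parse_syslog(text), **filters)
    return [(r["name"], [x["host"] for x in chain]) for r in rules if (chain := match_rule(recs, r))]
```

Calling `detect(SAMPLE_SYSLOG)` on the constructed stream reports one chain, web01 -> web01 -> db01 -> db01; restricting the filter to a single host, as step 2.1 allows, suppresses the match because the cross-host step can no longer be satisfied.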
CN201410101730.0A 2014-03-19 2014-03-19 Intrusion detection method based on multi-host-log correlation Pending CN103824069A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410101730.0A CN103824069A (en) 2014-03-19 2014-03-19 Intrusion detection method based on multi-host-log correlation

Publications (1)

Publication Number Publication Date
CN103824069A true CN103824069A (en) 2014-05-28

Family

ID=50759121

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410101730.0A Pending CN103824069A (en) 2014-03-19 2014-03-19 Intrusion detection method based on multi-host-log correlation

Country Status (1)

Country Link
CN (1) CN103824069A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100211826A1 (en) * 2005-11-12 2010-08-19 Logrhythm, Inc. Log collection, structuring and processing
CN103425750A (en) * 2013-07-23 2013-12-04 国云科技股份有限公司 Cross-platform and cross-application log collecting system and collecting managing method thereof

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DANFENG YAN et al.: "Host Security Event Track for Complex Network Environments Based on the Analysis of Log", 2012 IEEE 2nd International Conference on Cloud Computing and Intelligence Systems *
许小明 (Xu Xiaoming): "Data merging and preprocessing techniques for multi-source heterogeneous logs", China Master's Theses Full-text Database, Information Science and Technology section *
颜斯哲 (Yan Sizhe): "Research on log filtering and parsing normalization in a security operations platform", China Master's Theses Full-text Database, Information Science and Technology section *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (Application publication date: 20140528)