CN106603304A - Virtual management system event log processing method and device - Google Patents


Info

Publication number: CN106603304A
Application number: CN201611260364.9A
Authority: CN (China)
Prior art keywords: data, behavior, management system, log, user
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 王传芳
Current assignee: Zhengzhou Yunhai Information Technology Co Ltd
Original assignee: Zhengzhou Yunhai Information Technology Co Ltd
Application filed by Zhengzhou Yunhai Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors

Abstract

The embodiments of the invention disclose a virtualization management system event log processing method. Raw event log data comprising user operation behavior and system operation behavior is extracted from the running of the virtualization management system; the raw event log data is preprocessed to generate log data in a format suitable for data association rule analysis; and the processed log data is analyzed according to preset data association rules to determine the user's operation behavior pattern. The advantage of the method is that a mature association rule algorithm is used, behavior during system operation is controlled by analyzing the event log, the behavior of the current user or system is thereby analyzed accurately, the security problem of the virtualization management system is effectively solved, and the safe and stable operation of the virtualization management system is ensured. In addition, the embodiments of the invention disclose a corresponding implementing device, which makes the method more practical, and the device has corresponding advantages.

Description

Virtualization management system event log processing method and device
Technical field
The present invention relates to the field of virtualization management, and in particular to a virtualization management system event log processing method and device.
Background
With the deepening of informatization, and in particular the gradual adoption of new IT business models such as cloud computing and big data, virtualization has found increasingly wide application in information systems.
As a technology that decouples the computer from physical equipment, virtualization has many advantages: a user can meet a greater information processing demand at the same cost, and so save money. In addition, virtualization technology allows an enterprise to consolidate application software running on multiple systems onto a single server, which simplifies management requirements and makes better use of IT hardware resources. However, the widespread adoption of virtualization changes the management environment greatly. Once a management model suited to physical machines is moved onto virtual machines, serious problems often arise: for example, if one host is attacked, then all of the enterprise application software on its guests and virtual machines is likewise at risk. In a traditional architecture, if one server is subject to a security threat, only the workload on that server is exposed; but in a virtualized data center, if one virtualized server is attacked, all of the virtual machines on that server are affected.
It can be seen that a virtualized server is less secure than a physical server, so how to solve the problem of virtualization security protection is the key issue for a virtualization management system.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a virtualization management system event log processing method and device, in order to solve the problem of virtualization management system security protection.
To solve the above technical problem, the embodiments of the present invention provide the following technical solution:
In one aspect, an embodiment of the present invention provides a virtualization management system event log processing method, including:
extracting raw event log data, comprising user operation behavior and system operation behavior, from the running of the virtualization management system;
preprocessing the raw event log data to generate processed log data in a format suitable for data association rule analysis;
performing association rule analysis on the processed log data according to preset data association rules to determine the user's operation behavior pattern.
Preferably, performing association rule analysis on the processed log data according to preset data association rules to determine the user's operation behavior pattern includes:
finding, from the processed log data, the high-frequency log itemsets that satisfy a preset minimum support threshold;
determining strong association rules from the high-frequency log itemsets according to a preset minimum confidence threshold, and determining the user's operation behavior pattern.
Preferably, preprocessing the raw event log data includes:
cleaning the raw event log data to reject redundant or anomalous items;
filling in incomplete data items in the raw event log data and classifying the data;
normalizing differing data formats to generate the processed log data in a format suitable for data association rule analysis.
Preferably, after determining the user's operation behavior pattern, the method further includes:
detecting the operation behavior of the current user in real time;
judging the operation behavior of the current user, and when the operation behavior of the current user does not conform to the user's operation behavior pattern, judging the operation behavior of the current user to be abnormal behavior.
Preferably, after judging the operation behavior of the current user to be abnormal behavior, the method further includes:
locating the abnormal behavior that has occurred and generating information prompting that the system has abnormal behavior.
In another aspect, an embodiment of the present invention provides a virtualization management system event log processing device, including:
a data extraction module for extracting raw event log data, comprising user operation behavior and system operation behavior, from the running of the virtualization management system;
a data preprocessing module for preprocessing the raw event log data to generate processed log data in a format suitable for data association rule analysis;
a data analysis module for performing association rule analysis on the processed log data according to preset data association rules to determine the user's operation behavior pattern.
Preferably, the data analysis module includes:
a first analysis unit for finding, from the processed log data, the high-frequency log itemsets that satisfy a preset minimum support threshold;
a second analysis unit for determining strong association rules from the high-frequency log itemsets according to a preset minimum confidence threshold, and determining the user's operation behavior pattern.
Preferably, the data preprocessing module includes:
a data cleaning unit for cleaning the raw event log data to reject redundant or anomalous items;
a classification unit for filling in incomplete data items in the raw event log data and classifying the data;
a format conversion unit for normalizing differing data formats to generate the processed log data in a format suitable for data association rule analysis.
Preferably, the device further includes:
a detection module for detecting the operation behavior of the current user in real time;
an abnormality judging module for judging the operation behavior of the current user, and when the operation behavior of the current user does not conform to the user's operation behavior pattern, judging the operation behavior of the current user to be abnormal behavior.
Preferably, the device further includes:
a prompting module for, after the operation behavior of the current user has been judged to be abnormal behavior, locating the abnormal behavior that has occurred and generating information prompting that the system has abnormal behavior.
Embodiments of the present invention provide a virtualization management system event log processing method that extracts raw event log data, comprising user operation behavior and system operation behavior, from the running of the virtualization management system; preprocesses this raw event log data to generate log data in a format suitable for data association rule analysis; and analyzes the processed log data according to preset data association rules to determine the user's operation behavior pattern. The advantage of the application is that, using a mature association rule algorithm, behavior during system operation is controlled by analyzing the event log: the determined operation behavior pattern serves as the standard against which the user's current operation behavior is matched, so that the behavior of the current user or system is analyzed accurately, the security protection problem of the virtualization management system is effectively solved, the security of system resources is improved, and the safe and stable operation of the virtualization management system is ensured. In addition, embodiments of the present invention also provide a corresponding device implementing the virtualization management system event log processing method, which makes the method more practical, and the device has corresponding advantages.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of a virtualization management system event log processing method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of another virtualization management system event log processing method provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of one specific embodiment of a virtualization management system event log processing device provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of another specific embodiment of a virtualization management system event log processing device provided by an embodiment of the present invention.
Detailed description
To help those skilled in the art better understand the solution of the present invention, the present invention is described in further detail below with reference to the drawings and specific embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth" and so on in the description, claims and drawings of this application are used to distinguish different objects, not to describe a specific order. Moreover, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but may include steps or units that are not listed.
The inventor found through research that a virtualization system links a large number of computing, storage and software resources together to form a large shared virtualization pool. Effectively analyzing the user operation behavior on virtualization system resources, discovering users' behavior patterns and analyzing abnormal behavior is of great significance to improving the security of system resources.
A log file is a record file, or set of files, that records system operating events: an operating system has operating system log files, and a database system has database system log files. A system log file contains messages about the system, including the kernel, services, and the applications running on the system. Different log files record different information; for example, some are the default system log files and some record particular tasks. The event log is thus an important tool for system operation management: a large amount of log information is produced during system operation, recording the operation behavior of users in the system, and this log information is ordered by time. Analyzing these log records can therefore reconstruct past system operation behavior to a certain extent, and the records can serve as the content for accurately analyzing user behavior.
An association rule is an implication of the form X → Y, where X and Y are called the antecedent and the consequent of the rule; the rule X → Y has a support and a confidence. Association rules are widely used in the field of data mining. For example, association rule mining applied in financial enterprises can successfully predict bank customers' demands. Once a bank has this information it can improve its own marketing. Banks are constantly developing new ways of communicating with customers; each bank bundles information on its own products that a customer may be interested in onto its own ATMs, so that users of that bank's ATMs learn about them. If the database shows that a customer with a high credit limit has changed address, that customer has very likely just bought a bigger house and may therefore require a higher credit limit, a more premium new credit card, or a home improvement loan; these products can be mailed to the customer along with the credit statement. When a customer calls for assistance, the database can effectively help the telemarketing representative: the customer's characteristics are shown on the representative's screen, together with which products the customer may be interested in.
Assume I = {I1, I2, ..., Im} is the set of items, and let D be a transaction database in which each transaction is a non-empty subset of I and has a unique identifier. The support of an association rule X → Y in D is the percentage of transactions in D that contain both X and Y, i.e. the probability of X and Y occurring together; the confidence is the percentage of the transactions in D containing X that also contain Y, i.e. the conditional probability of Y given X. If a rule meets the preset support threshold and the preset confidence threshold, the association rule is considered meaningful. These thresholds can be set according to the actual needs of the mining.
Table 1
Illustrating with a simple example: Table 1 is the database D of customer purchase records, containing 6 transactions. The itemset is I = {tennis racket, tennis, sport shoes, shuttlecock}. Consider the association rule tennis racket → tennis. Transactions 1, 2, 3, 4 and 6 contain tennis racket, and transactions 1, 2 and 6 contain both tennis racket and tennis, so X∧Y = 3, D = 6, and support = (X∧Y)/D = 0.5; X = 5, so confidence = (X∧Y)/X = 0.6. If the given minimum support is α = 0.5 and the minimum confidence is β = 0.6, then an association is considered to exist between purchasing a tennis racket and purchasing tennis.
Therefore, association rules can be used to mine and analyze event log data, and thereby to analyze users' operation behavior patterns.
In view of this, the application extracts raw event log data, comprising user operation behavior and system operation behavior, from the running of the virtualization management system; preprocesses this raw event log data to generate log data in a format suitable for data association rule analysis; and analyzes the processed log data according to preset data association rules to determine the user's operation behavior pattern.
Having described the technical solution of the embodiments of the present invention, the various non-limiting embodiments of the application are described in detail below.
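The two-stage mining the text describes (high-frequency itemsets under a minimum support, then strong rules under a minimum confidence) is shown below as an added Python example; it is not code from the patent. Because Table 1 itself is not reproduced in this text, the six-transaction database is constructed here as an assumption that matches the counts the text states (transactions 1, 2, 3, 4 and 6 contain a tennis racket, and 1, 2 and 6 contain both racket and tennis); the remaining items are filled in arbitrarily.

```python
from itertools import combinations

# Constructed transaction database D (an assumption standing in for Table 1).
# It reproduces the stated counts: racket in 1,2,3,4,6; racket and tennis in 1,2,6.
TRANSACTIONS = {
    1: {"tennis racket", "tennis", "sport shoes"},
    2: {"tennis racket", "tennis"},
    3: {"tennis racket", "shuttlecock"},
    4: {"tennis racket", "sport shoes"},
    5: {"sport shoes", "shuttlecock"},
    6: {"tennis racket", "tennis", "shuttlecock"},
}


def support(itemset, transactions):
    """Share of transactions in D that contain every item of `itemset`."""
    itemset = frozenset(itemset)
    hits = sum(1 for t in transactions.values() if itemset <= t)
    return hits / len(transactions)


def confidence(x, y, transactions):
    """Conditional probability of Y given X: |X and Y| / |X| over the transactions."""
    x, y = frozenset(x), frozenset(y)
    x_hits = sum(1 for t in transactions.values() if x <= t)
    if x_hits == 0:
        return 0.0
    xy_hits = sum(1 for t in transactions.values() if (x | y) <= t)
    return xy_hits / x_hits


def frequent_itemsets(transactions, min_support):
    """Stage one: level-wise (Apriori-style) search for itemsets with support >= min_support."""
    items = sorted(set().union(*transactions.values()))
    frequent = {}
    level = [frozenset([i]) for i in items]
    while level:
        kept = []
        for cand in level:
            s = support(cand, transactions)
            if s >= min_support:
                frequent[cand] = s
                kept.append(cand)
        # Build (k+1)-candidates from pairs of frequent k-itemsets and keep only
        # those whose every k-subset is frequent (the Apriori pruning step).
        next_level = set()
        for a, b in combinations(kept, 2):
            union = a | b
            if len(union) != len(a) + 1:
                continue
            if all(frozenset(sub) in frequent for sub in combinations(union, len(a))):
                next_level.add(union)
        level = sorted(next_level, key=sorted)
    return frequent


def strong_rules(transactions, min_support, min_confidence):
    """Stage two: split each frequent itemset into X -> Y and keep rules meeting min_confidence.

    Returns tuples (X, Y, support, confidence) with X and Y as sorted tuples of items.
    """
    rules = []
    for itemset, s in frequent_itemsets(transactions, min_support).items():
        if len(itemset) < 2:
            continue
        for k in range(1, len(itemset)):
            for x in combinations(sorted(itemset), k):
                x = frozenset(x)
                y = itemset - x
                c = confidence(x, y, transactions)
                if c >= min_confidence:
                    rules.append((tuple(sorted(x)), tuple(sorted(y)), s, c))
    return rules


if __name__ == "__main__":
    # With alpha = 0.5 and beta = 0.6, racket -> tennis has support 0.5 and confidence 0.6.
    for rule in strong_rules(TRANSACTIONS, min_support=0.5, min_confidence=0.6):
        print(rule)
```

The same two functions apply unchanged to event log itemsets: each processed log record (for example {operating user, operation behavior, operation target, method}) becomes one transaction, and the strong rules found are the operation behavior patterns.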
Referring first to Fig. 1, a flowchart of a virtualization management system event log processing method provided by an embodiment of the present invention, the embodiment may include the following:
S101: extract raw event log data, comprising user operation behavior and system operation behavior, from the running of the virtualization management system.
The virtualization management system records the operation behavior involved during its running, which may specifically include the operating user, the operating time, the operation behavior and the operation target. The operating user may be a member of staff (a technician) or the system itself. This information is stored in the database in the order in which it was performed; these behavior records are the raw log data.
For example, on 29 December 2016 the database administrator Zhang San stored a newly registered employee information table into the company's personnel record database. During this operation the system log automatically records 29 December 2016 and Zhang San in the event log as the operating time and the operating user.
S102: preprocess the raw event log data to generate processed log data in a format suitable for data association rule analysis.
When data mining is performed with an association rule analysis algorithm, the format of the variables involved should meet the requirements of the algorithm, so the raw event log may be preprocessed before analysis to improve the accuracy and efficiency of the algorithm.
Specifically, this may include:
cleaning the raw event log data to reject redundant or anomalous items; filling in incomplete data items in the raw event log data and classifying the data; and normalizing differing data formats to generate the processed log data in a format suitable for data association rule analysis. Of course, other data processing may also be performed; the present invention places no restriction on this.
For example, an employee information table records each employee's name, photo, sex, age, native place and post. When the same age appears repeatedly in one employee's record, it is cleaned so that only one age entry is kept and the others are deleted; when the sex field records something other than male or female, it is treated as an anomalous item and cleaned, and the item must then be supplemented to keep the employee information table complete; and when the photos in the employee information table come in several formats such as tif, gif, bmp or png, they can all be unified into a default photo format such as tif.
S103: perform association rule analysis on the processed log data according to preset data association rules to determine the user's operation behavior pattern.
Specifically, the association rule analysis may be:
finding, from the processed log data, the high-frequency log itemsets that satisfy a preset minimum support threshold; and determining strong association rules from the high-frequency log itemsets according to a preset minimum confidence threshold, thereby determining the user's operation behavior pattern.
That is, association rule mining can include two stages: the first stage finds all high-frequency log itemsets in the event log, and the second stage generates association rules from these high-frequency log itemsets.
High frequency means that the frequency with which an itemset appears, relative to all records, must reach a certain level (the minimum support threshold). The frequency with which an itemset appears is called its support. Taking a 2-itemset containing the two items A and B as an example, the support of the itemset {A, B} can be computed, and if that support is greater than or equal to the set minimum support threshold, {A, B} is called a high-frequency itemset.
Strong association rules are generated from the high-frequency itemsets: rules are generated from each high-frequency itemset, and if the confidence computed for a rule meets the minimum confidence threshold, that rule is called a strong association rule. For example, for the rule A → B generated from the high-frequency itemset {A, B}, its confidence is computed, and if the confidence is greater than or equal to the minimum confidence, A → B is called a strong association rule.
It should be noted that the support threshold and the confidence threshold can be set by the skilled person according to the situation of the actual project; the present invention places no restriction on this.
The operation behavior recorded in the high-frequency itemsets that satisfy the strong association rules can be identified as the user's operation behavior pattern. For example, for saving a document, if in the high-frequency itemsets that satisfy the strong association rules documents are saved with the shortcut ctrl+s, then the pattern for the operation behavior of saving a document is determined to be ctrl+s. When the current user's operation behavior when saving a document is not ctrl+s, that operation behavior is judged not to belong to the user's operation behavior pattern.
From the above, the embodiment of the present invention uses a mature association rule algorithm to control behavior during system operation by analyzing the event log, so that the behavior of the current user or system is analyzed accurately, the security protection problem of the virtualization management system is effectively solved, the security of system resources is improved, and the safe and stable operation of the virtualization management system is ensured.
The above embodiment determines the user's behavior pattern. In actual operation, the current user's behavior can further be tracked to judge whether it conforms to normal behavior, so as to improve the security of the virtualization management system. Referring to Fig. 2, a flowchart of another virtualization management system event log processing method provided by an embodiment of the present invention, this may specifically include the following:
S201-S203: the same as S101-S103 of embodiment one; not repeated here.
S204: detect the operation behavior of the current user in real time.
S205: judge the operation behavior of the current user, and when the operation behavior of the current user does not conform to the user's operation behavior pattern, judge the operation behavior of the current user to be abnormal behavior.
The current user's operation behavior is obtained in real time and matched against the operation behavior pattern of the same type; if the current behavior does not match the behavior pattern, it is determined to be abnormal behavior.
For example, if the operation behavior pattern for saving a document is ctrl+s, but the current user saves the document by clicking the save icon in the menu bar, the user's operation behavior is evidently not ctrl+s, so the operation behavior is considered not to belong to the user's operation behavior pattern and is judged to be abnormal behavior.
Optionally, in one implementation of the embodiment of the present invention, the method may further include, for example:
S206: locate the abnormal behavior that has occurred and generate information prompting that the system has abnormal behavior.
In some special circumstances, for example when a member of staff explores a simpler operation flow, the operation behavior performed necessarily differs from the normal user operation behavior pattern, and the system will automatically judge such staff behavior to be abnormal. Once judged abnormal, the staff member can no longer operate normally in the management system, which inevitably inconveniences the staff member through misjudgment and reduces the staff member's working efficiency.
In view of this, locating the abnormal behavior screens whether the abnormal behavior is that of permitted personnel or of an intruder. If it is abnormal behavior of permitted personnel, it is considered not to be abnormal behavior and no restriction is placed on the person performing it; when it is judged to be the behavior of an intruder, it is determined to be abnormal behavior and the operation behavior is restricted, to prevent the intruder from entering and damaging the management system.
By tracking and judging the user's current operation behavior, abnormal user behavior can be quickly screened out, and by further locating the abnormal behavior, the abnormal target can be quickly found and quickly prevented from entering the management system, thereby ensuring the security of the virtualization management system, improving the security of system resources and ensuring the normal running of the virtualization management system.
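The preprocessing of step S102 (cleaning redundant and anomalous items, filling incomplete items, normalizing formats) and the real-time judging and locating of steps S204-S206 are shown together below as one added Python example; it is not code from the patent. The raw records, field names, time formats, method aliases and the list of permitted users are all constructed assumptions. The pattern step here is a simplified per-behavior frequency threshold standing in for the association rule mining stage: for each operation behavior it keeps the method whose share of that behavior's events reaches the minimum support.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed raw event log records (assumption: one dict per event with these fields).
# The list deliberately contains an exact duplicate, an unparsable time, mixed time
# formats, mixed spellings of the same method, and a missing target.
RAW_LOG = [
    {"user": "zhangsan", "time": "2016-12-29 09:00", "behavior": "save_document", "target": "staff_table", "method": "Ctrl+S"},
    {"user": "zhangsan", "time": "2016-12-29 09:00", "behavior": "save_document", "target": "staff_table", "method": "Ctrl+S"},
    {"user": "zhangsan", "time": "2016/12/29 09:05", "behavior": "save_document", "target": "staff_table", "method": "ctrl-s"},
    {"user": "lisi", "time": "2016-12-29 09:10", "behavior": "save_document", "target": "budget", "method": "ctrl+s"},
    {"user": "lisi", "time": "2016-12-29 09:12", "behavior": "save_document", "target": None, "method": "menu"},
    {"user": "system", "time": "not a time", "behavior": "save_document", "target": "backup", "method": "ctrl+s"},
    {"user": "system", "time": "2016-12-29 09:15", "behavior": "reboot_vm", "target": "vm-01", "method": "api"},
]

TIME_FORMATS = ("%Y-%m-%d %H:%M", "%Y/%m/%d %H:%M")   # assumed input formats
METHOD_ALIASES = {"ctrl-s": "ctrl+s", "control+s": "ctrl+s"}  # assumed spellings


def parse_time(value):
    """Try each accepted time format; None marks an anomalous item."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except (ValueError, TypeError):
            continue
    return None


def preprocess(raw):
    """S102: drop duplicates and anomalous items, fill missing items, normalize formats."""
    seen = set()
    processed = []
    for rec in raw:
        key = tuple(sorted(rec.items()))
        if key in seen:              # redundant item: exact duplicate record
            continue
        seen.add(key)
        when = parse_time(rec["time"])
        if when is None:             # anomalous item: time cannot be parsed
            continue
        method = rec["method"].lower()
        method = METHOD_ALIASES.get(method, method)
        processed.append({
            "user": rec["user"],
            "time": when.isoformat(),                     # one canonical time format
            "behavior": rec["behavior"],
            "target": rec["target"] or "(unspecified)",   # fill the incomplete item
            "method": method,
        })
    return processed


def behavior_patterns(processed, min_support=0.5):
    """Simplified pattern derivation: the method used in >= min_support of each behavior's events."""
    by_behavior = defaultdict(Counter)
    for rec in processed:
        by_behavior[rec["behavior"]][rec["method"]] += 1
    patterns = {}
    for behavior, counts in by_behavior.items():
        method, n = counts.most_common(1)[0]
        if n / sum(counts.values()) >= min_support:
            patterns[behavior] = method
    return patterns


def judge(event, patterns):
    """S205: 'normal' if the event's method matches the pattern for its behavior, else 'abnormal'."""
    expected = patterns.get(event["behavior"])
    if expected is None or event["method"] == expected:
        return "normal"
    return "abnormal"


def locate(event, patterns, permitted_users):
    """S206: permitted personnel are not restricted; any other account is restricted and reported."""
    if judge(event, patterns) == "normal":
        return "no action"
    if event["user"] in permitted_users:
        return "permitted personnel: allow"
    return "restrict and alert"


if __name__ == "__main__":
    history = preprocess(RAW_LOG)
    patterns = behavior_patterns(history)
    current = preprocess([{"user": "zhangsan", "time": "2016-12-29 10:00",
                           "behavior": "save_document", "target": "staff_table", "method": "Menu"}])[0]
    print(patterns, judge(current, patterns), locate(current, patterns, {"zhangsan"}))
```

Incoming events are passed through the same `preprocess` as the history so that the comparison in `judge` is made on normalized values; otherwise a spelling difference such as "Ctrl+S" versus "ctrl+s" would itself be reported as abnormal behavior.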
The embodiment of the present invention be also directed to virtual management System Event Log processing method provide realize device accordingly, Further such that methods described has more practicality.Below to virtual management System Event Log provided in an embodiment of the present invention Processing meanss are introduced, and virtual management System Event Log processing meanss described below and above-described virtualization are managed Reason System Event Log processing method can be mutually to should refer to.
Fig. 3 is referred to, Fig. 3 exists for a kind of virtual management System Event Log processing meanss provided in an embodiment of the present invention A kind of structure chart of specific embodiment, the device may include:
Data extraction module 301, for extract virtual management system operation include user operation behavior and The primitive event daily record data of system operatio behavior;
Data preprocessing module 302, for carrying out data prediction to the primitive event daily record data, generation is applied to Daily record data after the process of data association rule analysis form;
Data analysis module 303, for according to default data association rule, closing to daily record data after the process Connection rule analysis, determine the operation behavior mode of user.
Optionally, in some embodiments of the present embodiment, the data analysis module 403 can for example include:
First analytic unit 3031, for being looked in daily record data from after the process according to default minimum support threshold value Go out to meet the high frequency journal items collection of condition;
Second analytic unit 3032, for concentrating true from the high frequency journal items according to default minimal confidence threshold Determine Strong association rule, determine the operation behavior mode of user.
Optionally, in other embodiments of the present embodiment, the data preprocessing module 302 can for example be wrapped Include:
Data cleansing unit 3021, for data cleansing is carried out to the primitive event daily record data, rejects in data Redundancy or exception item;
Sort out unit 3022, for being filled to deficiency of data item in the primitive event daily record data, and carry out Data are sorted out;
Format conversion unit 3023, for different data forms is normalized, generates and closes suitable for data Daily record data after the process of connection rule analysis form.
Described in the embodiment of the present invention, the function of each functional module of virtual management System Event Log processing meanss can root Implement according to the method in said method embodiment, which implements process and is referred to the correlation of said method embodiment retouches State, here is omitted.
From the foregoing, it will be observed that the embodiment of the present invention is using ripe association rule algorithm, it is right to realize by analyzing event log The control of behavior in system operation, so as to the behavior accurately to active user or system is analyzed, effectively solves The security protection problem of virtual management system, improves the safety of system resource, so as to ensure virtual management system Safe and stable operation.
Referring to Fig. 4, the invention also provides another embodiment. The data extraction module 401, data preprocessing module 402 and data analysis module 403 of this embodiment have the same functions as modules 301 to 303 of the embodiment above and are not described again here.
On the basis of the embodiment above, the apparatus may further include:
a detection module 404, configured to detect the operation behavior of the current user in real time;
an abnormality judging module 405, configured to judge the operation behavior of the current user and, when the operation behavior of the current user does not conform to the operation behavior pattern of the user, to judge the operation behavior of the current user to be abnormal behavior;
a prompting module 406, configured to, after the operation behavior of the current user has been judged to be abnormal behavior, locate the abnormal behavior that has occurred and generate prompt information indicating that abnormal behavior exists in the system.
By tracking and judging the current operation behavior of the user, abnormal user behavior can be screened out quickly; further, by locating the abnormal behavior, the abnormal target can be found quickly and prevented from entering the management system, which ensures the security of the virtual management system, improves the security of system resources, and ensures its normal operation.
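The following is an added worked example, not code from this patent or its applicant, that carries the claimed pipeline of modules 301 to 303 and 404 to 406 (and claims 1 to 5) through in Python on a constructed hypervisor-management event log. It runs the three preprocessing steps (cleansing of duplicate and unparsable lines, filling of a missing user field, normalization of two log formats, classification of events into login-to-logout sessions), then the two analysis units (high-frequency item sets under a minimum support, strong rules under a minimum confidence; this minimum-support / minimum-confidence procedure is the classical Apriori formulation), and finally checks a live session against the mined pattern and localizes the deviation. The log lines and their formats, the field names, the session definition, the thresholds (support 0.5, confidence 0.7) and the choice to also flag an action never seen in the mined pattern are all assumptions of this example.

```python
"""Added worked example, not code from patent CN106603304A or its applicant:
the claimed preprocess -> mine -> detect pipeline over a constructed
hypervisor-management event log.  Formats, thresholds and the treatment of
never-seen actions as deviations are assumptions of this example."""
import re
from collections import Counter
from itertools import combinations

# Constructed sample log: key=value lines and syslog-style lines, one exact
# duplicate, one empty user field, one absent user field and one garbage line.
RAW_LOG = """\
2024-05-01T08:00:01Z user=alice action=login target=vcenter
2024-05-01T08:00:05Z user=alice action=create_vm target=vm-101
2024-05-01T08:00:05Z user=alice action=create_vm target=vm-101
2024-05-01T08:00:09Z user=alice action=snapshot target=vm-101
2024-05-01T08:00:20Z user=alice action=logout target=vcenter
May  1 09:00:01 mgmt alice: login vcenter
May  1 09:00:04 mgmt alice: create_vm vm-102
May  1 09:00:08 mgmt alice: snapshot vm-102
May  1 09:00:30 mgmt alice: logout vcenter
2024-05-01T10:00:01Z user= action=login target=vcenter
2024-05-01T10:00:02Z action=create_vm target=vm-103
this line is garbage
2024-05-01T11:00:01Z user=bob action=login target=vcenter
2024-05-01T11:00:03Z user=bob action=create_vm target=vm-104
2024-05-01T11:00:05Z user=bob action=snapshot target=vm-104
2024-05-01T11:00:09Z user=bob action=logout target=vcenter
"""
KV_RE = re.compile(r"^\S+ (?:user=(?P<user>\S*) )?action=(?P<action>\S+) target=(?P<target>\S+)$")
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<user>\w+): (?P<action>\S+) (?P<target>\S+)$")


def normalize(line):
    """Format conversion unit: map either raw format to one (user, action, target)
    record, filling an empty or absent user with 'unknown'; None if unparsable."""
    for rx in (KV_RE, SYSLOG_RE):
        m = rx.match(line)
        if m:
            return (m.group("user") or "unknown", m.group("action"), m.group("target"))
    return None


def preprocess(raw):
    """Cleansing + classification: one transaction (set of actions) per
    login..logout session of a user; returns (transactions, lines rejected)."""
    seen, rejected, open_sessions, transactions = set(), 0, {}, []
    for line in raw.splitlines():
        rec = normalize(line)
        if rec is None or line in seen:          # reject garbage and exact duplicates
            rejected += 1
            continue
        seen.add(line)
        user, action, _target = rec
        if action == "login" and user in open_sessions:   # login without logout closes the old session
            transactions.append(frozenset(open_sessions.pop(user)))
        open_sessions.setdefault(user, set()).add(action)
        if action == "logout":
            transactions.append(frozenset(open_sessions.pop(user)))
    transactions.extend(frozenset(s) for s in open_sessions.values())  # sessions still open at end
    return transactions, rejected


def frequent_itemsets(transactions, min_support):
    """First analysis unit: level-wise Apriori search; returns {itemset: support}
    for every item set contained in at least min_support of the sessions."""
    n, support = len(transactions), {}
    level, k = [frozenset([i]) for i in sorted({i for t in transactions for i in t})], 1
    while level:
        counts = Counter(c for t in transactions for c in level if c <= t)
        survivors = {c for c in counts if counts[c] / n >= min_support}
        support.update({c: counts[c] / n for c in survivors})
        k += 1   # join survivors into k-item candidates, prune any with an infrequent (k-1)-subset
        cands = {a | b for a in survivors for b in survivors if len(a | b) == k}
        level = [c for c in cands if all(frozenset(s) in survivors for s in combinations(c, k - 1))]
    return support


def strong_rules(support, min_confidence):
    """Second analysis unit: split each frequent item set into antecedent -> consequent
    and keep the rules whose confidence supp(A u B) / supp(A) >= min_confidence."""
    rules = {}
    for itemset, supp in support.items():
        for r in range(1, len(itemset)):
            for ante in map(frozenset, combinations(sorted(itemset), r)):
                if supp / support[ante] >= min_confidence:
                    rules[(ante, itemset - ante)] = supp / support[ante]
    return rules


def detect(session, rules, support):
    """Detection and abnormality judgement: actions never seen in the mined pattern,
    plus every strong rule whose antecedent the session satisfies but whose
    consequent it lacks (the localised deviation the prompt would report)."""
    unseen = session - {i for s in support for i in s}
    violated = [(a, c, conf) for (a, c), conf in rules.items() if a <= session and not c <= session]
    return unseen, violated


if __name__ == "__main__":
    tx, rejected = preprocess(RAW_LOG)
    sup = frequent_itemsets(tx, min_support=0.5)
    rules = strong_rules(sup, min_confidence=0.7)
    print(f"{len(tx)} sessions, {rejected} rejected lines, {len(sup)} frequent sets, {len(rules)} strong rules")
    live = frozenset({"login", "create_vm", "delete_vm", "logout"})   # constructed live session
    unseen, violated = detect(live, rules, sup)
    for a, c, conf in sorted(violated, key=lambda v: -v[2])[:3]:
        print(f"ALERT {sorted(a)} -> {sorted(c)} (confidence {conf:.2f}) not satisfied")
    print("ALERT never-seen actions:", sorted(unseen))
```

On the constructed log the miner finds, among others, that a session with `create_vm` is followed by `snapshot` (confidence 0.75) and that one with `snapshot` always contains `create_vm` (confidence 1.0); the live session that deletes a VM instead of snapshotting it then violates those rules and introduces an action the pattern has never seen. Two practical caveats: the thresholds decide both sensitivity and rule count (the four-action sessions here already yield dozens of rules, so a deployment would rank by confidence and lift and mine per user rather than globally), and a rule can only be as trustworthy as the log it was mined from, so the raw event log must itself be write-protected against the users whose behavior it models.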
In this specification the embodiments are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and reference is made to the description of the method for the relevant parts.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in the embodiments herein can be implemented in electronic hardware, in computer software, or in a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as going beyond the scope of the invention.
The steps of the method or algorithm described in the embodiments herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The virtual management system event log processing method and apparatus provided by the invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the invention; the description of the above embodiments is only intended to help understand the method of the invention and its core idea. It should be noted that those of ordinary skill in the art can make improvements and modifications to the invention without departing from its principle, and such improvements and modifications also fall within the scope of protection of the claims of the invention.

Claims (10)

1. A virtual management system event log processing method, characterized by comprising:
extracting, from the operation of the virtual management system, original event log data that includes user operation behavior and system operation behavior;
performing data preprocessing on the original event log data to generate preprocessed log data in a format suitable for data association rule analysis;
performing association rule analysis on the preprocessed log data according to a preset data association rule, and determining the operation behavior pattern of the user.
2. The virtual management system event log processing method according to claim 1, characterized in that performing association rule analysis on the preprocessed log data according to the preset data association rule and determining the operation behavior pattern of the user comprises:
finding, according to a preset minimum support threshold, the high-frequency log item sets in the preprocessed log data that satisfy that threshold;
determining strong association rules from the high-frequency log item sets according to a preset minimum confidence threshold, and determining the operation behavior pattern of the user.
3. The virtual management system event log processing method according to claim 2, characterized in that performing data preprocessing on the original event log data comprises:
performing data cleansing on the original event log data and rejecting redundant or abnormal items in the data;
filling incomplete data items in the original event log data and classifying the data;
normalizing the different data formats to generate preprocessed log data in a format suitable for data association rule analysis.
4. The virtual management system event log processing method according to any one of claims 1 to 3, characterized by further comprising, after determining the operation behavior pattern of the user:
detecting the operation behavior of the current user in real time;
judging the operation behavior of the current user and, when the operation behavior of the current user does not conform to the operation behavior pattern of the user, judging the operation behavior of the current user to be abnormal behavior.
5. The virtual management system event log processing method according to claim 4, characterized by further comprising, after judging the operation behavior of the current user to be abnormal behavior:
locating the abnormal behavior that has occurred, and generating prompt information indicating that abnormal behavior exists in the system.
6. A virtual management system event log processing apparatus, characterized by comprising:
a data extraction module, configured to extract, from the operation of the virtual management system, original event log data that includes user operation behavior and system operation behavior;
a data preprocessing module, configured to perform data preprocessing on the original event log data and generate preprocessed log data in a format suitable for data association rule analysis;
a data analysis module, configured to perform association rule analysis on the preprocessed log data according to a preset data association rule and determine the operation behavior pattern of the user.
7. The virtual management system event log processing apparatus according to claim 6, characterized in that the data analysis module comprises:
a first analysis unit, configured to find, according to a preset minimum support threshold, the high-frequency log item sets in the preprocessed log data that satisfy that threshold;
a second analysis unit, configured to determine strong association rules from the high-frequency log item sets according to a preset minimum confidence threshold, and determine the operation behavior pattern of the user.
8. The virtual management system event log processing apparatus according to claim 7, characterized in that the data preprocessing module comprises:
a data cleansing unit, configured to perform data cleansing on the original event log data and reject redundant or abnormal items in the data;
a classification unit, configured to fill incomplete data items in the original event log data and classify the data;
a format conversion unit, configured to normalize the different data formats and generate preprocessed log data in a format suitable for data association rule analysis.
9. The virtual management system event log processing apparatus according to any one of claims 6 to 8, characterized by further comprising:
a detection module, configured to detect the operation behavior of the current user in real time;
an abnormality judging module, configured to judge the operation behavior of the current user and, when the operation behavior of the current user does not conform to the operation behavior pattern of the user, judge the operation behavior of the current user to be abnormal behavior.
10. The virtual management system event log processing apparatus according to claim 9, characterized by further comprising:
a prompting module, configured to, after the operation behavior of the current user has been judged to be abnormal behavior, locate the abnormal behavior that has occurred and generate prompt information indicating that abnormal behavior exists in the system.

Publications (1)

Publication Number Publication Date
CN106603304A true CN106603304A (en) 2017-04-26

Family

ID=58581607

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111209314A (en) * 2020-01-13 2020-05-29 国网浙江省电力有限公司信息通信分公司 System for processing massive log data of power information system in real time
CN111831528A (en) * 2020-07-17 2020-10-27 浪潮商用机器有限公司 Computer system log association method and related device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102724176A (en) * 2012-02-23 2012-10-10 北京市计算中心 Intrusion detection system facing cloud calculating environment
CN103824069A (en) * 2014-03-19 2014-05-28 北京邮电大学 Intrusion detection method based on multi-host-log correlation
CN104038466A (en) * 2013-03-05 2014-09-10 中国银联股份有限公司 Intrusion detection system, method and device for cloud calculating environment
CN105243008A (en) * 2015-11-02 2016-01-13 上海新炬网络信息技术有限公司 Host machine-based virtual machine performance monitoring method
US20160110975A1 (en) * 2012-01-08 2016-04-21 Imagistar Llc Intelligent Item Containers for Sensing, Monitoring, Remembering and Tracking Container Contents

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张辰 (Zhang Chen), "基于数据挖掘和蜜罐的新型入侵检测系统研究" (Research on a new intrusion detection system based on data mining and honeypots), China Master's Theses Full-text Database, Information Science and Technology series *
李俊莉 (Li Junli), 《电子信息环境下犯罪行为研究》 (Research on criminal behavior in the electronic information environment), People's Public Security University of China Press, 31 October 2013 *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170426