CN111404903B - Log processing method, device, equipment and storage medium - Google Patents

Log processing method, device, equipment and storage medium

Info

Publication number: CN111404903B
Authority: CN (China)
Prior art keywords: event, log, risk, weight, current
Legal status: Active
Application number: CN202010157807.1A
Other languages: Chinese (zh)
Other versions: CN111404903A (en)
Inventors: 郭振乾, 许佳创
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Events:
  Application filed by Sangfor Technologies Co Ltd
  Priority to CN202010157807.1A
  Publication of CN111404903A
  Application granted
  Publication of CN111404903B
  Legal status: Active (current)
  Anticipated expiration

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425  Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a log processing method, device, equipment and storage medium. The method comprises: reading a current log event in a firewall log; acquiring an event risk relationship, in which the risk weight of each log event is recorded; searching the event risk relationship for the target risk weight corresponding to the current log event; and outputting the current log event together with the target risk weight. Because the current log event and its target risk weight are output jointly, a user reading the current log event in the firewall log learns the risk degree of that event at the same time, can see directly from the log event what risk the corresponding traffic data poses, and finds the log events in the firewall log more readable. The application further provides a log processing device, equipment and storage medium with the same beneficial effects.

Description

Log processing method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular to a log processing method, apparatus, device and storage medium.
Background
A firewall combines software and hardware devices for security management and screening in order to build a relatively isolated protective barrier between an internal network and an external network. It detects and handles security risks and data transmission problems that may arise while the network is operating, and records and inspects security-relevant operations, so as to keep the network running securely, preserve the integrity of user data and information, and give users a safer network experience.
After analyzing the traffic data received by an intranet host, the firewall usually generates a corresponding firewall log containing a log event for each piece of traffic data. The readability of such firewall logs is poor, however, so a user often cannot tell from a log event what risk the corresponding traffic data poses.
Providing a log processing method that improves the readability of firewall logs, so that a user can see directly from a log event the risk posed by the corresponding traffic data, is therefore a problem to be solved by those skilled in the art.
Disclosure of Invention
The aim of the present application is to provide a log processing method, device, equipment and storage medium that improve the readability of firewall logs, so that a user can see directly from a log event the risk posed by the corresponding traffic data.
To solve the above technical problem, the present application provides a log processing method, comprising:
reading a current log event in a firewall log;
acquiring an event risk relationship, in which the risk weight of each log event is recorded;
searching the event risk relationship for a target risk weight corresponding to the current log event; and
outputting the current log event and the target risk weight.
Preferably, reading a current log event in the firewall log comprises:
reading the current log event corresponding to each intranet host in the firewall log;
and correspondingly, outputting the current log event and the target risk weight comprises:
outputting the current log event and the target risk weight of each intranet host.
Preferably, when the number of current log events corresponding to an intranet host is greater than 1, searching the event risk relationship for a target risk weight corresponding to the current log event comprises:
searching the event risk relationship for the current risk weight corresponding to each current log event; and
selecting the largest of these current risk weights as the target risk weight.
Preferably, outputting the current log event and the target risk weight of each intranet host comprises:
outputting the current log events and target risk weights of the intranet hosts in descending order of target risk weight.
Preferably, the current log event contains an event occurrence count;
and correspondingly, outputting the current log event and the target risk weight of each intranet host comprises:
outputting the current log events and target risk weights of the intranet hosts in descending order of the event occurrence count in each current log event.
Preferably, before outputting the current log event and the target risk weight, the method further comprises:
recording the current log event and the target risk weight, in correspondence, in an intermediate table;
and correspondingly, outputting the current log event and the target risk weight comprises:
outputting the current log event and the target risk weight from the intermediate table.
Preferably, acquiring the event risk relationship comprises:
acquiring a log event comprising a network type, a behavior type, an event description and an attack chain stage, and determining the risk weight of the log event from the network type, the behavior type, the event description and the attack chain stage; and
establishing a correspondence between the log event and its risk weight to obtain the event risk relationship.
Preferably, determining the risk weight of the log event from the network type, the behavior type, the event description and the attack chain stage comprises:
acquiring the risk weight components corresponding respectively to the network type, the behavior type, the event description and the attack chain stage; and
performing a weighted operation on the risk weight components to obtain the risk weight.
Preferably, the event risk relationship records a threat weight and/or a failure weight of each log event;
correspondingly, searching the event risk relationship for the target risk weight corresponding to the current log event comprises:
searching the event risk relationship for a target threat weight and/or a target failure weight corresponding to the current log event;
and correspondingly, outputting the current log event and the target risk weight comprises:
outputting the current log event and the target threat weight and/or the target failure weight.
Preferably, outputting the current log event and the target threat weight and/or the target failure weight comprises:
outputting the current log event as a list, and outputting the target threat weight and/or the target failure weight as a chart.
In addition, the present application provides a log processing apparatus, comprising:
a log reading module for reading a current log event in a firewall log;
a relationship acquisition module for acquiring an event risk relationship, in which the risk weight of each log event is recorded;
a searching module for searching the event risk relationship for a target risk weight corresponding to the current log event; and
an output module for outputting the current log event and the target risk weight.
The present application also provides log processing equipment, comprising:
a memory for storing a computer program; and
a processor for implementing the steps of the log processing method described above when executing the computer program.
Furthermore, the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the log processing method described above.
In the log processing method of the present application, the current log event in the firewall log is read, an event risk relationship recording the risk weights of log events is acquired, the target risk weight corresponding to the current log event is searched in that relationship, and the current log event and the target risk weight are output. Because they are output jointly, a user reading the current log event learns its risk degree at the same time, can see directly from the log event what risk the corresponding traffic data poses, and finds the log events in the firewall log more readable. The log processing device, equipment and storage medium provided by the application have the same beneficial effects.
Drawings
To illustrate the embodiments more clearly, the drawings needed for the embodiments are briefly described below. The drawings described here show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of a log processing method disclosed in an embodiment of the present application;
fig. 2 is a flowchart of a specific log processing method disclosed in an embodiment of the present application;
fig. 3 is a flowchart of a specific log processing method disclosed in an embodiment of the present application;
fig. 4 is a flowchart of a specific log processing method disclosed in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a log processing apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. The described embodiments are only a part of the embodiments of the present application, not all of them; all other embodiments that a person of ordinary skill in the art obtains from them without creative effort fall within the scope of protection of the present application.
After analyzing the traffic data received by an intranet host, the firewall usually generates a corresponding firewall log containing a log event for each piece of traffic data. The readability of such logs is poor, so a user often cannot tell from a log event what risk the corresponding traffic data poses.
The core of the present application is therefore a log processing method that improves the readability of firewall logs, so that the user can see directly from a log event the risk posed by the corresponding traffic data.
Referring to fig. 1, an embodiment of the present application discloses a log processing method, including:
step S10: and reading a current log event in the firewall log.
It should be noted that the firewall log in this step is a log file recorded with relevant attribute information of the traffic data, which is generated after the firewall performs content analysis on the traffic data according to a preset analysis policy after receiving the traffic data transmitted from the external network server to the internal network host, each traffic data has a corresponding log event in the firewall log, the log event further records the relevant attribute information of the corresponding traffic data, and the current log event in this step refers to a log event that is already present in the firewall log.
In addition, in this step, the reading of the firewall log may be specifically performed in the firewall device, or may be performed in other service devices in which the firewall log is stored, which is not limited specifically herein.
Step S11: and acquiring an event risk relationship, wherein the event risk relationship records the risk weight of the log event.
The sequence between the step and the step of obtaining the current log event in the firewall log is not fixed, and can also be carried out simultaneously. In addition, the event risk relationship obtained in this step should be generated in advance according to the severity of various attack behaviors performed through the flow data, wherein risk weights of various log events are recorded, and the risk weight represents the risk degree of the flow data corresponding to the log event to the operation security of the intranet host.
Step S12: and searching a target risk weight corresponding to the current log event in the event risk relationship.
After the current log event and the event risk relationship are obtained, a target risk weight corresponding to the current log event is further searched in the event risk relationship, and therefore the risk degree of the current log event is reflected through the target risk weight.
Step S13: and outputting the current log event and the target risk weight.
After the target risk weight is obtained, relevance output is further performed on the current log event and the target risk weight in the step, so that readability of the user on the current log event is improved through the target risk weight. In addition, the outputting of the current log event and the target risk weight may specifically be outputting the current log event and the target risk weight in a form of a front-end page, or outputting the current log event and the target risk weight in a form of a file, which is not limited specifically herein.
According to the log processing method, the current log event in the firewall log is read, the event risk relationship in which the risk weight of the log event is recorded is obtained, the target risk weight corresponding to the current log event is searched in the event risk relationship, and the current log event and the target risk weight are output. According to the method, the current log event and the target risk weight corresponding to the current log event are jointly output, so that a user can read the current log event in the firewall log and simultaneously learn the risk degree of the current log event, the user can be relatively ensured to intuitively know the risk caused by the flow data according to the log event corresponding to the flow data, and the readability of the user on the log event in the firewall log is improved.
On the basis of the above embodiment, as a preferred implementation, before outputting the current log event and the target risk weight, the method further comprises:
recording the current log event and the target risk weight, in correspondence, in an intermediate table;
and correspondingly, outputting the current log event and the target risk weight comprises:
outputting the current log event and the target risk weight from the intermediate table.
In this embodiment, after the target risk weight corresponding to the current log event has been found in the event risk relationship, the current log event and the target risk weight are recorded in correspondence in an intermediate table, and the output is then produced from the pairs recorded in that table. Recording the pairs in the intermediate table before output helps to ensure that the current log events and target risk weights are output accurately and consistently.
On the basis of the above embodiment, as a preferred implementation, acquiring an event risk relationship includes:
acquiring a log event comprising a network type, a behavior type, an event description and an attack chain stage, and determining the risk weight of the log event according to the network type, the behavior type, the event description and the attack chain stage;
and establishing a corresponding relation between the log event and the risk weight to obtain an event risk relation.
In this embodiment, a log event in the event risk relationship comprises a network type, a behavior type, an event description and an attack chain stage. The network type classifies the kind of network threat in which the host generated the log event, for example botnet, trojan remote control, malicious link or phishing mail. The behavior type classifies the host's network behavior, for example suspicious behavior, malicious trojan connection, port scanning or address scanning. The event description is a textual description of the host's operation, for example that the host accessed a C&C (command and control server) address, that the number of executable files the host downloaded from sites of unknown classification exceeded a threshold, or that the host is suspected of network access that did not go through a browser. The attack chain stage is the stage of the attack to which the host's network behavior belongs, for example C&C communication or data leakage. This embodiment enriches the content of the log event and so further improves its readability for the user.
Further, as a preferred embodiment, determining the risk weight of the log event according to the network type, the behavior type, the event description and the attack chain stage comprises:
acquiring risk weight components respectively corresponding to a network type, a behavior type, an event description and an attack chain stage;
and performing weighted operation on each risk weight component to obtain a risk weight.
In this embodiment the risk weight of a log event is generated by obtaining the risk weight components corresponding to the network type, the behavior type, the event description and the attack chain stage, and then combining those components in a weighted operation whose weights reflect the relative contribution of each of the four dimensions to risk severity; the result is the overall risk weight of the log event. Deriving the risk weight from a weighted combination of its components helps to ensure that the risk weight of the log event is calculated accurately.
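The weighted operation described above, carried through in code as an added example that is not part of the patent or of Sangfor's product: the per-dimension component scores, the dimension ratios and the sample events are constructed assumptions (the patent gives no numeric values), and the lookup raises on an unknown dimension value rather than silently scoring it zero, because an event with weight 0 would never reach the top of a ranking built on these weights.

```python
from dataclasses import dataclass

# Assumed component scores (0-10) per dimension. The patent only says each
# dimension contributes a risk weight component; these tables are constructed.
NETWORK_TYPE_SCORE = {
    "botnet": 8,
    "trojan remote control": 7,
    "malicious link": 5,
    "phishing mail": 4,
}
BEHAVIOR_TYPE_SCORE = {
    "suspicious behavior": 3,
    "malicious trojan connection": 8,
    "port scanning": 5,
    "address scanning": 4,
}
DESCRIPTION_SCORE = {
    "host accessed a C&C communication address": 9,
    "host downloaded executables from unclassified sites above threshold": 6,
    "host accessed a malicious link": 5,
}
ATTACK_CHAIN_SCORE = {
    "reconnaissance": 3,
    "delivery": 5,
    "C&C communication": 8,
    "data leakage": 10,
}
# Assumed ratio of each dimension in the weighted operation; the ratios sum to
# 1.0 so the result stays on the same 0-10 scale as the components.
DIMENSION_RATIO = {"network": 0.3, "behavior": 0.2, "description": 0.2, "chain": 0.3}


@dataclass(frozen=True)
class LogEvent:
    network_type: str
    behavior_type: str
    description: str
    attack_chain_stage: str


def _component(table: dict, key: str, dimension: str) -> int:
    # Fail loudly on an unknown value instead of defaulting to 0.
    if key not in table:
        raise ValueError(f"no {dimension} component for {key!r}")
    return table[key]


def risk_weight(event: LogEvent) -> int:
    """Weighted operation over the four risk weight components, rounded to 0-10."""
    components = {
        "network": _component(NETWORK_TYPE_SCORE, event.network_type, "network type"),
        "behavior": _component(BEHAVIOR_TYPE_SCORE, event.behavior_type, "behavior type"),
        "description": _component(DESCRIPTION_SCORE, event.description, "event description"),
        "chain": _component(ATTACK_CHAIN_SCORE, event.attack_chain_stage, "attack chain stage"),
    }
    total = sum(DIMENSION_RATIO[name] * score for name, score in components.items())
    return int(round(total))


def build_event_risk_relationship(events) -> dict:
    """Map each log event to its risk weight: the event risk relationship."""
    return {event: risk_weight(event) for event in events}


# Constructed sample events.
SAMPLE_EVENTS = [
    LogEvent("botnet", "malicious trojan connection",
             "host accessed a C&C communication address", "C&C communication"),
    LogEvent("malicious link", "suspicious behavior",
             "host accessed a malicious link", "delivery"),
    LogEvent("trojan remote control", "suspicious behavior",
             "host downloaded executables from unclassified sites above threshold", "delivery"),
]

if __name__ == "__main__":
    for event, weight in build_event_risk_relationship(SAMPLE_EVENTS).items():
        print(weight, event.description)
```

With these assumed tables the C&C event scores 8 and the two delivery-stage events score 5; changing the dimension ratios is how a deployment would express, for instance, that the attack chain stage should dominate the weight.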
Referring to fig. 2, an embodiment of the present application discloses a log processing method, including:
step S20: and reading the current log event corresponding to each intranet host in the firewall log.
It should be noted that, the key point of this embodiment is that when reading the current log event in the firewall log, the current log event is specifically performed in units of each intranet host, that is, the current log event corresponding to each intranet host in the firewall log is read respectively, so that the current log event corresponding to different intranet hosts can be read respectively and then matched with the target risk weight in the event risk relationship.
Step S21: and acquiring an event risk relationship, wherein the event risk relationship records the risk weight of the log event.
Step S22: and searching a target risk weight corresponding to the current log event in the event risk relationship.
Step S23: and outputting the current log event and the target risk weight of each intranet host.
After the target risk weight corresponding to the current log event is found in the event risk relationship, the present embodiment further outputs the current log event and the target risk weight of each intranet host, that is, the current log event of each intranet host and the target risk weight corresponding to the current log event are respectively output by taking each intranet host as a unit. In the embodiment, the corresponding current log event is acquired from the firewall log by taking the intranet host as a unit, and the current log event and the corresponding target risk weight are output, so that a user can be ensured to correspond the current log event and the target risk weight to the intranet host, and the readability of the user on the firewall log is further improved.
Referring to fig. 3, for the case in which the number of current log events corresponding to an intranet host is greater than 1, an embodiment of the present application discloses a log processing method, comprising:
Step S30: reading the current log event corresponding to each intranet host in the firewall log.
Step S31: acquiring an event risk relationship, in which the risk weight of each log event is recorded.
Step S32: searching the event risk relationship for the current risk weight corresponding to each current log event.
Step S33: selecting the largest of the current risk weights as the target risk weight.
When the number of current log events corresponding to an intranet host is greater than 1, the network security of that host is affected by several current log events at once. The event with the greatest effect on the host's network security is usually the one with the largest current risk weight, so after searching the event risk relationship for the current risk weight of each current log event, this embodiment selects the largest of them as the target risk weight.
Step S34: outputting the current log event and the target risk weight of each intranet host.
This embodiment thus ensures that the target risk weight output for each intranet host is accurate when the host has more than one current log event.
On the basis of the above embodiment, as a preferred implementation, outputting the current log event and the target risk weight of each intranet host comprises:
outputting the current log events and target risk weights of the intranet hosts in descending order of target risk weight.
This embodiment outputs the current log events of the intranet hosts in descending order of their target risk weights, so that the user sees first the log events whose traffic data has the greatest effect on the network security of the intranet hosts, which further improves the readability of the firewall log.
On the basis of the above embodiment, as a preferred implementation, the current log event includes an event occurrence count;
and correspondingly, outputting the current log event and the target risk weight of each intranet host comprises:
outputting the current log events and target risk weights of the intranet hosts in descending order of the event occurrence count in each current log event.
In this embodiment the current log event includes an event occurrence count, that is, the total number of times the intranet host received the traffic data corresponding to the current log event. Because an attack that an external network server launches repeatedly against an intranet host usually has a large effect on the host's network security, this embodiment outputs the current log events of the intranet hosts in descending order of the event occurrence count, so that the user sees first the log events whose traffic data has the greatest effect on the network security of the intranet hosts, which further improves the readability of the firewall log.
Referring to fig. 4, an embodiment of the present application discloses a log processing method, including:
step S40: and reading a current log event in the firewall log.
Step S41: and acquiring an event risk relationship, wherein the event risk relationship records the threat weight and/or the fault weight of the log event.
It should be noted that the risk weight in this embodiment specifically includes a threat weight and/or a failure weight, that is, the risk weight may specifically include any one or both of the threat weight and the failure weight. The threat weight in this embodiment represents the severity of the attack threat suffered by the current intranet host, and the threat weight may be embodied in a form of numbers, and the larger the number is, the higher the threat severity is; the failure weight in this embodiment indicates the possibility of the current local host failing due to attack, and the failure weight may be embodied in a form of a number, where the larger the number is, the higher the possibility of the intranet host failing is.
Step S42: and searching a target threat weight and/or a target failure weight corresponding to the current log event in the event risk relation.
Step S43: outputting the current log event and the target threat weight and/or the target failure weight.
The risk weight is further refined into a target threat weight representing the severity of the current intranet host suffering from attack threat and a target fault weight representing the possibility that the current local host is lost due to attack, the comprehensiveness of the target risk weight corresponding to the current log event is further ensured, and therefore the readability of the user on the firewall log is further improved.
On the basis of the above embodiment, as a preferred implementation, outputting the current log event and the target threat weight and/or the target failure weight includes:
outputting the current log event in a list form, and outputting the target threat weight and/or the target failure weight in a chart form.
This embodiment outputs the current log event as a list and the target threat weight and/or target failure weight as a chart. The chart includes, but is not limited to, a pie chart and a coordinate system. The list presents the current log events in detail, while the chart shows the magnitude of the weights more directly, so the readability of the firewall log is further improved.
To deepen understanding of the above embodiments, a scenario embodiment of processing a firewall log in a practical application is given below.
At regular intervals the firewall equipment generates a firewall log from the traffic data received by the intranet hosts, matches each log event in the log against the defined event risk relationship (shown in the table below) to obtain its threat weight and failure weight, and writes the log event together with its associated threat weight and failure weight into an intermediate table.
When the user opens the front-end console, the contents of the intermediate table are displayed there.
The front-end display is organized per intranet host (IP address), and the threat weight and failure weight shown for a host are the highest levels among the attack types that host has suffered. For example, if intranet host 200.200.154.119 shows three behaviors, a malware trojan URL, trojan remote control and a DDoS attack, with threat weight 7 and failure weight 4 for the malware trojan URL, threat weight 7 and failure weight 2 for trojan remote control, and threat weight 10 and failure weight 7 for the DDoS attack, then the intranet host is shown with threat weight 10 and failure weight 7.
The intranet hosts are sorted by the following keys, in order of precedence: failure weight (descending), number of high-level active events (descending), processing state, and source identification.
The distribution of host security states by failure weight is shown as a pie chart and as a coordinate system, which lets the user see the compromise situation of the intranet hosts more directly. In the coordinate system the failure weight is the abscissa and the threat weight the ordinate, so hosts plotted towards the upper right corner are the more seriously compromised.
The event risk relationship used in this embodiment is given in the following table; the event type, description and attack chain stage are all contents of the log event.
[Table: event risk relationship of this embodiment (figures BDA0002404702090000101 and BDA0002404702090000111 in the original; the table is an image and is not reproduced in the text)]
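The matching, per-host aggregation and sorting described in this scenario, as an added Python example that is not part of the patent. The risk table entries, the host 10.0.0.5, the processing-state encoding and the source identifier are constructed, and the "high-level activity count" sort key is interpreted here as the total number of event occurrences per host.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed event risk relationship (the patent's own table is an image on the
# page and is not reproduced): (behavior type, event description) -> (threat
# weight, fault weight). The first three rows use the weights quoted in the
# scenario; the port-scan row is an added sample entry.
EVENT_RISK: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("malware", "Trojan URL"): (7, 4),
    ("malware", "Trojan remote control"): (7, 2),
    ("attack", "DDoS attack"): (10, 7),
    ("scan", "port scan"): (3, 1),
}

@dataclass
class LogEvent:
    host: str             # intranet host (IP) that received the traffic
    behavior: str         # behavior type carried in the log event
    description: str      # event description carried in the log event
    occurrences: int = 1  # number of times the event occurred

@dataclass
class HostRow:
    host: str
    threat: int = 0            # highest threat weight among the host's events
    fault: int = 0             # highest fault weight among the host's events
    active_times: int = 0      # assumption: total occurrences of the host's events
    processing_state: int = 0  # constructed encoding: 0 = unprocessed, 1 = processed
    source_id: str = ""        # constructed: identifier of the reporting firewall

def build_intermediate_table(events: List[LogEvent], risk=EVENT_RISK) -> list:
    """Match each log event against the event risk relationship and write
    (host, description, threat, fault, occurrences) rows to the intermediate
    table. Events absent from the relationship have no weight and are skipped."""
    table = []
    for ev in events:
        weights = risk.get((ev.behavior, ev.description))
        if weights is not None:
            table.append((ev.host, ev.description, weights[0], weights[1], ev.occurrences))
    return table

def host_view(table, states: Dict[str, int], sources: Dict[str, str]) -> List[HostRow]:
    """Front-end view: one row per intranet host carrying the highest threat and
    fault weights, sorted by fault weight, activity count, processing state and
    source identifier (the scenario's primary-to-secondary sort keys)."""
    hosts: Dict[str, HostRow] = {}
    for host, _desc, threat, fault, n in table:
        row = hosts.setdefault(host, HostRow(host, processing_state=states.get(host, 0),
                                             source_id=sources.get(host, "")))
        row.threat = max(row.threat, threat)
        row.fault = max(row.fault, fault)
        row.active_times += n
    return sorted(hosts.values(),
                  key=lambda r: (-r.fault, -r.active_times, r.processing_state, r.source_id))

# Constructed sample log: the host from the scenario plus one lower-risk host.
SAMPLE_EVENTS = [
    LogEvent("200.200.154.119", "malware", "Trojan URL", 3),
    LogEvent("200.200.154.119", "malware", "Trojan remote control", 1),
    LogEvent("200.200.154.119", "attack", "DDoS attack", 2),
    LogEvent("10.0.0.5", "scan", "port scan", 8),
    LogEvent("10.0.0.5", "other", "unknown event", 1),  # not in the relationship
]
SAMPLE_STATES = {"200.200.154.119": 0, "10.0.0.5": 1}
SAMPLE_SOURCES = {"200.200.154.119": "fw-01", "10.0.0.5": "fw-01"}

if __name__ == "__main__":
    for r in host_view(build_intermediate_table(SAMPLE_EVENTS), SAMPLE_STATES, SAMPLE_SOURCES):
        print(r.host, "threat", r.threat, "fault", r.fault, "active", r.active_times)
```

Running the script lists 200.200.154.119 first with threat weight 10 and fault weight 7, matching the scenario, while the unknown event is dropped because it has no entry in the relationship.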
Referring to fig. 5, an embodiment of the present application discloses a log processing apparatus, including:
the log reading module 10 is configured to read a current log event in a firewall log;
the relationship obtaining module 11 is configured to obtain an event risk relationship, where the event risk relationship records a risk weight of a log event;
the searching module 12 is configured to search a target risk weight corresponding to the current log event in the event risk relationship;
and the output module 13 is used for outputting the current log event and the target risk weight.
With the log processing apparatus described above, the current log event in the firewall log is read, the event risk relationship in which the risk weight of each log event is recorded is obtained, the target risk weight corresponding to the current log event is searched for in the event risk relationship, and the current log event and the target risk weight are output. Because the current log event and its corresponding target risk weight are output together, the user learns the risk degree of the current log event while reading it in the firewall log, can intuitively judge the risk posed by the traffic data from its corresponding log event, and the readability of log events in the firewall log is improved.
On the basis of the foregoing embodiments, the embodiments of the present application further describe and optimize the log processing apparatus. Specifically:
in one embodiment, the log reading module 10 includes:
the host log reading module is used for reading current log events corresponding to each intranet host in the firewall logs;
accordingly, the output module 13 includes:
and the host output module is used for outputting the current log event and the target risk weight of each intranet host.
In a specific embodiment, when the number of current log events corresponding to an intranet host is greater than 1, the searching module 12 includes:
the weight searching module is used for searching a current risk weight corresponding to the current log event in the event risk relationship;
and the weight selecting module is used for selecting the target risk weight with the largest value from the current risk weights.
In one embodiment, the host output module includes:
a first output module for outputting the current log event and the target risk weight of each intranet host according to the descending order of the target risk weights.
In one embodiment, the current log event includes the number of event occurrences;
the host output module includes:
and the second output module is used for outputting the current log events and the target risk weight of each intranet host according to the descending order of the event occurrence times in each current log event.
In one embodiment, the apparatus further comprises:
the intermediate table recording module is used for correspondingly recording the current log event and the target risk weight to an intermediate table;
the output module 13 includes:
and the intermediate table output module is used for outputting the current log event and the target risk weight based on the intermediate table.
In a specific embodiment, the relationship obtaining module 11 includes:
the acquisition module is used for acquiring the log events comprising the network type, the behavior type, the event description and the attack chain stage, and determining the risk weight of the log events according to the network type, the behavior type, the event description and the attack chain stage;
and the relationship establishing module is used for establishing a corresponding relationship between the log event and the risk weight to obtain an event risk relationship.
In one embodiment, the obtaining module includes:
the component acquisition module is used for acquiring risk weight components corresponding to the network type, the behavior type, the event description and the attack chain stage respectively;
and the weighted operation module is used for executing weighted operation on each risk weight component to obtain the risk weight.
In one embodiment, the event risk relationship records a threat weight and/or a failure weight of the log event;
the search module 12 includes:
the searching submodule is used for searching a target threat weight and/or a target fault weight corresponding to the current log event in the event risk relationship;
the output module 13 includes:
and the output submodule is used for outputting the current log event and the target threat weight and/or the target failure weight.
In one embodiment, the output submodule includes:
and the list chart output module is used for outputting the current log event in a list form and outputting the target threat weight and/or the target failure weight in a chart form.
In addition, an embodiment of the present application further discloses a log processing device, including:
a memory for storing a computer program;
a processor for implementing the steps of the log processing method as described above when executing the computer program.
The log processing device provided by the application reads a current log event in a firewall log, acquires an event risk relationship in which the risk weight of the log event is recorded, searches for the target risk weight corresponding to the current log event in the event risk relationship, and outputs the current log event together with the target risk weight. Because the device outputs the current log event and its corresponding target risk weight jointly, the user learns the risk degree of the current log event while reading it in the firewall log, can intuitively judge the risk posed by the traffic data from its corresponding log event, and the readability of log events in the firewall log is improved.
In addition, the embodiment of the application also discloses a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and when the computer program is executed by a processor, the steps of the log processing method are realized.
The computer-readable storage medium provided by the application reads a current log event in a firewall log, acquires an event risk relationship in which the risk weights of log events are recorded, searches for the target risk weight corresponding to the current log event in the event risk relationship, and outputs the current log event together with the target risk weight. Because the current log event and its corresponding target risk weight are output jointly, the user learns the risk degree of the current log event while reading it in the firewall log, can intuitively judge the risk posed by the traffic data from its corresponding log event, and the readability of log events in the firewall log is improved.
The above details are provided for a log processing method, apparatus, device and storage medium provided by the present application. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A log processing method, comprising:
reading a current log event in a firewall log;
acquiring an event risk relationship, wherein the event risk relationship records the risk weight of a log event;
searching a target risk weight corresponding to the current log event in the event risk relationship;
outputting the current log event and the target risk weight;
the acquiring of the event risk relationship comprises:
acquiring the log event comprising a network type, a behavior type, an event description and an attack chain stage, and determining the risk weight of the log event according to the network type, the behavior type, the event description and the attack chain stage;
and establishing a corresponding relation between the log event and the risk weight to obtain the event risk relation.
2. The log processing method of claim 1, wherein reading the current log event in the firewall log comprises:
reading current log events corresponding to each intranet host in the firewall logs;
correspondingly, the outputting the current log event and the target risk weight includes:
and outputting the current log event and the target risk weight of each intranet host.
3. The log processing method according to claim 2, wherein when the number of current log events corresponding to the intranet host is greater than 1, the searching for the target risk weight corresponding to the current log event in the event risk relationship includes:
searching a current risk weight corresponding to the current log event in the event risk relationship;
and selecting the target risk weight with the largest value from the current risk weights.
4. The log processing method according to claim 3, wherein the outputting the current log event and the target risk weight of each intranet host comprises:
and outputting the current log events and the target risk weights of the intranet hosts according to the descending order of the target risk weights.
5. The log processing method according to claim 3, wherein the current log event includes a number of event occurrences;
correspondingly, the outputting the current log event and the target risk weight of each intranet host includes:
and outputting the current log events and the target risk weight of each intranet host according to the descending order of the event occurrence times in each current log event.
6. The log processing method of claim 1, wherein prior to said outputting the current log event and the target risk weight, the method further comprises:
correspondingly recording the current log event and the target risk weight to an intermediate table;
correspondingly, the outputting the current log event and the target risk weight includes:
outputting the current log event and the target risk weight based on the intermediate table.
7. The log processing method of claim 1, wherein determining the risk weight of the log event according to the network type, the behavior type, the event description, and the attack chain stage comprises:
acquiring risk weight components respectively corresponding to the network type, the behavior type, the event description and the attack chain stage;
and performing weighted operation on each risk weight component to obtain the risk weight.
8. A log processing method as claimed in any one of claims 1 to 7, wherein the event risk relationship records a threat weight and/or a failure weight of the log event;
correspondingly, the searching for the target risk weight corresponding to the current log event in the event risk relationship includes:
searching a target threat weight and/or a target failure weight corresponding to the current log event in the event risk relationship;
correspondingly, the outputting the current log event and the target risk weight includes:
outputting the current log event and the target threat weight and/or the target failure weight.
9. The log processing method of claim 8, wherein said outputting the current log event and the target threat weight and/or the target failure weight comprises:
outputting the current log event in a list form, and outputting the target threat weight and/or the target failure weight in a chart form.
10. A log processing apparatus, comprising:
the log reading module is used for reading a current log event in a firewall log;
a relationship acquisition module, configured to acquire an event risk relationship, wherein the event risk relationship records the risk weight of a log event;
the searching module is used for searching a target risk weight corresponding to the current log event in the event risk relationship;
an output module, configured to output the current log event and the target risk weight;
the relationship acquisition module includes:
the acquisition module is used for acquiring the log event comprising a network type, a behavior type, an event description and an attack chain stage, and determining the risk weight of the log event according to the network type, the behavior type, the event description and the attack chain stage;
and the relationship establishing module is used for establishing a corresponding relationship between the log event and the risk weight to obtain the event risk relationship.
11. A log processing apparatus characterized by comprising:
a memory for storing a computer program;
a processor for implementing the steps of the log processing method according to any one of claims 1 to 9 when executing the computer program.
12. A computer-readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, realizes the steps of the log processing method according to any one of claims 1 to 9.
CN202010157807.1A 2020-03-09 2020-03-09 Log processing method, device, equipment and storage medium Active CN111404903B (en)


Publications (2)

Publication Number Publication Date
CN111404903A CN111404903A (en) 2020-07-10
CN111404903B true CN111404903B (en) 2022-08-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant