CN113420286B - Early warning method, device, equipment and storage medium based on authentication log data - Google Patents


Info

Publication number: CN113420286B
Application number: CN202110964769.5A
Authority: CN (China)
Prior art keywords: authentication, login, data, preset, information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113420286A
Inventors: 何丙南, 孙磊, 谢君龙, 曾垂鑫, 王秉晨, 姚志超, 邵凯歌
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd; priority to CN202110964769.5A; publication of CN113420286A; application granted; publication of CN113420286B; legal status active.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45: Structures or tools for the administration of authentication
    • G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an early warning method, an early warning device, early warning equipment and a storage medium based on authentication log data. The method comprises the following steps: collecting a plurality of pieces of login authentication log data of a server cluster; processing each piece of login authentication log data according to a preset data conversion rule to obtain a plurality of pieces of character coded data; acquiring the login timestamp information and login authentication result corresponding to each piece of character coded data; determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication results; and, when the authentication failure trend meets a preset condition, issuing an early warning prompt according to the authentication failure trend. Compared with the prior art, in which the login servers have to be checked manually one by one, the method needs the login timestamp information and login authentication results of the login authentication log data corresponding to the server cluster and issues the early warning prompt according to them, so that a failing server can be located quickly.

Description

Early warning method, device, equipment and storage medium based on authentication log data
Technical Field
The invention relates to the technical field of data processing, in particular to an early warning method, an early warning device, early warning equipment and a storage medium based on authentication log data.
Background
An AD (Active Directory) server is a core infrastructure service. Authentication failures occur while it is in use, and when a large number of them occur, the running state of the AD server has to be checked manually, the logs analyzed, the causes of failure checked, and a judgement made as to whether actions such as password intrusion attempts are present. Because the AD servers are numerous and their locations are scattered, a failing server cannot be located quickly.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide an early warning method, an early warning device and a storage medium based on authentication log data, so as to solve the problem of quickly locating a failing server.
In order to achieve the above object, the present invention provides an early warning method based on authentication log data, which comprises the following steps:
collecting a plurality of login authentication log data corresponding to a server cluster;
processing each piece of login authentication log data according to a preset data conversion rule to obtain a plurality of pieces of character coded data;
respectively acquiring login timestamp information and login authentication results corresponding to the character coded data;
determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result;
and when the authentication failure trend meets a preset condition, carrying out early warning prompt according to the authentication failure trend.
Optionally, the step of processing the multiple login authentication log data according to a preset data conversion rule to obtain multiple character encoded data includes:
respectively acquiring data acquisition time of a plurality of login authentication log data;
sorting the plurality of login authentication log data according to the data acquisition time to obtain an authentication log sorting result;
and respectively processing the login authentication log data according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
Optionally, the step of respectively processing the multiple login authentication log data according to the authentication log sorting result and a preset data conversion rule to obtain multiple character encoded data includes:
respectively acquiring authentication category information corresponding to a plurality of login authentication log data;
judging whether the authentication category information meets a preset category condition or not;
and when the authentication category information meets the preset category condition, respectively processing a plurality of login authentication log data according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
Optionally, the step of processing the multiple login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain multiple character encoded data includes:
respectively determining target authentication information corresponding to a plurality of login authentication log data according to the preset category conditions;
and processing the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
Optionally, before the step of processing the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character encoding data, the method further includes:
acquiring the information storage capacity of the target authentication information;
judging whether the information storage amount is larger than or equal to a preset storage threshold value or not;
and when the information storage amount is larger than or equal to the preset storage threshold value, executing the step of processing the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
Optionally, after the step of determining whether the authentication category information meets a preset category condition, the method further includes:
when the authentication category information does not meet the preset category condition, determining a missing log identifier according to the preset category condition and the authentication category information;
acquiring missing authentication information according to the missing log identification, and taking login authentication log data corresponding to the authentication category information as authentication operation information;
and respectively processing the authentication operation information and the missing authentication information according to an authentication log sorting result and a preset data conversion rule to obtain a plurality of character encoding data.
Optionally, after the step of obtaining the login timestamp information and the login authentication result corresponding to the plurality of character encoded data, the method further includes:
sorting the character coded data according to the login timestamp information and the login authentication result to obtain a character code sorting result;
and displaying the character coded data according to a preset data display rule and the character coding sequencing result.
Optionally, the step of determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result includes:
generating an authentication curve graph according to the login timestamp information and the login authentication result;
determining a fitting function value within a preset time range according to the authentication curve graph;
and determining an authentication failure trend according to the fitting function value and the login authentication result.
Optionally, the step of determining a fitting function value within a preset time range according to the authentication graph includes:
determining authentication failure frequency information according to the authentication curve graph;
determining a historical authentication function value according to the authentication failure frequency information;
and determining a fitting function value within a preset time range according to the historical authentication function value.
Optionally, the step of performing an early warning prompt according to the authentication failure trend when the authentication failure trend meets a preset condition includes:
when the authentication failure trend meets the preset condition, determining predicted authentication failure data according to the authentication failure trend;
judging whether the predicted authentication failure data is larger than a preset alarm threshold value or not;
and when the predicted authentication failure data is larger than the preset alarm threshold value, carrying out early warning prompt according to the predicted authentication failure data.
Optionally, the step of performing an early warning prompt according to the predicted authentication failure data includes:
determining an authentication failure difference value according to the predicted authentication failure data and the preset alarm threshold value;
determining an authentication failure grade according to the authentication failure difference;
determining a preset early warning strategy according to the authentication failure grade and the authentication failure difference value;
and carrying out early warning prompt according to the preset early warning strategy and the prediction authentication failure data.
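The trend-fitting and graded-alert steps above, applied to a constructed series of login results, as an added example that is not the patent's own code: the one-minute interval, a least-squares line as the fitting function, an alarm threshold of 5 failures per interval and the grade boundaries are all assumptions for illustration.

```python
from datetime import datetime, timedelta

ALARM_THRESHOLD = 5              # preset alarm threshold, failures per interval (assumed)
INTERVAL = timedelta(minutes=1)  # width of one point on the authentication curve (assumed)
PRESET_RANGE = 5                 # number of intervals in the preset time range (assumed)
SAMPLE_START = datetime.strptime("2021-08-20 10:00:00", "%Y-%m-%d %H:%M:%S")


def build_sample(counts, start=SAMPLE_START):
    """Constructed login authentication results: counts[i] failures in minute i,
    plus one success per minute so the series mixes both result types."""
    results = []
    for i, n in enumerate(counts):
        results.append((start + i * INTERVAL + timedelta(seconds=30), "success"))
        for k in range(n):
            results.append((start + i * INTERVAL + timedelta(seconds=k), "failure"))
    return results


SAMPLE_RESULTS = build_sample([1, 2, 4, 5, 8])


def failure_frequency(results, start, n_intervals=PRESET_RANGE):
    """Authentication curve: failures per interval inside the preset time range
    (the historical authentication function values)."""
    counts = [0] * n_intervals
    for ts, result in results:
        idx = (ts - start) // INTERVAL          # timedelta // timedelta gives an int
        if result == "failure" and 0 <= idx < n_intervals:
            counts[idx] += 1
    return counts


def fit_line(ys):
    """Least-squares line through the points (i, ys[i]); the fitting function."""
    n = len(ys)
    xs = list(range(n))
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def authentication_failure_trend(results, start):
    """Fit the failure frequency and evaluate the fitted function at the next
    interval; that value is the predicted authentication failure data."""
    counts = failure_frequency(results, start)
    slope, intercept = fit_line(counts)
    predicted = slope * len(counts) + intercept
    return {"history": counts, "slope": slope, "predicted": predicted}


def early_warning(trend, threshold=ALARM_THRESHOLD):
    """Preset condition (assumed): the trend must be rising.  A prompt is issued
    only when the prediction exceeds the alarm threshold; the difference picks
    the failure grade and the grade picks the early warning strategy."""
    if trend["slope"] <= 0 or trend["predicted"] <= threshold:
        return None
    difference = trend["predicted"] - threshold
    if difference < 0.5 * threshold:
        grade, strategy = 3, "log the prediction and notify the on-call channel"
    elif difference < threshold:
        grade, strategy = 2, "page the on-call engineer"
    else:
        grade, strategy = 1, "page on-call and the AD service owner"
    return {"predicted": round(trend["predicted"], 2),
            "difference": round(difference, 2), "grade": grade, "strategy": strategy}


def run_sample():
    """Run the whole chain on the constructed series."""
    trend = authentication_failure_trend(SAMPLE_RESULTS, SAMPLE_START)
    return trend, early_warning(trend)


if __name__ == "__main__":
    print(run_sample())
```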
In addition, in order to achieve the above object, the present invention further provides an early warning device based on authentication log data, including:
the acquisition module is used for acquiring a plurality of login authentication log data corresponding to the server cluster;
the processing module is used for respectively processing the login authentication log data according to a preset data conversion rule to obtain a plurality of character coded data;
the acquisition module is used for respectively acquiring login timestamp information and login authentication results corresponding to the character coded data;
the determining module is used for determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result;
and the early warning module is used for carrying out early warning prompt according to the authentication failure trend when the authentication failure trend meets the preset condition.
Optionally, the processing module is further configured to obtain data acquisition times of a plurality of login authentication log data, respectively;
the processing module is further used for sorting the plurality of login authentication log data according to the data acquisition time to obtain an authentication log sorting result;
the processing module is further configured to process the multiple login authentication log data according to the authentication log sorting result and a preset data conversion rule, so as to obtain multiple character encoding data.
Optionally, the processing module is further configured to obtain authentication category information corresponding to a plurality of login authentication log data;
the processing module is further configured to determine whether the authentication category information meets a preset category condition;
and the processing module is further configured to, when the authentication category information meets the preset category condition, respectively process the multiple login authentication log data according to the authentication log sorting result and a preset data conversion rule, so as to obtain multiple character encoding data.
Optionally, the processing module is further configured to determine, according to the preset category condition, target authentication information corresponding to the multiple login authentication log data respectively;
the processing module is further configured to process the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character encoding data.
Optionally, the determining module is further configured to generate an authentication graph according to the login timestamp information and the login authentication result;
the determining module is further configured to determine a fitting function value within a preset time range according to the authentication curve graph;
the determining module is further configured to determine an authentication failure trend according to the fitting function value and the login authentication result.
Optionally, the determining module is further configured to determine authentication failure frequency information according to the authentication graph;
the determining module is further configured to determine a historical authentication function value according to the authentication failure frequency information;
the determining module is further configured to determine a fitting function value within a preset time range according to the historical authentication function value.
Optionally, the early warning module is further configured to determine, when the authentication failure trend meets a preset condition, predicted authentication failure data according to the authentication failure trend;
the early warning module is also used for judging whether the predicted authentication failure data is greater than a preset warning threshold value;
the early warning module is further used for carrying out an early warning prompt according to the predicted authentication failure data when the predicted authentication failure data is larger than the preset warning threshold value.
In addition, in order to achieve the above object, the present invention further provides an early warning device based on authentication log data, where the device includes: the system comprises a memory, a processor and an authentication log data-based early warning program stored on the memory and executable on the processor, wherein the authentication log data-based early warning program is configured to implement the steps of the authentication log data-based early warning method as described above.
In addition, in order to achieve the above object, the present invention further provides a storage medium, where an early warning program based on authentication log data is stored, and the early warning program based on authentication log data implements the steps of the early warning method based on authentication log data as described above when being executed by a processor.
The method comprises the steps of first collecting a plurality of pieces of login authentication log data of a server cluster, then processing each piece of login authentication log data according to a preset data conversion rule to obtain a plurality of pieces of character coded data, obtaining the login timestamp information and login authentication result corresponding to each piece of character coded data, then determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication results, and finally carrying out an early warning prompt according to the authentication failure trend when the authentication failure trend meets a preset condition. Compared with the prior art, in which the servers have to be logged in to manually one by one, the method needs the login timestamp information and login authentication results of the plurality of login authentication log data corresponding to the server cluster and carries out the early warning prompt according to them, so that early warning of the future authentication trend of the servers is realized and a failure arising on a server is located quickly.
Drawings
FIG. 1 is a schematic structural diagram of an authentication log data-based early warning device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of an authentication log data-based early warning method according to the present invention;
FIG. 3 is a flowchart illustrating a second embodiment of an early warning method based on authentication log data according to the present invention;
FIG. 4 is a flowchart illustrating a third embodiment of an early warning method based on authentication log data according to the present invention;
FIG. 5 is a block diagram illustrating a first embodiment of an early warning apparatus based on authentication log data according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an early warning device based on authentication log data in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the warning apparatus based on the authentication log data may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of the authentication log data-based alerting device, and may include more or less components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a storage medium, may include therein an operating system, a network communication module, a user interface module, and an early warning program based on authentication log data.
In the warning apparatus based on the authentication log data shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 of the warning device based on the authentication log data may be disposed in the warning device based on the authentication log data, and the warning device based on the authentication log data calls the warning program based on the authentication log data stored in the memory 1005 through the processor 1001 and executes the warning method based on the authentication log data provided by the embodiment of the present invention.
An embodiment of the present invention provides an early warning method based on authentication log data, and referring to fig. 2, fig. 2 is a schematic flow diagram of a first embodiment of the early warning method based on authentication log data according to the present invention.
In this embodiment, the authentication log data-based early warning method includes the following steps:
step S10: and collecting a plurality of login authentication log data corresponding to the server cluster.
It is easy to understand that the execution subject of this embodiment may be a communication device having functions such as data processing, network communication and program execution; the device can perform data conversion on login authentication log data and can determine an authentication failure trend within a preset time range. It may also be another computer device having similar functions; this embodiment is not limited in this respect.
It should be noted that the plurality of login authentication log data corresponding to the server cluster may be collected according to a data collection instruction sent by the user, or at a time set in advance by the user, for example by using a lightweight log collector such as Filebeat or a log collection system such as Fluentd, driven by event IDs, scripts, plug-ins or performance counters, to collect the AD cluster server log data (event data recorded in the System, Security and Application logs).
The server cluster may include a plurality of AD servers, and each AD server has login authentication log data of a plurality of users, where the login authentication log data may include the login device, login account, login password, login verification result, login time, operation behavior information of the cursor or keyboard, and the like.
Step S20: and processing the log data of the login authentication respectively according to a preset data conversion rule to obtain a plurality of character coded data.
The data acquisition time of each piece of login authentication log data is obtained, the login authentication log data are sorted according to the data acquisition time to obtain an authentication log sorting result, and each piece of login authentication log data is processed according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of pieces of character coded data, where the preset data conversion rule comprises time modification, field screening and data conversion.
It should be understood that the data collection time of a piece of login authentication log data may be the time at which it was acquired; the plurality of login authentication log data are then added to a queue and sorted according to the data collection time to obtain the authentication log sorting result, after which the plurality of login authentication log data are processed according to the authentication log sorting result.
In a specific implementation, the collected login authentication log data are transmitted to the internal queue system Qbus or the message service Kafka in a distributed publish-subscribe mode, and are processed through the open source log management system Logstash, for example by modifying the log time to China time, screening out unnecessary fields, converting the data to JSON format and encoding it as UTF-8.
In this embodiment, processing the login authentication log data may consist of obtaining the login time in the login authentication log data, adjusting it to China time, selecting the target authentication information from the login authentication log data, and converting the target authentication information to JSON format with UTF-8 encoding to obtain the character coded data corresponding to the login authentication log.
Assuming that the login authentication log data includes login device, login account, login password, login authentication result, login time, and operation behavior information of a cursor or a keyboard, the target authentication information may be the login device, login account, login password, login authentication result, login time, and the like, and the login device may be login AD server information.
The plurality of login authentication log data may be processed according to the authentication log sorting result and the preset data conversion rule as follows: authentication category information corresponding to each piece of login authentication log data is obtained; whether the authentication category information meets a preset category condition is judged; and when it does, each piece of login authentication log data is processed according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of pieces of character encoded data. The preset category condition is set by the user in a self-defined way; it may be, for example, that device type information, account type information, password type information, verification result type information and time type information are present, or that account type information, password type information, verification result type information and time type information are present.
Assuming that the login authentication log data includes login device, login account, login password, login authentication result, login time, and operation behavior information of a cursor or keyboard, the login authentication log data includes device type information, account type information, password type information, authentication result type information, time type information and operation behavior type information.
And respectively processing the plurality of login authentication log data according to the authentication log sorting result and the preset data conversion rule, wherein the processing mode for obtaining the plurality of character coded data is to respectively determine target authentication information corresponding to the plurality of login authentication log data according to a preset category condition, and process the target authentication information according to the authentication log sorting result and the preset data conversion rule to obtain the plurality of character coded data.
Assuming that a login account, a login password, a login verification result, login time and operation behavior information of a cursor or a keyboard exist in login authentication log data, account category information, password category information, verification result category information, time category information and operation behavior category information exist in the login authentication log data, and if preset category conditions are that the account category information, the password category information, the verification result category information and the time category information exist, target authentication information is a login account, a login password, a login verification result, login time and the like.
In this embodiment, when the authentication category information does not satisfy the preset category condition, a missing log identifier is determined according to the preset category condition and the authentication category information, missing authentication information is obtained according to the missing log identifier, login authentication log data corresponding to the authentication category information is used as authentication operation information, and the authentication operation information and the missing authentication information are respectively processed according to an authentication log sorting result and a preset data conversion rule, so as to obtain a plurality of character encoded data.
Assuming that login authentication log data A contains a login account, login password, login verification result and operation behavior information of a cursor or keyboard, then account type information, password type information, verification result type information and operation behavior type information exist in it. If the preset category condition requires account type information, password type information, verification result type information and time type information, the missing log identifier is the time identifier, and the login time information of the login authentication log, namely the missing authentication information, is obtained. The account type information, password type information and verification result type information are extracted from login authentication log data A and used as the authentication operation information, and finally the authentication operation information and the missing authentication information are processed according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of pieces of character encoded data.
It should be noted that, in order to obtain accurate character encoded data, the information storage amount of the target authentication information is obtained and it is judged whether this amount is greater than or equal to a preset storage threshold; when it is, the target authentication information is processed according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of pieces of character encoded data. The preset storage threshold may be set by the user in a self-defined manner and may be, for example, 2M or 8kb.
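The conversion rule of step S20 (sorting by collection time, category check, recovery of a missing field, field screening, time modification, JSON/UTF-8 conversion and the storage-threshold check) applied to constructed records, as an added example that is not code from the patent. The field names, the preset category condition, filling a missing login time from the record's own collection time, and the threshold value are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

CHINA_TZ = timezone(timedelta(hours=8))  # the "China time" the description adjusts to

# Preset category condition (assumed): field types a record must contain.
PRESET_CATEGORY_CONDITION = ("account", "password", "result", "login_time")
PRESET_STORAGE_THRESHOLD = 2 * 1024 * 1024  # bytes; the "2M" example in the text

# Constructed sample records as a collector might forward them (UTC timestamps,
# passwords already masked).  The third record lacks login_time, which is the
# missing-category case the description handles.
SAMPLE_LOGS = [
    {"collected_at": "2021-08-20T02:00:05Z", "device": "ad-srv-02", "account": "bob",
     "password": "***", "result": "failure", "login_time": "2021-08-20T02:00:01Z",
     "cursor_events": 12},
    {"collected_at": "2021-08-20T01:59:58Z", "device": "ad-srv-01", "account": "alice",
     "password": "***", "result": "success", "login_time": "2021-08-20T01:59:55Z"},
    {"collected_at": "2021-08-20T02:00:09Z", "device": "ad-srv-02", "account": "bob",
     "password": "***", "result": "failure"},
]


def to_china_time(iso_utc):
    """Time modification: rewrite a UTC ISO-8601 timestamp as China time."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.astimezone(CHINA_TZ).strftime("%Y-%m-%d %H:%M:%S")


def missing_log_identifiers(record):
    """Category check: the required field types absent from the record."""
    return [f for f in PRESET_CATEGORY_CONDITION if f not in record]


def fill_missing(record, missing):
    """Obtain the missing authentication information.  Assumption for this
    example: a missing login_time is taken from the record's collection time."""
    filled = dict(record)
    for field in missing:
        if field != "login_time":
            raise ValueError(f"cannot recover missing field {field!r}")
        filled["login_time"] = record["collected_at"]
    return filled


def convert(records, storage_threshold=PRESET_STORAGE_THRESHOLD):
    """Apply the preset data conversion rule: sort by collection time, screen
    fields, modify the time, then JSON/UTF-8 encode.  Following the
    storage-threshold step, nothing is encoded until the screened information
    reaches the threshold; an empty list means the batch is still accumulating."""
    ordered = sorted(records, key=lambda r: r["collected_at"])
    targets = []
    for rec in ordered:
        missing = missing_log_identifiers(rec)
        if missing:
            rec = fill_missing(rec, missing)
        target = {f: rec[f] for f in PRESET_CATEGORY_CONDITION}  # field screening
        target["login_time"] = to_china_time(target["login_time"])
        targets.append(target)
    storage_amount = sum(len(json.dumps(t, ensure_ascii=False).encode("utf-8"))
                         for t in targets)
    if storage_amount < storage_threshold:
        return []
    return [json.dumps(t, ensure_ascii=False).encode("utf-8") for t in targets]


def decode(encoded):
    """Inspection helper: turn the character coded data back into dicts."""
    return [json.loads(b.decode("utf-8")) for b in encoded]


if __name__ == "__main__":
    for line in convert(SAMPLE_LOGS, storage_threshold=0):
        print(line.decode("utf-8"))
```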
Step S30: respectively acquiring login timestamp information and login authentication results corresponding to the plurality of character coded data.
The login timestamp information includes specific format time information, login account code data, login password code data, login verification result code data, and the like, and the login authentication result may be login authentication success or login authentication failure.
It should be understood that the character encoding data includes specific format time information, login account encoding data, login password encoding data, login verification result encoding data and login authentication result, wherein the specific format time information, the login account encoding data, the login password encoding data, the login verification result encoding data and the login authentication result are in a one-to-one correspondence relationship. The character coded data are multiple groups of specific format time information, login account coded data, login password coded data, login verification result coded data and login authentication results.
Step S40: determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result.
In order to enable a user to clearly view the change condition of the log data of the server cluster, the plurality of character encoded data are sorted according to the login timestamp information and the login authentication result to obtain a character encoding sorting result, and then the plurality of character encoded data are displayed according to a preset data display rule and the character encoding sorting result.
Note that the specific format login time corresponding to each of the plurality of character encoded data is acquired, and then the character encoded data are sorted according to the specific format login time and the login authentication result.
The preset data display rule can be set by a user in a self-defined mode, can be used for selecting partial character coded data to be displayed according to a character coding sequencing result, can be used for displaying a plurality of character coded data in a linear graph mode, and can be used for displaying a plurality of character coded data in a tree graph mode.
In this embodiment, the data is sorted according to the timestamp created for each piece of data, namely the login time in a specific format, and output to the distributed search and analysis engine Elasticsearch, and the processed data, namely the plurality of character encoded data, is displayed through the open source data visualization tool Grafana or the analysis and visualization platform Kibana.
The processing mode of determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result is to generate an authentication curve graph according to the login timestamp information and the login authentication result, determine a fitting function value within the preset time range according to the authentication curve graph, and then determine the authentication failure trend according to the fitting function value and the login authentication result.
It should be understood that the authentication failure frequency information is determined according to the authentication graph, the historical authentication function value is determined according to the authentication failure frequency information, and then the fitting function value within the preset time range is determined according to the historical authentication function value, and the fitting function value can be understood as authentication failure data within the preset time range, the historical authentication function value is authentication failure data corresponding to a plurality of login authentication log data, and the like.
Step S50: when the authentication failure trend meets a preset condition, carrying out an early warning prompt according to the authentication failure trend.
When the authentication failure trend meets a preset condition, predicted authentication failure data is determined according to the authentication failure trend, it is judged whether the predicted authentication failure data is greater than a preset alarm threshold value, and when the predicted authentication failure data is greater than the preset alarm threshold value, an early warning prompt is performed according to the predicted authentication failure data. The preset condition may be that the failure trend presents an ascending trend, and the preset alarm threshold may be user-defined and may be 2000, 500, and the like; this embodiment is not limited thereto.
The processing mode of carrying out early warning prompting according to the predicted authentication failure data is to determine an authentication failure difference value according to the predicted authentication failure data and a preset warning threshold value, determine an authentication failure grade according to the authentication failure difference value, determine a preset early warning strategy according to the authentication failure grade and the authentication failure difference value, and finally carry out early warning prompting according to the preset early warning strategy and the predicted authentication failure data.
The preset early warning policy can be set by a user in a self-defined manner, and can be used for performing mail early warning prompt on a responsible person of the call system, and also performing information early warning prompt on the responsible person of the call system, and the like, and the embodiment is not limited.
An early warning mapping relation table is established according to the authentication failure grades, the authentication failure difference intervals and the preset early warning strategies, wherein the early warning mapping relation table comprises the authentication failure grades, the authentication failure difference intervals and the preset early warning strategies, which are in one-to-one correspondence.
The authentication failure levels comprise primary authentication failure, secondary authentication failure and tertiary authentication failure, wherein the preset early warning strategy corresponding to the primary authentication failure can be used for carrying out mail early warning prompt on a responsible person of the call system, the preset early warning strategy corresponding to the secondary authentication failure can be used for carrying out information early warning prompt on the responsible person of the call system, the preset early warning strategy corresponding to the tertiary authentication failure can be used for carrying out voice early warning prompt on the responsible person of the call system and the like, the tertiary authentication failure is greater than the secondary authentication failure, and the secondary authentication failure is greater than the primary authentication failure and the like.
In a specific implementation, assuming that the predicted authentication failure data two days later is 2000 times and the preset alarm threshold value is 500, the authentication failure difference is determined to be 1500, the authentication failure difference interval is determined to be 1000-2000 according to the authentication failure difference, wherein the authentication failure grade corresponding to the 1000-2000 interval is the secondary authentication failure, the preset early warning strategy is determined according to the secondary authentication failure, and finally the early warning prompt is performed according to the preset early warning strategy and the predicted authentication failure data.
In a specific implementation, a self-defined trend trigger function is developed in Zabbix, an enterprise-level open source solution based on a web interface that provides distributed system monitoring and network monitoring functions; the corresponding trigger functions used are forecast and timeleft, and the collected data and the plurality of character coded data are used to predict the trend of AD authentication failures N minutes later.
It should be noted that each time the trigger function is evaluated, data is obtained from a specified historical period and the specified function is fitted to the data; if the data differs slightly, the fitted function will also differ slightly. When the trend is greater than the alarm threshold value, the action is triggered to perform alarm processing, wherein the alarm prompt can be a mail prompt, a short message prompt, a communication chat tool prompt, a telephone prompt and the like.
In this embodiment, a plurality of login authentication log data of a server cluster are collected first, then the login authentication log data are processed respectively according to a preset data conversion rule to obtain a plurality of character encoded data, login timestamp information and a login authentication result corresponding to the character encoded data are obtained respectively, an authentication failure trend within a preset time range is determined according to the login timestamp information and the login authentication result, and finally, when the authentication failure trend meets a preset condition, an early warning prompt is given according to the authentication failure trend. Compared with the prior art, in which the servers need to be manually logged in one by one, this embodiment only needs the login timestamp information and the login authentication result of the login authentication log data corresponding to the server cluster, and then performs an early warning prompt according to the login timestamp information and the login authentication result, so that early warning on the future authentication trend of the servers is realized, failures occurring on the servers are rapidly located, and labor cost and time cost are saved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of the warning method based on authentication log data according to the present invention.
Based on the first embodiment, in this embodiment, the step S20 includes:
Step S201: respectively acquiring data acquisition time of a plurality of login authentication log data.
It is to be understood that the data collection time of the login authentication log data may be the time of acquiring the login authentication log data.
Step S202: sorting the plurality of login authentication log data according to the data acquisition time to obtain an authentication log sorting result.
A plurality of login authentication log data are added into a queue for sorting according to the data acquisition time, so as to obtain an authentication log sorting result. In a specific implementation, the collected multiple login authentication log data may be transmitted to the internal queue system Qbus or the distributed publish-subscribe message service tool Kafka, so as to obtain an authentication log sorting result, and the like.
Step S203: respectively processing the plurality of login authentication log data according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
In this embodiment, the processing of the multiple login authentication log data may be to obtain the login time in the login authentication log data, adjust the login time to the China time zone, select target authentication information from the login authentication log data, and perform JSON formatting and UTF-8 encoding on the target authentication information to obtain the character encoded data corresponding to the login authentication log. The preset data conversion rule comprises time modification, field screening, data conversion and the like.
Assuming that the login authentication log data includes login device, login account, login password, login authentication result, login time, and operation behavior information of a cursor or a keyboard, the target authentication information may be the login device, login account, login password, login authentication result, login time, and the like, and the login device may be login AD server information.
The processing mode of respectively processing the plurality of login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain the plurality of character coded data can be to respectively obtain authentication category information corresponding to the plurality of login authentication log data, then judge whether the authentication category information meets a preset category condition, and when the authentication category information meets the preset category condition, respectively process the login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of character encoded data. The preset category condition is set by a user in a self-defined way; it may require that device type information, account type information, password type information, verification result type information and time type information exist, or that account type information, password type information, verification result type information and time type information exist.
Assuming that the login authentication log data includes login device, login account, login password, login authentication result, login time, and operation behavior information of a cursor or a keyboard, the login authentication log data includes device type information, account type information, password type information, authentication result type information, time type information, and operation behavior type information.
The processing mode of respectively processing the plurality of login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain the plurality of character coded data may also be to respectively determine target authentication information corresponding to the plurality of login authentication log data according to the preset category condition, and process the target authentication information according to the authentication log sorting result and the preset data conversion rule to obtain the plurality of character coded data.
Assuming that a login account, a login password, a login verification result, login time and operation behavior information of a cursor or a keyboard exist in login authentication log data, account category information, password category information, verification result category information, time category information and operation behavior category information exist in the login authentication log data, and if preset category conditions are that the account category information, the password category information, the verification result category information and the time category information exist, target authentication information is a login account, a login password, a login verification result, login time and the like.
In this embodiment, when the authentication category information does not satisfy the preset category condition, a missing log identifier is determined according to the preset category condition and the authentication category information, missing authentication information is obtained according to the missing log identifier, login authentication log data corresponding to the authentication category information is used as authentication operation information, and the authentication operation information and the missing authentication information are respectively processed according to an authentication log sorting result and a preset data conversion rule, so as to obtain a plurality of character encoded data.
Assuming that a login account, a login password, a login verification result and operation behavior information of a cursor or a keyboard exist in login authentication log data A, then account type information, password type information, verification result type information and operation behavior type information exist in login authentication log data A. If the preset type condition is that account type information, password type information, verification result type information and time type information exist, the missing log identifier is a time identifier, so the login time information of the login authentication log, namely the missing authentication information, is obtained; the account type information, the password type information and the verification result type information are extracted from login authentication log data A and used as authentication operation information; and finally the authentication operation information and the missing authentication information are processed according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of character encoded data.
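The conversion of steps S201 to S203 (sorting by collection time, the category check, filling a missing time identifier, field screening, time adjustment and JSON/UTF-8 encoding, together with the storage-amount gate noted in the first embodiment), as an added Python example that is not part of the patent. The field names, the field-to-category mapping, the UTC+8 conversion, the rule that a missing time category is filled from the collection time, and the sample records are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Preset category condition: the second variant named in the text
# (account, password, verification result and time type information must exist).
REQUIRED_CATEGORIES = ("account", "password", "verify_result", "time")
CHINA_TZ = timezone(timedelta(hours=8))   # assumption: "China time zone" means UTC+8
STORAGE_THRESHOLD = 8 * 1024              # preset storage threshold; 8 kB is one value the text names

# Assumed mapping from raw log fields to authentication category identifiers.
# Cursor/keyboard behaviour fields carry the operation-behaviour category and are screened out.
FIELD_CATEGORY = {
    "device": "device",
    "account": "account",
    "password": "password",
    "verify_result": "verify_result",
    "login_time": "time",
}


def sort_by_collection_time(records):
    """Step S202: order raw records by the data acquisition time (authentication log sorting result)."""
    return sorted(records, key=lambda r: r["collected_at"])


def missing_categories(record):
    """Required category identifiers absent from a record: the 'missing log identifier'."""
    present = {FIELD_CATEGORY[k] for k in record["fields"] if k in FIELD_CATEGORY}
    return [c for c in REQUIRED_CATEGORIES if c not in present]


def fill_missing(record, missing):
    """Obtain the missing authentication information. Assumption: a missing time category is
    filled from the collection time; other missing categories cannot be reconstructed."""
    filled = dict(record["fields"])
    for category in missing:
        if category == "time":
            filled["login_time"] = record["collected_at"]
        else:
            raise ValueError(f"cannot reconstruct missing category {category!r}")
    return filled


def to_china_time(ts):
    """Time modification: ISO-8601 timestamp (any zone) to the fixed-format China time string."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)   # assumption: naive timestamps are UTC
    return dt.astimezone(CHINA_TZ).strftime("%Y-%m-%d %H:%M:%S")


def encode_record(record):
    """Step S203 for one record: category check, gap filling, field screening, JSON + UTF-8."""
    missing = missing_categories(record)
    fields = fill_missing(record, missing) if missing else record["fields"]
    target = {k: v for k, v in fields.items() if k in FIELD_CATEGORY}   # field screening
    target["login_time"] = to_china_time(target["login_time"])
    return json.dumps(target, ensure_ascii=False, sort_keys=True).encode("utf-8")


def convert_logs(records, storage_threshold=STORAGE_THRESHOLD):
    """Sort, encode, and release the batch only once the target information reaches the
    preset storage threshold; an empty list means 'wait for more data'."""
    encoded = [encode_record(r) for r in sort_by_collection_time(records)]
    if sum(len(b) for b in encoded) < storage_threshold:
        return []
    return encoded


def decode_records(encoded):
    """Helper for inspection: character encoded data back to dictionaries."""
    return [json.loads(b.decode("utf-8")) for b in encoded]


# Constructed sample records; the second one lacks login_time (the "log data A" case).
SAMPLE_LOGS = [
    {"collected_at": "2021-08-20T02:00:05+00:00",
     "fields": {"device": "ad-dc-01", "account": "alice", "password": "<redacted>",
                "verify_result": "fail", "login_time": "2021-08-20T02:00:03+00:00",
                "cursor": "(10,20)"}},
    {"collected_at": "2021-08-20T01:59:58+00:00",
     "fields": {"account": "bob", "password": "<redacted>", "verify_result": "success",
                "keyboard": "enter"}},
]

if __name__ == "__main__":
    for row in decode_records(convert_logs(SAMPLE_LOGS, storage_threshold=1)):
        print(row)
```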
In this embodiment, the data acquisition time of the plurality of login authentication log data is respectively obtained, then the login authentication log data are sorted according to the data acquisition time to obtain the authentication log sorting result, and finally the login authentication log data are respectively processed according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of character encoded data. Compared with the prior art, in which the login authentication log is not processed, the number of authentication failures is confirmed only according to the login authentication log, and the server is manually inspected according to the authentication failure data, in this embodiment the multiple login authentication log data can be processed according to the authentication log sorting result and the preset data conversion rule to obtain multiple character encoded data, thereby increasing the detection efficiency of the multiple login authentication log data of the server.
Referring to fig. 4, fig. 4 is a schematic flowchart of a warning method based on authentication log data according to a third embodiment of the present invention.
Based on the first embodiment, in this embodiment, the step S40 includes:
Step S401: generating an authentication curve graph according to the login timestamp information and the login authentication result.
It should be noted that, in order to enable a user to clearly view the change situation of the log data of the server cluster, the multiple character coded data are sorted according to the login timestamp information and the login authentication result to obtain a character code sorting result, and then the multiple character coded data are displayed according to a preset data display rule and the character code sorting result.
In this embodiment, the data is sorted according to the timestamp created for each piece of data, namely the login time in a specific format, and output to the distributed search and analysis engine Elasticsearch, and the processed data, namely the plurality of character encoded data, is displayed through the open source data visualization tool Grafana or the analysis and visualization platform Kibana.
The authentication curve graph is generated from the authentication failure time and the authentication failure data in the login authentication log data, and a user can check the number of authentication failures within the preset time according to the authentication curve graph.
Step S402: determining a fitting function value within a preset time range according to the authentication curve graph.
It should be understood that the authentication failure frequency information is determined according to the authentication graph, the historical authentication function value is determined according to the authentication failure frequency information, and then the fitting function value within the preset time range is determined according to the historical authentication function value, and the fitting function value can be understood as authentication failure data within the preset time range, the historical authentication function value is authentication failure data corresponding to a plurality of login authentication log data, and the like.
Step S403: determining an authentication failure trend according to the fitting function value and the login authentication result.
In a specific implementation, a self-defined trend trigger function is developed in Zabbix, an enterprise-level open source solution based on a web interface that provides distributed system monitoring and network monitoring functions; the corresponding trigger functions used are forecast and timeleft, and the collected data and the plurality of character coded data are used to predict the trend of AD authentication failures N minutes later.
In this embodiment, an authentication curve graph is generated according to login timestamp information and a login authentication result, a fitting function value within a preset time range is determined according to the authentication curve graph, and then an authentication failure trend is determined according to the fitting function value and the login authentication result.
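The trend fitting of steps S401 to S403 and the threshold, difference and grade handling of step S50 of the first embodiment, as an added Python example that is not part of the patent. It uses a least-squares line as the fitting function (a stand-in for the Zabbix forecast trigger function the text names, not that function itself); the sample curve values, the primary and tertiary difference intervals, and the strategy names are assumptions, while the 1000-2000 secondary interval, the 500 threshold and the 2000/1500 worked values come from the text.

```python
from dataclasses import dataclass
from typing import Optional

ALARM_THRESHOLD = 500   # preset alarm threshold used in the worked example of the text

# Early warning mapping relation table. The text puts a difference of 1500 in the
# 1000-2000 interval (secondary); the primary and tertiary bounds are assumptions.
LEVEL_TABLE = (
    # (difference lower bound inclusive, upper bound exclusive, grade, strategy)
    (0, 1000, "primary", "mail"),
    (1000, 2000, "secondary", "message"),
    (2000, float("inf"), "tertiary", "voice"),
)


def failure_frequency(results, bucket_minutes=1):
    """Authentication failure frequency information: failed logins per time bucket.
    `results` holds (minute offset, login authentication result) pairs."""
    counts = {}
    for minute, result in results:
        bucket = (minute // bucket_minutes) * bucket_minutes
        counts.setdefault(bucket, 0)
        if result == "fail":
            counts[bucket] += 1
    return sorted(counts.items())


def fit_linear(points):
    """Least-squares line through (t, failures) points: the fitting function.
    Returns (slope, intercept); slope is failures per minute."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two points to fit a trend")
    mean_t = sum(t for t, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    var = sum((t - mean_t) ** 2 for t, _ in points)
    if var == 0:
        raise ValueError("all points share one timestamp")
    cov = sum((t - mean_t) * (y - mean_y) for t, y in points)
    slope = cov / var
    return slope, mean_y - slope * mean_t


def forecast(points, minutes_ahead):
    """Predicted authentication failure data N minutes after the last point.
    Returns (slope, predicted failure count)."""
    slope, intercept = fit_linear(points)
    last_t = points[-1][0]
    return slope, round(intercept + slope * (last_t + minutes_ahead))


@dataclass
class EarlyWarning:
    predicted: int
    difference: int
    grade: str
    strategy: str


def evaluate(points, minutes_ahead, threshold=ALARM_THRESHOLD) -> Optional[EarlyWarning]:
    """Step S50: warn only for an ascending trend whose prediction exceeds the threshold,
    grading the warning by the authentication failure difference."""
    slope, predicted = forecast(points, minutes_ahead)
    if slope <= 0:                     # preset condition: trend must be ascending
        return None
    if predicted <= threshold:
        return None
    difference = predicted - threshold
    for low, high, grade, strategy in LEVEL_TABLE:
        if low <= difference < high:
            return EarlyWarning(predicted, difference, grade, strategy)
    return None


# Constructed inputs: a few raw results, and per-minute failure counts read off the
# authentication curve (minute offset, failures). The curve rises 300 failures per minute.
SAMPLE_RESULTS = [(0, "fail"), (0, "success"), (0, "fail"), (1, "fail"), (2, "success")]
SAMPLE_CURVE = [(0, 200), (1, 500), (2, 800), (3, 1100), (4, 1400), (5, 1700)]

if __name__ == "__main__":
    print(failure_frequency(SAMPLE_RESULTS))
    print(evaluate(SAMPLE_CURVE, minutes_ahead=1))
```

With the sample curve the prediction one minute ahead is 2000, the difference to the threshold of 500 is 1500, and the warning is graded secondary, matching the worked numbers of the text.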
In addition, an embodiment of the present invention further provides a storage medium, where an early warning program based on authentication log data is stored on the storage medium, and when the early warning program based on the authentication log data is executed by a processor, the steps of the early warning method based on the authentication log data as described above are implemented.
Referring to fig. 5, fig. 5 is a block diagram illustrating a first embodiment of an early warning apparatus based on authentication log data according to the present invention.
As shown in fig. 5, the warning apparatus based on authentication log data according to an embodiment of the present invention includes:
the collection module 5001 is configured to collect a plurality of login authentication log data corresponding to the server cluster.
The processing module 5002 is configured to process the multiple login authentication log data according to a preset data conversion rule, so as to obtain multiple character encoded data.
An obtaining module 5003 is configured to obtain login timestamp information and login authentication results corresponding to the plurality of character encoded data, respectively.
A determining module 5004, configured to determine an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result.
The early warning module 5005 is configured to perform early warning prompting according to the authentication failure trend when the authentication failure trend meets a preset condition.
In this embodiment, a plurality of login authentication log data of a server cluster are collected first, then the login authentication log data are processed respectively according to a preset data conversion rule to obtain a plurality of character encoded data, login timestamp information and a login authentication result corresponding to the character encoded data are obtained respectively, an authentication failure trend within a preset time range is determined according to the login timestamp information and the login authentication result, and finally, when the authentication failure trend meets a preset condition, an early warning prompt is given according to the authentication failure trend. Compared with the prior art, in which the servers need to be manually logged in one by one, this embodiment only needs the login timestamp information and the login authentication result of the login authentication log data corresponding to the server cluster, and then performs an early warning prompt according to the login timestamp information and the login authentication result, so that early warning on the future authentication trend of the servers is realized, failures occurring on the servers are rapidly located, and labor cost and time cost are saved.
Further, the processing module 5002 is further configured to respectively obtain data acquisition times of a plurality of login authentication log data;
the processing module 5002 is further configured to sort the multiple login authentication log data according to the data acquisition time, and obtain an authentication log sorting result;
the processing module 5002 is further configured to process the multiple login authentication log data according to the authentication log sorting result and a preset data conversion rule, so as to obtain multiple character encoded data.
Further, the processing module 5002 is further configured to obtain authentication category information corresponding to a plurality of login authentication log data;
the processing module 5002 is further configured to determine whether the authentication category information meets a preset category condition;
the processing module 5002 is further configured to, when the authentication category information meets the preset category condition, respectively process the multiple login authentication log data according to the authentication log sorting result and a preset data conversion rule, so as to obtain multiple character encoded data.
Further, the processing module 5002 is further configured to determine, according to the preset category condition, target authentication information corresponding to the multiple login authentication log data respectively;
the processing module 5002 is further configured to process the target authentication information according to the authentication log sorting result and a preset data conversion rule, so as to obtain a plurality of character encoded data.
Further, the processing module 5002 is further configured to obtain an information storage amount of the target authentication information;
the processing module 5002 is further configured to determine whether the information storage amount is greater than or equal to a preset storage threshold;
the processing module 5002 is further configured to, when the information storage amount is greater than or equal to the preset storage threshold, perform the operation of processing the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character encoded data.
Further, the processing module 5002 is further configured to determine a missing log identifier according to the preset category condition and the authentication category information when the authentication category information does not satisfy the preset category condition;
the processing module 5002 is further configured to obtain missing authentication information according to the missing log identifier, and use login authentication log data corresponding to the authentication category information as authentication operation information;
the processing module 5002 is further configured to process the authentication operation information and the missing authentication information according to an authentication log sorting result and a preset data conversion rule, respectively, so as to obtain a plurality of character encoded data.
Further, the warning device based on the authentication log data comprises: a display module;
the display module is used for sequencing the character coded data according to the login timestamp information and the login authentication result to obtain a character code sequencing result;
the display module is further used for displaying the character coded data according to preset data display rules and the character code sequencing results.
Further, the determining module 5004 is further configured to generate an authentication graph according to the login timestamp information and the login authentication result;
the determining module 5004 is further configured to determine a fitting function value within a preset time range according to the authentication curve graph;
the determining module 5004 is further configured to determine an authentication failure trend according to the fitting function value and the login authentication result.
Further, the determining module 5004 is further configured to determine authentication failure frequency information according to the authentication graph;
the determining module 5004 is further configured to determine a historical authentication function value according to the authentication failure frequency information;
the determining module 5004 is further configured to determine a fitting function value within a preset time range according to the historical authentication function value.
Further, the early warning module 5005 is further configured to determine predicted authentication failure data according to the authentication failure trend when the authentication failure trend meets a preset condition;
the early warning module 5005 is further configured to determine whether the predictive authentication failure data is greater than a preset warning threshold;
the early warning module 5005 is further configured to perform early warning prompting according to the predictive authentication failure data when the predictive authentication failure data is greater than the preset warning threshold.
Further, the early warning module 5005 is further configured to determine an authentication failure difference according to the predicted authentication failure data and the preset warning threshold;
the early warning module 5005 is further configured to determine an authentication failure level according to the authentication failure difference;
the early warning module 5005 is further configured to determine a preset early warning policy according to the authentication failure level and the authentication failure difference;
the early warning module 5005 is further configured to perform early warning prompting according to the preset early warning policy and the predictive authentication failure data.
Other embodiments or specific implementation manners of the warning device based on the authentication log data may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., a rom/ram, a magnetic disk, an optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
The invention also discloses A1, an early warning method based on authentication log data, wherein the early warning method based on authentication log data comprises the following steps:
collecting a plurality of login authentication log data corresponding to a server cluster;
respectively processing the plurality of login authentication log data according to a preset data conversion rule to obtain a plurality of character coded data;
respectively acquiring login timestamp information and login authentication results corresponding to the character coded data;
determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result;
and when the authentication failure trend meets a preset condition, carrying out early warning prompt according to the authentication failure trend.
A2. The method according to A1, wherein the step of respectively processing the plurality of login authentication log data according to the preset data conversion rule to obtain the plurality of character coded data comprises:
respectively acquiring data collection times of the plurality of login authentication log data;
sorting the plurality of login authentication log data according to the data collection times to obtain an authentication log sorting result;
and respectively processing the login authentication log data according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
A3. The method according to A2, wherein the step of respectively processing the plurality of login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain the plurality of character coded data comprises:
respectively acquiring authentication category information corresponding to a plurality of login authentication log data;
judging whether the authentication category information meets a preset category condition or not;
and when the authentication category information meets the preset category condition, respectively processing a plurality of login authentication log data according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
A4. The method according to A3, wherein the step of respectively processing the plurality of login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain the plurality of character coded data comprises:
respectively determining target authentication information corresponding to a plurality of login authentication log data according to the preset category conditions;
and processing the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
A5. The method according to A4, wherein before the step of processing the target authentication information according to the authentication log sorting result and the preset data conversion rule to obtain the plurality of character coded data, the method further comprises:
acquiring the information storage amount of the target authentication information;
judging whether the information storage amount is larger than or equal to a preset storage threshold value or not;
and when the information storage amount is larger than or equal to the preset storage threshold value, executing the step of processing the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
A6. The method according to A3, wherein the step of judging whether the authentication category information meets the preset category condition further comprises:
when the authentication category information does not meet the preset category condition, determining a missing log identifier according to the preset category condition and the authentication category information;
acquiring missing authentication information according to the missing log identifier, and taking the login authentication log data corresponding to the authentication category information as authentication operation information;
and respectively processing the authentication operation information and the missing authentication information according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of character coded data.
A7. The method according to any one of A1 to A6, wherein the step of respectively acquiring the login timestamp information and the login authentication results corresponding to the plurality of character coded data further comprises:
sorting the character coded data according to the login timestamp information and the login authentication results to obtain a character code sorting result;
and displaying the character coded data according to a preset data display rule and the character code sorting result.
A8. The method according to any one of A1 to A6, wherein the step of determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result comprises:
generating an authentication curve graph according to the login timestamp information and the login authentication result;
determining a fitting function value within a preset time range according to the authentication curve graph;
and determining an authentication failure trend according to the fitting function value and the login authentication result.
A9. The method according to A8, wherein the step of determining a fitting function value within a preset time range according to the authentication curve graph comprises:
determining authentication failure frequency information according to the authentication curve graph;
determining a historical authentication function value according to the authentication failure frequency information;
and determining a fitting function value within a preset time range according to the historical authentication function value.
A10. The method according to A8, wherein the step of carrying out early warning prompt according to the authentication failure trend when the authentication failure trend meets a preset condition comprises:
when the authentication failure trend meets the preset condition, determining predicted authentication failure data according to the authentication failure trend;
judging whether the predicted authentication failure data is larger than a preset alarm threshold value or not;
and when the predicted authentication failure data is larger than the preset alarm threshold value, carrying out early warning prompt according to the predicted authentication failure data.
A11. The method according to A10, wherein the step of carrying out early warning prompt according to the predicted authentication failure data comprises:
determining an authentication failure difference value according to the predicted authentication failure data and the preset alarm threshold value;
determining an authentication failure level according to the authentication failure difference value;
determining a preset early warning strategy according to the authentication failure level and the authentication failure difference value;
and carrying out early warning prompt according to the preset early warning strategy and the predicted authentication failure data.
The invention also discloses B12, an early warning device based on authentication log data, wherein the early warning device based on authentication log data comprises:
a collection module, configured to collect a plurality of login authentication log data corresponding to a server cluster;
a processing module, configured to respectively process the plurality of login authentication log data according to a preset data conversion rule to obtain a plurality of character coded data;
an acquisition module, configured to respectively acquire login timestamp information and login authentication results corresponding to the plurality of character coded data;
the determining module is used for determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result;
and the early warning module is used for carrying out early warning prompt according to the authentication failure trend when the authentication failure trend meets the preset condition.
B13. The device according to B12, wherein the processing module is further configured to respectively acquire data collection times of the plurality of login authentication log data;
the processing module is further configured to sort the plurality of login authentication log data according to the data collection times to obtain an authentication log sorting result;
the processing module is further configured to process the multiple login authentication log data according to the authentication log sorting result and a preset data conversion rule, so as to obtain multiple character encoding data.
B14. The device according to B13, wherein the processing module is further configured to respectively acquire authentication category information corresponding to the plurality of login authentication log data;
the processing module is further configured to determine whether the authentication category information meets a preset category condition;
and the processing module is further configured to, when the authentication category information meets the preset category condition, respectively process the multiple login authentication log data according to the authentication log sorting result and a preset data conversion rule, so as to obtain multiple character encoding data.
B15. The device according to B14, wherein the processing module is further configured to respectively determine target authentication information corresponding to the plurality of login authentication log data according to the preset category condition;
the processing module is further configured to process the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character encoding data.
B16. The device according to any one of B12 to B15, wherein the determining module is further configured to generate an authentication curve graph according to the login timestamp information and the login authentication result;
the determining module is further configured to determine a fitting function value within a preset time range according to the authentication curve graph;
the determining module is further configured to determine an authentication failure trend according to the fitting function value and the login authentication result.
B17. The device according to B16, wherein the determining module is further configured to determine authentication failure frequency information according to the authentication curve graph;
the determining module is further configured to determine a historical authentication function value according to the authentication failure frequency information;
the determining module is further configured to determine a fitting function value within a preset time range according to the historical authentication function value.
B18. The device according to B17, wherein the early warning module is further configured to determine predicted authentication failure data according to the authentication failure trend when the authentication failure trend meets a preset condition;
the early warning module is further configured to judge whether the predicted authentication failure data is greater than a preset alarm threshold value;
the early warning module is further configured to carry out early warning prompt according to the predicted authentication failure data when the predicted authentication failure data is greater than the preset alarm threshold value.
The invention also discloses C19, an early warning device based on authentication log data, comprising: a memory, a processor, and an early warning program based on authentication log data that is stored in the memory and executable on the processor, wherein the early warning program based on authentication log data is configured to implement the steps of the early warning method based on authentication log data as described above.
The invention also discloses D20, a storage medium, wherein an early warning program based on authentication log data is stored on the storage medium, and the early warning program based on authentication log data, when executed by a processor, implements the steps of the early warning method based on authentication log data as described above.

Claims (9)

1. An early warning method based on authentication log data is characterized by comprising the following steps:
collecting a plurality of login authentication log data corresponding to a server cluster;
respectively processing the plurality of login authentication log data according to a preset data conversion rule to obtain a plurality of character coded data;
respectively acquiring login timestamp information and login authentication results corresponding to the plurality of character coded data, wherein the login timestamp information is in json format, and the login authentication results are in utf-8 encoded format;
determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result;
when the authentication failure trend meets a preset condition, carrying out early warning prompt according to the authentication failure trend;
the step of determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result includes:
generating an authentication curve graph according to the login timestamp information and the login authentication result;
determining authentication failure frequency information according to the authentication curve graph;
determining a historical authentication function value according to the authentication failure frequency information, wherein the historical authentication function value is authentication failure data corresponding to a plurality of login authentication log data;
determining a fitting function value within a preset time range according to the historical authentication function value, wherein the fitting function value is authentication failure data within the preset time range;
determining an authentication failure trend according to the fitting function value and the login authentication result;
the step of processing the multiple login authentication log data according to the preset data conversion rule to obtain multiple character coded data includes:
respectively determining target authentication information corresponding to a plurality of login authentication log data, wherein the target authentication information is user login information;
and processing the target authentication information according to a preset data conversion rule to obtain a plurality of character coded data.
2. The method according to claim 1, wherein the step of respectively processing the plurality of login authentication log data according to the preset data conversion rule to obtain the plurality of character coded data comprises:
respectively acquiring data collection times of the plurality of login authentication log data;
sorting the plurality of login authentication log data according to the data collection times to obtain an authentication log sorting result;
and respectively processing the plurality of login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of character coded data.
3. The method according to claim 2, wherein the step of respectively processing the plurality of login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain the plurality of character coded data comprises:
respectively acquiring authentication category information corresponding to a plurality of login authentication log data;
judging whether the authentication category information meets a preset category condition or not;
and when the authentication category information meets the preset category condition, respectively processing a plurality of login authentication log data according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
4. The method as claimed in claim 3, wherein the step of processing the plurality of login authentication log data according to the authentication log sorting result and the preset data conversion rule to obtain a plurality of character encoded data comprises:
respectively determining target authentication information corresponding to a plurality of login authentication log data according to the preset category conditions;
and processing the target authentication information according to the authentication log sorting result and a preset data conversion rule to obtain a plurality of character coded data.
5. The method according to any one of claims 1 to 4, wherein the step of respectively acquiring the login timestamp information and the login authentication results corresponding to the plurality of character coded data further comprises:
sorting the character coded data according to the login timestamp information and the login authentication results to obtain a character code sorting result;
and displaying the character coded data according to a preset data display rule and the character code sorting result.
6. The method according to claim 1, wherein the step of carrying out early warning prompt according to the authentication failure trend when the authentication failure trend meets a preset condition comprises:
when the authentication failure trend meets the preset condition, determining predicted authentication failure data according to the authentication failure trend;
judging whether the predicted authentication failure data is larger than a preset alarm threshold value or not;
and when the predicted authentication failure data is larger than the preset alarm threshold value, carrying out early warning prompt according to the predicted authentication failure data.
7. An early warning device based on authentication log data, characterized in that the early warning device based on authentication log data comprises:
a collection module, configured to collect a plurality of login authentication log data corresponding to a server cluster;
a processing module, configured to respectively process the plurality of login authentication log data according to a preset data conversion rule to obtain a plurality of character coded data;
an acquisition module, configured to respectively acquire login timestamp information and login authentication results corresponding to the plurality of character coded data, wherein the login timestamp information is in json format, and the login authentication results are in utf-8 format;
the determining module is used for determining an authentication failure trend within a preset time range according to the login timestamp information and the login authentication result;
the early warning module is used for carrying out early warning prompt according to the authentication failure trend when the authentication failure trend meets the preset condition;
the determining module is further configured to generate an authentication curve graph according to the login timestamp information and the login authentication result;
the determining module is further configured to determine authentication failure frequency information according to the authentication curve graph;
the determining module is further configured to determine a historical authentication function value according to the authentication failure frequency information, where the historical authentication function value is authentication failure data corresponding to multiple login authentication log data;
the determining module is further configured to determine a fitting function value within a preset time range according to the historical authentication function value, where the fitting function value is authentication failure data within the preset time range;
the determining module is further used for determining an authentication failure trend according to the fitting function value and the login authentication result;
the processing module is further configured to determine target authentication information corresponding to the multiple login authentication log data, respectively, where the target authentication information is user login information;
the processing module is further configured to process the target authentication information according to a preset data conversion rule to obtain a plurality of character encoded data.
8. An early warning device based on authentication log data, the device comprising: a memory, a processor, and an early warning program based on authentication log data that is stored in the memory and executable on the processor, the early warning program based on authentication log data being configured to implement the steps of the early warning method based on authentication log data according to any one of claims 1 to 6.
9. A storage medium, wherein the storage medium stores thereon an authentication log data-based warning program, and the authentication log data-based warning program, when executed by a processor, implements the steps of the authentication log data-based warning method according to any one of claims 1 to 6.
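The pipeline claimed above (A1 to A11 and claims 1 to 6) is stated abstractly: collect and sort the login authentication logs, keep only the preset category, re-encode each record as character data, count failures over time, fit a function to the history, predict the next value, and alert when the prediction exceeds a threshold, grading the alert by how far it overshoots. The following is an added, self-contained illustration of that flow written for this page; it is not code from the patent or its assignee. Everything concrete in it is an assumption that the patent leaves open: the JSON log layout and field names, the one-minute bucket, the ordinary least-squares line as the "fitting function", the storage threshold of four records, the alarm threshold, the difference-to-level bands and the per-level strategies. The log lines are constructed, and their collection order is deliberately shuffled so the sort step does real work.

```python
"""Added illustration of the early-warning pipeline in A1-A11 / claims 1-6.
Not code from the patent: log format, field names, the one-minute bucket,
the least-squares fit, thresholds and level bands are all assumptions."""
import json
from datetime import datetime, timedelta, timezone

# ---- preset parameters (assumed values; the patent fixes none of them) ----
PRESET_CATEGORY = "login"      # preset category condition (A3)
PRESET_STORAGE_MIN = 4         # preset storage threshold: minimum usable records (A5)
BUCKET = timedelta(minutes=1)  # granularity of the failure-frequency series (A9)
ALARM_THRESHOLD = 3            # preset alarm threshold on predicted failures (A10)
LEVELS = [(0, "notice"), (1, "warning"), (3, "critical")]  # difference -> level (A11)
STRATEGIES = {"notice": "record only", "warning": "notify on-call",
              "critical": "page on-call"}                  # preset strategy per level

T0 = datetime(2021, 8, 23, 10, 0, tzinfo=timezone.utc)
# Constructed sample: (seconds after T0, user, result, category), in shuffled
# collection order so that the sort step (A2) is exercised.
_SPEC = [
    (10, "alice", "success", "login"),
    (75, "bob", "fail", "login"),
    (130, "bob", "fail", "login"),
    (150, "carol", "fail", "login"),
    (20, "dave", "success", "login"),
    (185, "bob", "fail", "login"),
    (200, "bob", "fail", "login"),
    (215, "erin", "fail", "login"),
    (40, "root", "success", "sudo"),  # not a login event; dropped by the category check
]
SAMPLE_LOG_LINES = [
    json.dumps({"collect_time": (T0 + timedelta(seconds=s)).isoformat(),
                "user": u, "result": r, "category": c})
    for s, u, r, c in _SPEC
]


def encode_records(lines):
    """A2-A5: sort by collection time, keep the preset category, reduce each record
    to the target authentication information and re-encode it as UTF-8 JSON bytes."""
    parsed = [json.loads(line) for line in lines]
    parsed.sort(key=lambda r: r["collect_time"])  # ISO-8601 strings sort chronologically
    targets = [r for r in parsed if r["category"] == PRESET_CATEGORY]
    if len(targets) < PRESET_STORAGE_MIN:          # A5: too little data to fit a trend
        return []
    return [json.dumps({"ts": r["collect_time"], "user": r["user"],
                        "result": r["result"]}).encode("utf-8") for r in targets]


def failure_series(encoded):
    """A9: failures per bucket from the first to the last timestamp, zero-filled
    (the historical authentication function values)."""
    recs = [json.loads(b.decode("utf-8")) for b in encoded]
    times = [datetime.fromisoformat(r["ts"]) for r in recs]
    first = min(times)
    midnight = first.replace(hour=0, minute=0, second=0, microsecond=0)
    start = first - (first - midnight) % BUCKET   # align the grid to BUCKET boundaries
    counts = [0] * (int((max(times) - start) / BUCKET) + 1)
    for t, r in zip(times, recs):
        if r["result"] == "fail":
            counts[int((t - start) / BUCKET)] += 1
    return counts


def fit_linear(ys):
    """A8: least-squares line through (i, ys[i]); returns (slope, intercept)."""
    n = len(ys)
    xm, ym = (n - 1) / 2, sum(ys) / n
    sxx = sum((i - xm) ** 2 for i in range(n))
    sxy = sum((i - xm) * (y - ym) for i, y in enumerate(ys))
    slope = sxy / sxx if sxx else 0.0
    return slope, ym - slope * xm


def predict_failures(counts, steps_ahead=1):
    """A10: the fitting function value one bucket past the observed history."""
    slope, intercept = fit_linear(counts)
    return max(0.0, intercept + slope * (len(counts) - 1 + steps_ahead))


def warning_decision(predicted, threshold=ALARM_THRESHOLD):
    """A10/A11: None at or below the alarm threshold; otherwise the difference,
    the level band it falls in and the preset strategy for that level."""
    if predicted <= threshold:
        return None
    diff = predicted - threshold
    level = next(name for bound, name in reversed(LEVELS) if diff >= bound)
    return {"diff": diff, "level": level, "strategy": STRATEGIES[level]}


def run_pipeline(lines):
    """A1 end to end. The 'preset condition' on the trend is taken to be a
    rising slope, so a flat or falling failure series never alerts."""
    encoded = encode_records(lines)
    if not encoded:
        return {"status": "insufficient_data"}
    counts = failure_series(encoded)
    slope, _ = fit_linear(counts)
    predicted = predict_failures(counts)
    decision = warning_decision(predicted) if slope > 0 else None
    return {"status": "ok", "counts": counts, "slope": slope,
            "predicted": predicted, "decision": decision}
```

On the sample, the login failures per minute come out as 0, 1, 2, 3; the fitted line has slope 1 and predicts 4 failures in the next minute, which exceeds the assumed threshold of 3 by 1 and therefore lands in the "warning" band. Two of the claimed guards are visible in the code: the category filter drops the sudo record before encoding, and the storage threshold returns "insufficient_data" rather than fitting a line through fewer than four records, which is the failure mode a least-squares trend on a handful of points would otherwise produce.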
CN202110964769.5A 2021-08-23 2021-08-23 Early warning method, device, equipment and storage medium based on authentication log data Active CN113420286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110964769.5A CN113420286B (en) 2021-08-23 2021-08-23 Early warning method, device, equipment and storage medium based on authentication log data

Publications (2)

Publication Number Publication Date
CN113420286A CN113420286A (en) 2021-09-21
CN113420286B true CN113420286B (en) 2021-12-24

Family

ID=77719059

Country Status (1)

Country Link
CN (1) CN113420286B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101197676A (en) * 2006-12-04 2008-06-11 株式会社日立制作所 Authentication system managing method
US7653633B2 (en) * 2005-11-12 2010-01-26 Logrhythm, Inc. Log collection, structuring and processing
US10425432B1 (en) * 2016-06-24 2019-09-24 EMC IP Holding Company LLC Methods and apparatus for detecting suspicious network activity
CN112231698A (en) * 2020-09-29 2021-01-15 新华三信息安全技术有限公司 Attack detection method, device and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120246303A1 (en) * 2011-03-23 2012-09-27 LogRhythm Inc. Log collection, structuring and processing

Also Published As

Publication number Publication date
CN113420286A (en) 2021-09-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant