CN116561383A - Network security log analysis method, device, equipment and storage medium - Google Patents

Info

Publication number: CN116561383A
Authority: CN (China)
Prior art keywords: data, target, graph, preset, data source
Legal status: Pending
Application number: CN202310548763.9A
Other languages: Chinese (zh)
Inventors: 黄道旭, 王文斌, 陈龙, 董晓琼
Current Assignee: Ping An Technology Shenzhen Co Ltd
Original Assignee: Ping An Technology Shenzhen Co Ltd
Application filed by Ping An Technology Shenzhen Co Ltd; priority to CN202310548763.9A; publication of CN116561383A

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9024Graphs; Linked lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/903Querying
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science
  • Databases & Information Systems
  • Theoretical Computer Science
  • Data Mining & Analysis
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Software Systems
  • Computational Linguistics
  • Information Retrieval, Db Structures And Fs Structures Therefor

Abstract

The invention relates to artificial intelligence technology, and discloses a network security log analysis method, which comprises the following steps: carrying out composition processing on the obtained weblog data, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database; according to the obtained target search statement, obtaining graph data corresponding to a target point data source in the target search statement from the preset graph database as target graph data; and carrying out security analysis on the related data of the target point data source in the target graph data according to the data security judgment conditions in the target search statement, and generating security analysis results about the target point data source. The invention also relates to blockchain technology, and the preset graph database is stored in the blockchain. The invention can solve the problems of large model parameter number, reduced model running speed, inconvenient deployment of the model in mobile terminal equipment with higher real-time requirement, and the like in the prior art.

Description

Network security log analysis method, device, equipment and storage medium
Technical Field
The present invention relates to the field of big data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for analyzing a network security log.
Background
The main objects of the network security log analysis are connection information and payload information in traffic, and auxiliary information such as external reports is also contained, the scattered logs are aggregated to a big data platform by applying big data technology, and network security data mining is carried out by adopting efficient collection, storage, retrieval analysis and other means, so that the analysis efficiency when mass data are faced is improved, and meanwhile, internal links are mined by adopting the means of association analysis, modeling and the like, so that the event detection rate is improved.
The traditional network security log analysis is mainly based on rule policy configuration at the rear end of a security platform, the information such as integral network connection and the like cannot be connected in series, the characteristics of the rule policy are single, and the association analysis modeling can only be carried out on the current data or the data within the context limit range; the traditional graph database has a performance bottleneck caused by the fact that analysis of mass data is not supported, or has extremely high application cost, the application of resources is limited, the application assembly is not enough in openness, interfaces cannot be customized, most of user integration uses official integration tools, and unified importing is performed after standard formatting; in addition, in terms of event alarms and specific data export, the traditional mode needs to depend on developers, and a general export template is not available.
In summary, the existing network security log analysis technology has the problems of incomplete network connection information series connection, single characteristic of rule strategies, difficult visualization and the like.
Disclosure of Invention
The invention provides a network security log analysis method, a device, equipment and a storage medium, which mainly aim to solve the problems that in the prior art the network security log analysis technology connects network connection information in series incompletely, the characteristics of the rule strategy are single, visualization is difficult, and the like.
In order to achieve the above object, a method for analyzing a web security log according to the present invention includes:
carrying out composition processing on the obtained weblog data, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database;
according to the obtained target search statement, obtaining graph data corresponding to a target point data source in the target search statement from the preset graph database as target graph data; the target search statement comprises a target point data source and a data security judgment condition;
Performing security analysis on related data of a target point data source in the target graph data according to the data security judgment conditions in the target search statement, and generating a security analysis result about the target point data source;
and labeling the corresponding positions of the target graph data according to the security analysis result, generating target graph data with the security analysis label, and taking the target graph data with the security analysis label and the related data of the target point data source as the output result of the target search statement.
In a second aspect, to solve the above-mentioned problem, the present invention also provides a network security log analysis apparatus, the apparatus including:
the composition module is used for performing composition processing on the acquired weblog data, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database;
the searching module is used for acquiring graph data corresponding to a target point data source in the target search statement from the preset graph database according to the acquired target search statement, and taking the graph data as target graph data; the target search statement comprises a target point data source and a data security judgment condition;
The analysis module is used for carrying out safety analysis on the related data of the target point data source in the target graph data according to the data safety judgment conditions in the target search statement, and generating a safety analysis result about the target point data source;
and the output module is used for marking the corresponding position of the target graph data according to the security analysis result, generating target graph data with the security analysis mark, and taking the target graph data with the security analysis mark and the related data of the target point data source as the output result of the target search statement.
In order to solve the above-mentioned problems, the present invention also provides an electronic device including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the steps of the weblog analysis method as described above.
In a fourth aspect, in order to solve the above-mentioned problems, the present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the network security log analysis method as described above.
According to the network security log analysis method, the device, the equipment and the storage medium, the graph data are obtained by the composition processing of the network log data, the characteristic and the series information of the relation network are found by utilizing the multi-path links at the point edges in the graph data, the inquiry of the ultra-long connection relation is supported, the network connection information is connected in series completely, and the information omission during the data analysis is avoided; the corresponding target graph data is obtained from the preset graph database through the target search statement, the relevant data of the target point data source in the target graph data are subjected to safety analysis by utilizing the data safety judgment conditions in the target search statement, the analysis result is marked at the corresponding position of the target graph data, the target graph data with the safety analysis mark and the relevant data of the target point data source are used as the output result of the target search statement, the analysis mode based on the conventional rule strategy configuration is broken, the visualization degree of network safety data analysis is increased, and the analysis efficiency and the event detection rate are improved.
Drawings
Fig. 1 is a flow chart of a method for analyzing a web security log according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a network security log analysis device according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an internal structure of an electronic device for implementing a network security log analysis method according to an embodiment of the present invention;
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The embodiment of the application can acquire and process the related data based on artificial intelligence technology. Here, artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.
Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
The invention provides a network security log analysis method. Referring to fig. 1, a flow chart of a method for analyzing a web security log according to an embodiment of the invention is shown. The method may be performed by an apparatus, which may be implemented in software and/or hardware.
In this embodiment, the network security log analysis method includes:
and step S110, carrying out composition processing on the obtained weblog data, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database.
Specifically, the network security platform acquires the network security log data, and composition processing is performed on the point data sources in it, where a point data source is an entity that generates data, such as a server. Point data sources are connected through edge data sources to obtain graph data. For example, server A connects to server B through the root account over the ssh protocol; server A and server B are then regarded as two different point data sources, the data generated during transmission between them is point data, and the information that connects them (the ssh protocol, the login account, the designated port number and so on) is the association relationship between the two point data sources, that is, the edge data source. Taking the network connection point-edge relationship actually constructed in the project as an example, the point data sources are server and process, and a connection relationship between a server point and a process point is formed through the net_connect and access edge data sources. The obtained graph data is stored in a preset graph database to facilitate subsequent querying and use.
As an optional embodiment of the present invention, before performing composition processing on the obtained weblog data, and connecting each two point data sources in the weblog data through an edge data source to obtain graph data, and storing the graph data in a preset graph database, the method further includes:
acquiring online data generated by the weblog in real time by adopting data writing software and acquiring offline data generated by the weblog from a preset offline data storage library according to preset frequency;
the online data and the offline data are taken as weblog data.
Specifically, the weblog data is generated in real time, and later tasks require it to land in a database or hive for later tracing, so the weblog is written in real time through kafka (the data writing software) and the same landed portion of data is stored in a hive warehouse (i.e. the preset offline data storage library); these serve as the online data source and the offline data source respectively in graph data exploration. The online data is acquired in real time by the writing software, and the offline data is acquired from the preset offline data storage library at a preset frequency, for example once a day.
As an optional embodiment of the present invention, the preset graph database is stored in a blockchain, and performing composition processing on the obtained weblog data, connecting each two point data sources in the weblog data through an edge data source to obtain graph data, and storing the graph data in the preset graph database includes:
performing data structuring treatment on offline data acquired according to preset frequency to obtain offline structured data;
customizing the offline structured data to enable data generated by point data sources in the offline structured data to be subjected to data processing according to preset data indexes, so as to obtain customized offline data;
and carrying out composition processing on the customized offline data and the online data acquired in real time, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database.
Specifically, the offline data helps operators better understand the data generated by a certain point data source or edge data source, and customized data processed before graph data generation can generally assist security operators in subsequent event discovery. The offline data therefore first undergoes data structuring processing and is then customized according to preset data indexes, such as the counted number of network connections, the connection interval, and the number of different attack techniques within the same attack type. The online data serves as the original data of the connection information and is used later by operators when tracing back to the original data. Composition processing is performed on the customized offline data and the online data acquired in real time to obtain the graph data, which is stored in the preset graph database.
As an optional embodiment of the present invention, performing composition processing on customized offline data and online data acquired in real time, so that each two point data sources in the weblog data are connected through an edge data source to obtain graph data, and storing the graph data in a preset graph database, includes:
positioning point data sources in online data acquired in real time, and establishing a connected side data source between every two point data sources to obtain primary graph data;
based on the same point data source, establishing a corresponding relation between the customized offline data and the primary graph data to obtain graph data, and storing the graph data into a preset graph database.
Specifically, the online data is used as the original data of the connection information to be composed, that is, point data sources are located from the online data acquired in real time. For example, the entity that generates service data A is server A, so service data A acquired in real time is located to server A; the entity that generates service data B is server B; server A and server B are connected through information such as the ssh protocol, the login account and the designated port number, and that information is used as the edge data source between the two, and so on, so as to obtain the primary graph data composed from the online data. Then the point data sources in the customized offline data are determined, the same point data sources in the primary graph data are found, and a correspondence is established between the customized offline data of each point data source and the corresponding point data source in the primary graph data, so as to obtain the graph data.
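The composition procedure described above (locating point data sources in online records, building the edge data source between each pair, then attaching customized offline data on the same point data source) as an added example in Python; this is not code from the patent or from the assignee, and the log line format, the offline metric names, and the rule that ssh logins form an access edge while other connections form a net_connect edge are all constructed assumptions:

```python
# Added example, not the patent's own implementation. Input formats are constructed.
from collections import defaultdict

# Constructed online log lines: timestamp, source server, destination server,
# protocol, login account, port. Point data = the per-connection records.
ONLINE_LOGS = [
    "2023-05-01T10:00:01 srcA dstB ssh root 22",
    "2023-05-01T10:00:05 srcA dstB ssh root 22",
    "2023-05-01T10:01:00 srcB dstC ssh deploy 2222",
    "2023-05-01T10:02:00 srcA dstC http www 80",
]

# Constructed customized offline data: preset data indexes keyed by point data source.
# "srcZ" has no counterpart in the online data and must be reported, not silently dropped.
OFFLINE_METRICS = {
    "srcA": {"connect_count": 3, "avg_interval_s": 30.0},
    "dstB": {"connect_count": 2, "avg_interval_s": 4.0},
    "srcZ": {"connect_count": 9, "avg_interval_s": 1.0},
}


def edge_type(protocol):
    """Assumed mapping: an ssh login is an 'access' edge, anything else 'net_connect'."""
    return "access" if protocol == "ssh" else "net_connect"


def parse_online(lines):
    """Locate point data sources in the online data and build the edge data source
    between every two of them. Returns primary graph data: vertices keyed by id and
    edges keyed by (src, dst, protocol, account, port), each edge carrying its
    edge type and the list of record timestamps (the edge data)."""
    vertices = {}
    edges = defaultdict(lambda: {"type": None, "records": []})
    for line in lines:
        ts, src, dst, proto, account, port = line.split()
        for v in (src, dst):
            vertices.setdefault(v, {"tag": "server", "props": {}})
        key = (src, dst, proto, account, int(port))
        edges[key]["type"] = edge_type(proto)
        edges[key]["records"].append(ts)
    return {"vertices": vertices, "edges": dict(edges)}


def attach_offline(graph, offline):
    """Establish the correspondence between customized offline data and the primary
    graph data on the same point data source. Offline entries whose point data source
    never appeared online are returned separately so an operator can review them."""
    unmatched = []
    for vid, metrics in offline.items():
        if vid in graph["vertices"]:
            graph["vertices"][vid]["props"].update(metrics)
        else:
            unmatched.append(vid)
    return graph, unmatched


def build_graph(online_lines, offline):
    """Full composition step: primary graph from online data, then offline correspondence."""
    return attach_offline(parse_online(online_lines), offline)


if __name__ == "__main__":
    graph, unmatched = build_graph(ONLINE_LOGS, OFFLINE_METRICS)
    for key, edge in graph["edges"].items():
        print(key, edge["type"], len(edge["records"]), "record(s)")
    print("offline entries without a point data source:", unmatched)
```

The edge key keeps protocol, account and port, so two ssh sessions from srcA to dstB by the same account collapse into one edge data source with two records, which is the aggregation the analysis step later counts over; a different account or port would form a separate edge.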
As an optional embodiment of the present invention, after performing composition processing on the obtained weblog data, connecting each two point data sources in the weblog data through an edge data source to obtain graph data, and storing the graph data in a preset graph database, the method further includes:
taking a searchable field in the preset graph database as an index field;
and creating an index corresponding to the graph data based on the index field in a preset graph database.
Specifically, to facilitate subsequent search requirements, an index is established for the graph data in the preset graph database. The index is created in essentially the same way as in a traditional database: an index field is obtained from the preset graph database and the index is created on it, for example, CREATE TAG INDEX 'server_ennameabbr' ON 'server' (30); REBUILD TAG INDEX server_ennameabbr.
Step S120, according to the obtained target search statement, obtaining graph data corresponding to a target point data source in the target search statement from the preset graph database as target graph data; the target search statement comprises a target point data source and a data security judgment condition.
Specifically, by inputting a target search statement, graph data corresponding to the target point data source in the target search statement is acquired from the preset graph database. For example, inputting MATCH (v:server)-[e:access|net_connect]->(v2:server) queries the graph data between the point data sources v and v2; there can be multiple edge data sources between two point data sources, and each edge data source corresponds to its own edge data. The graph data corresponding to the target point data source in the target search statement is thus obtained from the preset graph database as the target graph data.
As an optional embodiment of the present invention, according to the obtained target search statement, graph data corresponding to a target point data source in the target search statement is obtained from a preset graph database as target graph data, including:
acquiring a target search statement, and analyzing a target point data source and a data security judgment condition of the target search statement according to the target search statement;
and obtaining graph data corresponding to the target point data source from a preset graph database as target graph data.
Specifically, the target search statement includes a target point data source and a data security judgment condition. For example, if the connection links from the point data source v to the point data source v2 are to be searched, MATCH (v:server)-[e:access|net_connect]->(v2:server) is input, and the graph data of all connection lines from the point data source v to the point data source v2, i.e. the target graph data, is obtained.
And step S130, carrying out security analysis on related data of a target point data source in the target graph data according to the data security judgment conditions in the target search statement, and generating security analysis results about the target point data source.
Specifically, security analysis is performed on the relevant data of the target point data source in the target graph data through the data security judgment conditions, for example whether the number of times a certain edge data source between the point data source v and the point data source v2 has been attacked reaches a preset attack threshold: if the threshold is reached, that edge data source has a security problem; if it is not reached, that edge data source has no security problem; and the corresponding security analysis result is generated accordingly. The relevant data of the target point data source includes the data information of the point data source and the data information of the edge data sources between point data sources. The data information of a point data source may specifically include attribute information of the point data source itself and changing service information, for example attribute information such as the IP address, machine room location, the company to which the server IP belongs and the server administrator, and service information such as the service object.
As an optional embodiment of the present invention, performing security analysis on data information in the target graph data according to the data security determination condition in the target search statement, generating a security analysis result regarding the target point data source includes:
Acquiring related data of a target point data source from target graph data; wherein the related data comprises data information of a target point data source and data information of an edge data source between the target point data sources;
and analyzing the related data of the target point data source according to the data safety judgment condition, and generating a safety analysis result about the target point data source.
Specifically, the related data of the target point data source is obtained from the target graph data, where the related data includes the data information of the target point data source and the data information of the edge data sources between target point data sources; security analysis is then performed on that related data according to the data security judgment conditions in the target search statement, generating a security analysis result about the target point data source. For example, the target search statement is: MATCH (v:server)-[e:access|net_connect]->(v2:server) WHERE v.environment IN ['HEV:HPR', 'HEV:HSG'] AND v2.environment IN ['HEV:HPR', 'HEV:HSG'] AND e.pname IN ['frp', 'frpc', 'frps'] RETURN v, e, v2. The pattern after MATCH indicates the target point data sources, i.e. v to v2, and the corresponding target graph data is obtained from the preset graph database according to it; the condition after WHERE performs the security analysis on the related data of the target point data source in the target graph data: a safe analysis result is generated when the related data meets the condition, and an unsafe analysis result when it does not; the target graph data is marked according to the analysis result, and when an unsafe analysis result is generated, early warning information is generated and an early warning prompt is given.
And step S140, labeling the corresponding positions of the target graph data according to the security analysis result, generating the target graph data with the security analysis label, and taking the target graph data with the security analysis label and the related data of the target point data source as the output result of the target search statement.
Specifically, the corresponding positions of the target graph data are marked according to the security analysis result about the target point data source, for example, the edge data source with the security problem and the edge data source without the security problem are marked by lines with different colors, so that operators can distinguish the edge data source with the security problem from the marked target graph data. And taking the target graph data with the security analysis labels and the related data of the target point data source as the output result of the target search statement.
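Steps S120 to S140 as one added example in Python, not code from the patent or its assignee: the MATCH pattern and WHERE clause quoted above are evaluated over an in-memory target graph, each matched edge is judged by the attack-count threshold from the earlier example, and edges are then labeled with a colour so the output carries the analysis mark together with the related data of the target point data sources. The sample vertices and edges, the threshold value, the attack_count property and the colour names are constructed; the environment and pname property names and the value lists come from the quoted statement.

```python
# Added example, not the patent's own implementation. Graph contents are constructed.

# Constructed target graph data: vertices keyed by id with tag and attribute information,
# edges as dicts carrying src, dst, the edge data source type and the edge data.
VERTICES = {
    "v1": {"tag": "server", "environment": "HEV:HPR", "ip": "10.0.0.1", "admin": "ops-a"},
    "v2": {"tag": "server", "environment": "HEV:HSG", "ip": "10.0.0.2", "admin": "ops-b"},
    "v3": {"tag": "server", "environment": "HEV:DEV", "ip": "10.0.0.3", "admin": "ops-c"},
}
EDGES = [
    {"src": "v1", "dst": "v2", "type": "net_connect", "pname": "frpc", "attack_count": 5},
    {"src": "v1", "dst": "v2", "type": "access", "pname": "sshd", "attack_count": 0},
    {"src": "v2", "dst": "v3", "type": "net_connect", "pname": "frps", "attack_count": 1},
]

ATTACK_THRESHOLD = 3  # constructed preset attack threshold from the step S130 example


def match_edges(vertices, edges, src_tag="server", dst_tag="server",
                edge_types=("access", "net_connect")):
    """Step S120: the MATCH (v:server)-[e:access|net_connect]->(v2:server) pattern.
    Returns (v_id, edge, v2_id) triples, i.e. the target graph data."""
    triples = []
    for e in edges:
        v, v2 = vertices[e["src"]], vertices[e["dst"]]
        if v["tag"] == src_tag and v2["tag"] == dst_tag and e["type"] in edge_types:
            triples.append((e["src"], e, e["dst"]))
    return triples


def where_clause(v, e, v2, envs=("HEV:HPR", "HEV:HSG"), pnames=("frp", "frpc", "frps")):
    """The WHERE condition of the quoted statement, evaluated on one (v, e, v2) triple."""
    return (v["environment"] in envs and v2["environment"] in envs
            and e["pname"] in pnames)


def analyze(vertices, edges, threshold=ATTACK_THRESHOLD):
    """Step S130: for every matched edge, record whether it satisfies the WHERE clause
    and whether its attack count reaches the preset threshold (the security problem)."""
    results = []
    for vid, e, v2id in match_edges(vertices, edges):
        v, v2 = vertices[vid], vertices[v2id]
        results.append({
            "src": vid, "dst": v2id, "edge": e,
            "where_hit": where_clause(v, e, v2),
            "security_problem": e["attack_count"] >= threshold,
        })
    return results


def output_result(vertices, edges, threshold=ATTACK_THRESHOLD):
    """Step S140: mark each edge (red = security problem, green = none) and return the
    labeled target graph data together with the related data of the point data sources."""
    results = analyze(vertices, edges, threshold)
    labeled_edges = [
        {**r["edge"], "label": "red" if r["security_problem"] else "green",
         "where_hit": r["where_hit"]}
        for r in results
    ]
    involved = {r["src"] for r in results} | {r["dst"] for r in results}
    return {
        "graph": labeled_edges,
        "related": {vid: vertices[vid] for vid in sorted(involved)},
        "alerts": [(r["src"], r["dst"], r["edge"]["pname"]) for r in results
                   if r["security_problem"]],
    }


if __name__ == "__main__":
    out = output_result(VERTICES, EDGES)
    for e in out["graph"]:
        print(e["src"], "->", e["dst"], e["type"], e["pname"], e["label"], e["where_hit"])
    print("alerts:", out["alerts"])
```

The WHERE hit and the threshold verdict are kept as separate fields on purpose: the quoted statement selects a family of process names in two environments, while the earlier threshold example decides the security problem, and an operator reading the labeled graph can see both without one overwriting the other.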
As shown in fig. 2, a functional block diagram of a network security log analysis device according to an embodiment of the present invention is shown.
The network security log analysis apparatus 200 of the present invention may be installed in an electronic device. According to the implemented functions, the network security log analysis device may include a composition module 210, a search module 220, an analysis module 230, and an output module 240. A module of the present invention may also be referred to as a unit, meaning a series of computer program segments stored in the memory of the electronic device, executable by its processor, and performing fixed functions.
In the present embodiment, the functions concerning the respective modules/units are as follows:
the composition module 210 is configured to perform composition processing on the obtained weblog data, connect every two point data sources in the weblog data through an edge data source to obtain graph data, and store the graph data into a preset graph database.
Specifically, the network security platform acquires the network security log data, and composition processing is performed on the point data sources in it, where a point data source is an entity that generates data, such as a server. Point data sources are connected through edge data sources to obtain graph data. For example, server A connects to server B through the root account over the ssh protocol; server A and server B are then regarded as two different point data sources, the data generated during transmission between them is point data, and the information that connects them (the ssh protocol, the login account, the designated port number and so on) is the association relationship between the two point data sources, that is, the edge data source. Taking the network connection point-edge relationship actually constructed in the project as an example, the point data sources are server and process, and a connection relationship between a server point and a process point is formed through the net_connect and access edge data sources. The obtained graph data is stored in a preset graph database to facilitate subsequent querying and use.
As an alternative embodiment of the present invention, the network security log analysis device 200 further includes a data acquisition module and a weblog data acquisition module (not shown in the figure). Wherein,
the data acquisition module is used for acquiring online data generated by the weblog in real time by adopting data writing software and acquiring offline data generated by the weblog from a preset offline data storage library according to preset frequency;
and the weblog data acquisition module is used for taking the online data and the offline data as weblog data.
Specifically, the weblog data is generated in real time, and later tasks require it to land in a database or hive for later tracing, so the weblog is written in real time through kafka (the data writing software) and the same landed portion of data is stored in a hive warehouse (i.e. the preset offline data storage library); these serve as the online data source and the offline data source respectively in graph data exploration. The online data is acquired in real time by the data acquisition module using the writing software, and the offline data is acquired from the preset offline data storage library at a preset frequency, for example once a day, so that the weblog data acquisition module can take the online data and the offline data as the weblog data for subsequent composition processing.
As an alternative embodiment of the present invention, the composition module 210 further includes a structuring unit, a customizing unit and a composition unit (not shown), wherein:
the structuring unit is used for carrying out data structuring processing on the offline data acquired according to the preset frequency to obtain the offline structured data;
the customizing unit is used for customizing the offline structured data, so that data generated by a point data source in the offline structured data are subjected to data processing according to preset data indexes to obtain customized offline data;
the composition unit is used for performing composition processing on the customized offline data and the online data acquired in real time, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database.
Specifically, the offline data helps operators to better understand the data situation generated by a particular point data source or edge data source, and customized data processed before graph data generation can generally assist security operators in subsequent event discovery. The offline data is therefore first structured by the structuring unit, and the offline structured data is then customized by the customizing unit according to preset data indexes, such as the counted number of network connections, the connection interval, and the number of different attack techniques within the same attack type. The online data serves as the original connection information and as the raw data that operators trace back to. Finally, the customized offline data and the online data acquired in real time are composed by the composition unit to obtain the graph data, which is stored in the preset graph database.
As an alternative embodiment of the invention, the composition unit further comprises a primary composition subunit and a corresponding composition subunit (not shown in the figures), wherein:
the primary composition subunit is used for locating the point data sources in the online data acquired in real time, and establishing a connecting edge data source between every two point data sources to obtain primary graph data;
and the corresponding composition subunit is used for establishing a corresponding relation between the customized offline data and the primary graph data based on the same point data source to obtain graph data, and storing the graph data into a preset graph database.
Specifically, the primary composition subunit composes the original data using the online data as the connection information: the point data sources are located from the online data acquired in real time. For example, if the generating entity of service data A is server A, the generating entity of the service data A acquired in real time is located to server A, and likewise the generating entity of service data B is located to server B. Server A and server B are connected through information such as the ssh protocol, the login account and the designated port number, and this information is taken as the edge data source between the two. Proceeding in this way yields the primary graph data composed from the online data. The corresponding composition subunit then determines the point data sources in the customized offline data, finds the same point data sources in the primary graph data, and establishes a correspondence between the customized offline data of each such point data source and the corresponding point data source in the primary graph data, so as to obtain the graph data.
As an alternative embodiment of the present invention, the network security log analysis device 200 further includes an index field determining module and an index creating module (not shown in the figure), wherein:
the index field determining module is used for taking the searchable fields in the preset graph database as index fields;
and the index establishing module is used for establishing an index corresponding to the graph data based on the index field in the preset graph database.
Specifically, to facilitate subsequent searching, an index is established for the graph data in the preset graph database. The way the index is established is basically the same as for a traditional database: the index field is acquired from the preset graph database by the index field determining module, and the index creating module then creates the index, for example:
CREATE TAG INDEX `server_ennameabbr` ON `server`(`ennameabbr`(30)); REBUILD TAG INDEX `server_ennameabbr`;
The search module 220 is configured to obtain, according to the obtained target search statement, the graph data corresponding to the target point data source in the target search statement from the preset graph database as the target graph data; the target search statement comprises a target point data source and a data security judgment condition.
Specifically, a target search statement is input, and the graph data corresponding to the target point data source in the target search statement is acquired from the preset graph database. For example, inputting MATCH (v:server)-[e:access|net_connect]->(v2:server) queries the graph data between the point data sources v and v2; there may be several edge data sources between two point data sources, and each edge data source corresponds to its own edge data. The graph data corresponding to the target point data source in the target search statement is thus obtained from the preset graph database as the target graph data.
As an alternative embodiment of the present invention, the search module 220 further includes a sentence acquisition unit and a target graph data acquisition unit (not shown in the figure), wherein:
the sentence acquisition unit is used for acquiring a target search sentence, and analyzing a target point data source and a data security judgment condition of the target search sentence according to the target search sentence;
a target graph data acquisition unit, configured to acquire graph data corresponding to the target point data source from a preset graph database, as target graph data.
Specifically, the target search statement includes a target point data source and a data security judgment condition. For example, to search for the connection links from the point data source v to the point data source v2, MATCH (v:server)-[e:access|net_connect]->(v2:server) is input, and the graph data of all connection lines from the point data source v to the point data source v2, i.e. the target graph data, is obtained.
The analysis module 230 is configured to perform security analysis on relevant data of a target point data source in the target graph data according to the data security determination condition in the target search statement, and generate a security analysis result about the target point data source.
Specifically, security analysis is performed on the related data of the target point data source in the target graph data according to the data security judgment condition, for example whether the number of times a certain edge data source V between the point data source v and the point data source v2 has been attacked reaches a preset attack threshold: if the threshold is reached, the edge data source V has a security problem; if it is not reached, the edge data source V has no security problem; and the corresponding security analysis result is generated according to whether it is secure. The related data of the target point data source includes the data information of the point data source and the data information of the edge data source between point data sources. The data information of a point data source may specifically include attribute information of the point data source itself and its changing service information, for example attribute information such as the IP address, the machine room location, the company to which the server IP belongs and the server administrator, and service information such as the service object.
As an alternative embodiment of the present invention, the analysis module 230 further includes a related data acquisition unit and an analysis unit (not shown in the figure), wherein:
A related data acquisition unit for acquiring related data of a target point data source from the target map data; wherein the related data comprises data information of a target point data source and data information of an edge data source between the target point data sources;
and the analysis unit is used for analyzing the related data of the target point data source according to the data safety judgment condition and generating a safety analysis result about the target point data source.
Specifically, related data of a target point data source is acquired from target graph data through a related data acquisition unit, wherein the related data comprises data information of the target point data source and data information of an edge data source between the target point data sources; and then performing security analysis on the related data of the target point data source according to the security judgment conditions in the target search statement by an analysis unit, thereby generating a security analysis result about the target point data source.
For example, the target search statement is: MATCH (v:server)-[e:access|net_connect]->(v2:server) WHERE v.environment IN ['HEV:HPR', 'HEV:HSG'] AND v2.environment IN ['HEV:HPR', 'HEV:HSG'] AND e.pname IN ['frp', 'frpc', 'frps'] RETURN v, e, v2. The part after MATCH indicates the target point data sources, i.e. v to v2, and the corresponding target graph data can be obtained from the preset graph database according to it. The part after WHERE performs the security analysis on the related data of the target point data source in the target graph data, generating a security analysis result when the related data matches the statement and an unsafe analysis result when it does not; the target graph data is marked according to the analysis result, and when an unsafe analysis result is generated, early warning information is generated and an early warning prompt is given.
The output module 240 is configured to label the corresponding position of the target graph data according to the security analysis result, generate target graph data with security analysis label, and take the target graph data with security analysis label and related data of the target point data source as an output result of the target search statement.
Specifically, the corresponding positions of the target graph data are marked according to the security analysis result about the target point data source, for example, the edge data source with the security problem and the edge data source without the security problem are marked by lines with different colors, so that operators can distinguish the edge data source with the security problem from the marked target graph data. And taking the target graph data with the security analysis labels and the related data of the target point data source as the output result of the target search statement.
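An added example, not code from the patent: a minimal in-memory Python model of the composition, search, security analysis and labelling steps described above (the patent's queries run against a graph database; the log records, the property names environment and pname, and the connection threshold are constructed assumptions).

```python
from dataclasses import dataclass, field

# Constructed "online" weblog records (assumption: one record per connection
# event, with source/destination server, edge type, process name and port).
ONLINE_LOGS = [
    {"src": "srv-a", "dst": "srv-b", "edge": "net_connect", "pname": "sshd", "port": 22},
    {"src": "srv-a", "dst": "srv-c", "edge": "access", "pname": "frpc", "port": 7000},
    {"src": "srv-a", "dst": "srv-c", "edge": "access", "pname": "frpc", "port": 7000},
    {"src": "srv-b", "dst": "srv-c", "edge": "net_connect", "pname": "curl", "port": 443},
    {"src": "srv-b", "dst": "srv-c", "edge": "net_connect", "pname": "curl", "port": 443},
    {"src": "srv-b", "dst": "srv-c", "edge": "net_connect", "pname": "curl", "port": 443},
]
# Constructed "customized offline" data keyed by point data source: attribute
# information of the server, as produced from the offline warehouse.
OFFLINE_CUSTOM = {
    "srv-a": {"environment": "HEV:HPR", "ip": "10.0.0.1", "admin": "ops-a"},
    "srv-b": {"environment": "HEV:HSG", "ip": "10.0.0.2", "admin": "ops-b"},
    "srv-c": {"environment": "HEV:HSG", "ip": "10.0.0.3", "admin": "ops-c"},
}

@dataclass
class Edge:
    src: str
    dst: str
    etype: str                      # edge data source: "net_connect" or "access"
    props: dict = field(default_factory=dict)

@dataclass
class Graph:
    vertices: dict = field(default_factory=dict)  # point data source -> properties
    edges: list = field(default_factory=list)

def compose_graph(online, offline):
    """Composition module: primary composition from online data, then attach the
    customized offline data to the same point data sources."""
    g = Graph()
    seen = {}  # (src, dst, etype, pname, port) -> Edge, so repeats become a count
    for rec in online:
        for name in (rec["src"], rec["dst"]):      # locate the point data sources
            g.vertices.setdefault(name, {"tag": "server"})
        key = (rec["src"], rec["dst"], rec["edge"], rec["pname"], rec["port"])
        e = seen.get(key)
        if e is None:                              # connecting edge data source
            e = Edge(rec["src"], rec["dst"], rec["edge"],
                     {"pname": rec["pname"], "port": rec["port"], "connect_count": 0})
            seen[key] = e
            g.edges.append(e)
        e.props["connect_count"] += 1              # preset index: connection times
    for name, custom in offline.items():           # corresponding composition
        if name in g.vertices:
            g.vertices[name].update(custom)
    return g

def match(g, edge_types, tag="server"):
    """Search module: the equivalent of MATCH (v:server)-[e:access|net_connect]->(v2:server);
    returns the target graph data as (v, e, v2) triples."""
    return [(g.vertices[e.src], e, g.vertices[e.dst]) for e in g.edges
            if e.etype in edge_types
            and g.vertices[e.src]["tag"] == tag and g.vertices[e.dst]["tag"] == tag]

def tunnel_condition(v, e, v2, envs=("HEV:HPR", "HEV:HSG"),
                     pnames=("frp", "frpc", "frps")):
    """Data security judgment condition taken from the WHERE clause above."""
    return (v.get("environment") in envs and v2.get("environment") in envs
            and e.props["pname"] in pnames)

def threshold_condition(v, e, v2, threshold=3):
    """Judgment condition from the threshold rule above: the edge's counted
    connections reach a preset threshold (the threshold value is an assumption)."""
    return e.props["connect_count"] >= threshold

def analyze(target, condition):
    """Analysis module: True marks a security problem for that (v, e, v2)."""
    return [(v, e, v2, condition(v, e, v2)) for v, e, v2 in target]

def label_and_output(analysis):
    """Output module: mark each edge with a label and a color, and return the
    labelled target graph data plus the related data of the point data sources."""
    labelled, related = [], {}
    for v, e, v2, problem in analysis:
        e.props["security_label"] = "problem" if problem else "ok"
        e.props["color"] = "red" if problem else "green"
        labelled.append({"v": e.src, "edge": e.etype, "v2": e.dst, **e.props})
        related[e.src], related[e.dst] = v, v2
    return {"target_graph": labelled, "related_data": related}

if __name__ == "__main__":
    graph = compose_graph(ONLINE_LOGS, OFFLINE_CUSTOM)
    target = match(graph, {"access", "net_connect"})
    for row in label_and_output(analyze(target, tunnel_condition))["target_graph"]:
        print(row)
```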
Fig. 3 is a schematic structural diagram of an electronic device implementing a network security log analysis method according to an embodiment of the present invention.
The electronic device 1 may comprise a processor 10, a memory 11 and a bus, and may further comprise a computer program, such as a network security log analysis program 12, stored in the memory 11 and executable on the processor 10.
The memory 11 includes at least one type of readable storage medium, including flash memory, a mobile hard disk, a multimedia card, a card memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, etc. The memory 11 may in some embodiments be an internal storage unit of the electronic device 1, such as a removable hard disk of the electronic device 1. The memory 11 may also be an external storage device of the electronic device 1 in other embodiments, for example, a plug-in mobile hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided on the electronic device 1. Further, the memory 11 may also include both an internal storage unit and an external storage device of the electronic device 1. The memory 11 may be used not only for storing application software installed in the electronic device 1 and various types of data, such as codes of a web security log analysis program, but also for temporarily storing data that has been output or is to be output.
The processor 10 may be comprised of integrated circuits in some embodiments, for example, a single packaged integrated circuit, or may be comprised of multiple integrated circuits packaged with the same or different functions, including one or more central processing units (Central Processing unit, CPU), microprocessors, digital processing chips, graphics processors, various control chips, and the like. The processor 10 is a Control Unit (Control Unit) of the electronic device, connects respective components of the entire electronic device using various interfaces and lines, and executes various functions of the electronic device 1 and processes data by running or executing programs or modules (e.g., a web security log analysis program, etc.) stored in the memory 11, and calling data stored in the memory 11.
The bus may be a peripheral component interconnect standard (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. The bus is arranged to enable a connection communication between the memory 11 and at least one processor 10 etc.
Fig. 3 shows only an electronic device with components, it being understood by a person skilled in the art that the structure shown in fig. 3 does not constitute a limitation of the electronic device 1, and may comprise fewer or more components than shown, or may combine certain components, or may be arranged in different components.
For example, although not shown, the electronic device 1 may further include a power source (such as a battery) for supplying power to each component, and preferably, the power source may be logically connected to the at least one processor 10 through a power management device, so that functions of charge management, discharge management, power consumption management, and the like are implemented through the power management device. The power supply may also include one or more of any of a direct current or alternating current power supply, recharging device, power failure detection circuit, power converter or inverter, power status indicator, etc. The electronic device 1 may further include various sensors, bluetooth modules, wi-Fi modules, etc., which will not be described herein.
Further, the electronic device 1 may also comprise a network interface, optionally the network interface may comprise a wired interface and/or a wireless interface (e.g. WI-FI interface, bluetooth interface, etc.), typically used for establishing a communication connection between the electronic device 1 and other electronic devices.
The electronic device 1 may optionally further comprise a user interface, which may be a Display, an input unit, such as a Keyboard (Keyboard), or a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch, or the like. The display may also be referred to as a display screen or display unit, as appropriate, for displaying information processed in the electronic device 1 and for displaying a visual user interface.
It should be understood that the embodiments described are for illustrative purposes only and are not limited to this configuration in the scope of the patent application.
The network security log analysis program 12 stored in the memory 11 of the electronic device 1 is a combination of instructions that, when executed by the processor 10, may implement:
Carrying out composition processing on the obtained weblog data, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database;
according to the obtained target search statement, obtaining graph data corresponding to a target point data source in the target search statement from a preset graph database as target graph data, wherein the target search statement comprises the target point data source and a data security judgment condition;
Performing security analysis on related data of a target point data source in target graph data according to data security judgment conditions in the target search statement, and generating security analysis results about the target point data source;
and labeling the corresponding positions of the target graph data according to the security analysis result, generating target graph data with the security analysis label, and taking the target graph data with the security analysis label and the related data of the target point data source as the output result of the target search statement.
Specifically, the specific implementation method of the above instructions by the processor 10 may refer to the description of the relevant steps in the corresponding embodiment of fig. 1, which is not repeated herein. It should be emphasized that, to further ensure the privacy and security of the preset map database, the preset map database may also be stored in a node of a blockchain.
Further, the modules/units integrated in the electronic device 1 may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as separate products. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer Memory, or a Read-Only Memory (ROM).
In the several embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be other manners of division when actually implemented.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units can be realized in a form of hardware or a form of hardware and a form of software functional modules.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof.
The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Blockchain is a new application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database: a chain of data blocks generated in association by cryptographic means, each data block containing a batch of network transaction information used to verify the validity of the information (anti-counterfeiting) and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer and the like.
Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the system claims can also be implemented by means of software or hardware by means of one unit or means. The terms second, etc. are used to denote a name, but not any particular order.
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

1. A network security log analysis method applied to an electronic device, the method comprising:
carrying out composition processing on the obtained weblog data, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database;
according to the obtained target search statement, obtaining graph data corresponding to a target point data source in the target search statement from the preset graph database as target graph data; the target search statement comprises a target point data source and a data security judgment condition;
Performing security analysis on related data of a target point data source in the target graph data according to the data security judgment conditions in the target search statement, and generating a security analysis result about the target point data source;
and labeling the corresponding positions of the target graph data according to the security analysis result, generating target graph data with the security analysis label, and taking the target graph data with the security analysis label and the related data of the target point data source as output results of the target search statement.
2. The method according to claim 1, wherein before the step of performing composition processing on the obtained weblog data to connect every two point data sources in the weblog data through an edge data source to obtain graph data, and storing the graph data in a preset graph database, the method further comprises:
acquiring online data generated by the weblog in real time by adopting data writing software and acquiring offline data generated by the weblog from a preset offline data storage library according to preset frequency;
and taking the online data and the offline data as weblog data.
3. The method according to claim 2, wherein the preset graph database is stored in a blockchain, and the performing composition processing on the obtained weblog data so that every two point data sources in the weblog data are connected through an edge data source to obtain graph data, and storing the graph data in the preset graph database, includes:
performing data structuring treatment on offline data acquired according to preset frequency to obtain offline structured data;
customizing the offline structured data to enable data generated by a point data source in the offline structured data to be subjected to data processing according to preset data indexes, so as to obtain customized offline data;
and carrying out composition processing on the customized offline data and the online data acquired in real time, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database.
4. A method of analyzing a web security log according to claim 3, wherein the composing the customized offline data with the online data acquired in real time to connect each two point data sources in the web log data through an edge data source to obtain graph data, and storing the graph data in a preset graph database comprises:
Positioning point data sources in online data acquired in real time, and establishing a connected side data source between every two point data sources to obtain primary graph data;
based on the same point data source, establishing a corresponding relation between the customized offline data and the primary graph data to obtain graph data, and storing the graph data into a preset graph database.
5. The method according to claim 1, wherein after the step of performing composition processing on the obtained weblog data, connecting every two point data sources in the weblog data through an edge data source to obtain graph data, and storing the graph data in a preset graph database, the method further comprises:
taking the searchable fields in the preset graph database as index fields;
and creating an index corresponding to the graph data based on the index field in the preset graph database.
6. The web security log analysis method according to claim 1, wherein the obtaining graph data corresponding to a target point data source in the target search statement from the preset graph database according to the obtained target search statement as target graph data includes:
Acquiring a target search statement, and analyzing a target point data source and a data security judgment condition of the target search statement according to the target search statement;
and obtaining graph data corresponding to the target point data source from the preset graph database as target graph data.
7. The web security log analysis method of claim 1, wherein the performing security analysis on the data information in the target graph data according to the data security determination condition in the target search statement, generating a security analysis result regarding a target point data source comprises:
acquiring related data of a target point data source from the target graph data; wherein the related data comprises data information of a target point data source and data information of an edge data source between the target point data sources;
and analyzing the related data of the target point data source according to the data safety judging condition, and generating a safety analysis result about the target point data source.
8. A network security log analysis apparatus, the apparatus comprising:
the composition module is used for performing composition processing on the acquired weblog data, enabling every two point data sources in the weblog data to be connected through an edge data source so as to obtain graph data, and storing the graph data into a preset graph database;
The searching module is used for acquiring graph data corresponding to a target point data source in the target search statement from the preset graph database according to the acquired target search statement, and taking the graph data as target graph data; the target search statement comprises a target point data source and a data security judgment condition;
the analysis module is used for carrying out safety analysis on the related data of the target point data source in the target graph data according to the data safety judgment conditions in the target search statement, and generating a safety analysis result about the target point data source;
and the output module is used for marking the corresponding position of the target graph data according to the security analysis result, generating target graph data with the security analysis mark, and taking the target graph data with the security analysis mark and the related data of the target point data source as the output result of the target search statement.
9. An electronic device, the electronic device comprising:
at least one processor; the method comprises the steps of,
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the steps of the weblog analysis method of any of claims 1 to 7.
10. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the network security log analysis method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310548763.9A CN116561383A (en) 2023-05-16 2023-05-16 Network security log analysis method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116561383A true CN116561383A (en) 2023-08-08

Family

ID=87485792

Country Status (1)

Country Link
CN (1) CN116561383A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination