CN104994075A - Security event handling method, system and terminal based on output logs of security system - Google Patents
- Publication number: CN104994075A
- Application number: CN201510293691.3A
- Authority
- CN
- China
- Prior art keywords
- security incident
- event
- log
- security
- security system
- Prior art date
- Legal status (as listed by Google Patents; not a legal conclusion)
- Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/10—Protocols in which an application is distributed across nodes in the network
            - H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
        - H04L67/50—Network services
          - H04L67/55—Push-based network services
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
        - G06F16/10—File systems; File servers
          - G06F16/17—Details of further file system functions
            - G06F16/1734—Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
        - G06F16/40—Information retrieval; Database structures therefor; File system structures therefor of multimedia data, e.g. slideshows comprising image and additional audio data
          - G06F16/48—Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Databases & Information Systems (AREA)
- Data Mining & Analysis (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Library & Information Science (AREA)
- Multimedia (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a security event handling method, system and terminal based on the output logs of a security system. The method pushes logs that conform to the syslog protocol to a syslog server; the syslog server matches the logs one by one against the keywords of security event early-warning rules to judge whether a log qualifies as a security event; when it does, the server judges the type and security level of the security event, extracts the event elements from the log data and, once extraction is complete, sends them to HBase, which stores and records them. This achieves high-precision, in-depth analysis of the logs and makes it easier for enterprises running security systems to locate security problems.
Description
Technical field
The present invention relates to the field of data processing, and in particular to a security event handling method, system and terminal based on the output logs of a security system.
Background technology
The Internet has entered a period of vigorous development. Its popularity has made it far more convenient for people to obtain and disseminate information, but it has also brought enormous security challenges. To mitigate increasingly serious security problems, security products such as firewalls, intrusion detection systems, security filtering systems and audit systems have been widely deployed, yet the large-scale introduction of security devices brings new problems of its own.
For example, the various security devices generate massive volumes of logs while blocking attackers and scanning for and removing viruses, and the risk of a security event is often hidden among these logs; the security administrator must spend a great deal of time and effort on them. Current log analysis for network security events normally collects these logs centrally and treats valuable log entries and a large amount of junk entries alike as objects of security assessment. This approach lacks a unified log center capable of analysing network security events; even where an enterprise has a log center such as a SOC, it still lacks accurate network security analysis functions. Log analysis in information security is therefore seriously inadequate: the accuracy of the analysis is low, log collection covers too many aspects, and because every aspect is touched upon only superficially, the depth of security analysis is insufficient.
The prior art therefore needs to be improved.
Summary of the invention
In view of the above deficiencies of the prior art, the object of the present invention is to provide a security event handling method, system and terminal based on security system output logs that can improve the accuracy and depth of log analysis.
To achieve the above object, the present invention adopts the following technical scheme:
A security event handling method based on security system output logs comprises the steps of:
A. a device equipped with a security system pushes logs that conform to the syslog protocol to a syslog server;
B. the syslog server matches the log data one by one against the keywords of the security event early-warning rules to judge whether a log is a security event log;
C. when the matched log data is a security event log, the type and security level of the security event are judged;
D. the event elements in the log data are extracted and, once extraction is complete, sent to HBase;
E. HBase stores and records the event elements.
In the security event handling method based on security system output logs, the early-warning rule comprises: an early-warning test expression, an event type and a danger level.
In the security event handling method based on security system output logs, the event type comprises an unauthorized access event, a virus attack event, a web page attack event and/or a TCP event.
In the security event handling method based on security system output logs, the event elements comprise: source IP, target IP, occurrence time, target port and source port.
A security event handling system based on security system output logs comprises:
a security device, equipped with a security system, for pushing logs that conform to the syslog protocol to a syslog server;
a syslog server, for matching the log data one by one against the keywords of the security event early-warning rules to judge whether a log is a security event log; for judging, when the matched log data is a security event log, the type and security level of the security event; and for extracting the event elements from the log data and, once extraction is complete, sending them to HBase;
HBase, for storing and recording the event elements.
In the security event handling system based on security system output logs, the early-warning rule comprises: an early-warning test expression, an event type and a danger level.
In the security event handling system based on security system output logs, the event type comprises an unauthorized access event, a virus attack event, a web page attack event and/or a TCP event.
In the security event handling system based on security system output logs, the event elements comprise: source IP, target IP, occurrence time, target port and source port.
A security event handling terminal based on security system output logs comprises a security event handling system as described in any of the above.
Compared with the prior art, the security event handling method, system and terminal based on security system output logs provided by the present invention push logs that conform to the syslog protocol to a syslog server; the syslog server matches the log data one by one against the keywords of the security event early-warning rules to judge whether a log is a security event log and, when the matched log data is a security event log, judges the type and security level of the security event; the event elements in the log data are extracted and, once extraction is complete, sent to HBase, which stores and records them. This achieves high-accuracy, in-depth analysis of logs and provides the precondition for enterprises running security systems to locate security problems better.
Brief description of the drawings
Fig. 1 is a flow chart of the security event handling method based on security system output logs provided by the embodiment of the present invention.
Fig. 2 is a structural block diagram of the security event handling system based on security system output logs provided by the embodiment of the present invention.
Detailed description of the embodiments
The present invention provides a security event handling method, system and terminal based on security system output logs, mainly to overcome the technical problem that conventional technology, which collects massive volumes of log information, cannot locate security events accurately, so that the accuracy of log analysis is low and its depth insufficient.
To make the object, technical scheme and effects of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
Referring to Fig. 1, the security event handling method based on security system output logs provided by the present invention comprises:
S100. A device equipped with a security system pushes logs that conform to the syslog protocol (syslog is the standard for forwarding system log messages over an IP network) to a syslog server;
S200. The syslog server matches the log data one by one against the keywords of the security event early-warning rules to judge whether a log is a security event log;
S300. When the matched log data is a security event log, the type and security level of the security event are judged;
S400. The event elements in the log data are extracted and, once extraction is complete, sent to HBase (HBase is a distributed, column-oriented open-source database);
S500. HBase stores and records the event elements.
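Step S100 relies on the device and the server agreeing on the syslog message format. The following added example (not code from the patent) shows the BSD-syslog (RFC 3164) framing that a device puts on the wire and the validation a server should perform before treating a datagram as a log: the PRI field encodes facility and severity, and anything that does not match the header layout is rejected rather than guessed at. The facility, severity, host name, tag and message text are constructed sample values.

```python
"""RFC 3164 (BSD syslog) push from a security device to a syslog server.
Added example, not code from the patent; the facility, severity, host name,
tag and message text are constructed sample values."""
import re
import socket
from dataclasses import dataclass


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, the number inside the leading <...>."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[int, int]:
    """Split PRI back into (facility, severity); rejects values outside 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str   # e.g. "Jun  1 10:15:42" (BSD syslog carries no year or zone)
    hostname: str
    tag: str         # program name, with an optional [pid] stripped off
    content: str


# <PRI>TIMESTAMP HOSTNAME TAG[pid]: CONTENT
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: ?"
    r"(?P<content>.*)$"
)


def build_syslog_message(facility, severity, timestamp, hostname, tag, content) -> bytes:
    """Device side: serialise the fields the way they go on the wire."""
    pri = encode_pri(facility, severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {content}".encode("utf-8")


def parse_syslog_message(raw: bytes) -> SyslogMessage:
    """Server side: validate the framing and split the message into fields.
    A datagram that does not match is rejected, so a malformed or hostile
    message cannot be misfiled as a well-formed log."""
    m = _SYSLOG_RE.match(raw.decode("utf-8", errors="replace"))
    if m is None:
        raise ValueError("not a BSD-syslog formatted message")
    facility, severity = decode_pri(int(m["pri"]))
    return SyslogMessage(facility, severity, m["ts"], m["host"], m["tag"], m["content"])


def push_and_receive(raw: bytes) -> SyslogMessage:
    """Push one datagram to a loopback UDP socket standing in for the syslog
    server (UDP/514 in a real deployment; an ephemeral port here so the example
    runs unprivileged) and parse what the server side receives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as device:
        server.bind(("127.0.0.1", 0))
        server.settimeout(2.0)
        device.sendto(raw, server.getsockname())
        data, _peer = server.recvfrom(2048)
    return parse_syslog_message(data)


if __name__ == "__main__":
    # Constructed sample: a firewall (facility 4 = security/auth, severity 2 = critical)
    # reporting a dropped packet; the addresses are documentation ranges.
    wire = build_syslog_message(4, 2, "Jun  1 10:15:42", "fw01", "kernel",
                                "DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22")
    print(wire)
    print(push_and_receive(wire))
```

Because UDP syslog is unauthenticated and the source address is trivially forgeable, a server that feeds the rule engine of steps S200 onward should also restrict which senders it accepts from, or carry the logs over TLS, so that the stored events reflect what the security devices actually emitted.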
The present invention collects logs that meet the syslog protocol requirements at the syslog server, stores and records the received messages in the syslog server's database, analyses the data, matches the log data to pick out the security event logs, and then judges the type and security level of each security event, which greatly improves the accuracy and depth of log analysis.
In this embodiment, the early-warning rule comprises an early-warning test expression, an event type and a danger level, and can be configured manually. The event type comprises an unauthorized access event, a virus attack event, a web page attack event and/or a TCP event. The event elements comprise: source IP, target IP, occurrence time, target port and source port.
The present invention also provides a security event handling system based on security system output logs, comprising a security device 10, a syslog server 20 and an HBase 30. The security device 10 is equipped with a security system and pushes logs that conform to the syslog protocol to the syslog server. The syslog server 20 matches the log data one by one against the keywords of the security event early-warning rules to judge whether a log is a security event log; when the matched log data is a security event log, it judges the type and security level of the security event; and it extracts the event elements from the log data and, once extraction is complete, sends them to HBase. The HBase 30 stores and records the event elements.
Here the early-warning rule comprises: an early-warning test expression, an event type and a danger level. The event type comprises an unauthorized access event, a virus attack event, a web page attack event and/or a TCP event. The event elements comprise: source IP, target IP, occurrence time, target port and source port.
The present invention correspondingly also provides a security event handling terminal based on security system output logs, which comprises the above security event handling system; since that system has been described in detail above, it is not repeated here.
In summary, the present invention achieves high-accuracy, in-depth analysis of logs: the syslog logs output by the various security devices can be managed and analysed in a unified way, and on the basis of integrating all kinds of security devices the security events in the logs are analysed, helping enterprises (software enterprises) locate security problems better.
It will be understood that those of ordinary skill in the art can make equivalent replacements or changes according to the technical scheme and inventive concept of the present invention, and all such changes or replacements shall fall within the scope of protection of the claims appended to the present invention.
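Steps S200 to S500, with the rule structure just described (test expression, event type, danger level) and the five event elements, can be exercised end to end in a few dozen lines. The following added example is not the patent's own code: the rules, the danger-level scale, the sample log lines and the in-memory stand-in for the HBase table are all constructed for illustration, and the patent's "keyword" matching is realised here as compiled regular expressions.

```python
"""Early-warning rule matching, event classification and event-element
extraction over syslog lines, after steps S200-S500. Added example, not the
patent's own code: rules, danger-level scale, log lines and the in-memory
stand-in for the HBase table are all constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WarningRule:
    """One early-warning rule: test expression, event type, danger level."""
    name: str
    expression: re.Pattern   # keyword / regex test expression
    event_type: str
    danger_level: int        # constructed scale: 1 (low) .. 5 (critical)


@dataclass
class SecurityEvent:
    """The five event elements the text names, plus the rule verdict."""
    rule: str
    event_type: str
    danger_level: int
    source_ip: Optional[str]
    target_ip: Optional[str]
    occur_time: Optional[str]
    target_port: Optional[int]
    source_port: Optional[int]


# Constructed rules; a real deployment would load these from configuration.
RULES = [
    WarningRule("R-UNAUTH", re.compile(r"Failed password for (?:invalid user )?\S+ from"),
                "unauthorized access", 3),
    WarningRule("R-VIRUS", re.compile(r"\bvirus (?:found|detected)\b", re.IGNORECASE),
                "virus attack", 4),
    WarningRule("R-WEB", re.compile(r"\bweb attack\b", re.IGNORECASE),
                "web page attack", 3),
]

# Element extractors covering netfilter-style KEY=VALUE fields and sshd-style prose.
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_SRC_IP = re.compile(r"(?:SRC=|\bfrom )" + _IP)
_DST_IP = re.compile(r"(?:DST=|\bto )" + _IP)
_SRC_PORT = re.compile(r"(?:SPT=|\bport )(\d{1,5})")
_DST_PORT = re.compile(r"DPT=(\d{1,5})")
_TIME = re.compile(r"^(?:<\d{1,3}>)?([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})")


def _first(pattern: re.Pattern, line: str) -> Optional[str]:
    m = pattern.search(line)
    return m.group(1) if m else None


def _port(pattern: re.Pattern, line: str) -> Optional[int]:
    value = _first(pattern, line)
    return int(value) if value is not None and int(value) <= 65535 else None


def classify(line: str, rules=RULES) -> Optional[WarningRule]:
    """Steps S200/S300: test every rule; if several hit, keep the most dangerous."""
    hits = [r for r in rules if r.expression.search(line)]
    return max(hits, key=lambda r: r.danger_level) if hits else None


def extract_elements(line: str) -> dict:
    """Step S400: pull the five event elements out of the log text."""
    return {
        "source_ip": _first(_SRC_IP, line),
        "target_ip": _first(_DST_IP, line),
        "occur_time": _first(_TIME, line),
        "target_port": _port(_DST_PORT, line),
        "source_port": _port(_SRC_PORT, line),
    }


class InMemoryEventTable:
    """Stand-in for the HBase table: row key -> {family:qualifier -> value}."""
    def __init__(self) -> None:
        self.rows: dict[str, dict[str, object]] = {}

    def put(self, row_key: str, columns: dict[str, object]) -> None:
        self.rows.setdefault(row_key, {}).update(columns)

    def count(self) -> int:
        return len(self.rows)


def handle_log(line: str, table: InMemoryEventTable, rules=RULES) -> Optional[SecurityEvent]:
    """Run one log line through S200-S500; returns None for non-event lines."""
    rule = classify(line, rules)
    if rule is None:
        return None
    ev = SecurityEvent(rule.name, rule.event_type, rule.danger_level, **extract_elements(line))
    # Row key leads with type and time so a scan over one event type stays contiguous.
    row_key = f"{ev.event_type}|{ev.occur_time}|{ev.source_ip}"
    table.put(row_key, {"elem:source_ip": ev.source_ip, "elem:target_ip": ev.target_ip,
                        "elem:occur_time": ev.occur_time, "elem:target_port": ev.target_port,
                        "elem:source_port": ev.source_port, "elem:danger_level": ev.danger_level})
    return ev


# Constructed sample syslog lines (documentation address ranges).
SAMPLE_LOGS = [
    "<38>Jun  1 10:15:42 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "<36>Jun  1 10:16:03 av01 clamd: Virus detected in /srv/upload/x.bin from 198.51.100.4 to 192.0.2.25",
    "<35>Jun  1 10:17:11 waf01 waf: web attack blocked SRC=203.0.113.9 DST=192.0.2.80 SPT=40000 DPT=443",
    "<30>Jun  1 10:18:00 host1 cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]


def process_batch(lines, rules=RULES):
    """Steps S200-S500 over a batch: returns the filled table and the events found."""
    table = InMemoryEventTable()
    events = [ev for ev in (handle_log(l, table, rules) for l in lines) if ev is not None]
    return table, events


if __name__ == "__main__":
    table, events = process_batch(SAMPLE_LOGS)
    for ev in events:
        print(ev)
    print(f"{table.count()} event rows stored")
```

Two design points worth noting. The row key is built from event type, occurrence time and source IP, so two events of the same type from the same source within one second would overwrite each other in a real HBase table; a production key would append a sequence number or the log's own identifier. And the extractors parse whatever the device wrote, so a source IP or port in the stored elements is only as trustworthy as the device that logged it, which is another reason to restrict which senders the syslog server accepts.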
Claims (9)
1. A security event handling method based on security system output logs, characterized in that it comprises the steps of:
A. a device equipped with a security system pushes logs that conform to the syslog protocol to a syslog server;
B. the syslog server matches the log data one by one against the keywords of the security event early-warning rules to judge whether a log is a security event log;
C. when the matched log data is a security event log, the type and security level of the security event are judged;
D. the event elements in the log data are extracted and, once extraction is complete, sent to HBase;
E. HBase stores and records the event elements.
2. The security event handling method based on security system output logs according to claim 1, characterized in that the early-warning rule comprises: an early-warning test expression, an event type and a danger level.
3. The security event handling method based on security system output logs according to claim 1, characterized in that the event type comprises an unauthorized access event, a virus attack event, a web page attack event and/or a TCP event.
4. The security event handling method based on security system output logs according to claim 1, characterized in that the event elements comprise: source IP, target IP, occurrence time, target port and source port.
5. A security event handling system based on security system output logs, characterized in that it comprises:
a security device, equipped with a security system, for pushing logs that conform to the syslog protocol to a syslog server;
a syslog server, for matching the log data one by one against the keywords of the security event early-warning rules to judge whether a log is a security event log; for judging, when the matched log data is a security event log, the type and security level of the security event; and for extracting the event elements from the log data and, once extraction is complete, sending them to HBase;
HBase, for storing and recording the event elements.
6. The security event handling system based on security system output logs according to claim 5, characterized in that the early-warning rule comprises: an early-warning test expression, an event type and a danger level.
7. The security event handling system based on security system output logs according to claim 5, characterized in that the event type comprises an unauthorized access event, a virus attack event, a web page attack event and/or a TCP event.
8. The security event handling system based on security system output logs according to claim 5, characterized in that the event elements comprise: source IP, target IP, occurrence time, target port and source port.
9. A security event handling terminal based on security system output logs, characterized in that it comprises a security event handling system according to any one of claims 5 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510293691.3A CN104994075A (en) | 2015-06-01 | 2015-06-01 | Security event handling method, system and terminal based on output logs of security system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104994075A true CN104994075A (en) | 2015-10-21 |
Family
ID=54305827
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510293691.3A Pending CN104994075A (en) | 2015-06-01 | 2015-06-01 | Security event handling method, system and terminal based on output logs of security system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104994075A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102207948A (en) * | 2010-07-13 | 2011-10-05 | 天津海量信息技术有限公司 | Method for generating incident statement sentence material base |
US20130055389A1 (en) * | 2011-08-31 | 2013-02-28 | Abb Technology Ag | Security event logging in process control |
CN103138989A (en) * | 2013-02-25 | 2013-06-05 | 武汉华工安鼎信息技术有限责任公司 | System and method for analyzing large number of logs |
CN104579782A (en) * | 2015-01-12 | 2015-04-29 | 国家电网公司 | Hotspot security event identification method and system |
Events
- 2015-06-01: application CN201510293691.3A filed in CN (publication CN104994075A), status: Pending
Non-Patent Citations (1)
Title |
---|
Liu Li (刘莉): "A security scheme for centralized log management based on multi-protocol technology", Proceedings of the 2008 Annual Academic Conference of the Wireless and Mobile Communications Committee of the China Institute of Communications * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111597084A (en) * | 2019-02-20 | 2020-08-28 | 长鑫存储技术有限公司 | Safety early warning method and device, electronic equipment and storage medium |
CN110245045A (en) * | 2019-05-23 | 2019-09-17 | 平安科技(深圳)有限公司 | A kind of keyword alarm method and device based on log |
CN110245045B (en) * | 2019-05-23 | 2022-06-07 | 平安科技(深圳)有限公司 | Keyword warning method and device based on log |
CN111404903A (en) * | 2020-03-09 | 2020-07-10 | 深信服科技股份有限公司 | Log processing method, device, equipment and storage medium |
CN111404903B (en) * | 2020-03-09 | 2022-08-09 | 深信服科技股份有限公司 | Log processing method, device, equipment and storage medium |
CN114826727A (en) * | 2022-04-22 | 2022-07-29 | 南方电网数字电网研究院有限公司 | Flow data acquisition method and device, computer equipment and storage medium |
CN114826727B (en) * | 2022-04-22 | 2024-05-07 | 南方电网数字电网研究院有限公司 | Flow data acquisition method, device, computer equipment and storage medium |
Similar Documents
Publication | Title | |
---|---|---|
CN105550583B (en) | Android platform malicious application detection method based on random forest classification method | |
CN107888571B (en) | Multi-dimensional webshell intrusion detection method and system based on HTTP log | |
CN109861995A (en) | A kind of safe big data intelligent analysis method of cyberspace, computer-readable medium | |
CN101610174B (en) | Log correlation analysis system and method | |
CN107423434B (en) | Mining method of potential social relationship network based on ticket data | |
CN109885562A (en) | A kind of big data intelligent analysis system based on cyberspace safety | |
CN107872454B (en) | Threat information monitoring and analyzing system and method for ultra-large Internet platform | |
EP2760162B1 (en) | Method and device for detecting rule optimization configuration | |
CN104539626A (en) | Network attack scene generating method based on multi-source alarm logs | |
CN104994075A (en) | Security event handling method, system and terminal based on output logs of security system | |
CN107360118B (en) | Advanced persistent threat attack protection method and device | |
CN102340485A (en) | Network security situation awareness system and method based on information correlation | |
CN104572976B (en) | Website data update method and system | |
CN113612763B (en) | Network attack detection device and method based on network security malicious behavior knowledge base | |
CN103428196A (en) | URL white list-based WEB application intrusion detecting method and apparatus | |
Singh et al. | An approach to understand the end user behavior through log analysis | |
CN109347808B (en) | Safety analysis method based on user group behavior activity | |
CN109446816A (en) | A kind of user behavior analysis method based on big data platform audit log | |
CN109409113B (en) | Power grid data safety protection method and distributed power grid data safety protection system | |
CN109995722A (en) | Magnanimity detection data analysis system towards APT protection | |
CN110891071A (en) | Network traffic information acquisition method, device and related equipment | |
CN110912753B (en) | Cloud security event real-time detection system and method based on machine learning | |
CN110881022A (en) | Large-scale network security situation detection and analysis method | |
CN104836815A (en) | Security event backtracking method and system based on log analysis function | |
CN109544179B (en) | Operation supporting system based on important product traceability data service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20151021 |