CN106415578B - Log analysis device and log analysis method - Google Patents
- Publication number: CN106415578B (application CN201480079459.3A)
- Authority: CN (China)
- Prior art keywords: log, frequency distribution, log analysis
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
Abstract
The present invention relates to a log analysis device and a log analysis method for detecting malware infection and discovering misconduct inside an organization. The log analysis device has: a log collection unit that collects physical-system logs and information-system logs, where a physical-system log is the log of a physical facility-management device and an information-system log is the log of an information device that executes information processing under the operation of a user; and a log analysis unit that calculates the frequency distribution of the time intervals between the physical-system log and the information-system log and compares that frequency distribution with the frequency distribution calculated while the information device was in a normal state, thereby detecting an abnormality of the information device.
Description
Technical field
The present invention relates to a log analysis device that detects malware infection and discovers misconduct inside an organization.
Background technology
A conventional integrated physical-system/information-system log analysis device detects improper use by jointly analysing a building's entry/exit logs (physical-system logs) together with PC operation histories and the web access histories of proxy servers and the like (information-system logs). For example, if a log records that employee A has left the room and a read of confidential information on a file server is subsequently logged under employee A, the device can detect the possibility that somebody else is impersonating employee A and viewing the confidential information (see, for example, Patent Document 1).
A mechanism has also been proposed that detects an abnormality when a user's operation deviates from a preset allowed range. Because the people in an enterprise carry out a wide variety of work, an allowed range set broadly enough to cover everybody cannot detect an abnormality even when one occurs; the proposal therefore characterises each person by their own work and selects the allowed range from several patterns, improving the likelihood of detecting an abnormality (see, for example, Patent Document 2).
Prior art documents
Patent documents
Patent Document 1: Japanese Unexamined Patent Application Publication No. 2007-233661
Patent Document 2: Japanese Unexamined Patent Application Publication No. 2010-211257
Summary of the invention
Problem to be solved by the invention
The conventional integrated physical-system/information-system log analysis device arranges actual events in time series to grasp an employee's actions, but it does not specifically disclose what kind of misconduct is detected by what kind of rule (for example, Patent Document 1).
In general, it can be said that jointly analysing physical-system and information-system logs makes it possible to discover misconduct by monitoring the logs of operations carried out between leaving the room and entering it again; however, no method is known for detecting misconduct carried out in the period between an employee leaving their seat and leaving the room.
Furthermore, in the mechanism that detects an abnormality when a user's operation deviates from a preset allowed range, a person's operation times and operation intervals vary somewhat with the time of day, urgency and so on, so the threshold (allowed range) used for anomaly detection has to be set to a fairly large value. Consequently, for malware that, for example, suspends its own activity as soon as the infected person stops operating, it is very difficult to detect the infection (for example, Patent Document 2).
The present invention was made to solve the above problems, and its object is to raise the likelihood of detecting the infection even when the infecting malware suspends its activity as soon as the person stops operating.
Means for solving the problem
To solve the above problems, the log analysis device of the present invention has: a log collection unit that collects physical-system logs and information-system logs, where a physical-system log is the log of a physical facility-management device and an information-system log is the log of an information device that executes information processing under the operation of a user; and a log analysis unit that calculates the frequency distribution of the time intervals between the physical-system log and the information-system log and compares that frequency distribution with the frequency distribution calculated while the information device was in a normal state, thereby detecting an abnormality of the information device.
The log analysis method of the present invention is a log analysis method of a log analysis device that analyses logs to detect an abnormality of an information device, and has: a log collection step in which a log collection unit collects physical-system logs and information-system logs, where a physical-system log is the log of a physical facility-management device and an information-system log is the log of an information device that executes information processing under the operation of a user; and a log analysis step in which a log analysis unit calculates the frequency distribution of the time intervals between the physical-system log and the information-system log and compares that frequency distribution with the frequency distribution calculated while the information device was in a normal state, thereby detecting an abnormality of the information device.
Effect of the invention
According to the present invention, physical-system logs and information-system logs are analysed together, and the past log interval is compared with the current log interval to analyse their deviation. As a result, not only can misconduct carried out while out of the room be detected, as before, but an abnormality occurring before the person leaves the room can also be detected.
Brief description of the drawings
Fig. 1 is a block diagram showing a configuration example of the log analysis device of Embodiment 1.
Fig. 2 shows an example of an entry/exit log, one of the physical-system logs.
Fig. 3 shows an example of a file-server access log, one of the information-system logs.
Fig. 4 is a flow chart of the log analysis processing of the log analysis device of Embodiment 1.
Fig. 5 shows an example of graphs of log analysis results.
Description of embodiments
Embodiment 1
Fig. 1 is a block diagram showing a configuration example of the log analysis device of Embodiment 1.
In Fig. 1, room 100 is a place where users ordinarily do their work using terminal 101. It is assumed that room 100 can be entered and left only through security door 103, which is controlled by security door control device 102, and that the users who may enter and leave are restricted. Terminal 101 is installed in room 100 and is a device provided so that users can carry out information-processing work; it contains signal input/output unit 104, arithmetic unit 105 and memory 106. As the basic means by which a user provides input to and receives output from the terminal, keyboard 107, mouse 108 and monitor 109 are connected to terminal 101.
Terminal 101 is connected to network 110 and can communicate with the other devices connected to network 110, for example file server 111, authentication server 112, mail server 113, proxy server 114 and firewall 115. Communication with servers on the Internet 116 comprises mail transmission and reception via mail server 113, web communication via proxy server 114, FTP (File Transfer Protocol) and so on.
Log analysis device 117 is assumed to be connected to the organization's internal network 110 in the same way as file server 111 and authentication server 112. Through log collection unit 118, log analysis device 117 collects not only the logs of terminal 101 and of the information-processing devices on the network such as file server 111, authentication server 112, mail server 113, proxy server 114 and firewall 115, but also the logs of physical facilities such as security door control device 102, which manages users' entry into and exit from room 100; the collected logs are accumulated in log database 119. Log analysis unit 120 processes the logs accumulated in log database 119: keyword searches, statistical analyses such as log summarisation, and checks against predefined rules. When log analysis unit 120 detects a security breach, a failure or any other situation that must be reported to the administrator for handling, alarm generation unit 121 generates an alarm (warning) and notifies the administrator.
Next, the logs kept in log database 119 are described.
Fig. 2 shows an example of an entry/exit log, one of the physical-system logs.
Fig. 3 shows an example of a file-server access log, one of the information-system logs.
Fig. 2 is explained first. It is an entry/exit log, one of the physical-system logs. An entry/exit log consists, for example, of a date, a time, a user ID and an event. The date is the date of the entry or exit, the time is the time of the entry or exit, the user ID identifies the employee who entered or left, and the event indicates what happened, such as entry or exit. In the example of Fig. 2, the history "user A left the room at 12:02:20 on 1 April 2014" is kept as a log record.
Fig. 3 is explained next. It is a file-server access log, one of the information-system logs. An access log consists, for example, of a date, a time, a user ID, a file and an operation. The date is the date of the file operation, the time is the time of the file operation, the user ID identifies the employee who performed it, the file is the name of the file accessed, and the operation states what was done to the file. In the example of Fig. 3, the file access history "user A read the file 'proposal.doc' at 12:02:00 on 1 April 2014" is kept as a log record.
Next, the operation of the log analysis device is described.
Fig. 4 is a flow chart of the log analysis processing of the log analysis device of Embodiment 1.
First, in step S101, log analysis unit 120 extracts the logs to be analysed from the physical-system logs and information-system logs kept in log database 119. For example, to analyse user A's file reads immediately before leaving the room, the records relating to user A's exit events are extracted from the entry/exit log of Fig. 2, and the records of read operations performed by user A are extracted from the file access log of Fig. 3.
Next, in step S102, log analysis unit 120 calculates, for each period, the time intervals between the relevant log records extracted in step S101 and performs statistical processing such as plotting the frequency of occurrence of each interval. For example, to find out how long before leaving the room user A reads a file and to measure that interval, the logs of Fig. 2 and Fig. 3 are matched against each other: the exit at 12:02:20 on 1 April 2014 is immediately preceded by a file access at 12:02:00, so the interval is 20 seconds. This is done for every exit event and the results are plotted per month or a similar period, giving graphs (a) and (b) of Fig. 5.
Next, in step S103, log analysis unit 120 compares the graphs obtained by the statistical processing of step S102 and checks the deviation between them. For example, as shown in Fig. 5(c), the two graphs are overlaid and their deviation τ along the time axis is calculated: with graph (a) held fixed, graph (b) is shifted a little at a time along the time axis to find the shift τ at which its difference from graph (a) is smallest. One way of finding τ is simply to take the τ that minimises the squared distance, as in Formula 1:
$\tau = \arg\min_{\tau} \sum_t \bigl(a(t) - b(t+\tau)\bigr)^2$ (Formula 1)
Next, in step S104, log analysis unit 120 checks whether the deviation τ calculated in step S103 exceeds threshold T. Threshold T is a parameter determined in advance from the values of τ observed in the normal, uninfected state. When the deviation τ calculated in step S103, which arises from the time between the person stopping operation and the malware ceasing its activity, exceeds threshold T, an abnormality is detected. If an abnormality is detected, processing proceeds to step S105; otherwise processing ends.
Finally, in step S105, when an abnormality was detected in step S104, alarm generation unit 121 presents a warning to the administrator.
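The following Python program is an added example written for this page; it is not code from the patent and its data are not the patent's figures. It implements the log layouts of Fig. 2 and Fig. 3 and steps S101 to S105 above end to end: it matches each exit of user A with that user's last file read, builds the per-period frequency distribution of the intervals, finds the time-axis shift τ of Formula 1 and compares |τ| with threshold T. The space-separated line layout, the EXIT/READ event names, the ten-minute matching window, the normalisation of counts to relative frequencies, the ±30 s search range for τ and the value T = 1 s are assumptions of the example; the constructed May intervals are the April intervals shifted by three seconds, standing in for the delay the description attributes to malware that keeps working after the user stops.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not the patent's Figs. 2/3): seconds between user A's
# last file read and the exit that follows it, one exit per working day. May's
# intervals are April's shifted by +3 s, standing in for the malware scenario.
APRIL = [20, 19, 21, 20, 22, 18, 20, 21, 20, 19]
MAY = [x + 3 for x in APRIL]


def make_logs(month, offsets, user="userA"):
    """Emit constructed log text in the Fig. 2 layout (date time user event) and the
    Fig. 3 layout (date time user file operation). The space-separated form and the
    EXIT/READ names are assumptions of this example."""
    phys, info = [], []
    for day, off in enumerate(offsets, start=1):
        read_at = datetime(2014, month, day, 12, 2, 0)
        exit_at = read_at + timedelta(seconds=off)
        info.append(f"{read_at:%Y/%m/%d %H:%M:%S} {user} proposal.doc READ")
        phys.append(f"{exit_at:%Y/%m/%d %H:%M:%S} {user} EXIT")
    return "\n".join(phys), "\n".join(info)


def parse(text):
    """Yield (timestamp, user_id, remaining fields) for each log line."""
    for line in text.splitlines():
        date, clock, user, *rest = line.split()
        yield datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S"), user, rest


def intervals(phys_log, info_log, user, event="EXIT", op="READ", window=600):
    """Steps S101/S102: for every EXIT of `user`, seconds since that user's last READ
    within the preceding `window` seconds. The window is an assumption; it stops an
    exit with no recent read from being matched to a read hours earlier."""
    exits = sorted(ts for ts, u, rest in parse(phys_log) if u == user and rest[-1] == event)
    reads = sorted(ts for ts, u, rest in parse(info_log) if u == user and rest[-1] == op)
    result = []
    for ex in exits:
        prior = [r for r in reads if r <= ex and (ex - r).total_seconds() <= window]
        if prior:
            result.append(int((ex - max(prior)).total_seconds()))
    return result


def frequency_distribution(values, bin_width=1):
    """Step S102: relative frequency of each interval, rounded to `bin_width` seconds
    (bin_width > 1 gives the coarser 2 s / 5 s / 1 min binning the description allows).
    Normalising to relative frequency is an assumption; it lets periods with different
    numbers of exits be overlaid."""
    if not values:
        return {}
    counts = Counter(bin_width * round(v / bin_width) for v in values)
    n = sum(counts.values())
    return {k: v / n for k, v in counts.items()}


def time_shift(a, b, max_shift=30):
    """Step S103 (Formula 1): the shift tau in [-max_shift, max_shift] that minimises
    sum_t (a(t) - b(t + tau))^2, i.e. the offset that best overlays b on a (Fig. 5(c)).
    Ties are broken towards the smaller |tau|."""
    if not a or not b:
        raise ValueError("empty frequency distribution")
    lo = min(min(a), min(b)) - max_shift
    hi = max(max(a), max(b)) + max_shift
    best_cost, best_tau = None, 0
    for tau in range(-max_shift, max_shift + 1):
        cost = sum((a.get(t, 0.0) - b.get(t + tau, 0.0)) ** 2 for t in range(lo, hi + 1))
        if best_cost is None or cost < best_cost or (cost == best_cost and abs(tau) < abs(best_tau)):
            best_cost, best_tau = cost, tau
    return best_tau


def detect_anomaly(baseline_logs, current_logs, user, threshold_T=1, bin_width=1):
    """Steps S103/S104: compare the current period's distribution with the baseline
    period's and flag an anomaly when |tau| exceeds threshold T. T must be fixed in
    advance from the tau values seen between known-clean periods."""
    a = frequency_distribution(intervals(*baseline_logs, user), bin_width)
    b = frequency_distribution(intervals(*current_logs, user), bin_width)
    tau = time_shift(a, b)
    return tau, abs(tau) > threshold_T


if __name__ == "__main__":
    tau, alarm = detect_anomaly(make_logs(4, APRIL), make_logs(5, MAY), "userA")
    # Step S105: on an alarm, alarm generation unit 121 would notify the administrator.
    print(f"tau = {tau} s, anomaly = {alarm}")
```

With one exit per working day a month yields only a few dozen intervals, so a single unusual day can dominate the histogram; a practitioner would keep the baseline period long enough, or use the coarser `bin_width`, so that τ reflects the distribution's overall shape rather than one event, which is exactly the robustness argument the description makes for comparing distributions instead of individual intervals.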
As described above, in the invention of Embodiment 1, physical-system logs and information-system logs are analysed together, and the past log interval is compared with the current log interval to analyse their deviation; thus not only can misconduct carried out while out of the room be detected, as before, but also an abnormality occurring before the person leaves the room. For example, when malware has been installed, the log interval can be expected to deviate by hundreds of milliseconds or several seconds; by detecting that deviation, malware infection can be detected and internal misconduct discovered.
Furthermore, because the present invention computes the deviation of a statistic after taking statistics of the log intervals for each period, it is not easily affected by fluctuations in individual log intervals. In general, a person's operation intervals can be expected to vary by several seconds to more than ten seconds. If the deviation were evaluated on each individual log interval, a large threshold T would therefore be needed for the judgement. The present invention instead evaluates the deviation of the overall distribution trend rather than each individual log interval, so an abnormality can be detected with a smaller threshold T, and the likelihood of detecting an abnormality such as malware infection is improved.
In step S103 the commonly used squared distance served as the measure of deviation between the distributions, but the deviation between the frequency peaks may be used instead, and other distances such as the earth mover's distance may also be used to judge the deviation. The deviation between the distributions may also be evaluated with the Kullback-Leibler divergence, the Jensen-Shannon divergence or similar measures.
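As an added example, not code from the patent, the alternative measures named in the preceding paragraph are computed below in Python on two constructed frequency distributions of the kind produced in step S102 (interval bin in seconds → relative frequency): the shift between the frequency peaks, the one-dimensional earth mover's distance computed from cumulative distributions, and the Kullback-Leibler and Jensen-Shannon divergences. The two sample distributions, the base-2 logarithm, the tie-breaking rule for peaks and the decision to report an infinite Kullback-Leibler divergence where the current distribution has no mass at a bin the baseline occupies are assumptions of the example; the last point is the practical caveat with KL on sparse histograms, and the reason the bounded, symmetric Jensen-Shannon divergence is usually the safer choice for a threshold.

```python
import math

# Constructed distributions over interval bins (seconds -> relative frequency),
# standing in for the Fig. 5 (a) and (b) histograms; not taken from the patent.
BASELINE = {20: 0.5, 21: 0.5}   # normal period
CURRENT = {23: 0.5, 24: 0.5}    # current period, shifted by +3 s


def normalize(hist):
    """Turn raw counts into relative frequencies so periods of different length compare."""
    total = float(sum(hist.values()))
    return {k: v / total for k, v in hist.items()}


def peak_shift(a, b):
    """Deviation of the frequency peaks: bin of b's highest frequency minus bin of a's.
    Ties go to the smaller bin so the result is deterministic."""
    def peak(d):
        return max(d, key=lambda k: (d[k], -k))
    return peak(b) - peak(a)


def earth_movers_distance(a, b):
    """1-D earth mover's distance (Wasserstein-1) on integer bins: the sum over bins of
    |CDF_a - CDF_b|, i.e. how far probability mass must travel along the time axis.
    Unlike squared distance it grows with the size of the shift, not just its presence."""
    lo = min(min(a), min(b))
    hi = max(max(a), max(b))
    cum_a = cum_b = 0.0
    distance = 0.0
    for t in range(lo, hi + 1):
        cum_a += a.get(t, 0.0)
        cum_b += b.get(t, 0.0)
        distance += abs(cum_a - cum_b)
    return distance


def kl_divergence(p, q):
    """Kullback-Leibler divergence D(p||q) in bits. It is asymmetric, and infinite when
    p has mass at a bin where q has none, which happens easily with sparse histograms;
    callers must either smooth q or prefer the Jensen-Shannon divergence below."""
    total = 0.0
    for t, pt in p.items():
        if pt == 0.0:
            continue
        qt = q.get(t, 0.0)
        if qt == 0.0:
            return math.inf
        total += pt * math.log2(pt / qt)
    return total


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: symmetric, always finite, and at most 1.0
    (reached when the two distributions have disjoint support), so a fixed threshold
    on it behaves predictably."""
    bins = set(p) | set(q)
    m = {t: 0.5 * (p.get(t, 0.0) + q.get(t, 0.0)) for t in bins}
    return 0.5 * kl_divergence(p, m) + 0.5 * kl_divergence(q, m)


if __name__ == "__main__":
    for name, fn in [("peak shift", peak_shift), ("EMD", earth_movers_distance),
                     ("KL", kl_divergence), ("JS", js_divergence)]:
        print(f"{name:>10}: {fn(BASELINE, CURRENT)}")
```

Note that the earth mover's distance and the peak shift are measured in seconds, like the τ of Formula 1, so the same kind of threshold T applies; the divergences are dimensionless and need their own threshold chosen from clean periods.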
In steps S101 and S102 an example was shown in which file read operations are analysed, but log intervals may also be analysed using operations such as file writes or web accesses. Nor is it necessary to restrict the analysis to one specific operation: the log interval may be calculated from whatever operation was performed before leaving the room.
In Embodiment 1, file access logs were used as the information-system logs, but any log, such as web access logs, mail send/receive logs, authentication logs or PC (terminal) operation logs, may be used for the analysis.
In Embodiment 1, the analysis used the records of exit events in the entry/exit log, but log analysis may also be performed using entry-related events. This is because, for example, when a person moves from the room containing the PC (terminal) to a laboratory adjacent to it, the fact that terminal operation has stopped can be determined from the entry event of the laboratory.
In Embodiment 1, the entry/exit log was used as the physical-system log, but any log from which it can be known that the PC (terminal) is no longer being operated may be used for the analysis: for example, a detection log from a surveillance camera recording that the user left their seat or finished operating the PC (terminal), a detection log from a sensor such as an RFID tag recording the same, or a log of the lighting being switched on or off.
In step S102 an example was shown in which logs are aggregated per month, but the aggregation is not limited to months; it may be per week, per day or the like. The present invention does not depend on the unit of aggregation.
In step S102, because the logs are output with one-second resolution, it was implicitly assumed that the frequency graph is generated with one-second bins, but the graph may instead be generated with the values rounded to 2-second, 5-second or 1-minute bins rather than 1 second.
Reference numerals
100: room; 101: terminal; 102: security door control device; 103: security door; 104: signal input/output unit; 105: arithmetic unit; 106: memory; 107: keyboard; 108: mouse; 109: monitor; 110: network; 111: file server; 112: authentication server; 113: mail server; 114: proxy server; 115: firewall; 116: Internet; 117: log analysis device; 118: log collection unit; 119: log database; 120: log analysis unit; 121: alarm generation unit.
Claims (4)
1. A log analysis device, comprising:
a log collection unit that collects physical-system logs and information-system logs, the physical-system log being the log of a physical facility-management device and the information-system log being the log of an information device that executes information processing under the operation of a user; and
a log analysis unit that calculates the time intervals between the physical-system log and the information-system log, counts a frequency distribution of the frequency of occurrence of each time interval, and compares that frequency distribution with the frequency distribution calculated while the information device was in a normal state to detect an abnormality of the information device.
2. The log analysis device according to claim 1, wherein
the log analysis device has a log database that stores the physical-system logs and the information-system logs collected by the log collection unit, and
the log analysis unit extracts from the log database the physical-system logs and information-system logs that occurred during a first period and during a second period; calculates the time intervals between the physical-system log and the information-system log in the first period and counts the frequency distribution of the frequency of occurrence of each time interval as a first frequency distribution; calculates the time intervals between the physical-system log and the information-system log in the second period and counts the frequency distribution of the frequency of occurrence of each time interval as a second frequency distribution; calculates the deviation τ between the first frequency distribution and the second frequency distribution along the time axis; and detects an abnormality of the information device when the deviation τ is larger than the deviation T along the time axis between the first frequency distribution and the second frequency distribution calculated while the information device was in a normal state.
3. The log analysis device according to claim 1 or 2, wherein
the log analysis device has an alarm generation unit, and when the log analysis unit detects an abnormality of the information device, the alarm generation unit generates an alarm and notifies an administrator.
4. A log analysis method of a log analysis device that analyses logs to detect an abnormality of an information device, the log analysis method comprising:
a log collection step in which a log collection unit collects physical-system logs and information-system logs, the physical-system log being the log of a physical facility-management device and the information-system log being the log of an information device that executes information processing under the operation of a user; and
a log analysis step in which a log analysis unit calculates the time intervals between the physical-system log and the information-system log, counts a frequency distribution of the frequency of occurrence of each time interval, and compares that frequency distribution with the frequency distribution calculated while the information device was in a normal state to detect an abnormality of the information device.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2014/002955 WO2015186155A1 (en) | 2014-06-03 | 2014-06-03 | Log analysis device and log analysis method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106415578A CN106415578A (en) | 2017-02-15 |
CN106415578B true CN106415578B (en) | 2018-07-03 |
Family
ID=54766260
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201480079459.3A Expired - Fee Related CN106415578B (en) | 2014-06-03 | 2014-06-03 | Log analysis device and log analysis method |
Country Status (3)
Country | Link |
---|---|
JP (1) | JP6138367B2 (en) |
CN (1) | CN106415578B (en) |
WO (1) | WO2015186155A1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5926413B1 (en) * | 2015-02-16 | 2016-05-25 | 株式会社ラック | Information processing apparatus, information processing method, and program |
JP5992643B2 (en) * | 2016-04-21 | 2016-09-14 | 株式会社ラック | Information processing apparatus, information processing method, and program |
JP6088700B2 (en) * | 2016-08-17 | 2017-03-01 | 株式会社ラック | Information processing apparatus, information processing method, and program |
JP6145588B2 (en) * | 2017-02-03 | 2017-06-14 | 株式会社ラック | Information processing apparatus, information processing method, and program |
CN107341095B (en) * | 2017-06-27 | 2020-07-28 | 北京优特捷信息技术有限公司 | Method and device for intelligently analyzing log data |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1950778A (en) * | 2004-03-09 | 2007-04-18 | Ip锁有限公司 | Database user behavior monitor system and method |
JP2007233661A (en) * | 2006-02-28 | 2007-09-13 | Intelligent Wave Inc | Log integrated management system and log integrated management method |
JP4156540B2 (en) * | 2004-02-23 | 2008-09-24 | Kddi株式会社 | Log analysis device, log analysis program, and recording medium |
Priority and publication events (2014)
- 2014-06-03: CN application CN201480079459.3A, granted as CN106415578B (Expired - Fee Related)
- 2014-06-03: PCT application PCT/JP2014/002955, published as WO2015186155A1
- 2014-06-03: JP application JP2016524945A, granted as JP6138367B2 (Expired - Fee Related)
Also Published As
Publication number | Publication date |
---|---|
WO2015186155A1 (en) | 2015-12-10 |
JPWO2015186155A1 (en) | 2017-04-20 |
JP6138367B2 (en) | 2017-05-31 |
CN106415578A (en) | 2017-02-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106415578B (en) | Log analysis device and log analysis method | |
CN106485871B (en) | System and method for providing early prediction and prediction of false alarms by applying statistical inference models | |
US10187411B2 (en) | Method for intrusion detection in industrial automation and control system | |
KR101538709B1 (en) | Anomaly detection system and method for industrial control network | |
CN111262722B (en) | Safety monitoring method for industrial control system network | |
US10679135B2 (en) | Periodicity analysis on heterogeneous logs | |
US10373065B2 (en) | Generating database cluster health alerts using machine learning | |
US10078317B2 (en) | Method, device and computer program for monitoring an industrial control system | |
US20150304346A1 (en) | Apparatus and method for detecting anomaly of network | |
CN104050787B (en) | There is the system and method for the abnormality detection of categorical attribute | |
CN107592309B (en) | Security incident detection and processing method, system, equipment and storage medium | |
US20060259968A1 (en) | Log analysis system, method and apparatus | |
EP2759938A1 (en) | Operations management device, operations management method, and program | |
US11640459B2 (en) | Abnormality detection device | |
KR101692982B1 (en) | Automatic access control system of detecting threat using log analysis and automatic feature learning | |
JP2015028700A (en) | Failure detection device, failure detection method, failure detection program and recording medium | |
CN106951776A (en) | A kind of Host Anomaly Detection method and system | |
JP2021528743A (en) | Time behavior analysis of network traffic | |
US11297082B2 (en) | Protocol-independent anomaly detection | |
KR20130020265A (en) | Method for anomaly detection using statistical process control | |
WO2022115419A1 (en) | Method of detecting an anomaly in a system | |
CN108804914A (en) | A kind of method and device of anomaly data detection | |
CN113901441A (en) | User abnormal request detection method, device, equipment and storage medium | |
KR20170123324A (en) | Relay device and program | |
US20230385411A1 (en) | Systems and methods for side-channel monitoring of a processor on a communication network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20180703; Termination date: 20200603 |