CN106415578B - Log analysis device and log analysis method - Google Patents


Info

Publication number: CN106415578B
Authority: CN (China)
Prior art keywords: log, frequency distribution, log analysis
Legal status: Expired - Fee Related
Application number: CN201480079459.3A
Other languages: Chinese (zh)
Other versions: CN106415578A
Inventors: 松田规, 平野贵人, 北泽繁树, 米田健
Current assignee: Mitsubishi Electric Corp
Original assignee: Mitsubishi Electric Corp
Priority date / filing date: 2014-06-03
Publication dates: 2017-02-15 (CN106415578A), 2018-07-03 (CN106415578B)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management

Abstract

The present invention relates to a log analysis device and a log analysis method that detect malware infection and discover improper conduct inside an organization. The log analysis device has: a log collection unit that collects a physical-system log and an information-system log, the physical-system log being the log of a physical facility-management device and the information-system log being the log of an information device that executes information processing through user operation; and a log analysis unit that calculates the frequency distribution of the time intervals between the physical-system log and the information-system log and compares that frequency distribution with the frequency distribution calculated while the information device is normal, thereby detecting an abnormality of the information device.

Description

Log analysis device and log analysis method
Technical field
The present invention relates to a log analysis device that detects malware infection and discovers improper conduct inside an organization.
Background art
A conventional integrated physical-system/information-system log analysis device detects improper use by jointly analysing logs related to entering and leaving a building or room (physical-system logs) together with PC operation histories and the web access histories of proxy servers and the like (information-system logs). For example, when a log records employee A leaving a room and a log then records the reading of confidential information on a file server, the device can detect the possibility that someone else is impersonating employee A and viewing the confidential information (for example, Patent Document 1).
A mechanism has also been proposed that detects an abnormality when a user's operations fall outside a permitted range set in advance. Because an enterprise has people carrying out many kinds of work, a permitted range set wide enough to include all personnel cannot detect an abnormality even when one occurs; to address this, the mechanism improves the possibility of detecting abnormalities by grasping each person's work tendencies and selecting the permitted range from several patterns (for example, Patent Document 2).
Prior art documents
Patent documents
Patent Document 1: Japanese Unexamined Patent Publication No. 2007-233661
Patent Document 2: Japanese Unexamined Patent Publication No. 2010-211257
Summary of the invention
Problems to be solved by the invention
The conventional integrated physical-system/information-system log analysis device grasps an employee's actions by arranging actual events in time series, but it does not specifically disclose what kind of improper conduct is detected by what kind of rule (for example, Patent Document 1).
In general, it can be said that improper conduct can be found by jointly analysing the physical-system and information-system logs and monitoring the logs of operations carried out between leaving the room and re-entering it. However, the method for detecting improper conduct carried out, for example, between an employee leaving their seat and leaving the room is unknown.
Further, with a mechanism that detects an abnormality when a user's operations fall outside a permitted range set in advance, a person's operating time, operating interval and so on vary considerably with the time of day, the urgency of the work and the like, so the threshold (permitted range) used for abnormality detection has to be set to a large value. Consequently, in the case of malware that suspends its activity as soon as the person stops operating, it is very difficult to detect the infection (for example, Patent Document 2).
The present invention was made to solve the above problems, and its object is to improve the possibility of detecting an infection even with malware that suspends its activity as soon as the infected person stops operating.
Means for solving the problems
To solve the above problems, the log analysis device of the present invention has: a log collection unit that collects a physical-system log and an information-system log, the physical-system log being the log of a physical facility-management device and the information-system log being the log of an information device that executes information processing through user operation; and a log analysis unit that calculates the frequency distribution of the time intervals between the physical-system log and the information-system log and compares this frequency distribution with the frequency distribution calculated while the information device is normal, thereby detecting an abnormality of the information device.
The log analysis method of the present invention is a log analysis method of a log analysis device that analyses logs to detect an abnormality of an information device, and has: a log collection step in which a log collection unit collects a physical-system log and an information-system log, the physical-system log being the log of a physical facility-management device and the information-system log being the log of an information device that executes information processing through user operation; and a log analysis step in which a log analysis unit calculates the frequency distribution of the time intervals between the physical-system log and the information-system log and compares this frequency distribution with the frequency distribution calculated while the information device is normal, thereby detecting an abnormality of the information device.
Effect of the invention
According to the present invention, the physical-system log and the information-system log are analysed jointly, and the earlier log interval and the current log interval are compared and their deviation analysed. This has the following effect: not only can improper conduct carried out after leaving the room be detected, as before, but an abnormality before leaving the room can also be detected.
Brief description of the drawings
Fig. 1 is a structural diagram showing a configuration example of the log analysis device of Embodiment 1.
Fig. 2 is a diagram showing an example of an entry/exit log, which is one kind of physical-system log.
Fig. 3 is a diagram showing an example of the access log of a file server, which is one kind of information-system log.
Fig. 4 is a flowchart showing the log analysis processing flow of the log analysis device of Embodiment 1.
Fig. 5 is a diagram showing an example of graphs of log analysis results.
Detailed description of embodiments
Embodiment 1
Fig. 1 is a structural diagram showing a configuration example of the log analysis device of Embodiment 1.
In Fig. 1, a room 100 is a place where a user typically performs work using a terminal 101. It is assumed that the room 100 can be entered and exited only through a security door 103 controlled by a security door control device 102, and that the users who may enter and exit are restricted. The terminal 101 is installed in the room 100 and is a device provided for the user to carry out information-processing work; it contains a signal input/output unit 104, an arithmetic unit 105 and a memory 106. As the basic structure through which the user performs input and output to the terminal, a keyboard 107, a mouse 108 and a monitor 109 are connected to the terminal 101.
The terminal 101 is also connected to a network 110 and can communicate over the network 110 with the other devices connected to it. The devices connected to the network 110 include, for example, a file server 111, an authentication server 112, a mail server 113, a proxy server 114 and a firewall 115. Communication with servers on the Internet 116 includes mail transmission and reception via the mail server 113, web communication via the proxy server 114, FTP (File Transfer Protocol) and so on.
The log analysis device 117 is assumed to be connected, like the file server 111 and the authentication server 112, to the organization's internal network 110. Through a log collection unit 118, the log analysis device 117 collects not only the logs of the network-connected terminal 101 and of information-processing devices such as the file server 111, the authentication server 112, the mail server 113, the proxy server 114 and the firewall 115, but also logs related to physical facilities, such as the security door control device 102 that manages users' entry into and exit from the room 100, and accumulates them in a log database 119. A log analysis unit 120 performs keyword-based retrieval, statistical analysis such as log summarisation, analysis based on whether logs match predetermined rules, and the like on the logs accumulated in the log database 119. When the log analysis unit 120 detects a situation that the administrator must be notified of and must respond to, such as a security breach or a failure, an alarm generation unit 121 generates an alarm (warning) and notifies the administrator.
Next, the logs kept in the log database 119 are described.
Fig. 2 is a diagram showing an example of an entry/exit log, which is one kind of physical-system log.
Fig. 3 is a diagram showing an example of the access log of a file server, which is one kind of information-system log.
Fig. 2 is described first. It is an entry/exit log, one kind of physical-system log. An entry/exit log consists, for example, of a date, a time, a user ID and an event. The date represents the date of entry or exit, the time represents the time of entry or exit, the user ID represents the ID of the employee entering or exiting, and the event represents the kind of occurrence, such as entry or exit. In the example of Fig. 2, a history such as "user A left the room at 12:02:20 on 1 April 2014" is kept as a log.
Fig. 3 is described next. It is the access log of a file server, one kind of information-system log. An access log consists, for example, of a date, a time, a user ID, a file and an operation. The date represents the date on which the file operation was performed, the time represents the time at which it was performed, the user ID represents the ID of the employee who performed it, the file represents the name of the file accessed, and the operation represents which operation was performed on the file. In the example of Fig. 3, a file access history such as "user A read the file 'proposal.doc' at 12:02:00 on 1 April 2014" is kept as a log.
Next, the operation of the log analysis device is described.
Fig. 4 is a flowchart showing the log analysis processing flow of the log analysis device of Embodiment 1.
First, in step S101, the log analysis unit 120 extracts the logs to be analysed from the physical-system logs and information-system logs kept in the log database 119. For example, when the file reads performed by user A before leaving the room are to be analysed, the logs related to user A's room-exit events are extracted from the entry/exit log shown in Fig. 2, and the logs of read operations performed by user A are extracted from the file access log shown in Fig. 3.
Next, in step S102, the log analysis unit 120 calculates, for each period, the time intervals between the log records needed for the analysis from the logs extracted in step S101, and performs statistical processing such as graphing by frequency of occurrence. For example, to find the situations in which user A read a file immediately before leaving the room and to measure the time interval, the logs shown in Fig. 2 and Fig. 3 are matched against each other: on finding that the file access immediately before the room exit at 12:02:20 on 1 April 2014 occurred at 12:02:00, the time interval is known to be 20 seconds. This is carried out for every room-exit event, and the results are then graphed per month or the like. The result is the graphs (a) and (b) of Fig. 5.
Next, in step S103, the log analysis unit 120 compares the graphs obtained by the statistical processing in step S102 and verifies the deviation between them. For example, as shown in (c) of Fig. 5, the two graphs are superimposed and the deviation τ along the time axis is calculated. This calculation, for example, holds the graph of (a) fixed, shifts the graph of (b) little by little along the time axis, and finds the time-axis shift τ that minimises the difference from the graph of (a). As a method of finding the deviation τ there is, for example, the method of simply finding the τ that minimises the squared distance, as shown in numerical expression 1 below.
Numerical expression 1: $\tau = \arg\min_{\tau} \sum_{t} \bigl(a(t) - b(t+\tau)\bigr)^2$
Next, in step S104, the log analysis unit 120 verifies whether the deviation τ calculated in step S103 exceeds a threshold T. The threshold T is a parameter determined in advance from the value of the deviation τ in the normal state, with no malware infection. When the deviation τ calculated in step S103, which arises from the time between the person stopping operation and the malware stopping its activity, exceeds the threshold T, an abnormality can be detected. If an abnormality is detected, processing proceeds to step S105; if no abnormality is detected, processing ends.
Finally, in step S105, when an abnormality was detected in step S104, the alarm generation unit 121 presents a warning to the administrator.
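The procedure of steps S101 to S105 carried through on constructed sample logs, as an added example that is not the patent's own code: the entry/exit log and file access log follow the Fig. 2 and Fig. 3 layouts, April is taken as the normal (baseline) month and May as the current month, and the threshold T of 2 seconds is an assumed value.

```python
"""Added worked example of steps S101 to S104 (not the patent's own code).
For each room exit of a user, the seconds since that user's last file read on
the same day are histogrammed per month; two months are then compared by the
time-axis shift tau of numerical expression 1 and checked against threshold T."""
from collections import Counter
from datetime import datetime

# Constructed entry/exit log (Fig. 2 layout: date, time, user ID, event).
ENTRY_EXIT_LOG = """\
2014/04/01 09:00:00 A enter
2014/04/01 12:02:20 A exit
2014/04/01 12:02:30 B exit
2014/04/02 12:05:30 A exit
2014/04/03 18:10:05 A exit
2014/04/04 12:01:50 A exit
2014/04/07 12:03:15 A exit
2014/04/08 17:45:40 A exit
2014/05/01 12:02:25 A exit
2014/05/02 12:04:40 A exit
2014/05/05 18:00:10 A exit
2014/05/06 12:02:00 A exit
2014/05/07 12:06:30 A exit
2014/05/08 17:50:20 A exit
"""
# Constructed file-server access log (Fig. 3 layout: date, time, user ID, file, operation).
# In May the last read before each exit sits about 5 s closer to the exit than in April.
FILE_ACCESS_LOG = """\
2014/04/01 10:15:00 A plan.xls read
2014/04/01 12:02:00 A proposal.doc read
2014/04/02 12:05:11 A proposal.doc read
2014/04/02 12:05:20 A proposal.doc write
2014/04/03 18:09:44 A report.doc read
2014/04/04 12:01:30 A plan.xls read
2014/04/07 12:02:55 A report.doc read
2014/04/08 17:45:18 A proposal.doc read
2014/05/01 12:02:10 A proposal.doc read
2014/05/01 12:02:20 B memo.doc read
2014/05/02 12:04:26 A plan.xls read
2014/05/05 17:59:54 A report.doc read
2014/05/06 12:01:45 A proposal.doc read
2014/05/07 12:06:15 A plan.xls read
2014/05/08 17:50:03 A report.doc read
"""

def parse(text):
    """Yield (timestamp, remaining fields) for each log line."""
    for line in text.splitlines():
        date, time, *rest = line.split()
        yield datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S"), rest

def intervals_by_period(exit_log, access_log, user, operation="read"):
    """Steps S101/S102: per month, a histogram {seconds: count} of the gap between
    the user's last `operation` of the day and the room exit that follows it."""
    exits = [ts for ts, (uid, event) in parse(exit_log)
             if uid == user and event == "exit"]
    ops = sorted(ts for ts, (uid, _file, op) in parse(access_log)
                 if uid == user and op == operation)
    periods = {}
    for ex in exits:
        prior = [t for t in ops if t.date() == ex.date() and t < ex]
        if not prior:
            continue  # no matching operation before this exit: nothing to measure
        gap = int((ex - prior[-1]).total_seconds())
        periods.setdefault(ex.strftime("%Y-%m"), Counter())[gap] += 1
    return periods

def time_shift(a, b, max_shift=60):
    """Numerical expression 1: the tau (seconds, within +/- max_shift) that
    minimises sum_t (a(t) - b(t + tau))^2 for histograms a and b."""
    lo = min(min(a), min(b)) - max_shift  # summed range is wide enough that no
    hi = max(max(a), max(b)) + max_shift  # mass of a or b ever falls outside it
    best_tau, best_dist = 0, float("inf")
    for tau in range(-max_shift, max_shift + 1):
        dist = sum((a.get(t, 0) - b.get(t + tau, 0)) ** 2 for t in range(lo, hi + 1))
        if dist < best_dist:
            best_tau, best_dist = tau, dist
    return best_tau

def detect(exit_log, access_log, user, baseline, current, threshold_t):
    """Steps S103/S104: tau between the baseline and current month's histograms,
    and whether its magnitude exceeds threshold T (tau is signed: negative means
    the current month's operations end closer to the room exit)."""
    periods = intervals_by_period(exit_log, access_log, user)
    tau = time_shift(periods[baseline], periods[current])
    return tau, abs(tau) > threshold_t

if __name__ == "__main__":
    tau, abnormal = detect(ENTRY_EXIT_LOG, FILE_ACCESS_LOG, "A", "2014-04", "2014-05", 2)
    print(f"tau = {tau} s, abnormal = {abnormal}")  # tau = -5 s, abnormal = True
```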
As described above, in the invention of Embodiment 1, the physical-system log and the information-system log are analysed jointly, and the earlier log interval and the current log interval are compared and their deviation analysed; thus not only can improper conduct carried out after leaving the room be detected, as before, but an abnormality before leaving the room can also be detected. For example, in the case of a malware infection the log interval is expected to deviate by several hundred milliseconds to several seconds, and by detecting this deviation, malware infection can be detected and internal improper conduct discovered.
Further, because the present invention calculates the deviation of a statistic after aggregating the statistics of the log intervals per period, it is not easily affected by fluctuations of individual log intervals. A person's operating interval is generally expected to vary in units of several seconds to more than ten seconds. Therefore, if the deviation were evaluated by observing each log interval individually, a large threshold T would have to be used for the judgement. The present invention, however, evaluates not each log interval but the deviation of the overall distribution tendency, so an abnormality can be detected with a smaller threshold T, and the possibility of detecting an abnormality such as malware infection improves.
In step S103, the commonly used squared distance was used as the evaluation scale of the deviation between distributions, but the deviation of the frequency peaks may be used instead, for example, or the deviation may be judged using another distance such as the earth mover's distance. The deviation between distributions may also be evaluated using the Kullback-Leibler divergence, the Jensen-Shannon divergence or the like.
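The Kullback-Leibler and Jensen-Shannon divergences named above, applied to interval histograms as an added example that is not the patent's code. It also shows a caveat a practitioner needs: with 1-second bins the Jensen-Shannon divergence saturates at ln 2 as soon as the two supports no longer overlap, so it reports the same value for a 5-second and a 30-second shift, which makes the choice of bin width discussed in this description important for these scales. The BASELINE histogram and the shifts applied to it are constructed values.

```python
"""Added example (not the patent's code): Kullback-Leibler and Jensen-Shannon
divergence between two log-interval histograms of the form {seconds: count}."""
import math

def normalise(hist):
    """Turn a count histogram into a probability distribution."""
    total = sum(hist.values())
    return {t: c / total for t, c in hist.items()}

def kl_divergence(p, q):
    """D(p || q) in nats; infinite wherever q has no mass on p's support."""
    total = 0.0
    for t, pt in p.items():
        if pt == 0.0:
            continue
        qt = q.get(t, 0.0)
        if qt == 0.0:
            return math.inf  # KL is asymmetric and unbounded: unusable as-is here
        total += pt * math.log(pt / qt)
    return total

def js_divergence(hist_a, hist_b):
    """Jensen-Shannon divergence in nats: symmetric, finite, at most ln 2.
    It reaches ln 2 as soon as the two supports do not overlap at all, so with
    1-second bins it cannot tell a small shift from a large one."""
    p, q = normalise(hist_a), normalise(hist_b)
    keys = set(p) | set(q)
    m = {t: (p.get(t, 0.0) + q.get(t, 0.0)) / 2 for t in keys}  # mixture
    return 0.5 * kl_divergence(p, m) + 0.5 * kl_divergence(q, m)

def shifted(hist, tau):
    """The same histogram moved tau seconds along the time axis."""
    return {t + tau: c for t, c in hist.items()}

# Constructed April-style histogram: most gaps are 20 s, a few are 19, 21 or 22 s.
BASELINE = {19: 1, 20: 3, 21: 1, 22: 1}

if __name__ == "__main__":
    for tau in (0, -1, -5, -30):
        print(f"shift {tau:4d} s: JS = {js_divergence(BASELINE, shifted(BASELINE, tau)):.4f}")
```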
In steps S101 and S102, an example analysing file read operations was shown, but the log interval may also be analysed using operations such as file writes or web accesses. Nor is it necessary to restrict the analysis to a specific operation; the log interval may be calculated from whatever operation was carried out before leaving the room.
In Embodiment 1, a file access log was used as the information-system log, but any log, such as a web access log, a mail transmission/reception log, an authentication log or a PC (terminal) operation log, may be used for the analysis.
In Embodiment 1, analysis using the logs related to room-exit events in the entry/exit log was shown, but log analysis may also be performed using events related to room entry. This is because, for example, when a person moves from the room where the PC (terminal) is located to a laboratory adjacent to it, the fact that terminal operation has stopped can be determined from the entry event of the laboratory.
In Embodiment 1, an entry/exit log was used as the physical-system log, but as long as the log shows that the PC (terminal) is no longer being operated, any log may be used for the analysis: for example, a detection log of leaving the seat or of the end of PC (terminal) operation based on a surveillance camera, a detection log of leaving the seat or of the end of PC (terminal) operation using a sensor such as RF-ID, or a detection log of lighting being switched on or off.
In step S102, an example of aggregating logs per month was shown, but aggregation is not limited to months and may be per week, per day or the like. The present invention does not depend on the aggregation unit.
In step S102, because the logs are output in units of seconds, it was implicitly assumed that the frequency graph is generated in units of seconds, but instead of 1-second units the graph may be formed by rounding to units of 2 seconds, 5 seconds, 1 minute or the like.
Description of reference signs
100: room; 101: terminal; 102: security door control device; 103: security door; 104: signal input/output unit; 105: arithmetic unit; 106: memory; 107: keyboard; 108: mouse; 109: monitor; 110: network; 111: file server; 112: authentication server; 113: mail server; 114: proxy server; 115: firewall; 116: Internet; 117: log analysis device; 118: log collection unit; 119: log database; 120: log analysis unit; 121: alarm generation unit.

Claims (4)

1. A log analysis device, comprising:
a log collection unit that collects a physical-system log and an information-system log, the physical-system log being the log of a physical facility-management device and the information-system log being the log of an information device that executes information processing through user operation; and
a log analysis unit that calculates the time intervals between the physical-system log and the information-system log, counts a frequency distribution of the frequency of occurrence of each time interval, and compares the frequency distribution with the frequency distribution calculated while the information device is normal, thereby detecting an abnormality of the information device.
2. The log analysis device according to claim 1, wherein
the log analysis device has a log database that stores the physical-system log and the information-system log collected by the log collection unit, and
the log analysis unit extracts from the log database the physical-system logs and information-system logs that occurred during a first period and during a second period; calculates the time intervals between the physical-system log and the information-system log during the first period and counts the frequency distribution of the frequency of occurrence of each time interval as a first frequency distribution; calculates the time intervals between the physical-system log and the information-system log during the second period and counts the frequency distribution of the frequency of occurrence of each time interval as a second frequency distribution; calculates the deviation τ between the first frequency distribution and the second frequency distribution in the time-axis direction; and detects an abnormality of the information device when the deviation τ is larger than the deviation T in the time-axis direction between the first frequency distribution and the second frequency distribution calculated while the information device is normal.
3. The log analysis device according to claim 1 or 2, wherein
the log analysis device has an alarm generation unit, and when the log analysis unit detects an abnormality of the information device, the alarm generation unit generates an alarm and notifies an administrator.
4. A log analysis method of a log analysis device that analyses logs to detect an abnormality of an information device, the log analysis method comprising:
a log collection step in which a log collection unit collects a physical-system log and an information-system log, the physical-system log being the log of a physical facility-management device and the information-system log being the log of an information device that executes information processing through user operation; and
a log analysis step in which a log analysis unit calculates the time intervals between the physical-system log and the information-system log, counts a frequency distribution of the frequency of occurrence of each time interval, and compares the frequency distribution with the frequency distribution calculated while the information device is normal, thereby detecting an abnormality of the information device.
Applications Claiming Priority (1)

Application number: PCT/JP2014/002955 (WO2015186155A1); priority date: 2014-06-03; filing date: 2014-06-03; title: Log analysis device and log analysis method

Publications (2)

CN106415578A (en), published 2017-02-15
CN106415578B (en), published 2018-07-03

Family

ID=54766260

Family Applications (1)

Application number: CN201480079459.3A (CN106415578B, Expired - Fee Related); title: Log analysis device and log analysis method; priority date: 2014-06-03; filing date: 2014-06-03

Country Status (3)

Country Link
JP (1) JP6138367B2 (en)
CN (1) CN106415578B (en)
WO (1) WO2015186155A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5926413B1 (en) * 2015-02-16 2016-05-25 株式会社ラック Information processing apparatus, information processing method, and program
JP5992643B2 (en) * 2016-04-21 2016-09-14 株式会社ラック Information processing apparatus, information processing method, and program
JP6088700B2 (en) * 2016-08-17 2017-03-01 株式会社ラック Information processing apparatus, information processing method, and program
JP6145588B2 (en) * 2017-02-03 2017-06-14 株式会社ラック Information processing apparatus, information processing method, and program
CN107341095B (en) * 2017-06-27 2020-07-28 北京优特捷信息技术有限公司 Method and device for intelligently analyzing log data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1950778A (en) * 2004-03-09 2007-04-18 Ip锁有限公司 Database user behavior monitor system and method
JP2007233661A (en) * 2006-02-28 2007-09-13 Intelligent Wave Inc Log integrated management system and log integrated management method
JP4156540B2 (en) * 2004-02-23 2008-09-24 Kddi株式会社 Log analysis device, log analysis program, and recording medium

Also Published As

Publication number Publication date
WO2015186155A1 (en) 2015-12-10
JPWO2015186155A1 (en) 2017-04-20
JP6138367B2 (en) 2017-05-31
CN106415578A (en) 2017-02-15

Legal Events

Code Title / Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant (granted publication date: 20180703)
CF01 Termination of patent right due to non-payment of annual fee (termination date: 20200603)