CN109829315A - The method, apparatus and computer readable storage medium of log processing - Google Patents


Info

Publication number: CN109829315A
Authority: CN (China)
Application number: CN201711180639.2A
Other languages: Chinese (zh)
Inventors: 陈世俊, 刘锡峰
Current assignee: Siemens Ltd China
Original assignee: Siemens Ltd China
Application filed by Siemens Ltd China
Legal status: Pending

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a log processing method, apparatus and computer readable storage medium. The method comprises: performing data cleansing on application operation logs of at least one user terminal obtained in advance, to obtain a processing result; and, according to the processing result, performing association analysis between the application operation log and a set suspicious operation sequence, and generating a potential data leakage behavior alarm event when the analysis result indicates an anomaly. Embodiments of the present invention effectively solve the technical problem in the prior art that the data to be processed by anti-data-leakage equipment is large and cluttered, so that the processing load of the equipment is high.

Description

The method, apparatus and computer readable storage medium of log processing
Technical field
The present invention relates to the technical field of data processing, and in particular to a log processing method, apparatus and computer readable storage medium.
Background
With the continuous development of network technology, data leakage has become a major issue affecting enterprise information security. Normally, to prevent leakage of internal sensitive information or data, enterprises mostly rely on personnel management and technical management. Personnel management is mainly realized by having employees sign confidentiality agreements with the enterprise, while technical management is mainly realized by deploying anti-data-leakage equipment in the enterprise's internal IT environment.
At present, the basic working principle of anti-data-leakage equipment is as follows: collect operation logs from the user terminals inside the enterprise, determine, using security rules configured on a server, which user terminal operations violate the enterprise security policy, and block those operations. In practical applications, such equipment often has to handle a large number of generated alarm events, and its processing load is high.
Summary of the invention
In view of this, embodiments of the present invention propose a log processing method, apparatus and computer readable storage medium, which solve the technical problem in the prior art that the data to be processed by anti-data-leakage equipment is large and cluttered and the processing load is high.
A first aspect according to an embodiment of the present invention provides a log processing method, comprising:
performing data cleansing on application operation logs of at least one user terminal obtained in advance, to obtain a processing result;
according to the processing result, performing association analysis between the application operation log and a set suspicious operation sequence, and generating a potential data leakage behavior alarm event when the analysis result indicates an anomaly.
By performing data cleansing on the application operation logs of the at least one user terminal, the large amount of redundant information and normal user operation behavior in the logs collected by the anti-data-leakage equipment from the at least one user terminal can be reduced. This solves the technical problem that the equipment's data is large and cluttered and its processing load is high, and produces a small number of effective alarm events that help to further prevent data leakage.
In embodiments of the present invention, the application operation log includes at least two of: application operation type, application name, user account, operation object and object location information.
Performing data cleansing on the application operation logs of the at least one user terminal obtained in advance includes:
grouping the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log, to obtain the data distribution of the log entries;
performing data cleansing on the application operation log according to the data distribution of the log entries.
In embodiments of the present invention, by grouping the application operation log entries according to one or more of application operation type, application name, user account, operation object, object location information and the like, the data distribution of the log entries is obtained. This facilitates further data cleansing of the application operation log and optimizes its data processing flow.
In embodiments of the present invention, performing data cleansing on the application operation log according to the data distribution of the log entries includes:
according to the data distribution of the log entries, determining the priority of each group of log entries by the proportion of the total number of log entries that the group accounts for, selecting at least one group of log entries whose priority meets a set high priority as the screened application operation log, and performing data cleansing on that application operation log.
In embodiments of the present invention, grouping the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log includes: selecting at least two of the application operation type, application name, user account, operation object and object location information of the application operation log to form a node tree comprising a root node and at least one level of child nodes; and grouping the log entries of the application operation log successively, using each node of the node tree in turn as the keyword, to generate a tree-shaped grouping structure.
Performing data cleansing on the application operation log according to the data distribution of the log entries includes: according to the data distribution of the log entries, determining the priority of each group of log entries on the principle that, in the tree-shaped grouping structure, the priority of a parent node is higher than that of its child nodes; and selecting at least one group of log entries whose priority meets a set high priority as the screened application operation log, and performing data cleansing on that application operation log.
In embodiments of the present invention, the application operation log is grouped either by basic grouping according to application operation type, application name, user account, operation object, object location information and the like, or by nested grouping based on application operation type, application name, user account, operation object, object location information and the like. Data cleansing of the application operation log can then proceed according to the set priorities, which improves the efficiency of cleansing the application operation log data.
In embodiments of the present invention, performing data cleansing on the application operation log includes any one or any combination of the following:
based on expert knowledge, filtering out log entries in the application operation log that are irrelevant to data leakage behavior analysis;
based on a deduplication strategy, compressing repeated log entries in the application operation log;
based on a merging strategy, merging related log entries in the application operation log.
In embodiments of the present invention, based on expert knowledge, for example by configuring a list of useless application names and a list of useless accounts, log entries irrelevant to data leakage behavior analysis are filtered out of the application operation log and log entries relevant to data leakage behavior are retained; based on the deduplication strategy, only one entry is retained among entries with the same operation type, the same application name and the same operation object, compressing repeated log entries in the application operation log; based on the merging strategy, entries of the same operation type and the same application name but different operation objects are merged. Through any one or any combination of the above data cleansing methods, redundant data in the application operation log is eliminated and the data structure of the application operation log is simplified.
In embodiments of the present invention, the application operation log includes an operation time, a user account and an application operation type;
performing association analysis between the application operation log and the set suspicious operation sequence according to the processing result, and obtaining a potential data leakage behavior alarm event when the analysis result indicates an anomaly, includes:
for each user account, selecting, from the application operation logs of the at least one user terminal obtained in advance, the application operation log of each application operation type that corresponds to the user account within the period corresponding to the processing result and within a set operation period before and/or after it;
associating the selected application operation log of each application operation type with the set suspicious operation sequence to obtain an operation association degree corresponding to the user account, the operation association degree being used to evaluate the similarity between the selected application operation log of each application operation type and the set suspicious operation sequence.
In embodiments of the present invention, data cleansing of the application operation logs of the at least one user terminal obtained in advance simplifies the data structure of the application operation log. Then, according to the processing result of the data cleansing, for each user account, the application operation log of each application operation type corresponding to the user account within the period corresponding to the processing result and the set operation period before and/or after it is selected from the application operation logs of the at least one user terminal obtained in advance. This widens the range of data acquisition on the basis of the simplified application operation log and improves the accuracy of the result.
In embodiments of the present invention, the method includes: when the operation association degree is greater than a set threshold, the analysis result indicates an anomaly and a potential data leakage behavior alarm event is generated.
In embodiments of the present invention, the set threshold of the operation association degree can be adjusted according to expert knowledge and the like, to suit different sensitivity requirements. When the operation association degree is greater than the set threshold, the analysis result indicates an anomaly and a potential data leakage behavior alarm event is generated, so that corresponding action can subsequently be taken based on the alarm event to address the data leakage problem.
A second aspect according to an embodiment of the present invention provides a log processing apparatus, the apparatus comprising:
a processing module 100, configured to perform data cleansing on application operation logs of user terminals obtained in advance to obtain a processing result, the application operation log including an operation time, a user account and an application operation type;
an analysis module 200, configured to perform, according to the processing result, association analysis between the application operation log and a set suspicious operation sequence, and to generate a potential data leakage behavior alarm event when the analysis result indicates an anomaly.
In embodiments of the present invention, the processing module 100 performs data cleansing on the application operation logs of the at least one user terminal, which reduces the large amount of redundant information and normal user operation behavior collected by the anti-data-leakage equipment from the at least one user terminal and solves the technical problem that the equipment's data is large and cluttered and its processing load is high; the analysis module 200 performs association analysis between the application operation log and the set suspicious operation sequence and, when the analysis result indicates an anomaly, generates a small number of effective alarm events, which helps to further prevent data leakage.
In embodiments of the present invention, the application operation log includes at least two of application operation type, application name, user account, operation object and object location information, and the processing module 100 includes a grouping unit 110 and a processing unit 120.
The grouping unit 110 is configured to group the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log, to obtain the data distribution of the log entries;
the processing unit 120 is configured to perform data cleansing on the application operation log according to the data distribution of the log entries.
In embodiments of the present invention, the grouping unit 110 groups the application operation log entries according to one or more of application operation type, application name, user account, operation object, object location information and the like, or performs nested grouping of the application operation log based on application operation type, application name, user account, operation object, object location information and the like, to obtain the data distribution of the application operation log entries. Based on this data distribution, the processing unit 120 can further perform data cleansing on the application operation log, optimizing its data processing flow.
In embodiments of the present invention, the processing unit 120 includes any one or any combination of a filtering sub-unit 121, a deduplication sub-unit 122 and a merging sub-unit 123.
The filtering sub-unit 121 is configured to filter out, based on expert knowledge, log entries in the application operation log that are irrelevant to data leakage behavior analysis; the deduplication sub-unit 122 is configured to compress repeated log entries in the application operation log based on a deduplication strategy; the merging sub-unit 123 is configured to merge related log entries in the application operation log based on a merging strategy.
In embodiments of the present invention, the filtering sub-unit 121, based on expert knowledge, for example by configuring a list of useless application names and a list of useless accounts, filters log entries irrelevant to data leakage behavior analysis out of the application operation log and retains log entries relevant to data leakage behavior; the deduplication sub-unit 122, based on the deduplication strategy, retains only one entry among entries with the same operation type, the same application name and the same operation object, compressing repeated log entries in the application operation log; the merging sub-unit 123, based on the merging strategy, merges entries of the same operation type and the same application name but different operation objects. Through any one or any combination of the sub-units of the processing unit, redundant data in the application operation log is eliminated and the data structure of the application operation log is simplified.
In embodiments of the present invention, the application operation log includes an operation time, a user account and an application operation type. The analysis module performs, according to the processing result, association analysis between the application operation log and the set suspicious operation sequence, and obtains a potential data leakage behavior alarm event when the analysis result indicates an anomaly. The analysis module 200 includes a selection unit 210, an association unit 220 and an alarm unit 230.
The selection unit 210 is configured to select, for each user account, from the application operation logs of the at least one user terminal obtained in advance, the application operation log of each application operation type that corresponds to the user account within the period corresponding to the processing result and within a set operation period before and/or after it.
The association unit 220 is configured to associate the selected application operation log of each application operation type with the set suspicious operation sequence to obtain an operation association degree corresponding to the user account, the operation association degree being used to evaluate the similarity between the selected application operation log of each application operation type and the set suspicious operation sequence.
The alarm unit 230 is configured to generate a potential data leakage behavior alarm event when the operation association degree is greater than a set threshold, the analysis result then indicating an anomaly.
A third aspect according to an embodiment of the present invention provides a log processing apparatus comprising at least one memory and at least one processor, wherein:
the at least one memory 301 is configured to store a computer program;
the at least one processor 302 is configured to call the computer program stored in the at least one memory 301 and execute the log processing method of any of the above items.
A fourth aspect according to an embodiment of the present invention provides a computer readable storage medium storing a computer program; the computer program can be executed by a processor to implement the log processing method of any of the above items.
It can be seen from the above that embodiments of the present invention perform data cleansing on the application operation logs of at least one user terminal obtained in advance to obtain a processing result; according to the processing result, perform association analysis between the application operation log and a set suspicious operation sequence; and generate a potential data leakage behavior alarm event when the analysis result indicates an anomaly. The log processing method of the embodiments of the present invention thus solves the technical problem in the prior art that the data of anti-data-leakage equipment is large and cluttered and the processing load is high.
Description of the drawings
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, to make the above and other features and advantages of the invention clearer to those skilled in the art. In the drawings:
Fig. 1 is a flow chart of the log processing method in one embodiment of the invention;
Fig. 2 is a schematic diagram of the log processing apparatus in one embodiment of the invention;
Fig. 3 is a schematic structural diagram of the log processing apparatus provided by another embodiment of the invention.
The reference numerals are as follows:
Detailed description
Embodiments of the present invention solve the technical problem in the prior art that the data of anti-data-leakage equipment is large and cluttered and the processing load is high, by performing data cleansing on the application operation logs of at least one user terminal obtained in advance to obtain a processing result, and, according to the processing result, performing association analysis between the application operation log and a set suspicious operation sequence and generating a potential data leakage behavior alarm event when the analysis result indicates an anomaly. The technical solution of the present invention is applicable to various technical fields, including the industrial field, in which alarm events need to be handled; using the embodiments of the present invention effectively reduces the load placed on equipment by handling alarm events.
To make the objectives, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
The terms "include" and "have" and any variations thereof in the description and claims of this specification are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to such processes, methods, products or devices.
Embodiments of the present invention provide a log processing method, apparatus and computer readable storage medium, which solve the technical problem in the prior art that the data of anti-data-leakage equipment is large and cluttered and the processing load is high.
In one embodiment of the present invention, referring to Fig. 1, which shows the log processing method of one embodiment of the invention, the specific steps are as follows:
S01: perform data cleansing on the application operation logs of at least one user terminal obtained in advance, to obtain a processing result.
In embodiments of the present invention, the application operation log includes various kinds of information, such as application operation type, application name, user account, operation object and object location information. Performing data cleansing on the application operation logs of the at least one user terminal obtained in advance includes: first, grouping the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log, to obtain the data distribution of the log entries; then, performing data cleansing on the application operation log according to the data distribution of the log entries.
By performing data cleansing on the application operation logs of the at least one user terminal, the large amount of redundant information and normal user operation behavior collected by the anti-data-leakage equipment from the at least one user terminal can be reduced, solving the technical problem that the equipment's data is large and cluttered and its processing load is high, so as to prevent data leakage. The application operation logs of the at least one user terminal can be obtained from anti-data-leakage products such as Digital Guardian, Symantec, Forcepoint and Intel Security.
In embodiments of the present invention, grouping the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log may include basic grouping according to application operation type, application name, user account, operation object, object location information and the like, and nested grouping based on application operation type, application name, user account, operation object and object location information.
Basic grouping may include: according to the data distribution of the log entries, determining the priority of each group of log entries by the proportion of the total number of log entries that the group accounts for, selecting at least one group of log entries whose priority meets a set high priority as the screened application operation log, and performing data cleansing on that application operation log.
Nested grouping may include: selecting at least two of the application operation type, application name, user account, operation object and object location information of the application operation log to form a node tree comprising a root node and at least one level of child nodes; and grouping the log entries of the application operation log successively, using each node of the node tree in turn as the keyword, to generate a tree-shaped grouping structure. For example, the log entries of the application operation log are first grouped with the operation type as the root node, and then grouped again with the application name and the user account as the first-level and second-level child nodes respectively, generating a tree-shaped grouping structure.
In embodiments of the present invention, performing data cleansing on the nested-grouped application operation log includes:
according to the data distribution of the log entries, determining the priority of each group of log entries on the principle that, in the tree-shaped grouping structure, the priority of a parent node is higher than that of its child nodes; and selecting at least one group of log entries whose priority meets a set high priority as the screened application operation log, and performing data cleansing on that application operation log.
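The nested grouping and priority screening described above, as an added example that is not part of the patent: the log entries, field names and the 0.2 share threshold are constructed here, and priority is taken as the share of all entries a group accounts for, capped so that a child node never outranks its parent.

```python
from collections import defaultdict

# Constructed sample application operation log (not from the patent). Each
# entry carries the five fields the patent names: operation type, application
# name, user account, operation object and object location.
def _entry(op, app, user, obj, loc):
    return {"op": op, "app": app, "user": user, "obj": obj, "loc": loc}

SAMPLE_LOG = (
    [_entry("file_copy", "explorer.exe", "alice", f"report{i}.xlsx", "C:\\docs") for i in range(4)]
    + [_entry("file_copy", "explorer.exe", "bob", f"plan{i}.docx", "C:\\docs") for i in range(2)]
    + [_entry("network_upload", "chrome.exe", "alice", f"report{i}.xlsx", "https://share.example")
       for i in range(3)]
    + [_entry("print", "winword.exe", "carol", "memo.docx", "\\\\printer01")]
)

def group_tree(entries, keys):
    """Nested grouping: the first key is the root node, each further key one
    more level of child nodes. Returns {value: {"count": n, "children": {...}}}."""
    if not keys:
        return {}
    buckets = defaultdict(list)
    for e in entries:
        buckets[e[keys[0]]].append(e)
    return {value: {"count": len(bucket), "children": group_tree(bucket, keys[1:])}
            for value, bucket in buckets.items()}

def walk(tree, path=()):
    """Yield (path, count) for every node, each parent before its children."""
    for value, node in tree.items():
        here = path + (value,)
        yield here, node["count"]
        yield from walk(node["children"], here)

def prioritize(entries, keys):
    """Priority of a group = share of all log entries it accounts for, with the
    patent's rule that a child node's priority never exceeds its parent's."""
    total = len(entries)
    priority = {}
    for path, count in walk(group_tree(entries, keys)):
        share = count / total
        if len(path) > 1:
            share = min(share, priority[path[:-1]])
        priority[path] = share
    return priority

def screen(entries, keys, min_share):
    """Keep only the entries of leaf groups whose priority meets min_share;
    these form the screened application operation log handed to cleansing."""
    keep = {path for path, share in prioritize(entries, keys).items()
            if len(path) == len(keys) and share >= min_share}
    return [e for e in entries if tuple(e[k] for k in keys) in keep]

if __name__ == "__main__":
    keys = ["op", "app", "user"]   # root node: operation type; then app name; then account
    for path, share in prioritize(SAMPLE_LOG, keys).items():
        print("  " * (len(path) - 1) + f"{path[-1]}: {share:.2f}")
    print(len(screen(SAMPLE_LOG, keys, 0.2)), "entries kept")
```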
In embodiments of the present invention, the data cleansing may include any one or any combination of the following data processing steps:
based on expert knowledge, filtering out log entries in the application operation log that are irrelevant to data leakage behavior analysis; based on a deduplication strategy, compressing repeated log entries in the application operation log; and based on a merging strategy, merging related log entries in the application operation log.
In this embodiment, expert knowledge may include a configured list of useless application names, a configured list of useless accounts and the like. For example, expert knowledge tells us that the application process bfsvc.exe is a system-level process and that the logs it generates have no practical significance for data leakage behavior analysis; the application is therefore added to the list of useless application names, which filters the log entries irrelevant to data leakage behavior analysis out of the application operation log.
The deduplication strategy may include: retaining only one entry among entries with the same operation type, the same application name and the same operation object. For example, if a user account prints 5 documents within a few minutes, 10 copies of each, this step compresses the 50 log entries to 5.
The merging strategy may include: merging entries of the same operation type and the same application name but different operation objects. This step merges the related log entries of a given account at a given time according to the merging strategy, which may merge the entries of the same application under the same operation type that have different operation objects into a single entry. For example, if a user account sends a mail with 4 attachments to 5 people at time T, this step merges the 25 log entries into 1.
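The three cleansing steps in the patent's order (filter, deduplicate, merge), as an added example that is not the patent's code: the log entries, field names, timestamps and the useless-account name are constructed, and the deduplication key also includes the user account, which is an assumption. The sample reproduces the 50-to-5 print case and the 25-to-1 mail case given above.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

# Expert-knowledge lists. bfsvc.exe is the patent's own example of a
# system-level process; the account name is a constructed placeholder.
USELESS_APPS = {"bfsvc.exe"}
USELESS_ACCOUNTS = {"svc_backup"}

def _entry(time, user, op, app, obj, loc):
    return {"time": time, "user": user, "op": op, "app": app, "obj": obj, "loc": loc}

T = datetime(2017, 11, 1, 14, 0)   # constructed reference time

def build_sample_log():
    """Constructed log reproducing the patent's two worked cases plus noise."""
    log = []
    # 5 documents printed 10 times each within a few minutes: 50 entries
    for d in range(5):
        for c in range(10):
            log.append(_entry(T + timedelta(minutes=d, seconds=c), "alice", "print",
                              "winword.exe", f"doc{d}.docx", "\\\\printer01"))
    # one mail with 4 attachments sent to 5 people at moment T: 25 entries
    for r in range(5):
        for obj in ("mail.eml", "a1.pdf", "a2.pdf", "a3.pdf", "a4.pdf"):
            log.append(_entry(T, "bob", "send_mail", "outlook.exe", obj, f"user{r}@example.com"))
    # entries that expert knowledge says carry nothing for leak analysis
    log.append(_entry(T, "alice", "file_write", "bfsvc.exe", "bootstat.dat", "C:\\Windows"))
    log.append(_entry(T, "svc_backup", "file_copy", "backup.exe", "db.bak", "D:\\"))
    return log

def filter_entries(log):
    """Expert-knowledge filter: drop useless applications and accounts."""
    return [e for e in log if e["app"] not in USELESS_APPS and e["user"] not in USELESS_ACCOUNTS]

def dedup_entries(log):
    """Deduplication: same operation type, application name and operation
    object keep one entry (user account added to the key as an assumption,
    so that different users' identical actions are not collapsed)."""
    seen, out = set(), []
    for e in log:
        key = (e["user"], e["op"], e["app"], e["obj"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out

def merge_entries(log):
    """Merging: for one account at one time, entries of the same operation
    type and application with different objects become a single entry."""
    groups = OrderedDict()
    for e in log:
        groups.setdefault((e["time"], e["user"], e["op"], e["app"]), []).append(e)
    return [{"time": t, "user": u, "op": op, "app": app,
             "objs": sorted({i["obj"] for i in items}), "merged": len(items)}
            for (t, u, op, app), items in groups.items()]

def cleanse(log):
    """The patent's order: filter, then deduplicate, then merge."""
    return merge_entries(dedup_entries(filter_entries(log)))

if __name__ == "__main__":
    raw = build_sample_log()
    print(f"raw: {len(raw)} entries")
    print(f"filtered: {len(filter_entries(raw))} entries")
    print(f"deduplicated: {len(dedup_entries(filter_entries(raw)))} entries")
    print(f"merged: {len(cleanse(raw))} entries")
```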
S02: according to the processing result, perform association analysis between the application operation log and the set suspicious operation sequence, and generate a potential data leakage behavior alarm event when the analysis result indicates an anomaly.
In embodiments of the present invention, performing association analysis between the application operation log and the set suspicious operation sequence according to the processing result, and obtaining a potential data leakage behavior alarm event when the analysis result indicates an anomaly, may include:
for each user account, selecting, from the application operation logs of the at least one user terminal obtained in advance, the application operation log of each application operation type that corresponds to the user account within the period corresponding to the processing result and within a set operation period before and/or after it. Analyzing the application operation log of each application operation type within the period corresponding to the processing result and the set operation period before and/or after it further improves the accuracy of the analysis result.
associating the selected application operation log of each application operation type with the set suspicious operation sequence to obtain an operation association degree corresponding to the user account, the operation association degree being used to evaluate the similarity between the selected application operation log of each application operation type and the set suspicious operation sequence. The suspicious operation sequence is the sequence of operations performed by a user in a typical potential data leakage scenario, and can be specified by expert knowledge or obtained by machine learning. For example, if a user account performs the following operations in succession within one hour on the afternoon of a given day: network transfer download, file rename and network transfer upload, with the application process named fsquirt.exe, the association degree of these operations of the user account is 1.0.
When the operation association degree is greater than a set threshold, the analysis result indicates an anomaly and a potential data leakage behavior alarm event is generated.
In embodiments of the present invention, the set threshold can be adjusted according to expert knowledge to suit different sensitivity requirements.
In another embodiment of the present invention, referring to Fig. 2, the log processing device of one embodiment of the invention is shown in the figure and may specifically include a processing module 100 and an analysis module 200.
The processing module 100 performs data cleansing processing on the application operation log of the user terminal obtained in advance and obtains a processing result; the application operation log includes operation time, user account and application operation type. The analysis module 200 performs association analysis between the application operation log and the set suspicious operation sequence according to the processing result and generates a potential data-leakage behaviour alarm event when the analysis result indicates an anomaly.
In an embodiment of the present invention, the application operation log may include at least two of the following: application operation type, application name, user account, operation object and object location information. The processing module 100 may include a grouping unit 110 and a processing unit 120.
The grouping unit 110 groups the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log, and obtains the data distribution of the log entries.
In this embodiment, the grouping unit 110 determines, from the data distribution of the log entries, the priority of each group of log entries by the proportion of that group in the total number of log entries, selects at least one group of log entries with the set high priority as the application operation log obtained after screening, and performs data cleansing processing on that application operation log.
The grouping unit 110 may also be used to select at least two of the application operation type, application name, user account, operation object and object location information of the application operation log to form a node tree including a root node and at least one level of child nodes, and then, using each node of the node tree in turn as a keyword, group the log entries of the application operation log successively to generate a tree-shaped grouping structure. For example, the log entries of the application operation log are first grouped with the operation type as the root node, then grouped again with the application name as the first-level child node and the user account as the second-level child node, generating a tree-shaped grouping structure.
The processing unit 120 performs data cleansing processing on the application operation log according to the data distribution of the log entries.
In an embodiment of the present invention, by performing data cleansing processing on the application operation log of the at least one user terminal, the processing unit 120 reduces the large amount of redundant information and normal user operation behaviour that the data leakage prevention device collects from the at least one user terminal. Cleansing the application operation log solves the technical problem that the data to be processed by the data leakage prevention device is voluminous and its processing load is high, and further prevents data leakage. The application operation log of the at least one user terminal can be obtained from data leakage prevention products such as Digital Guardian, Symantec, Forcepoint and Intel Security.
The processing unit 120 may include any one or any combination of a filtering sub-unit 121, a deduplication sub-unit 122 and a merging sub-unit 123.
The filtering sub-unit 121 filters, based on expert knowledge, log entries in the application operation log that are irrelevant to data-leakage behaviour analysis. The expert knowledge may include a set list of useless application names, a set list of useless accounts, and the like.
The deduplication sub-unit 122 compresses repeated log entries in the application operation log based on a deduplication strategy. The deduplication strategy may include: for entries with the same operation type, application name and operation object, keep only one.
The merging sub-unit 123 merges related log entries in the application operation log based on a merging strategy. The merging strategy may include: for the same operation type, merge entries of the same application name that have different operation objects.
In an embodiment of the present invention, the application operation log includes operation time, user account and application operation type. The analysis module 200 performs association analysis between the application operation log and the set suspicious operation sequence according to the processing result and obtains a potential data-leakage behaviour alarm event when the analysis result indicates an anomaly. The analysis module 200 may include a selection unit 210, an association unit 220 and an alarm unit 230.
The selection unit 210 selects, for each user account, from the application operation log of the at least one user terminal obtained in advance, the application operation log of each application operation type corresponding to that user account within the period corresponding to the processing result and a set operation period before and/or after it.
In this embodiment, the selection unit 210 analyses the application operation log of each application operation type within the period corresponding to the processing result and the set operation period before and/or after it, which further improves the accuracy of the analysis result.
The association unit 220 associates the selected application operation log of each application operation type with the set suspicious operation sequence to obtain an operation association degree for the user account; the operation association degree evaluates the similarity between the selected application operation log of each application operation type and the set suspicious operation sequence.
For example, the association unit 220 associates the logs of multiple operation types of a given account within a given time window with the set suspicious operation sequence and outputs a quantified operation association degree. The suspicious operation sequence is the sequence of operations a user performs in a typical potential data-leakage scenario; it can be specified from expert knowledge or learned by machine learning.
The alarm unit 230 indicates an anomaly in the analysis result and generates a potential data-leakage behaviour alarm event when the operation association degree is greater than a set threshold.
In this embodiment, the set threshold of the alarm unit 230 can be adjusted according to expert knowledge to meet different sensitivity requirements.
Fig. 3 is a structural schematic diagram of log processing provided by another embodiment of the present invention. As shown in Fig. 3, the log processing device 300 includes at least one memory 301 and at least one processor 302. The at least one memory 301 stores a computer program; the at least one processor 302 calls the computer program stored in the at least one memory to execute the log processing method described in any of the above items. The components of the device 300 are coupled together by a bus system 303. It is understood that the bus system 303 implements the connection and communication between these components. Besides a data bus, the bus system 303 also includes a power bus, a control bus and a status signal bus. For clarity of explanation, however, the various buses are all labelled as bus system 303 in Fig. 3.
It is understood that the memory 301 in the embodiment of the present invention may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (Read-Only Memory, ROM), a programmable read-only memory (Programmable ROM, PROM), an erasable programmable read-only memory (Erasable PROM, EPROM), an electrically erasable programmable read-only memory (Electrically EPROM, EEPROM) or a flash memory. The volatile memory may be a random access memory (Random Access Memory, RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchlink dynamic random access memory (Synchlink DRAM, SLDRAM) and direct rambus random access memory (Direct Rambus RAM, DRRAM). The memory 301 of the systems and methods described in the embodiment of the present invention is intended to include, without being limited to, these and any other suitable type of memory.
In some embodiments, the memory 301 stores the following elements, executable modules or data structures, or a subset or superset of them: an operating system 3011 and application programs 3012.
The operating system 3011 includes various system programs, such as a framework layer, a core library layer and a driver layer, for implementing various basic services and handling hardware-based tasks. The application programs 3012 include various application programs, such as a media player (Media Player) and a browser (Browser), for implementing various application services. The program implementing the method of the embodiment of the present invention may be contained in the application programs 3012.
In an embodiment of the present invention, by calling the program or instructions stored in the memory 301, specifically the program or instructions stored in the application programs 3012, the processor 302 can execute the method performed by the above log processing device.
The method disclosed in the embodiments of the present invention may be applied in the processor 302 or implemented by the processor 302. The processor 302 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 302 or by instructions in the form of software. The above processor 302 may be a general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute each method, step and logic block diagram disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in conjunction with the embodiments of the present invention may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in this field, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 301; the processor 302 reads the information in the memory 301 and completes the steps of the above method in combination with its hardware.
It is understood that the embodiments described in the embodiments of the present invention may be implemented in hardware, software, firmware, middleware, microcode or a combination thereof. For a hardware implementation, the processing unit may be implemented in one or more application specific integrated circuits (Application Specific Integrated Circuits, ASIC), digital signal processors (Digital Signal Processing, DSP), digital signal processing devices (DSP Device, DSPD), programmable logic devices (Programmable Logic Device, PLD), field programmable gate arrays (Field-Programmable Gate Array, FPGA), general-purpose processors, controllers, microcontrollers, microprocessors, other electronic units for performing the functions of the present invention, or a combination thereof.
For a software implementation, the techniques described in the embodiments of the present invention may be implemented by modules (such as procedures, functions and the like) that perform the functions described in the embodiments of the present invention. The software code may be stored in a memory and executed by a processor. The memory may be implemented inside or outside the processor.
In this embodiment, the processor 302 is specifically used to: perform data cleansing processing on the application operation log of the at least one user terminal obtained in advance to obtain a processing result; and, according to the processing result, perform association analysis between the application operation log and the set suspicious operation sequence, and generate a potential data-leakage behaviour alarm event when the analysis result indicates an anomaly.
Optionally, the application operation log includes at least two of: application operation type, application name, user account, operation object and object location information. The processor 302 is also used to: group the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log to obtain the data distribution of the log entries; and perform data cleansing processing on the application operation log according to the data distribution of the log entries.
Optionally, the processor 302 is also used to: according to the data distribution of the log entries, determine the priority of each group of log entries by the proportion of that group in the total number of log entries, select at least one group of log entries with the set high priority as the application operation log obtained after screening, and perform data cleansing processing on that application operation log.
Optionally, the processor 302 is also used to: when grouping the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log, select at least two of the application operation type, application name, user account, operation object and object location information of the application operation log to form a node tree including a root node and at least one level of child nodes; and, using each node of the node tree in turn as a keyword, group the log entries of the application operation log successively to generate a tree-shaped grouping structure.
Performing data cleansing processing on the application operation log according to the data distribution of the log entries then includes: according to the data distribution of the log entries, determining the priority of each group of log entries on the principle that in the tree-shaped grouping structure the priority of a parent node is higher than that of its child nodes; selecting at least one group of log entries with the set high priority as the application operation log obtained after screening; and performing data cleansing processing on that application operation log.
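The tree-shaped grouping and proportion-based priority described for the grouping unit 110 and again in the optional processor steps above, as an added example that is not the patent's own code: log entries are grouped successively by operation type, application name and user account (the patent's example keywords), each group's priority is its share of all entries, a parent node never ranks below its children, and the highest-priority groups are selected as the screened log. The field names, the sample entries and the top-N selection knob are assumptions.

```python
"""Tree-shaped grouping of application-operation log entries and
proportion-based group priority (added example, not the patent's own code)."""
from typing import Dict, List, Sequence, Tuple

# Constructed sample application-operation log (field names are assumptions).
SAMPLE_LOG: List[Dict[str, str]] = [
    {"op_type": "net_download", "app": "chrome.exe",   "user": "alice",      "object": "a.zip"},
    {"op_type": "net_download", "app": "chrome.exe",   "user": "alice",      "object": "b.zip"},
    {"op_type": "net_download", "app": "chrome.exe",   "user": "bob",        "object": "c.zip"},
    {"op_type": "net_upload",   "app": "fsquirt.exe",  "user": "alice",      "object": "a.zip"},
    {"op_type": "file_rename",  "app": "explorer.exe", "user": "alice",      "object": "a.zip"},
    {"op_type": "file_rename",  "app": "explorer.exe", "user": "bob",        "object": "c.zip"},
    {"op_type": "net_download", "app": "updater.exe",  "user": "svc_update", "object": "patch.msi"},
    {"op_type": "net_download", "app": "updater.exe",  "user": "svc_update", "object": "patch.msi"},
]

# Keywords in tree order, as in the patent's example: operation type is the
# root node, application name the first-level child, user account the second.
GROUP_KEYS: Tuple[str, ...] = ("op_type", "app", "user")

Group = Tuple[str, ...]   # path of keyword values from the root, e.g. ("net_download", "chrome.exe")


def build_group_tree(entries: Sequence[Dict[str, str]], keys: Sequence[str]) -> Dict:
    """Group the entries successively by each keyword. Returns a nested
    {"count": n, "children": {value: subtree}} structure (the tree-shaped
    grouping); every node's count is the number of entries below it."""
    root: Dict = {"count": len(entries), "children": {}}
    for entry in entries:
        node = root
        for key in keys:
            child = node["children"].setdefault(entry[key], {"count": 0, "children": {}})
            child["count"] += 1
            node = child
    return root


def group_priorities(tree: Dict) -> List[Tuple[Group, float]]:
    """Data distribution as (group, proportion of all entries) pairs, ordered by
    descending proportion. A child's count can never exceed its parent's, so a
    parent never ranks below its own children; equal proportions are broken by
    depth, which keeps the parent first (the patent's parent-over-child rule)."""
    total = tree["count"]
    rows: List[Tuple[Group, float]] = []

    def walk(node: Dict, path: Group) -> None:
        for value, child in node["children"].items():
            group = path + (value,)
            rows.append((group, child["count"] / total))
            walk(child, group)

    if total:
        walk(tree, ())
    rows.sort(key=lambda row: (-row[1], len(row[0]), row[0]))
    return rows


def screen_by_priority(entries: Sequence[Dict[str, str]], keys: Sequence[str],
                       top_n: int) -> List[Dict[str, str]]:
    """Select the entries that fall into the top_n highest-priority groups; the
    patent treats this subset as the 'application operation log obtained after
    screening' on which the cleansing step then runs. top_n is an assumed knob."""
    chosen = [group for group, _ in group_priorities(build_group_tree(entries, keys))[:top_n]]

    def in_group(entry: Dict[str, str], group: Group) -> bool:
        return all(entry[key] == value for key, value in zip(keys, group))

    return [entry for entry in entries if any(in_group(entry, group) for group in chosen)]


if __name__ == "__main__":
    for group, share in group_priorities(build_group_tree(SAMPLE_LOG, GROUP_KEYS)):
        print(f"{share:.3f}  {'/'.join(group)}")
    print(len(screen_by_priority(SAMPLE_LOG, GROUP_KEYS, 2)), "entries after screening")
```

Because a node's proportion is bounded by its parent's, sorting by proportion alone already orders parents before children; the depth tie-break only matters when a parent has a single child, which then carries the same count.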
Optionally, the data cleansing processing that the processor 302 performs on the application operation log includes any one or any combination of the following:
filtering, based on expert knowledge, log entries in the application operation log that are irrelevant to data-leakage behaviour analysis;
compressing, based on a deduplication strategy, repeated log entries in the application operation log;
merging, based on a merging strategy, related log entries in the application operation log.
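The filtering, deduplication and merging sub-units 121 to 123, listed again as the processor's optional cleansing steps above, as an added example that is not the patent's own code. The sample log, the useless-application and useless-account lists, and the choice to keep the user account in the merge key (so that per-account association analysis stays possible) are assumptions.

```python
"""Filtering, deduplication and merging of application-operation log entries
(added example, not the patent's own code)."""
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample log; timestamps and field names are assumptions.
RAW_LOG: List[Dict[str, str]] = [
    {"ts": "2017-11-23T14:02:00", "user": "alice",      "op_type": "net_download", "app": "chrome.exe",   "object": "q3_report.docx"},
    {"ts": "2017-11-23T14:02:05", "user": "alice",      "op_type": "net_download", "app": "chrome.exe",   "object": "q3_report.docx"},
    {"ts": "2017-11-23T14:10:00", "user": "alice",      "op_type": "net_download", "app": "chrome.exe",   "object": "q3_budget.xlsx"},
    {"ts": "2017-11-23T14:20:00", "user": "alice",      "op_type": "file_rename",  "app": "explorer.exe", "object": "q3_report.docx"},
    {"ts": "2017-11-23T14:30:00", "user": "svc_update", "op_type": "net_download", "app": "updater.exe",  "object": "patch.msi"},
    {"ts": "2017-11-23T14:31:00", "user": "bob",        "op_type": "net_download", "app": "updater.exe",  "object": "patch.msi"},
    {"ts": "2017-11-23T14:40:00", "user": "bob",        "op_type": "net_upload",   "app": "fsquirt.exe",  "object": "q3_report.docx"},
]

# Expert-knowledge lists (constructed): applications and accounts whose
# activity is treated as irrelevant to data-leakage analysis.
USELESS_APPS: Set[str] = {"updater.exe"}
USELESS_ACCOUNTS: Set[str] = {"svc_update"}


def filter_irrelevant(entries: Sequence[Dict[str, str]],
                      useless_apps: Set[str] = USELESS_APPS,
                      useless_accounts: Set[str] = USELESS_ACCOUNTS) -> List[Dict[str, str]]:
    """Filtering sub-unit 121: drop entries from useless applications or accounts."""
    return [e for e in entries
            if e["app"] not in useless_apps and e["user"] not in useless_accounts]


def deduplicate(entries: Sequence[Dict[str, str]]) -> List[Dict[str, str]]:
    """Deduplication sub-unit 122: for entries with the same operation type,
    application name and operation object, keep only the first one."""
    seen: Set[Tuple[str, str, str]] = set()
    kept: List[Dict[str, str]] = []
    for e in entries:
        key = (e["op_type"], e["app"], e["object"])
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def merge_related(entries: Sequence[Dict[str, str]]) -> List[Dict]:
    """Merging sub-unit 123: entries with the same operation type and application
    name but different operation objects collapse into one entry that carries
    the object list and the first/last timestamp. Keeping the user account in
    the key is an assumption beyond the patent text."""
    merged: Dict[Tuple[str, str, str], Dict] = {}
    for e in entries:
        key = (e["op_type"], e["app"], e["user"])
        m = merged.setdefault(key, {"op_type": e["op_type"], "app": e["app"], "user": e["user"],
                                     "first_ts": e["ts"], "last_ts": e["ts"], "objects": []})
        m["first_ts"] = min(m["first_ts"], e["ts"])   # ISO-8601 strings sort chronologically
        m["last_ts"] = max(m["last_ts"], e["ts"])
        if e["object"] not in m["objects"]:
            m["objects"].append(e["object"])
    return list(merged.values())


def cleanse(entries: Sequence[Dict[str, str]]) -> List[Dict]:
    """Processing unit 120: filter, then deduplicate, then merge."""
    return merge_related(deduplicate(filter_irrelevant(entries)))


if __name__ == "__main__":
    for m in cleanse(RAW_LOG):
        print(m["user"], m["op_type"], m["app"], m["objects"])
```

On the constructed log the three steps reduce seven entries to three: two are filtered out, one duplicate download is dropped, and the two remaining chrome.exe downloads merge into a single entry listing both objects.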
Optionally, the application operation log includes operation time, user account and application operation type; the processor 302 performing association analysis between the application operation log and the set suspicious operation sequence according to the processing result, and obtaining a potential data-leakage behaviour alarm event when the analysis result indicates an anomaly, includes:
for each user account, selecting, from the application operation log of the at least one user terminal obtained in advance, the application operation log of each application operation type corresponding to that user account within the period corresponding to the processing result and a set operation period before and/or after it;
associating the selected application operation log of each application operation type with the set suspicious operation sequence to obtain an operation association degree for the user account, where the operation association degree evaluates the similarity between the selected application operation log of each application operation type and the set suspicious operation sequence.
Optionally, the processor 302 is also used to: when the operation association degree is greater than a set threshold, indicate an anomaly in the analysis result and generate a potential data-leakage behaviour alarm event.
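The selection, association and alarm steps of the analysis module 200 (selection unit 210, association unit 220, alarm unit 230), described for the method at the start of this section and again for the processor 302 above, as an added example that is not the patent's own code. It encodes the patent's example sequence (network download, file rename, then network upload by fsquirt.exe, all within one hour) and scores an account by the fraction of the sequence's steps matched in order within that span, so the patent's example scores 1.0. The sample log, the scoring rule, the window sizes and the threshold value are assumptions.

```python
"""Per-account window selection, association with a set suspicious operation
sequence, and threshold alarm (added example, not the patent's own code)."""
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple

# Constructed sample log after cleansing; field names and timestamps are assumptions.
CLEANED_LOG: List[Dict[str, str]] = [
    {"ts": "2017-11-23T13:05:00", "user": "alice", "op_type": "net_download", "app": "chrome.exe",   "object": "q3_report.docx"},
    {"ts": "2017-11-23T13:20:00", "user": "alice", "op_type": "file_rename",  "app": "explorer.exe", "object": "q3_report.docx"},
    {"ts": "2017-11-23T13:40:00", "user": "alice", "op_type": "net_upload",   "app": "fsquirt.exe",  "object": "q3_final.docx"},
    {"ts": "2017-11-23T13:10:00", "user": "bob",   "op_type": "net_download", "app": "chrome.exe",   "object": "slides.pptx"},
    {"ts": "2017-11-23T13:50:00", "user": "bob",   "op_type": "net_upload",   "app": "onedrive.exe", "object": "slides.pptx"},
    {"ts": "2017-11-23T09:00:00", "user": "carol", "op_type": "net_download", "app": "chrome.exe",   "object": "memo.txt"},
]

# The patent's example sequence: download, rename, then upload by fsquirt.exe,
# within one hour. Each step lists the fields an entry must match.
SUSPICIOUS_SEQUENCE: List[Dict[str, str]] = [
    {"op_type": "net_download"},
    {"op_type": "file_rename"},
    {"op_type": "net_upload", "app": "fsquirt.exe"},
]
SEQUENCE_SPAN = timedelta(hours=1)     # the "within 1 hour" of the patent's example
OPERATION_PERIOD = timedelta(hours=1)  # assumed set period before and after the anchor
SET_THRESHOLD = 0.6                    # assumed; the patent tunes it from expert knowledge


def _ts(entry: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(entry["ts"])


def select_user_window(entries: Sequence[Dict[str, str]], user: str, anchor: datetime,
                       before: timedelta = OPERATION_PERIOD,
                       after: timedelta = OPERATION_PERIOD) -> List[Dict[str, str]]:
    """Selection unit 210: the account's entries in the period around the
    processing result (anchor) plus the set period before and after it, in time order."""
    start, end = anchor - before, anchor + after
    return sorted((e for e in entries if e["user"] == user and start <= _ts(e) <= end), key=_ts)


def _matches(step: Dict[str, str], entry: Dict[str, str]) -> bool:
    return all(entry.get(field) == value for field, value in step.items())


def degree_of_association(window: Sequence[Dict[str, str]],
                          sequence: Sequence[Dict[str, str]] = SUSPICIOUS_SEQUENCE,
                          span: timedelta = SEQUENCE_SPAN) -> float:
    """Association unit 220: fraction of the sequence's steps matched in order,
    trying every candidate first step and staying within `span` of it. 1.0 means
    the whole suspicious sequence occurred; 0.0 means not even its first step."""
    best = 0.0
    for i, first in enumerate(window):
        if not _matches(sequence[0], first):
            continue
        start, matched = _ts(first), 1
        for entry in window[i + 1:]:
            if matched == len(sequence) or _ts(entry) - start > span:
                break
            if _matches(sequence[matched], entry):
                matched += 1
        best = max(best, matched / len(sequence))
    return best


def analyze(entries: Sequence[Dict[str, str]], anchor_ts: str,
            threshold: float = SET_THRESHOLD) -> Tuple[Dict[str, float], List[Dict]]:
    """Alarm unit 230: score every account and raise a potential data-leakage
    alarm event when its degree exceeds the set threshold. Returns (degrees, alarms)."""
    anchor = datetime.fromisoformat(anchor_ts)
    degrees: Dict[str, float] = {}
    alarms: List[Dict] = []
    for user in sorted({e["user"] for e in entries}):
        window = select_user_window(entries, user, anchor)
        degree = degree_of_association(window)
        degrees[user] = degree
        if degree > threshold:
            alarms.append({"event": "potential_data_leakage", "user": user, "degree": degree,
                           "window_start": window[0]["ts"], "window_end": window[-1]["ts"]})
    return degrees, alarms


if __name__ == "__main__":
    scores, events = analyze(CLEANED_LOG, "2017-11-23T13:30:00")
    print(scores)
    print(events)
```

With the anchor at 13:30 and a one-hour period on each side, alice's three operations match every step (degree 1.0, alarm raised), bob matches only the download (degree 1/3, no alarm), and carol's 09:00 entry falls outside the selected window (degree 0.0).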
Those of ordinary skill in the art will appreciate that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such an implementation should not be regarded as going beyond the scope of the present invention.
The embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements each process of the above log processing method embodiment and achieves the same technical effect, which is not repeated here. The computer-readable storage medium may be, for example, a read-only memory (Read-Only Memory, ROM for short), a random access memory (Random Access Memory, RAM for short), a magnetic disk or an optical disk.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the foregoing method embodiment and are not repeated here.
In the embodiments provided by the present invention, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely exemplary; the division of units is only a logical functional division, and there may be other divisions in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method described in the embodiments of the present invention. The storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any change or replacement that a person familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (10)

1. A log processing method, characterized in that the method includes:
performing data cleansing processing on the application operation log of at least one user terminal obtained in advance to obtain a processing result;
according to the processing result, performing association analysis between the application operation log and a set suspicious operation sequence, and generating a potential data-leakage behaviour alarm event when the analysis result indicates an anomaly.
2. The log processing method according to claim 1, characterized in that the application operation log includes at least two of: application operation type, application name, user account, operation object and object location information;
performing data cleansing processing on the application operation log of the at least one user terminal obtained in advance includes:
grouping the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log to obtain the data distribution of the log entries;
performing data cleansing processing on the application operation log according to the data distribution of the log entries.
3. The log processing method according to claim 2, characterized in that performing data cleansing processing on the application operation log according to the data distribution of the log entries includes:
according to the data distribution of the log entries, determining the priority of each group of log entries by the proportion of that group in the total number of log entries, selecting at least one group of log entries with the set high priority as the application operation log obtained after screening, and performing data cleansing processing on that application operation log.
4. The log processing method according to claim 2, characterized in that
grouping the log entries of the application operation log according to one or more of the application operation type, application name, user account, operation object and object location information of the application operation log includes: selecting at least two of the application operation type, application name, user account, operation object and object location information of the application operation log to form a node tree including a root node and at least one level of child nodes; and, using each node of the node tree in turn as a keyword, grouping the log entries of the application operation log successively to generate a tree-shaped grouping structure;
performing data cleansing processing on the application operation log according to the data distribution of the log entries includes: according to the data distribution of the log entries, determining the priority of each group of log entries on the principle that in the tree-shaped grouping structure the priority of a parent node is higher than that of its child nodes; selecting at least one group of log entries with the set high priority as the application operation log obtained after screening, and performing data cleansing processing on that application operation log.
5. The log processing method according to any one of claims 2 to 4, characterized in that the data cleansing processing on the application operation log includes any one or any combination of the following:
filtering, based on expert knowledge, log entries in the application operation log that are irrelevant to data-leakage behaviour analysis;
compressing, based on a deduplication strategy, repeated log entries in the application operation log; and
merging, based on a merging strategy, related log entries in the application operation log.
6. log processing method according to any one of claim 1 to 5, which is characterized in that the application operating log Including operating time, user account and application operating type;
It is described that analysis is associated to the suspicious sequence of operation of the application operating log and setting according to the processing result, When analyzing result instruction exception, potential leaking data behavior alarm event is obtained, comprising:
For each user account, is chosen in the application operating log of at least one user terminal obtained in advance and include The processing result correspond to the period and its before with or setting operation period thereafter in correspond to each of the user account The application operating log of application operating type;
The suspicious sequence of operation of application operating log and the setting of selected each application operating type is associated, is obtained pair An operation degree of association of the user account is answered, the operation degree of association is used to evaluate selected each application operating type The similarity of the suspicious sequence of operation of application operating log and setting.
7. log processing method according to claim 6, which is characterized in that the described method includes:
When the operation degree of association is greater than a given threshold, analysis result instruction is abnormal, generates a potential leaking data behavior Alarm event.
8. A log processing device, characterized in that the device includes:
a processing module (100) for performing data cleansing processing on the application operation log of a user terminal obtained in advance to obtain a processing result, the application operation log including operation time, user account and application operation type;
an analysis module (200) for performing association analysis between the application operation log and a set suspicious operation sequence according to the processing result, and generating a potential data-leakage behaviour alarm event when the analysis result indicates an anomaly.
9. A log processing device, characterized in that it includes at least one memory (301) and at least one processor (302), wherein:
the at least one memory (301) is for storing a computer program;
the at least one processor (302) is for calling the computer program stored in the at least one memory (301) to execute the log processing method according to any one of claims 1 to 8.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program can be executed by a processor to implement the log processing method according to any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711180639.2A CN109829315A (en) 2017-11-23 2017-11-23 The method, apparatus and computer readable storage medium of log processing

Publications (1)

Publication Number Publication Date
CN109829315A true CN109829315A (en) 2019-05-31

Family

ID=66858434

Country Status (1)

Country Link
CN (1) CN109829315A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102135979A (en) * 2010-12-08 2011-07-27 华为技术有限公司 Data cleaning method and device
CN105224884A (en) * 2015-10-28 2016-01-06 上海翼火蛇信息技术有限公司 A kind of data leakage prevention method
CN105376077A (en) * 2014-08-06 2016-03-02 中国移动通信集团黑龙江有限公司 Network behavior information processing method, log transmitting method, network behavior information processing device and system
CN107302520A (en) * 2017-05-15 2017-10-27 北京明朝万达科技股份有限公司 A kind of dynamic anti-leak of data and method for early warning and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王辉 et al.: "Research on Security Assurance Technology for Enterprise Internal Network Information", 31 December 2017, 吉林人民出版社 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111190792A (en) * 2019-12-20 2020-05-22 中移(杭州)信息技术有限公司 Log storage method and device, electronic equipment and readable storage medium
CN111190792B (en) * 2019-12-20 2023-10-27 中移(杭州)信息技术有限公司 Log storage method and device, electronic equipment and readable storage medium

Similar Documents

Publication Publication Date Title
CN107341401B (en) Malicious application monitoring method and device based on machine learning
CN106656536A (en) Method and device for processing service invocation information
EP3321819A1 (en) Device, method and program for securely reducing an amount of records in a database
CN109885256A (en) Data storage method, device and medium based on data fragmentation
CN107832196A (en) Monitoring device and monitoring method for anomalous content in real-time logs
CN107291615A (en) Web front-end log output method and device
CN106202569A (en) Cleaning method based on large data volumes
US8959051B2 (en) Offloading collection of application monitoring data
CN108376171A (en) Method, apparatus, terminal device and storage medium for fast big data import
CN109828958A (en) Event recording method and recording system based on blockchain
CN109710440A (en) Exception handling method, device, storage medium and terminal device for a web page front-end
CN107590016A (en) Power-down reboot recognition method and device
CN109783457A (en) CGI interface management method, device, computer equipment and storage medium
CN108153891A (en) Statistical method and device for active Internet-use time
CN115576834A (en) Software test reuse method, system, terminal and medium supporting fault recovery
CN109829315A (en) The method, apparatus and computer readable storage medium of log processing
CN108073703A (en) Comment information acquisition method, device, equipment and storage medium
CN108984362A (en) Log collection method and device, storage medium, electronic equipment
CN110246033A (en) Credit risk monitoring method, device, equipment and storage medium
CN107465652A (en) Operation behavior detection method, server and system
CN114765584A (en) User behavior monitoring method and device, electronic equipment and storage medium
CN109446441A (en) Trusted distributed capture and storage system for general web communities
Baier et al. Probabilistic causes in Markov chains
CN110532773A (en) Malicious access behavior recognition method, data processing method, device and equipment
CN106570005A (en) Database cleaning method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20190531