CN111314302A - Network log auditing method, equipment and medium - Google Patents


Info

Publication number
CN111314302A
Authority
CN
China
Prior art keywords
abnormal
data
data set
log data
log
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Pending
Application number
CN202010052110.8A
Other languages
Chinese (zh)
Inventor
黄刚
刘维霞
Current Assignee (as listed by Google Patents; may be inaccurate)
Shandong Chaoyue CNC Electronics Co Ltd
Original Assignee
Shandong Chaoyue CNC Electronics Co Ltd

Classifications

    • H  ELECTRICITY
      • H04  ELECTRIC COMMUNICATION TECHNIQUE
        • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00  Network architectures or network communication protocols for network security
            • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1425  Traffic logging, e.g. anomaly detection
    • H  ELECTRICITY
      • H04  ELECTRIC COMMUNICATION TECHNIQUE
        • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 41/00  Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/06  Management of faults, events, alarms or notifications
              • H04L 41/069  Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a network log auditing method, comprising the following steps: acquiring original log data from a plurality of data sources; converting an abnormal pattern data set, formed from the original log data whose authentication failed, and a normal pattern data set, formed from the original log data whose authentication succeeded, into data sets with a uniform format; extracting corresponding features from the converted abnormal pattern data set and the converted normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features; and identifying abnormal network behavior in newly entered log data by means of the abnormal/normal pattern knowledge base. The invention also discloses a device and a medium. The network log auditing method, device and medium have the advantages of high detection accuracy, high detection speed, high adaptability and a unified log format.

Description

Network log auditing method, equipment and medium
Technical Field
The present invention relates to the field of network security, and more particularly to a method, device and medium for auditing network logs.
Background
In recent years, with the vigorous development of domestic basic software and hardware, domestic software platforms have been applied more and more widely, and the network security problems of these platforms have become increasingly prominent. With the rapid development of the internet, network applications cover an ever wider range, the corresponding security problems are ever more diverse, and effective network security assurance technology is urgently needed.
The most important goal of network security is to be able to apply effective policies to a network system to ensure its security. To achieve this goal, many different types of technology have emerged: access control, data encryption, security auditing, identity authentication and the like, among which security auditing has become an important component of the security of the whole system.
A computer network system consists of various basic software and hardware devices, network security devices and application services. The operation of these devices and services generates a large volume of operation logs, whose main content records the various events in the network and the system in relatively fine detail, so the logs play a very important role in recording, detecting, analysing and identifying network-based security events.
Log auditing is one of the important mechanisms for realising network system security auditing and plays an important role in establishing a complete information security assurance system. Traditional network log auditing systems, however, suffer from low detection accuracy, low detection speed, poor adaptability and an inability to unify log formats.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a network log auditing system based on a domestic platform, in order to solve the problems of low detection accuracy, slow detection speed, poor adaptability and non-uniform log formats in conventional network log auditing systems. The method realises the unified collection and comprehensive analysis of log data of different formats located at different positions of the network within a computer network system.
Based on the above purpose, one aspect of the present invention provides a network log auditing method, comprising: acquiring original log data from a plurality of data sources; converting an abnormal pattern data set, formed from the original log data whose authentication failed, and a normal pattern data set, formed from the original log data whose authentication succeeded, into data sets with a uniform format; extracting corresponding features from the converted abnormal pattern data set and normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features; and identifying abnormal network behavior in newly input log data by means of the abnormal/normal pattern knowledge base.
In some embodiments of the network log auditing method of the present invention, acquiring original log data from a plurality of data sources further comprises: defining an auditing policy by means of filtering rules, and acquiring the original log data from the data sources according to the auditing policy.
In some embodiments of the network log auditing method of the present invention, the auditing policy covers the viewing, filtering and printing of audit records.
In some embodiments of the network log auditing method of the present invention, the method further comprises: displaying security events in real time, and issuing a warning message in response to identifying abnormal network behavior that threatens network security.
In some embodiments of the network log auditing method of the present invention, extracting corresponding features from the converted abnormal pattern data set and normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features, further comprises: processing the plurality of log data in the abnormal pattern data set and the normal pattern data set by data mining techniques, thereby extracting the corresponding features of the plurality of log data.
In another aspect of the embodiments of the present invention, a computer device is also provided, comprising: at least one processor; and a memory storing a computer program operable on the processor, the processor executing the program to perform the steps of: acquiring original log data from a plurality of data sources; converting an abnormal pattern data set, formed from the original log data whose authentication failed, and a normal pattern data set, formed from the original log data whose authentication succeeded, into data sets with a uniform format; extracting corresponding features from the converted abnormal pattern data set and normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features; and identifying abnormal network behavior in newly input log data by means of the abnormal/normal pattern knowledge base.
In some embodiments of the computer device of the present invention, acquiring original log data from a plurality of data sources further comprises: defining an auditing policy by means of filtering rules, and acquiring the original log data from the data sources according to the auditing policy.
In some embodiments of the computer device of the present invention, the steps performed by the device further comprise: displaying security events in real time, and issuing a warning message in response to identifying abnormal network behavior that threatens network security.
In some embodiments of the computer device of the present invention, extracting corresponding features from the converted abnormal pattern data set and normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features, further comprises: processing the plurality of log data in the abnormal pattern data set and the normal pattern data set by data mining techniques, thereby extracting the corresponding features of the plurality of log data.
In another aspect of the embodiments of the present invention, a computer-readable storage medium is further provided, which stores a computer program that, when executed by a processor, performs the network log auditing method described above.
The invention has at least the following beneficial technical effects: it can solve the problems of low detection accuracy, low detection speed, poor adaptability and non-uniform log formats of traditional log auditing systems, and it realises the unified collection and comprehensive analysis of log data of different formats located at different positions of the network within a computer network system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by using the drawings without creative efforts.
FIG. 1 is a schematic block diagram of an embodiment of the network log auditing method according to the present invention;
FIG. 2 is a system diagram of an embodiment of the network log auditing method according to the present invention;
FIG. 3 is a log analysis flowchart of an embodiment of the network log auditing method according to the present invention;
FIG. 4 is a schematic diagram of the log processing module according to an embodiment of the network log auditing method of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities that share a name but are not the same entity or have different parameters. "First" and "second" are used only for convenience of description and should not be construed as limiting the embodiments of the present invention; this is not repeated in the following embodiments.
In view of the above, a first aspect of the embodiments of the present invention provides an embodiment of a network log auditing method. FIG. 1 is a schematic block diagram of an embodiment of the network log auditing method according to the present invention. In the embodiment shown in FIG. 1, the method comprises at least the following steps:
S100, acquiring original log data from a plurality of data sources;
S200, converting an abnormal pattern data set, formed from the original log data whose authentication failed, and a normal pattern data set, formed from the original log data whose authentication succeeded, into data sets with a uniform format;
S300, extracting corresponding features from the converted abnormal pattern data set and the converted normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features;
S400, identifying abnormal network behavior in newly input log data by means of the abnormal/normal pattern knowledge base.
In some embodiments of the present invention, FIG. 2 is a schematic diagram of the system structure of an embodiment of the network log auditing method according to the present invention. As shown in FIG. 2, the system implementing the method mainly comprises three parts: a log acquisition module, a log processing module and a user interaction module, which together implement the network log auditing method according to the present invention.
The log acquisition module is used to acquire the various logs and audit data. It is mainly deployed on the network devices that need to be monitored in the network environment, and its main purpose is to acquire and convert the various original log records. Specifically, it collects the original log data at each position in real time, separately obtains the event records of failed and successful authentication from the original log data, builds the failed-authentication records into an abnormal pattern data set and the successful-authentication records into a normal pattern data set, converts both data sets into the intermediate log format, and uploads them to the log processing module.
The log processing module receives the log data sent by the log acquisition module and stores, analyses and manages it. This module is mainly deployed on a log server in the network environment. FIG. 3 is a log analysis flowchart of an embodiment of the network log auditing method according to the present invention, and the log analysis process is as shown in FIG. 3. FIG. 4 is a schematic structural diagram of the log processing module according to an embodiment of the network log auditing method of the present invention. As shown in FIG. 4, the log processing module implementing the method further comprises the following sub-modules: an audit policy management module, a real-time monitoring module, a security audit and early warning module, an audit record retrieval module and a communication control module, where the communication control module is mainly responsible for coordinating and controlling communication between the log acquisition modules and the management console modules on the different devices in the network.
The user interaction module mainly provides an operating platform for the network system administrator to perform log monitoring and security audit system management.
According to some embodiments of the network log auditing method of the present invention, acquiring original log data from a plurality of data sources further comprises: defining an auditing policy by means of filtering rules, and acquiring the original log data from the plurality of data sources according to the auditing policy.
In some embodiments of the invention, this step is performed by the log acquisition module, which acquires the various logs and audit data, and the audit policy management module manages the auditing policy used by the log acquisition module. The principle of this module is: an auditing policy is defined by filtering rules, the original log data at each position is collected in real time according to the defined auditing policy, and the original log data is converted into the intermediate log format.
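The following is an added example of what an auditing policy built from filtering rules can look like at the acquisition step; it is not code from the patent or its test system. The raw lines are constructed RFC 3164 style syslog records with a `<PRI>` prefix (facility * 8 + severity, which is how the facility and severity are recovered), the intermediate record layout, the rule operators and the particular policy (keep the auth/authpriv facilities and anything at severity crit or worse, drop PAM session noise from cron) are assumptions chosen for the example.

```python
"""Filtering-rule audit policy applied to raw syslog lines (the S100 acquisition step)."""
import re

# Constructed sample lines in RFC 3164 style with a <PRI> prefix (not from the patent).
RAW_LINES = [
    "<86>Jan 17 09:12:01 host1 sshd[1024]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "<86>Jan 17 09:15:01 host1 CRON[1100]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "<78>Jan 17 09:15:01 host1 CRON[1100]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Jan 17 09:15:02 host1 systemd[1]: Started Daily apt activities.",
    "<85>Jan 17 09:16:10 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "<134>Jan 17 09:17:00 host1 myapp[2200]: request served in 12ms",
    "<2>Jan 17 09:18:00 host1 kernel: Out of memory: Killed process 2200 (myapp)",
]

# RFC 3164 facility codes (only the ones used here; others fall back to the number).
FACILITIES = {0: "kern", 3: "daemon", 4: "auth", 9: "cron", 10: "authpriv", 16: "local0"}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def to_intermediate(line):
    """Convert one raw line into the intermediate log format (a flat record).
    PRI = facility * 8 + severity, so both fields are recovered from the prefix."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    return {
        "ts": m["ts"], "host": m["host"],
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": pri % 8,                      # 0 = emerg ... 7 = debug
        "program": m["program"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


# A filtering rule is (field, operator, value). An audit policy keeps a record when
# at least one "include" rule matches and no "exclude" rule matches.
OPERATORS = {
    "==": lambda a, b: a == b,
    "in": lambda a, b: a in b,
    "<=": lambda a, b: a <= b,
    "~": lambda a, b: re.search(b, a) is not None,
}

SECURITY_AUDIT_POLICY = {                        # assumed policy for the example
    "include": [
        ("facility", "in", {"auth", "authpriv"}),   # the security log: logins, sudo, PAM
        ("severity", "<=", 2),                      # plus anything at crit or worse
    ],
    "exclude": [
        ("message", "~", r"pam_unix\(cron:session\)"),   # scheduled-job session noise
    ],
}


def rule_matches(rule, rec):
    field, op, value = rule
    return OPERATORS[op](rec[field], value)


def apply_policy(policy, records):
    """Return the records selected by the audit policy, in input order."""
    return [
        rec for rec in records
        if any(rule_matches(r, rec) for r in policy["include"])
        and not any(rule_matches(r, rec) for r in policy["exclude"])
    ]


def acquire(policy, raw_lines):
    """S100 as the acquisition module would run it: convert, then filter by policy."""
    records = [r for r in map(to_intermediate, raw_lines) if r is not None]
    return apply_policy(policy, records)


if __name__ == "__main__":
    for rec in acquire(SECURITY_AUDIT_POLICY, RAW_LINES):
        print(f'{rec["facility"]}.{rec["severity"]} {rec["program"]}: {rec["message"]}')
```

Converting before filtering is deliberate: rules are evaluated against the intermediate format's named fields rather than against raw text, so the same policy applies to every source the acquisition module can normalise, and the excluded lines never leave the monitored host.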
According to some embodiments of the network log auditing method of the present invention, the auditing policy covers the viewing, filtering and printing of audit records.
In some embodiments of the invention, the audit record retrieval module is mainly used for viewing, filtering, printing and similar handling of the log audit records. The module provides an interface for precise filtering, so that detailed auditing of particular log records can be carried out.
According to some embodiments of the network log auditing method of the present invention, the method further comprises: displaying security events in real time, and issuing a warning message in response to identifying abnormal network behavior that threatens network security.
In some embodiments of the present invention, the real-time monitoring module is mainly responsible for the real-time display of the various security events and promptly issues a warning message upon identifying an event that threatens network security.
According to some embodiments of the network log auditing method of the present invention, extracting corresponding features from the converted abnormal pattern data set and normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features, further comprises: processing the plurality of log data in the abnormal pattern data set and the normal pattern data set by data mining techniques, thereby extracting the corresponding features of the plurality of log data.
In some embodiments of the present invention, the security audit and early warning module analyses and mines the various acquired log data so that more useful security information can be extracted from the large volume of data. The module dynamically evaluates the security condition of the network system and generates corresponding early warnings for the various potential security threats. It is realised by processing the massive log data with data mining techniques, extracting the corresponding features from the data, establishing the normal/abnormal pattern knowledge base, and using the knowledge base to discriminate new log data and identify abnormal network behavior.
According to an embodiment of the network log auditing method, a test environment was built from one rack-mounted server running the NeoKylin (中标麒麟) server operating system and one desktop computer running the NeoKylin desktop operating system, with domestic application software such as a domestic database and middleware deployed on the server. The test system was implemented in a mixed C/S and B/S mode: the log acquisition module and the log processing module use a C/S architecture, and the user interaction module uses a B/S architecture. The log acquisition module is deployed on the desktop computer, the log processing module on the server, and the server side of the user interaction module on the server, while its client side is realised by the web browser of the desktop computer. The data mining algorithm used is the Chameleon clustering algorithm.
The example data consists of event log data collected in an office network based on the Linux system and stored in the domestic database. There are 50 hosts to be audited in the network. For convenience of testing, only two data sets are selected, and the main test procedure is as follows: first, the security log is extracted from the data source, and the system log and application logs are removed; second, the failed-authentication and successful-authentication event records are extracted from the security log respectively, and the extracted data is built into two basic data sets; then, log preprocessing converts the data into data sets with a uniform format; then a knowledge base is generated with the Chameleon clustering algorithm. Specific events are then selected for testing, and the results show that the system basically realises the corresponding functions and achieves the expected effect.
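The following added example runs the whole sequence of steps S100 to S400, in the same order as the test procedure just described, over two constructed log sources of different format. It is not code from the patent or its test system. The sshd syslog lines, the JSON login events, the host names and addresses are constructed; the per-source feature vector and the thresholds are assumed; and, because the patent's Chameleon clustering step cannot be reproduced from the text, the knowledge base here is an explicit profile of failed and successful authentications per source address with rule-based matching, which is a substitution for the example, not the patent's method.

```python
"""Four-step network log audit (S100-S400) over two log sources of different format."""
import json
import re
from collections import defaultdict

# Constructed sample data (not from the patent): source 1 is syslog-style sshd
# output from host1, source 2 is a line-delimited JSON login log from host2.
SYSLOG_LINES = [
    "Jan 17 09:12:01 host1 sshd[1024]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 17 09:12:07 host1 sshd[1031]: Failed password for root from 203.0.113.9 port 40001 ssh2",
    "Jan 17 09:12:08 host1 sshd[1031]: Failed password for admin from 203.0.113.9 port 40002 ssh2",
    "Jan 17 09:12:09 host1 sshd[1031]: Failed password for invalid user oracle from 203.0.113.9 port 40003 ssh2",
    "Jan 17 09:15:44 host1 sshd[1050]: Accepted publickey for bob from 10.0.0.7 port 51300 ssh2",
    "Jan 17 09:16:00 host1 CRON[1100]: (root) CMD (run-parts /etc/cron.hourly)",
]
JSON_LINES = [
    '{"time": "2020-01-17T09:13:00Z", "host": "host2", "event": "login", "result": "ok", "user": "alice", "src": "10.0.0.5"}',
    '{"time": "2020-01-17T09:13:20Z", "host": "host2", "event": "login", "result": "denied", "user": "alice", "src": "198.51.100.3"}',
    '{"time": "2020-01-17T09:13:25Z", "host": "host2", "event": "login", "result": "denied", "user": "alice", "src": "198.51.100.3"}',
    '{"time": "2020-01-17T09:14:00Z", "host": "host2", "event": "logout", "user": "alice", "src": "10.0.0.5"}',
]
SSHD_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def parse_sshd(line):
    """Uniform record {host, user, src, auth_ok} from an sshd syslog line; None if not an auth event."""
    m = SSHD_RE.match(line)
    return None if m is None else {"host": m["host"], "user": m["user"], "src": m["src"],
                                   "auth_ok": m["result"] == "Accepted"}

def parse_json_login(line):
    """Same uniform record from a JSON event line; only login events are authentication events."""
    e = json.loads(line)
    return None if e.get("event") != "login" else {"host": e["host"], "user": e["user"], "src": e["src"],
                                                   "auth_ok": e["result"] == "ok"}

def collect(sources):
    """S100/S200: convert every line of every (parser, lines) source to the uniform format and
    split the result into the abnormal (auth failed) and normal (auth succeeded) data sets."""
    abnormal, normal = [], []
    for parser, lines in sources:
        for rec in filter(None, map(parser, lines)):
            (normal if rec["auth_ok"] else abnormal).append(rec)
    return abnormal, normal

def extract_features(records):
    """S300: one feature vector per source address: event count, distinct users tried, distinct hosts."""
    acc = defaultdict(lambda: {"events": 0, "users": set(), "hosts": set()})
    for r in records:
        acc[r["src"]]["events"] += 1
        acc[r["src"]]["users"].add(r["user"])
        acc[r["src"]]["hosts"].add(r["host"])
    return {src: {"events": f["events"], "distinct_users": len(f["users"]),
                  "distinct_hosts": len(f["hosts"])} for src, f in acc.items()}

def build_knowledge_base(abnormal, normal):
    """S300: per-source failure and success profiles plus the (user, src) pairs seen to succeed."""
    return {"failure_profile": extract_features(abnormal),
            "success_profile": extract_features(normal),
            "normal_pairs": {(r["user"], r["src"]) for r in normal}}

def classify(kb, rec, fail_threshold=3, user_threshold=3):
    """S400: reasons a new uniform record is abnormal (empty list = matches the normal pattern).
    The thresholds are assumed values chosen for the sample data."""
    fails = kb["failure_profile"].get(rec["src"], {"events": 0, "distinct_users": 0})
    reasons = []
    if rec["auth_ok"]:
        if (rec["user"], rec["src"]) not in kb["normal_pairs"]:
            reasons.append("success from unseen user/source pair")
        if fails["events"] >= fail_threshold:
            reasons.append("success after repeated failures from source")
    else:
        if fails["events"] >= fail_threshold:
            reasons.append("repeated failures from source")
        if fails["distinct_users"] >= user_threshold:
            reasons.append("many distinct users tried from source")
    return reasons

def audit(kb, parser, line):
    """Run one newly arrived raw line through conversion and classification."""
    rec = parser(line)
    return [] if rec is None else classify(kb, rec)

if __name__ == "__main__":
    abn, nrm = collect([(parse_sshd, SYSLOG_LINES), (parse_json_login, JSON_LINES)])
    kb = build_knowledge_base(abn, nrm)
    new = "Jan 17 10:00:00 host1 sshd[2000]: Accepted password for root from 203.0.113.9 port 40010 ssh2"
    print(audit(kb, parse_sshd, new) or ["normal"])
```

The point the four steps make is visible in the last call: a successful root login from 203.0.113.9 is not itself a failed authentication, so it would never enter the abnormal data set, yet the knowledge base built from the failures flags it because that source already tried three different user names. A single failure from 198.51.100.3, by contrast, stays below both thresholds and is reported as normal, which is the behaviour one wants from a baseline rather than a per-event alarm.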
In view of the above object, another aspect of the embodiments of the present invention further provides a computer device, comprising: at least one processor; and a memory storing a computer program operable on the processor, the processor executing the program to perform the steps of: acquiring original log data from a plurality of data sources; converting an abnormal pattern data set, formed from the original log data whose authentication failed, and a normal pattern data set, formed from the original log data whose authentication succeeded, into data sets with a uniform format; extracting corresponding features from the converted abnormal pattern data set and the converted normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features; and identifying abnormal network behavior in newly entered log data by means of the abnormal/normal pattern knowledge base.
According to some embodiments of the computer device of the present invention, acquiring original log data from a plurality of data sources further comprises: defining an auditing policy by means of filtering rules, and acquiring the original log data from the plurality of data sources according to the auditing policy.
According to some embodiments of the computer device of the present invention, the steps performed by the device further comprise: displaying security events in real time, and issuing a warning message in response to identifying abnormal network behavior that threatens network security.
According to some embodiments of the computer device of the present invention, extracting corresponding features from the converted abnormal pattern data set and normal pattern data set, and establishing the abnormal/normal pattern knowledge base from those features, further comprises: processing the plurality of log data in the abnormal pattern data set and the normal pattern data set by data mining techniques, thereby extracting the corresponding features of the plurality of log data.
In another aspect of the embodiments of the present invention, a computer-readable storage medium is further provided, which stores a computer program that, when executed by a processor, performs the network log auditing method described above.
Thus, those skilled in the art will appreciate that all of the embodiments, features and advantages set forth above with respect to the network log auditing method according to the present invention apply equally to the computer device and medium according to the present invention. For the sake of brevity of the present disclosure, they are not explained again here.
It should be particularly noted that the steps in the foregoing embodiments of the network log auditing method, apparatus, device and medium can be interleaved, replaced, added to and deleted from one another, so that these reasonable permutations and combinations of the network log auditing method, apparatus, device and medium also belong to the protection scope of the present invention, and the protection scope of the present invention should not be limited to the embodiments.
Finally, it should be noted that, as one of ordinary skill in the art can appreciate, all or part of the processes of the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware. The program of the network log auditing method may be stored in a computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. The storage medium of the program may be a magnetic disk, an optical disk, a Read Only Memory (ROM), a Random Access Memory (RAM) or the like. The embodiments of the computer program may achieve the same or similar effects as any of the method embodiments described above.
Furthermore, the methods disclosed according to embodiments of the present invention may also be implemented as a computer program executed by a processor, which may be stored in a computer-readable storage medium. Which when executed by a processor performs the above-described functions defined in the methods disclosed in embodiments of the invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Further, it should be appreciated that the computer-readable storage media (e.g., memory) herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM) or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM) and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk, blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbering of the embodiments disclosed above is for description only and does not indicate the relative merit of any embodiment.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, and the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is exemplary only and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples. Within the idea of the embodiments, technical features of the above embodiment or of different embodiments may also be combined, and there are many other variations of the different aspects of the embodiments described above which are not set out in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the embodiments are intended to be included within their scope.

Claims (10)

1. A network log auditing method, the method comprising:
acquiring raw log data from a plurality of data sources;
converting an abnormal pattern data set, formed by the raw log data for which authentication failed, and a normal pattern data set, formed by the raw log data for which authentication succeeded, into data sets of a uniform format;
extracting corresponding features from the converted abnormal pattern data set and normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features; and
identifying abnormal network behavior in newly input log data by means of the abnormal/normal pattern knowledge base.
2. The method of claim 1, wherein acquiring raw log data from a plurality of data sources further comprises:
defining an audit policy by means of filtering rules, and acquiring the raw log data from the data sources according to the audit policy.
3. The method of claim 2, wherein the audit policy includes viewing, filtering and printing audit records.
4. The network log auditing method of claim 1, the method further comprising:
displaying a security event in real time and issuing a warning message in response to identifying that said abnormal network behavior threatens network security.
5. The method of claim 1, wherein extracting corresponding features from the converted abnormal pattern data set and the normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features, further comprises:
processing the plurality of log data records in the abnormal pattern data set and the normal pattern data set by data mining, thereby extracting the corresponding features of the plurality of log data records.
6. A computer device, comprising:
at least one processor; and
a memory storing computer instructions executable on the processor, the instructions when executed by the processor implementing the steps of:
acquiring raw log data from a plurality of data sources;
converting an abnormal pattern data set, formed by the raw log data for which authentication failed, and a normal pattern data set, formed by the raw log data for which authentication succeeded, into data sets of a uniform format;
extracting corresponding features from the converted abnormal pattern data set and normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features; and
identifying abnormal network behavior in newly input log data by means of the abnormal/normal pattern knowledge base.
7. The computer device of claim 6, wherein acquiring raw log data from a plurality of data sources further comprises:
defining an audit policy by means of filtering rules, and acquiring the raw log data from the data sources according to the audit policy.
8. The computer device of claim 6, wherein the instructions further implement the steps of:
displaying a security event in real time and issuing a warning message in response to identifying that said abnormal network behavior threatens network security.
9. The computer device of claim 6, wherein extracting corresponding features from the converted abnormal pattern data set and the normal pattern data set, and establishing an abnormal/normal pattern knowledge base from those features, further comprises:
processing the plurality of log data records in the abnormal pattern data set and the normal pattern data set by data mining, thereby extracting the corresponding features of the plurality of log data records.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, is adapted to carry out the method of any one of claims 1 to 5.
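The claims describe a pipeline but not a concrete data format, feature set or detection rule. The following Python sketch is an added illustration, not code from the patent or its assignee, that walks the steps of claims 1, 2, 4 and 5 over constructed log lines from two sources: an sshd-style syslog and a JSON web login log. The two log formats, the regular expression, the uniform record fields, the per-address feature profile used as the "knowledge base" and the thresholds are all assumptions made for this example; the patent itself leaves the data mining method unspecified.

```python
"""Toy walk-through of the claimed network log audit pipeline (added example).

The sample log lines, log formats, field names and thresholds below are
constructed assumptions, not material from the patent.
"""
import json
import re
from collections import defaultdict

# Constructed sample input from two data sources (claim 1: a plurality of sources).
SSHD_LOG = """\
Jan 17 10:00:01 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 41234 ssh2
Jan 17 10:00:02 host1 sshd[2001]: Failed password for admin from 198.51.100.7 port 41235 ssh2
Jan 17 10:00:03 host1 sshd[2001]: Failed password for oracle from 198.51.100.7 port 41236 ssh2
Jan 17 10:00:09 host1 sshd[2002]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan 17 10:00:10 host1 CRON[2003]: (root) CMD (run-parts /etc/cron.hourly)
"""
WEB_LOG = """\
{"ts": "2020-01-17T10:00:04Z", "event": "login", "user": "bob", "ip": "192.0.2.11", "ok": true}
{"ts": "2020-01-17T10:00:05Z", "event": "login", "user": "bob", "ip": "198.51.100.7", "ok": false}
{"ts": "2020-01-17T10:00:06Z", "event": "page_view", "user": "bob", "ip": "192.0.2.11", "path": "/"}
"""

# Assumed sshd line shape; "invalid user" appears on failures for unknown accounts.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<verdict>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


# Claim 2: the audit policy is a set of filtering rules, one per source. A rule
# returns a record in the uniform format {source, user, ip, ok} or None to drop the line.
def sshd_rule(line):
    m = SSHD_RE.search(line)
    if not m:
        return None
    return {"source": "sshd", "user": m["user"], "ip": m["ip"],
            "ok": m["verdict"] == "Accepted"}


def web_rule(line):
    rec = json.loads(line)
    if rec.get("event") != "login":
        return None
    return {"source": "web", "user": rec["user"], "ip": rec["ip"], "ok": bool(rec["ok"])}


AUDIT_POLICY = {"sshd": sshd_rule, "web": web_rule}


def acquire(sources):
    """Apply the audit policy to every line of every source; return uniform records."""
    records = []
    for name, text in sources.items():
        rule = AUDIT_POLICY[name]
        for line in text.splitlines():
            rec = rule(line)
            if rec is not None:
                records.append(rec)
    return records


def split_sets(records):
    """Claim 1: failed authentications form the abnormal set, successes the normal set."""
    abnormal = [r for r in records if not r["ok"]]
    normal = [r for r in records if r["ok"]]
    return abnormal, normal


def build_knowledge_base(abnormal, normal):
    """Claim 5: aggregate features per source address from both sets (assumed feature set)."""
    kb = defaultdict(lambda: {"fails": 0, "fail_users": set(), "ok_users": set()})
    for r in abnormal:
        kb[r["ip"]]["fails"] += 1
        kb[r["ip"]]["fail_users"].add(r["user"])
    for r in normal:
        kb[r["ip"]]["ok_users"].add(r["user"])
    return dict(kb)


FAIL_THRESHOLD = 3   # constructed threshold: repeated failures from one address
SPRAY_THRESHOLD = 3  # constructed threshold: distinct accounts tried from one address


def classify(kb, rec):
    """Last step of claim 1 plus claim 4: label a new record and build the warning text."""
    prof = kb.get(rec["ip"])
    if prof is None:
        return ("normal", None)  # no history for this address in the knowledge base
    if not rec["ok"]:
        fails = prof["fails"] + 1
        users = prof["fail_users"] | {rec["user"]}
        if fails >= FAIL_THRESHOLD or len(users) >= SPRAY_THRESHOLD:
            return ("abnormal", f"WARNING: {rec['ip']} has {fails} auth failures across {len(users)} accounts")
        return ("normal", None)
    # A success from an address already profiled as failing, on an account it never
    # succeeded on before, is the case an auditor most wants surfaced.
    if prof["fails"] >= FAIL_THRESHOLD and rec["user"] not in prof["ok_users"]:
        return ("abnormal", f"WARNING: {rec['ip']} succeeded as {rec['user']} after {prof['fails']} failures")
    return ("normal", None)


def audit(sources, new_lines):
    """Build the knowledge base from historical sources, then judge newly input lines."""
    kb = build_knowledge_base(*split_sets(acquire(sources)))
    results = []
    for name, line in new_lines:
        rec = AUDIT_POLICY[name](line)
        if rec is not None:
            results.append((rec["ip"], rec["user"]) + classify(kb, rec))
    return results
```

The per-address profile stands in for whatever features the patent's data mining step would produce; the point of the structure is that the filtering rules, the uniform record and the classifier are separate pieces, so adding a third log source means adding one rule, not touching the knowledge base or the detector.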

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010052110.8A CN111314302A (en) 2020-01-17 2020-01-17 Network log auditing method, equipment and medium


Publications (1)

Publication Number Publication Date
CN111314302A true CN111314302A (en) 2020-06-19

Family

ID=71148903


Country Status (1)

Country Link
CN (1) CN111314302A (en)


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105975604A (en) * 2016-05-12 2016-09-28 清华大学 Distribution iterative data processing program abnormity detection and diagnosis method
CN106911668A (en) * 2017-01-10 2017-06-30 同济大学 A kind of identity identifying method and system based on personal behavior model
CN107895039A (en) * 2017-11-29 2018-04-10 华中科技大学 A kind of construction method of campus network Verification System log database
CN109359098A (en) * 2018-10-31 2019-02-19 云南电网有限责任公司 A kind of dispatch data net behavior monitoring system and method
CN109858254A (en) * 2019-01-15 2019-06-07 西安电子科技大学 Platform of internet of things attack detection system and method based on log analysis
CN110381079A (en) * 2019-07-31 2019-10-25 福建师范大学 Network log method for detecting abnormality is carried out in conjunction with GRU and SVDD


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111832072A (en) * 2020-07-02 2020-10-27 上海识装信息科技有限公司 Method and system for preventing illegal operation of log platform
CN111832072B (en) * 2020-07-02 2021-06-04 上海识装信息科技有限公司 Method and system for preventing illegal operation of log platform
CN112767106A (en) * 2021-01-14 2021-05-07 中国科学院上海高等研究院 Automatic auditing method, system, computer readable storage medium and auditing equipment
CN112767106B (en) * 2021-01-14 2023-11-07 中国科学院上海高等研究院 Automatic auditing method, system, computer readable storage medium and auditing equipment
CN113079172A (en) * 2021-04-13 2021-07-06 宁波和利时信息安全研究院有限公司 Audit strategy matching method and device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200619