CN111488572B - User behavior analysis log generation method and device, electronic equipment and medium - Google Patents


Info

Publication number
CN111488572B
Authority
CN
China
Prior art keywords
log
user behavior
attack
user
internet protocol
Prior art date
Legal status
Active
Application number
CN202010229594.9A
Other languages
Chinese (zh)
Other versions
CN111488572A (en)
Inventor
李耀东
葛奇维
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202010229594.9A
Publication of CN111488572A
Application granted
Publication of CN111488572B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action


Abstract

The disclosure relates to a user behavior analysis log generation method, a device, an electronic device and a computer readable medium. The method comprises the following steps: obtaining an attack log, wherein the attack log comprises a source internet protocol address and a destination internet protocol address; extracting a plurality of logs by a log management center based on the destination internet protocol address and a preset time range; searching the plurality of logs based on the source internet protocol address and extracting user behavior data; and generating a user behavior analysis log based on the user behavior data. The user behavior analysis log generation method, device, electronic device and computer readable medium can automatically and quickly determine the cause and manner of the attack on the user, help manage the user's internet behavior, maintain internal traffic security and improve the work efficiency of the network administrator.

Description

User behavior analysis log generation method and device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a method, an apparatus, an electronic device, and a computer readable medium for generating a user behavior analysis log.
Background
Data networks and data communication services are evolving very rapidly, and network security has become a key issue with significant and long-term consequences for national interests. With the widespread deployment of network security technologies such as firewalls and IPS, computer networks have built a relatively mature defense system against external threats. Meanwhile, intranet security has become a major problem facing network security.
Log management software acts as a data center that receives the network behavior logs sent by various network devices (such as firewalls, audit devices, IPS and traffic cleaning devices). Through the data center, log information such as a user's network traffic and internet behavior can be queried at any time, and the user that generated a log at a specific time can be located from the log time, address and other fields. The data center also provides report analysis functions, through which the overall condition of the network and its personnel can be analyzed, providing data for optimizing and adjusting the network and the personnel. When the log management center receives an attack log and parses its source/destination address, port, signature and other information, the administrator must still manually query the network behavior logs (traffic logs, audit logs and the like) to analyze the network behavior and observe the user's network operations in the specified time period. Manually analyzing the various network behavior logs involves a large workload, a high error rate and low efficiency.
Accordingly, there is a need for a new user behavior analysis log generation method, apparatus, electronic device, and computer-readable medium.
The above information disclosed in the background section is only for enhancement of understanding of the background of the disclosure and therefore it may include information that does not form the prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present disclosure provides a method, an apparatus, an electronic device, and a computer readable medium for generating a log of user behavior analysis, which can automatically and quickly determine the cause and mode of a user attack, further manage the online behavior of the user, maintain the security of internal traffic, and also improve the work efficiency of a network administrator.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to an aspect of the present disclosure, a method for generating a user behavior analysis log is provided, including: obtaining an attack log, wherein the attack log comprises a source internet protocol address and a destination internet protocol address; extracting a plurality of logs by a log management center based on the destination internet protocol address and a preset time range; retrieving in the plurality of logs based on the source internet protocol address, extracting user behavior data; and generating a user behavior analysis log based on the user behavior data.
In an exemplary embodiment of the present disclosure, further comprising: generating an attack source analysis log based on the user behavior data; pushing the user behavior analysis log and the attack source analysis log to a user side for display.
In one exemplary embodiment of the present disclosure, generating an attack source analysis log based on the user behavior data includes: extracting user operation when the source internet protocol address is accessed for the first time from the user behavior data; or acquiring user operation at the beginning of attack from the user behavior data; and generating the attack source analysis log according to the user operation.
In an exemplary embodiment of the present disclosure, before obtaining the attack log, further includes: the attack log is discovered and generated by an intrusion prevention system.
In one exemplary embodiment of the present disclosure, the attack log is discovered and generated by an intrusion prevention system, comprising: and monitoring the access protocol and the traffic of the network in real time based on the intrusion prevention system to discover and generate the attack log.
In one exemplary embodiment of the present disclosure, extracting, by a log management center, a plurality of logs based on the destination internet protocol address and a preset time range includes: and when the destination internet protocol address is in a preset address range and the time from the previous generation of the user behavior analysis log exceeds a preset time range, extracting a plurality of logs by a log management center based on the destination internet protocol address and the preset time range.
In one exemplary embodiment of the present disclosure, extracting, by a log management center, a plurality of logs based on the destination internet protocol address and a preset time range includes: extracting, by the log management center, a plurality of logs based on the destination internet protocol address, the logs including: web application audit log, transmission audit log, mail audit log, forum audit log, and traffic analysis log; and removing logs which are not in the preset time range from the plurality of logs.
In one exemplary embodiment of the present disclosure, retrieving, based on the source internet protocol address, among the plurality of logs, user behavior data includes: searching in the logs to extract a log containing the source internet protocol address; and extracting the user behavior data from the log.
In an exemplary embodiment of the present disclosure, further comprising: when the log containing the source internet protocol address is not extracted, a session log between the source internet protocol address and the destination internet protocol address is acquired; and extracting the user behavior data from the session log.
In one exemplary embodiment of the present disclosure, generating a user behavior analysis log based on the user behavior data includes: and extracting user behavior data from the log sequentially according to time sequence to generate the user behavior analysis log.
According to an aspect of the present disclosure, there is provided a user behavior analysis log generating apparatus including: a monitoring module for acquiring an attack log, wherein the attack log comprises a source internet protocol address and a destination internet protocol address; a log module for extracting a plurality of logs from the log management center based on the destination internet protocol address and a preset time range; a data module for searching the plurality of logs based on the source internet protocol address and extracting user behavior data; and an analysis module for generating a user behavior analysis log based on the user behavior data.
In an exemplary embodiment of the present disclosure, further comprising: the source module is used for generating an attack source analysis log based on the user behavior data; and the display module is used for pushing the user behavior analysis log and the attack source analysis log to a user side for display.
According to an aspect of the present disclosure, there is provided an electronic device including: one or more processors; a storage means for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the methods as described above.
According to an aspect of the present disclosure, a computer-readable medium is presented, on which a computer program is stored, which program, when being executed by a processor, implements a method as described above.
According to the user behavior analysis log generation method, the device, the electronic equipment and the computer readable medium, an attack log is obtained, wherein the attack log comprises a source internet protocol address and a destination internet protocol address; a plurality of logs are extracted by a log management center based on the destination internet protocol address and a preset time range; the plurality of logs are searched based on the source internet protocol address and user behavior data is extracted; and a user behavior analysis log is generated based on the user behavior data. This can automatically and quickly determine the cause and manner of the attack on the user, further manage the user's online behavior, maintain internal traffic security and improve the work efficiency of the network administrator.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely examples of the present disclosure and other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art.
FIG. 1 is a system block diagram illustrating a method and apparatus for generating a user behavior analysis log, according to an example embodiment.
FIG. 2 is a flowchart illustrating a method of user behavior analysis log generation, according to an example embodiment.
Fig. 3 is a flowchart illustrating a user behavior analysis log generation method according to another exemplary embodiment.
Fig. 4 is a flowchart illustrating a user behavior analysis log generation method according to another exemplary embodiment.
Fig. 5 is a block diagram illustrating a user behavior analysis log generation apparatus according to an exemplary embodiment.
Fig. 6 is a block diagram illustrating a user behavior analysis log generation apparatus according to another exemplary embodiment.
Fig. 7 is a block diagram of an electronic device, according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments can be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another element. Accordingly, a first component discussed below could be termed a second component without departing from the teachings of the concepts of the present disclosure. As used herein, the term "and/or" includes any one of the associated listed items and all combinations of one or more.
Those skilled in the art will appreciate that the drawings are schematic representations of example embodiments and that the modules or flows in the drawings are not necessarily required to practice the present disclosure, and therefore, should not be taken to limit the scope of the present disclosure.
The terms involved in this disclosure are explained as follows:
the log management platform is used for receiving and storing log information such as attacks, viruses, network traffic analysis, network behavior audit, NAT, session and the like generated by the network equipment, and displaying the received log to a user in various forms.
User behavior analysis means that an administrator statistically analyzes the network actions performed by a given IP in a selected time period, using log information generated by the user such as internet behavior audit logs, network traffic logs and NAT/session information, so as to establish what operations the user performed while online, which websites were browsed and which actions were taken.
IPS (Intrusion Prevention System) is a security mechanism that analyzes network traffic, detects intrusions (including buffer overflow attacks, trojans, worms and so on) and, depending on the configured response mode, either stops the intrusion in real time or only raises an alarm, so as to protect the enterprise information system and network architecture from being compromised.
In view of the technical problems in the prior art, the user behavior analysis log generation method provided by the present disclosure can rapidly correlate and analyze the network behavior of the user in the period of time when the user is endangered by network attack/virus, thereby facilitating analysis of reasons and modes of the user suffering from attack/virus, managing the user surfing behavior, maintaining the internal network security, reducing the workload and error rate of the manager for manually analyzing the user network behavior, and improving the working efficiency. The present disclosure is described in detail below in connection with specific embodiments.
FIG. 1 is a system block diagram of a user behavior analysis log generation method, apparatus, electronic device, and computer readable medium, according to an example embodiment.
As shown in fig. 1, the system architecture 10 may include user terminal devices 101, 102, 103, a network 104 and log management platform 105, firewall devices 106, and an intrusion prevention system 107. The network 104 is a medium for providing a communication link between the user terminal devices 101, 102, 103 and the firewall device 106, intrusion prevention system 107; the network 104 also serves as a medium to provide a communication link between the firewall device 106, the intrusion prevention system 107, and the log management platform 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with an external network through a network 104, a firewall device 106, an intrusion prevention system 107, to receive or send messages, etc. using user terminal devices 101, 102, 103. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc., may be installed on the user terminal devices 101, 102, 103.
The user terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The firewall device 106 and the intrusion prevention system 107 monitor network traffic data of the user terminal devices 101, 102, 103 in real time, and generate an attack log when external attack behaviors are found.
The log management platform 105 is configured to receive and store log information of attacks, viruses, network traffic analysis, network behavior audit, NAT, session, etc. monitored by the firewall device 106 and the intrusion prevention system 107. The log management platform 105 performs processing such as analysis on the attack log sent from the firewall device 106 and the intrusion prevention system 107, and feeds back processing results (e.g., user behavior analysis log and attack source analysis log) to the administrator.
The log management platform 105 may, for example, obtain an attack log containing source internet protocol addresses and destination internet protocol addresses; the log management platform 105 may extract a plurality of logs from the log management center, for example, based on the destination internet protocol address and a preset time frame; the log management platform 105 may retrieve user behavior data in the plurality of logs, e.g., based on the source internet protocol address; the log management platform 105 may generate a user behavior analysis log, for example, based on the user behavior data.
The log management platform 105 may also generate an attack source analysis log, for example, based on the user behavior data; the log management platform 105 may also push the user behavior analysis log and the attack source analysis log to a user side for presentation, for example.
FIG. 2 is a flowchart illustrating a method of user behavior analysis log generation, according to an example embodiment. The user behavior analysis log generation method 20 includes at least steps S202 to S208.
As shown in fig. 2, in S202, an attack log is acquired, where the attack log includes a source internet protocol address and a destination internet protocol address.
In one embodiment, before the attack log is obtained, the method further includes: the attack log is discovered and generated by an intrusion prevention system. The method specifically comprises the following steps: and monitoring the access protocol and the traffic of the network in real time based on the intrusion prevention system to discover and generate the attack log.
The firewall device can, for example, discover and report NAT/session logs to the log management platform. For a user's network operation these logs carry information such as the source IP, destination IP, source port, destination port, and the source IP, destination IP, source port and destination port after NAT; the log management platform is responsible for collecting and storing them. The IPS device can likewise discover and report attack logs to the log management platform. An attack log mainly carries the source IP, destination IP, source port, destination port, attack type, attack event, application protocol, domain name and URL.
The user IP/range to be monitored can be configured on the log management platform. The IPS device analyzes the user's inbound and outbound protocols and traffic, discovers that the user is under network attack, and sends an attack log to the log management platform.
The system also includes a user behavior audit device, which audits user internet behavior and reports the audit logs to the log management platform, for example: web application audit logs, transmission audit logs, mail audit logs, forum audit logs, keyword audit logs and traffic audit analysis logs. An audit log generally contains the essential information about the user's internet activity and behavior, such as the user's source IP, destination IP, source port, destination port, accessed website and domain name, uploaded/downloaded file names, mail sender, content and attachments, keyword matches on internet behavior, and network protocol or application signatures.
In S204, a plurality of logs are extracted by a log management center based on the destination internet protocol address and a preset time range. For example, when the destination internet protocol address is within a preset address range and the time since the user behavior analysis log was previously generated exceeds a preset time range, a plurality of logs may be extracted by the log management center based on the destination internet protocol address and the preset time range.
In one embodiment, extracting, by the log management center, a plurality of logs based on the destination internet protocol address and a preset time range includes: extracting, by the log management center, a plurality of logs based on the destination internet protocol address, the logs including: web application audit log, transmission audit log, mail audit log, forum audit log, and traffic analysis log; and removing logs which are not in the preset time range from the plurality of logs. After the log management platform receives the attack log, it checks whether the attacked destination IP is within the monitored user IP/range. If the user is within the monitored IP/range and more than 10 minutes have passed since the last user behavior analysis log was generated for that IP, the attack alarm log is generated and the following steps are carried out.
In S206, user behavior data is extracted by searching among the plurality of logs based on the source internet protocol address. Comprising the following steps: searching in the logs to extract a log containing the source internet protocol address; and extracting the user behavior data from the log.
In one embodiment, when the log containing the source internet protocol address is not extracted, a session log between the source internet protocol address and a destination internet protocol address is acquired; and extracting the user behavior data from the session log.
More specifically, by correlating the user IP with the web audit, web search, web transmission and forum audit logs, it can be determined whether the network addresses the user visited in the specified time period include the source IP of the attack log (i.e. the attack source).
Likewise, by correlating the user IP with the mail audit log, it can be determined whether the addresses the user sent mail to or received mail from in the specified time period include the source IP of the attack log (i.e. the attack source).
By correlating the user IP with the FTP audit log, it can be determined whether the addresses the user uploaded to or downloaded from via FTP in the specified time period include the source IP of the attack log (i.e. the attack source).
By correlating the user IP with the traffic analysis log, the traffic protocol and rate between the user and the attack source IP in the specified time period can be looked up.
In S208, a user behavior analysis log is generated based on the user behavior data. This includes: extracting the user behavior data from the logs in chronological order to generate the user behavior analysis log. The retrieved information is sorted by occurrence time, and the network behavior operations performed by the user within the 10 minutes are collected and presented as the user behavior analysis log.
According to the user behavior analysis log generation method, an attack log is obtained, wherein the attack log comprises a source internet protocol address and a destination internet protocol address; a plurality of logs are extracted by a log management center based on the destination internet protocol address and a preset time range; the plurality of logs are searched based on the source internet protocol address and user behavior data is extracted; and a user behavior analysis log is generated based on the user behavior data. This can automatically and quickly determine the cause and manner of the attack on the user, further manage the user's online behavior, maintain internal traffic security and improve the work efficiency of the network administrator.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 3 is a flowchart illustrating a user behavior analysis log generation method according to another exemplary embodiment. The flow shown in fig. 3 is a complementary description of the flow shown in fig. 2.
As shown in fig. 3, in S302, a user operation when the source internet protocol address is first accessed is extracted from the user behavior data.
In S304, a user operation at the start of an attack is acquired in the user behavior data.
In S306, the attack source analysis log is generated according to the user operation.
In S308, the user behavior analysis log and the attack source analysis log are pushed to the user side for display.
From the logs extracted in the flow of fig. 2, the action by which the user first accessed the attack source IP (such as a web search) and the action taking place between the user and the attack source IP at the start of the attack (such as a web transfer) are analyzed and extracted, and an attack source analysis log is generated.
The user behavior analysis log and the attack source analysis log obtained by this analysis are provided to the administrator, so that the administrator can conveniently analyze and observe the user's network behavior and the reason the user was attacked.
According to the method for generating the user behavior analysis log, the attack log is monitored in real time and network behavior analysis is performed on the attacked user, so that the user's first access to the attack source IP and the network behavior operation under way when the attack first occurred are obtained for a certain period of time before the attack. From these the cause of the attack can be judged, and the administrator no longer needs to manually query the user's network behavior.
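The correlation steps S202 to S208 and the attack source analysis of S302 to S306, written out as an added worked example in Python. This code is not part of the patent or of any DPtech product: the attack log, the audit records and the session record are constructed sample data, the 10-minute window is taken from the description, and the record layout (time, log type, user IP, peer IP, action) is an assumption made for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Assumed record layout for audit and session logs (not the patent's format).
Record = namedtuple("Record", "time log_type user_ip peer_ip action")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed attack log as the IPS would report it to the log management platform (S202).
ATTACK_LOG = {
    "time": "2020-03-27 10:20:00",
    "src_ip": "203.0.113.7",    # attack source
    "dst_ip": "192.168.1.25",   # attacked intranet user
    "attack_type": "trojan-download",
}

# Constructed internet behaviour audit logs reported by the audit device.
AUDIT_LOGS = [
    Record("2020-03-27 09:30:00", "web_app",      "192.168.1.25", "203.0.113.7",   "GET /old.html"),               # outside window
    Record("2020-03-27 10:05:30", "web_search",   "192.168.1.25", "198.51.100.9",  "search 'game crack'"),         # outside window
    Record("2020-03-27 10:12:10", "web_app",      "192.168.1.25", "203.0.113.7",   "GET /download.html"),
    Record("2020-03-27 10:13:45", "transmission", "192.168.1.25", "203.0.113.7",   "download update.exe"),
    Record("2020-03-27 10:14:00", "web_app",      "192.168.1.26", "203.0.113.7",   "GET /"),                       # other user
    Record("2020-03-27 10:16:20", "mail",         "192.168.1.25", "198.51.100.40", "send mail to it@example.com"),  # not the attack source
    Record("2020-03-27 10:19:58", "traffic",      "192.168.1.25", "203.0.113.7",   "HTTP 1.2 MB/s"),
]

# Constructed firewall session logs, consulted only when no audit record mentions the attack source.
SESSION_LOGS = [
    Record("2020-03-27 10:18:00", "session", "192.168.1.30", "203.0.113.7", "TCP 54321->80"),
]

WINDOW = timedelta(minutes=10)   # the 10-minute range named in the description


def extract_user_logs(audit_logs, dst_ip, attack_time, window=WINDOW):
    """S204: every audit record generated by the attacked IP in the window ending at the attack."""
    start = attack_time - window
    return [r for r in audit_logs
            if r.user_ip == dst_ip and start <= _ts(r.time) <= attack_time]


def retrieve_behavior(user_logs, session_logs, src_ip, dst_ip, attack_time, window=WINDOW):
    """S206: keep the records that mention the attack source; fall back to session logs (S416)."""
    hits = [r for r in user_logs if r.peer_ip == src_ip]
    if hits:
        return hits, "audit"
    start = attack_time - window
    sessions = [r for r in session_logs
                if {r.user_ip, r.peer_ip} == {src_ip, dst_ip}
                and start <= _ts(r.time) <= attack_time]
    return sessions, "session"


def user_behavior_analysis_log(records):
    """S208: order the extracted behaviour chronologically."""
    return sorted(records, key=lambda r: _ts(r.time))


def attack_source_analysis_log(ordered):
    """S302-S306: first contact with the attack source and the operation under way at the start of the attack."""
    if not ordered:
        return None
    return {"first_access": ordered[0], "at_attack_start": ordered[-1]}


def analyze(attack, audit_logs=AUDIT_LOGS, session_logs=SESSION_LOGS, window=WINDOW):
    """Full pipeline for one attack log: returns where the data came from, the ordered behaviour, and the source analysis."""
    t = _ts(attack["time"])
    user_logs = extract_user_logs(audit_logs, attack["dst_ip"], t, window)
    records, origin = retrieve_behavior(user_logs, session_logs, attack["src_ip"], attack["dst_ip"], t, window)
    ordered = user_behavior_analysis_log(records)
    return {"origin": origin, "behavior": ordered, "attack_source": attack_source_analysis_log(ordered)}


if __name__ == "__main__":
    result = analyze(ATTACK_LOG)
    for r in result["behavior"]:
        print(r.time, r.log_type, r.action)
    print(result["attack_source"])
```

Run as a script, it prints the three chronologically ordered records that involve the attack source, followed by the first-access / at-attack-start pair. The session-log fallback is consulted only when no audit record mentions the attack source, so a user whose audit logs are silent (192.168.1.30 in the sample data) still yields the session that carried the attack, while a user with no record of the source at all yields an empty behaviour log and no attack source analysis.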
Fig. 4 is a flowchart illustrating a user behavior analysis log generation method according to another exemplary embodiment.
As shown in fig. 4, in S402, the log management platform configures a monitoring user IP range.
In S404, an attack log is received.
In S406, it is checked whether the destination IP carried by the attack log is within the monitored IP range.
In S408, it is checked whether more than 10 minutes have elapsed since the last user behavior analysis log was generated for that IP.
In S410, a plurality of logs generated by the user within a specified period of time are searched, and the plurality of logs may include: web application audit log, transmission audit log, mail audit log, forum audit log, and traffic analysis log.
In S412, it is determined whether or not the plurality of logs include the attack source IP.
In S414, the extracted user behavior is analyzed; for example, the user's first access to the attack source and the action between the user and the attack source IP at the start of the attack can be extracted, and an attack source analysis log is generated from them.
In S416, when no network behavior log can be associated, only the session log between the user and the attack source IP in the specified period of time is queried.
In S418, a user behavior analysis log and an attack source analysis log are generated and associated with the current alarm log for viewing by an administrator.
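The S402 to S418 flow above, modelled as an added example that is not part of the patent: the alert is gated by the monitored range and the 10-minute cool-down, the victim's audit records in a look-back window are filtered to those involving the attack source (falling back to session records when none match), and the chronological user behavior analysis log plus the attack source analysis log are derived. The addresses, timestamps, actions, the 10.1.0.0/16 range and the 60-minute window are constructed values, not taken from the patent.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data: every address, timestamp and action below is invented.
ATTACK_LOG = {"src_ip": "203.0.113.9", "dst_ip": "10.1.2.3",
              "time": datetime(2020, 3, 27, 10, 30)}

# Audit log records: (time, log type, user IP, peer IP, action)
AUDIT_LOGS = [
    (datetime(2020, 3, 27, 9, 0), "forum", "10.1.2.3", "203.0.113.9", "post"),  # outside window
    (datetime(2020, 3, 27, 10, 5), "web", "10.1.2.3", "198.51.100.7", "search"),  # other peer
    (datetime(2020, 3, 27, 10, 12), "web", "10.1.2.3", "203.0.113.9", "search"),
    (datetime(2020, 3, 27, 10, 20), "mail", "10.1.2.3", "203.0.113.9", "download attachment"),
    (datetime(2020, 3, 27, 10, 30), "transfer", "10.1.2.3", "203.0.113.9", "file transfer"),
]
# Session log records: (time, user IP, peer IP, protocol), used only as the S416 fallback
SESSION_LOGS = [(datetime(2020, 3, 27, 10, 29), "10.1.2.3", "203.0.113.9", "tcp/443")]

MONITORED = ip_network("10.1.0.0/16")  # S402: monitored user IP range (assumed value)
COOLDOWN = timedelta(minutes=10)       # S408: 10 minutes, as stated in the flow
WINDOW = timedelta(minutes=60)         # S410: look-back period before the attack (assumed value)


def should_analyze(attack, last_generated, monitored=MONITORED, cooldown=COOLDOWN):
    """S406 + S408: the victim IP must be monitored and the cool-down must have elapsed."""
    if ip_address(attack["dst_ip"]) not in monitored:
        return False
    last = last_generated.get(attack["dst_ip"])
    return last is None or attack["time"] - last > cooldown


def extract_behavior(attack, audit_logs, session_logs, window=WINDOW):
    """S410-S416: the victim's records in the window that involve the attack source,
    in chronological order; when no audit record matches, fall back to session records."""
    start = attack["time"] - window
    related = sorted(
        (t, kind, action) for t, kind, user, peer, action in audit_logs
        if user == attack["dst_ip"] and peer == attack["src_ip"] and start <= t <= attack["time"]
    )
    if related:
        return related
    return sorted(
        (t, "session", proto) for t, user, peer, proto in session_logs
        if user == attack["dst_ip"] and peer == attack["src_ip"] and start <= t <= attack["time"]
    )


def analyze(attack, audit_logs, session_logs, last_generated):
    """S418: returns (user behavior analysis log, attack source analysis log),
    or None when the alert is filtered out or nothing relates the user to the source."""
    if not should_analyze(attack, last_generated):
        return None
    behavior = extract_behavior(attack, audit_logs, session_logs)
    if not behavior:
        return None
    first_time, first_kind, first_action = behavior[0]    # first contact with the attack source
    start_time, start_kind, start_action = behavior[-1]   # latest action up to the attack time
    attack_source_log = {
        "first_access": {"time": first_time, "log": first_kind, "action": first_action},
        "at_attack_start": {"time": start_time, "log": start_kind, "action": start_action},
    }
    last_generated[attack["dst_ip"]] = attack["time"]     # remembered for the S408 cool-down
    return behavior, attack_source_log


if __name__ == "__main__":
    state = {}
    print(analyze(ATTACK_LOG, AUDIT_LOGS, SESSION_LOGS, state))
    print(analyze(ATTACK_LOG, AUDIT_LOGS, SESSION_LOGS, state))  # suppressed by cool-down: None
```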
Those skilled in the art will appreciate that all or part of the steps implementing the above described embodiments are implemented as a computer program executed by a CPU. The above-described functions defined by the above-described methods provided by the present disclosure are performed when the computer program is executed by a CPU. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic disk or an optical disk, etc.
Furthermore, it should be noted that the above-described figures are merely illustrative of the processes involved in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method of the present disclosure.
Fig. 5 is a block diagram illustrating a user behavior analysis log generation apparatus according to an exemplary embodiment. As shown in fig. 5, the user behavior analysis log generation apparatus 50 includes: a monitoring module 502, a logging module 504, a data module 506, and an analysis module 508.
The monitoring module 502 is configured to obtain an attack log, where the attack log includes a source internet protocol address and a destination internet protocol address;
the log module 504 is configured to extract a plurality of logs from a log management center based on the destination internet protocol address and a preset time range; for example, when the destination internet protocol address is within a preset address range and the time since the user behavior analysis log was previously generated exceeds a preset time range, a plurality of logs may be extracted by the log management center based on the destination internet protocol address and the preset time range.
The data module 506 is configured to retrieve from the plurality of logs based on the source internet protocol address and extract user behavior data, which includes: searching the logs to extract the logs containing the source internet protocol address, and extracting the user behavior data from those logs.
The analysis module 508 is configured to generate a user behavior analysis log based on the user behavior data. User behavior data may be extracted from the log sequentially, e.g., in chronological order, to generate the user behavior analysis log.
Fig. 6 is a block diagram illustrating a user behavior analysis log generation apparatus according to another exemplary embodiment. As shown in fig. 6, the user behavior analysis log generation device 60 further includes, on the basis of the user behavior analysis log generation device 50: a source module 602, a display module 604.
The source module 602 is configured to generate an attack source analysis log based on the user behavior data; for example, the user operation at the first access to the source internet protocol address may be extracted from the user behavior data, or the user operation at the start of the attack may be obtained from the user behavior data, and the attack source analysis log is generated from that user operation.
The display module 604 is configured to push the user behavior analysis log and the attack source analysis log to a user side for display.
The user behavior analysis log generating device obtains an attack log comprising a source internet protocol address and a destination internet protocol address; extracts a plurality of logs from a log management center based on the destination internet protocol address and a preset time range; retrieves from the plurality of logs based on the source internet protocol address and extracts user behavior data; and generates a user behavior analysis log based on the user behavior data. In this way the cause and path of the attack on the user can be determined automatically and quickly, the user's online behavior can be further managed, internal business security is maintained, and the efficiency of the network administrator is improved.
Fig. 7 is a block diagram of an electronic device, according to an example embodiment.
An electronic device 700 according to such an embodiment of the present disclosure is described below with reference to fig. 7. The electronic device 700 shown in fig. 7 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 7, the electronic device 700 is embodied in the form of a general purpose computing device. Components of electronic device 700 may include, but are not limited to: at least one processing unit 710, at least one memory unit 720, a bus 730 connecting the different system components (including the memory unit 720 and the processing unit 710), a display unit 740, and the like.
The memory unit stores program code executable by the processing unit 710, so that the processing unit 710 performs the steps according to the various exemplary embodiments of the present disclosure described in the methods section above. For example, the processing unit 710 may perform the steps shown in fig. 2, 3, and 4.
The memory unit 720 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 7201 and/or cache memory 7202, and may further include Read Only Memory (ROM) 7203.
The storage unit 720 may also include a program/utility 7204 having a set (at least one) of program modules 7205, such program modules 7205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 730 may be a bus representing one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 700 may also communicate with one or more external devices 700' (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 700, and/or any device (e.g., router, modem, etc.) that enables the electronic device 700 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 750. Also, electronic device 700 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, through network adapter 760. Network adapter 760 may communicate with other modules of electronic device 700 via bus 730. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 700, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. The technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a usb disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, or a network device, etc.) to perform the above-described method according to the embodiments of the present disclosure.
The computer-readable medium carries one or more programs which, when executed by one of the devices, cause the device to perform the following functions: obtaining an attack log, wherein the attack log comprises a source internet protocol address and a destination internet protocol address; extracting a plurality of logs from a log management center based on the destination internet protocol address and a preset time range; retrieving from the plurality of logs based on the source internet protocol address and extracting user behavior data; and generating a user behavior analysis log based on the user behavior data.
Those skilled in the art will appreciate that the modules may be distributed throughout several devices as described in the embodiments, and that corresponding variations may be implemented in one or more devices that are unique to the embodiments. The modules of the above embodiments may be combined into one module, or may be further split into a plurality of sub-modules.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that this disclosure is not limited to the particular arrangements, instrumentalities and methods of implementation described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (9)

1. A method for generating a log of user behavior analysis, comprising:
monitoring access protocols and traffic of a network in real time based on an intrusion prevention system to discover and generate an attack log;
obtaining an attack log, wherein the attack log comprises a source internet protocol address and a destination internet protocol address;
when the destination internet protocol address is in a preset address range and the time since the previous generation of the user behavior analysis log exceeds a preset time range, extracting a plurality of logs from a log management center based on the destination internet protocol address and the preset time range, and removing the logs which are not in the preset time range from the plurality of logs to form an attack alarm log in real time, wherein the plurality of logs comprises: web application audit log, transmission audit log, mail audit log, forum audit log, and traffic analysis log;
retrieving in the plurality of logs based on the source internet protocol address, extracting user behavior data;
generating a user behavior analysis log based on the user behavior data;
and carrying out network behavior analysis on the attacked user in the user behavior data, extracting user operation when the source internet protocol address is accessed for the first time in a certain period of time before the attack occurs or acquiring operation which is carried out by the user when the attack is generated for the first time in the user behavior data, and generating an attack source analysis log according to the user operation.
2. The method as recited in claim 1, further comprising:
pushing the user behavior analysis log and the attack source analysis log to a user side for display.
3. The method of claim 1, wherein retrieving in the plurality of logs based on the source internet protocol address, extracting user behavior data, comprises:
searching in the logs to extract a log containing the source internet protocol address;
and extracting the user behavior data from the log.
4. A method as recited in claim 3, further comprising:
when the log containing the source internet protocol address is not extracted, a session log between the source internet protocol address and the destination internet protocol address is acquired;
and extracting the user behavior data from the session log.
5. The method of claim 1, wherein generating a user behavior analysis log based on the user behavior data comprises:
and extracting user behavior data from the log sequentially according to time sequence to generate the user behavior analysis log.
6. A user behavior analysis log generation apparatus, comprising:
the monitoring module is used for monitoring the access protocol and the flow of the network in real time based on the intrusion protection system so as to find and generate an attack log, and acquiring the attack log, wherein the attack log comprises a source internet protocol address and a destination internet protocol address;
the log module is used for extracting a plurality of logs from a log management center based on the destination internet protocol address and a preset time range when the destination internet protocol address is in the preset address range and the time since the previous generation of the user behavior analysis log exceeds the preset time range, removing the logs which are not in the preset time range from the plurality of logs, and forming an attack alarm log in real time, wherein the plurality of logs comprises: web application audit log, transmission audit log, mail audit log, forum audit log, and traffic analysis log;
the data module is used for searching in the logs based on the source internet protocol address and extracting user behavior data;
the analysis module is used for generating a user behavior analysis log based on the user behavior data;
a source module for generating an attack source analysis log based on the user behavior data, comprising: and carrying out network behavior analysis on the attacked user in the user behavior data, extracting user operation when the source internet protocol address is accessed for the first time in a certain period of time before the attack occurs or acquiring operation which is carried out by the user when the attack is generated for the first time in the user behavior data, and generating the attack source analysis log according to the user operation.
7. The apparatus as recited in claim 6, further comprising:
and the display module is used for pushing the user behavior analysis log and the attack source analysis log to a user side for display.
8. An electronic device, comprising:
one or more processors;
a storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-5.
9. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-5.
CN202010229594.9A 2020-03-27 2020-03-27 User behavior analysis log generation method and device, electronic equipment and medium Active CN111488572B (en)
Publications (2)

Publication Number Publication Date
CN111488572A CN111488572A (en) 2020-08-04
CN111488572B true CN111488572B (en) 2024-01-19