CN112134719A - Method and system for analyzing base station security log - Google Patents


Info

Publication number: CN112134719A
Application number: CN201910556924.2A
Authority: CN (China)
Prior art keywords: log, data, safety, characteristic value, security
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 穆青
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201910556924.2A
Priority to PCT/CN2020/083742 (WO2020258982A1)
Publication of CN112134719A

Classifications

    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L63/1425 Network security for detecting or protecting against malicious traffic by monitoring network traffic: traffic logging, e.g. anomaly detection
    • H04L65/40 Network arrangements, protocols or services for supporting real-time applications: support for services or applications
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The embodiment of the invention discloses a method and a system for analyzing a base station security log, wherein the method comprises the following steps: a data aggregation system caches the security logs reported by the base station in real time into a first data cache system based on a first distributed cluster; a log feature calculation system calculates the feature value of the security log based on a second distributed cluster, and caches the feature value of the security log into a second data cache system; a feature value real-time analysis system analyzes the feature value of the security log in real time based on a streaming computing framework to obtain an analysis result; and a data presentation device displays the analysis result. The embodiment of the invention realizes real-time analysis of the security log reported by the base station in real time, based on the distributed clusters and the streaming computing framework, thereby shortening the time to discover high-risk security problems, greatly reducing the time spent on manual analysis, shortening the problem feedback period, reducing the labor input and improving management efficiency.

Description

Method and system for analyzing base station security log
Technical Field
The embodiments of the present invention relate to, but are not limited to, the field of computers and communications, and more particularly to a method and system for analyzing a security log of a base station.
Background
With the development of 5G wireless network technology, the number of base stations in a wireless access network is increasing, and the requirements for collecting and analyzing the instruction operations, data operations and access security of base stations are becoming more and more important. Traditionally, base station security logs are collected from the base station periodically by a scheduled task; after collection, all security logs are parsed and stored in a warehouse, and manual analysis is carried out only after a fault has occurred. With the development of 5G wireless networks and the Internet of Things, the network scale has expanded greatly, and a large amount of manpower must be invested to handle the thousands of security logs produced in the live network every day.
Disclosure of Invention
The embodiment of the invention provides a method and a system for analyzing a base station security log, which can realize real-time analysis of the base station security log, thereby shortening the time to discover high-risk security problems.
The embodiment of the invention provides a method for analyzing a base station security log, which comprises the following steps:
a data aggregation system caches the security logs reported by the base station in real time into a first data cache system based on a first distributed cluster;
a log feature calculation system calculates the feature value of the security log based on a second distributed cluster, and caches the feature value of the security log into a second data cache system;
a feature value real-time analysis system analyzes the feature value of the security log in real time based on a streaming computing framework to obtain an analysis result;
and a data presentation device displays the analysis result.
The embodiment of the invention provides a system for analyzing a base station security log, which comprises:
a data aggregation system, used to cache the security logs reported by the base station in real time into a first data caching system based on a first distributed cluster;
a log feature calculation system, used to calculate the feature value of the security log based on a second distributed cluster and to cache the feature value of the security log into a second data caching system;
a feature value real-time analysis system, used to analyze the feature value of the security log in real time based on a streaming computing framework to obtain an analysis result;
and a data presentation device, used to display the analysis result.
The embodiment of the invention comprises the following steps: the data aggregation system caches the security logs reported by the base station in real time into the first data cache system based on the first distributed cluster; the log feature calculation system calculates the feature value of the security log based on the second distributed cluster, and caches the feature value of the security log into the second data cache system; the feature value real-time analysis system analyzes the feature value of the security log in real time based on the streaming computing framework to obtain an analysis result; and the data presentation device displays the analysis result. The embodiment of the invention realizes real-time analysis of the security log reported by the base station in real time, based on the distributed clusters and the streaming computing framework, thereby shortening the time to discover high-risk security problems, greatly reducing the time spent on manual analysis, shortening the problem feedback period, reducing the labor input and improving management efficiency.
Additional features and advantages of embodiments of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of embodiments of the invention. The objectives and other advantages of the embodiments of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the examples of the invention serve to explain the principles of the embodiments of the invention and not to limit the embodiments of the invention.
Fig. 1 is a flowchart of a method for analyzing a security log of a base station according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a system for analyzing a security log of a base station according to another embodiment of the present invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be noted that the embodiments and features of the embodiments of the present invention may be arbitrarily combined with each other without conflict.
The steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
Referring to fig. 1, an embodiment of the present invention provides a method for analyzing a security log of a base station, including:
Step 100, the data aggregation system caches the security log reported by the base station in real time into a first data caching system based on the first distributed cluster.
In an embodiment of the present invention, the security log includes one or more records, each record including basic information such as the log type, log level, base station identifier (ID), base station Internet Protocol (IP) address, service name and PID, together with the specific content of the log, such as the source of the security log and the reason it was generated.
For example, one record of a security log is:
45673491238900123 <37>1 2017-12-13T05:42:16.156Z gnb1 g2z7p - 2 - src_ip:192.254.1.100,u:ad,content:login fail
where 45673491238900123 is the unique identifier of the record (i.e. the security log identifier), <37> is the PRI (priority) value, 1 is the version number, 2017-12-13T05:42:16.156Z is the time the record was generated, gnb1 is the host name, g2z7p is the service name, the next field is the PID number (written as "-" when there is no PID), 2 is the event number, the following field is the structured data definition (written as "-" when there is none), and src_ip:192.254.1.100,u:ad,content:login fail is the specific content of the log.
As the above explanation shows, each log record includes the PRI, log version, time, base station identifier (i.e. host name), service name, PID number, event number, structured data and log content.
The log type and log level can be obtained by parsing the PRI value. Different event numbers specify different formats of log content; in this example, event number 2 is a user login failure, and the log content includes three attributes: src_ip is the IP address of the user who logged in, u is the login name used by the user, and content is a description.
In the embodiment of the invention, a parameter modification on the base station or an access login to it generates a security log, and the security log is reported in real time after it is generated.
In one illustrative example, the first data caching system is message middleware and is implemented based on an open source distributed message system Kafka.
In another embodiment of the present invention, the data aggregation system caching the security log in the first data caching system based on the first distributed cluster comprises:
the data aggregation system allocates a security log identifier to the security log based on the first distributed cluster, and caches a first correspondence between the security log identifier and the security log in the first data caching system;
the feature value of the security log comprises the security log identifier;
the method further comprises the following step: a data storage system persistently stores the first correspondence, the feature value of the security log and the analysis result.
In one illustrative example, the first distributed cluster includes an access gateway, a zookeeper and two or more collection servers (Collection-Server); the data aggregation system allocating a security log identifier to the security log based on the first distributed cluster, and caching the first correspondence between the security log identifier and the security log in the first data caching system, includes:
the zookeeper maintains the cluster state of the two or more collection servers, where the cluster state is either joined the cluster or left the cluster;
the access gateway obtains the cluster states of the two or more collection servers from the zookeeper, and distributes the security log to those collection servers, among the two or more, that are in the joined state;
and a collection server in the joined state allocates a security log identifier to the security log, and caches the first correspondence between the security log identifier and the security log in the first data caching system.
Here, the access gateway exposes a uniform access entry point to the base stations.
In one illustrative example, the method further comprises: the zookeeper assigns an identifier to each collection server.
In an illustrative example, the security log identifier is a globally unique identifier of each security log, and may be allocated using Twitter's open-source Snowflake distributed global identifier allocation algorithm.
In one illustrative example, the data storage system comprises two or more data servers and a search server cluster;
the data storage system persistently storing the first correspondence, the feature value of the security log and the analysis result includes:
for each data server, the data server obtains the first correspondence from the first data cache system, obtains the feature value from the second data cache system, and stores the first correspondence and the feature value in the search server cluster;
and the data server obtains the analysis result from the feature value real-time analysis system and stores the analysis result in the search server cluster.
In one illustrative example, the search server cluster is an Elasticsearch (ES) cluster.
In another illustrative example, the data server also maintains the storage time of the first correspondence and of the feature values in the search server cluster.
Step 101, the log feature calculation system calculates a feature value of the security log based on the second distributed cluster, and caches the feature value of the security log in the second data cache system.
In one illustrative example, the second data caching system is message middleware and is implemented based on an open source distributed message system Kafka.
In one illustrative example, the second distributed cluster includes two or more feature calculation servers; the log feature calculation system calculating the feature value of the security log based on the second distributed cluster, and caching the feature value of the security log in the second data cache system, includes:
for each feature calculation server, the feature calculation server calculates a feature value of the security log and caches it in the second data caching system.
In one illustrative example, the feature calculation server calculating the feature value of the security log comprises:
the feature calculation server extracts one or more predefined feature vector values from the security log, and combines the one or more feature vector values into the feature value.
For example, as shown in Table 1, a security log includes the following fields: Id, PRI, Time, Hostname, App-name and MsgId, where Id is the unique identifier of the record, PRI is the priority value, Time is the time of the record, Hostname is the host name, App-name is the service name and MsgId is the event ID;
the feature vectors employed include Id, Facility, Severity, Time, NBId, ServerName and EventId, where Id is the unique identifier of the record, Facility is the facility code, Severity is the severity level, Time is the generation time of the record, NBId is the base station identifier, ServerName is the service name and EventId is the event ID.
Facility and Severity are both calculated from the field PRI, and the other feature vectors are extracted directly from fields of the security log, as shown in Table 1: Facility = PRI >> 3, Severity = PRI & 0x7.
Feature vector   Field in the security log
Id               Id
Facility         PRI>>3
Severity         PRI&0x7
Time             Time
NBId             Hostname
ServerName       App-name
EventId          MsgId
TABLE 1
Extracting the feature vector Id: the Id is the unique identifier allocated to the log record by the data aggregation system, and is extracted as-is without any algorithm;
extracting the feature vector Facility: the Facility is obtained by a bit operation (right shift by 3 bits) on the value of PRI in the log record;
extracting the feature vector Severity: the Severity is obtained by a bit operation (AND with 0x7) on the value of PRI in the log record;
extracting the feature vector Time: the Time is obtained from the Time in the log record;
extracting the feature vector NBId: the NBId is obtained from the Hostname in the log record;
extracting the feature vector ServerName: the ServerName is obtained from the App-name in the log record;
extracting the feature vector EventId: the EventId is obtained from the MsgId in the log record; the MsgId may also carry some internal special marks, which are stripped when the EventId is extracted;
other feature vectors, such as the client IP and the login user name, are obtained from the log content; the log content is in an internally defined normalized format and is applicable to every service module.
In one illustrative example, to associate a feature value with its security log, the security log identifier may be used as one of the feature vectors.
In the embodiment of the invention, different feature calculation servers can adopt the same feature vectors or different feature vectors, so as to meet service requirements flexibly.
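As an added example (not code from the patent or from ZTE), the following Python parses a record in the layout shown above (record identifier followed by an RFC 5424 message) and derives the Table 1 feature vectors together with the content-derived ones. The `key:value,key:value` content parser, the treatment of non-digit characters in MsgId as the internal marks to strip, and the sample record are assumptions.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample record in the layout the patent describes (record id, then an
# RFC 5424 syslog message): id <PRI>VERSION TIME HOSTNAME APP-NAME PROCID MSGID SD MSG
SAMPLE_RECORD = ("45673491238900123 <37>1 2017-12-13T05:42:16.156Z gnb1 g2z7p - 2 - "
                 "src_ip:192.254.1.100,u:ad,content:login fail")

# RFC 5424 severity names, indexed by the severity value (PRI & 0x7).
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Header layout. The record id may be fused to "<PRI>" (as printed in the patent) or
# separated by whitespace. Structured data is "-" or one or more "[...]" elements
# (simplified: no escaped "]" inside an element).
_RECORD_RE = re.compile(
    r"^(?P<id>\d+)\s*<(?P<pri>\d{1,3})>(?P<version>\d)\s+"
    r"(?P<time>\S+)\s+(?P<hostname>\S+)\s+(?P<appname>\S+)\s+"
    r"(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?:\s+(?P<msg>.*))?$"
)


def parse_record(line: str) -> Dict[str, Any]:
    """Split one security log record into its fields; raises ValueError on malformed input."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("record does not match the expected layout")
    pri = int(m.group("pri"))
    if pri > 191:  # RFC 5424: PRI = facility * 8 + severity, facility 0..23, severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    fields: Dict[str, Any] = m.groupdict()
    fields["pri"] = pri
    # "-" is the RFC 5424 NILVALUE for PROCID, MSGID and STRUCTURED-DATA.
    for key in ("procid", "msgid", "sd"):
        if fields[key] == "-":
            fields[key] = None
    fields["msg"] = fields["msg"] or ""
    return fields


def parse_content(msg: str) -> Dict[str, str]:
    """Parse the normalized 'key:value,key:value' log content of the patent's example (assumed format)."""
    out: Dict[str, str] = {}
    for part in msg.split(","):
        if ":" in part:
            key, value = part.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def _event_id(msgid: Optional[str]) -> Optional[int]:
    """EventId from MsgId. The patent says MsgId may carry internal marks that are stripped
    on extraction; here (assumption) every non-digit character is treated as such a mark."""
    if msgid is None:
        return None
    digits = re.sub(r"\D", "", msgid)
    return int(digits) if digits else None


def extract_features(line: str) -> Dict[str, Any]:
    """Build the Table 1 feature value from one record, plus the content-derived vectors."""
    f = parse_record(line)
    content = parse_content(f["msg"])
    severity = f["pri"] & 0x7
    return {
        "Id": f["id"],                      # identifier allocated by the data aggregation system
        "Facility": f["pri"] >> 3,          # Facility = PRI >> 3
        "Severity": severity,               # Severity = PRI & 0x7
        "SeverityName": SEVERITY_NAMES[severity],
        "Time": f["time"],
        "NBId": f["hostname"],              # base station identifier (host name)
        "ServerName": f["appname"],         # service / program module name
        "EventId": _event_id(f["msgid"]),
        "ClientIp": content.get("src_ip"),  # vectors taken from the log content
        "User": content.get("u"),
        "Content": content.get("content"),
    }


if __name__ == "__main__":
    print(extract_features(SAMPLE_RECORD))
```

For the sample record PRI 37 yields Facility 4 and Severity 5 (Notice), which is how the log type and level are read from PRI in step 100.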
Step 102, the feature value real-time analysis system analyzes the feature value of the security log in real time based on a streaming computing framework to obtain an analysis result.
In the embodiment of the invention, the feature vector Facility carries the type of the program that generated the log, Severity carries the severity level of the log record, and ServerName carries the program module of the base station that generated the security log, so a score for the log record can be calculated by a predefined scoring algorithm over Facility, Severity and ServerName, and the score is used to evaluate whether the log reflects a serious security problem in a main program module;
the feature vector NBId carries the base station identity, so the base station on which the security problem arose can be identified.
In an illustrative example, the streaming computing framework may be the JStorm streaming computing framework: a topology is defined according to the service scenario and deployed to the JStorm cluster; the topology analyzes the feature values, sends the analysis result to the data presentation device for presentation, and stores the analysis result in the data storage system.
Here, a Topology is a program running on the JStorm cluster, that is, a data-stream transformation graph, which defines how data is collected, computed and distributed.
In an illustrative example, a defined topology may include, but is not limited to, one or more of the following scenarios:
n base stations with the largest number of characteristic values meeting a first preset condition;
the number of the characteristic values meeting a second preset condition within a preset time;
and the safety log meets a third preset condition.
Step 103, the data presentation device displays the analysis result.
In another embodiment of the present invention, the method further comprises: the base station reports the security log in real time.
In the embodiment of the present invention, the message carrying the security log reported by the base station may conform to any protocol definition, for example the RFC 5424 protocol.
In another embodiment of the present invention, the method further comprises:
the data presentation device searches the data storage system for the first correspondence and the feature value of the security log that correspond to the analysis result, associates the found first correspondence with the feature value of the security log to obtain a second correspondence among the analysis result, the found first correspondence and the feature value of the security log, and displays the second correspondence;
or, the data presentation device searches the data storage system for the first correspondence and the feature value of the security log that correspond to a search instruction entered by a user, associates the found first correspondence with the feature value of the security log to obtain a second correspondence among the found analysis result, the first correspondence and the feature value of the security log, and displays the second correspondence.
Specifically, the search may be performed on the security log identifier.
The embodiment of the invention realizes the real-time analysis of the safety log reported by the base station in real time based on the distributed cluster and the streaming computing framework, thereby shortening the discovery time of high-risk safety problems, greatly reducing the time of manual analysis, shortening the problem feedback period, reducing the labor input and improving the management efficiency.
The following examples are provided to illustrate specific implementations of the above method and are not intended to limit the scope of the embodiments of the present invention.
Example 1
In this example, the number of security logs of the service at the Warning level and above is counted, and the top 20 base stations are displayed.
First, the feature value is defined to include the following feature vector values: Id, Facility, Severity, Time, NBId and ServerName; the correspondence between these feature vectors and the fields in the security log is shown in Table 2.
Feature vector   Field in the security log
Id               Id
Facility         PRI>>3
Severity         PRI&0x7
Time             Time
NBId             Hostname
ServerName       App-name
TABLE 2
To count the security logs at the Warning level and above, the 8 values that the feature vector Severity can take, shown in Table 3, are needed; they follow from the definition in the RFC 5424 protocol, to which the security logs conform.
Severity value   Level (RFC 5424)
0                Emergency
1                Alert
2                Critical
3                Error
4                Warning
5                Notice
6                Informational
7                Debug
TABLE 3
As shown in Table 3, the value of Warning is 4, and the values at Warning and above are 0, 1, 2, 3 and 4, five values in total. Because the base stations are ranked, the security logs must be counted per base station, using the unique base station ID carried by the feature vector NBId: for the feature values with the same NBId, the number of security logs whose feature vector Severity is 0, 1, 2, 3 or 4 is counted every 30 minutes, and the top 20 base stations of each calculation are sent to the data presentation device for display.
Example 2
In this example, the number of base station logins within a 5-minute window is counted.
First, the feature value is defined to include the feature vector values whose correspondence to the fields in the security log is shown in Table 1 (Id, Facility, Severity, Time, NBId, ServerName and EventId).
To count base station logins in a 5-minute window, the field that marks a base station login must first be determined; for example, the msgId of a login event in the security log is defined as 1, so the value of the feature vector EventId must be 1. That is, for the feature values with the same NBId, the number of security logs whose feature vector EventId is 1 is counted, and the data presentation device displays the number of logins per base station in 5 minutes (i.e. the number of security logs whose feature vector EventId is 1).
Example 3
In this example, the security logs whose Severity is Critical are obtained.
First, the feature value is defined to include the following feature vector values: Id, Facility, Severity, Time, NBId and ServerName; the correspondence between these feature vectors and the fields in the security log is shown in Table 2.
To obtain the Critical-level security logs, the feature vector Severity is used; according to the definition in the RFC 5424 protocol, to which the security logs conform, Severity can take the 8 values shown in Table 3.
As shown in Table 3, the value of Critical is 2. Because statistics are kept per base station, the security logs are handled per base station using the unique base station ID carried by the feature vector NBId: for the feature values with the same NBId, the feature values whose feature vector Severity is 2 are obtained, the corresponding security logs are retrieved using the security log identifiers in those feature values, and the retrieved security logs are sent to the data presentation device for display.
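The three topologies of Examples 1 to 3, as an added Python example that is not part of the patent or of any ZTE implementation: each function consumes a stream of Table 1 feature values and returns what the data presentation device would display. The tumbling windows aligned to UTC, the constructed feature values, and msgId 1 as the login event (taken from Example 2) are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterable, List, Tuple

# RFC 5424 severity values used by the three examples (Table 3).
SEVERITY_CRITICAL = 2
SEVERITY_WARNING = 4
LOGIN_EVENT_ID = 1  # Example 2 defines the msgId of a login event as 1 (assumption)

# Constructed feature values in the Table 1 layout for three base stations, as they
# would be read from the second data cache system. Not data from the patent.
SAMPLE_FEATURES: List[Dict[str, Any]] = [
    {"Id": "1", "Facility": 4, "Severity": 5, "Time": "2017-12-13T05:42:16.156Z", "NBId": "gnb1", "ServerName": "g2z7p", "EventId": 1},
    {"Id": "2", "Facility": 4, "Severity": 4, "Time": "2017-12-13T05:43:00.000Z", "NBId": "gnb1", "ServerName": "g2z7p", "EventId": 2},
    {"Id": "3", "Facility": 4, "Severity": 2, "Time": "2017-12-13T05:44:10.000Z", "NBId": "gnb2", "ServerName": "g2z7p", "EventId": 2},
    {"Id": "4", "Facility": 4, "Severity": 4, "Time": "2017-12-13T05:45:30.000Z", "NBId": "gnb2", "ServerName": "g2z7p", "EventId": 2},
    {"Id": "5", "Facility": 4, "Severity": 4, "Time": "2017-12-13T05:46:00.000Z", "NBId": "gnb2", "ServerName": "g2z7p", "EventId": 2},
    {"Id": "6", "Facility": 4, "Severity": 6, "Time": "2017-12-13T05:47:00.000Z", "NBId": "gnb3", "ServerName": "g2z7p", "EventId": 1},
    {"Id": "7", "Facility": 4, "Severity": 1, "Time": "2017-12-13T06:05:00.000Z", "NBId": "gnb1", "ServerName": "g2z7p", "EventId": 2},
    {"Id": "8", "Facility": 4, "Severity": 5, "Time": "2017-12-13T05:48:20.000Z", "NBId": "gnb1", "ServerName": "g2z7p", "EventId": 1},
]


def window_start(time_str: str, window: timedelta) -> str:
    """Tumbling-window key: ISO 8601 start (UTC) of the window containing time_str.
    Integer arithmetic on the epoch second avoids floating-point drift at window edges."""
    dt = datetime.fromisoformat(time_str.replace("Z", "+00:00"))
    secs = int(window.total_seconds())
    start = int(dt.timestamp()) // secs * secs
    return datetime.fromtimestamp(start, tz=timezone.utc).isoformat()


def top_n_base_stations(features: Iterable[Dict[str, Any]],
                        window: timedelta = timedelta(minutes=30),
                        n: int = 20,
                        max_severity: int = SEVERITY_WARNING) -> Dict[str, List[Tuple[str, int]]]:
    """Example 1: per 30-minute window, count logs at Warning level and above
    (Severity 0..4, i.e. numerically <= 4) per NBId and keep the top n base stations."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for fv in features:
        if fv["Severity"] <= max_severity:
            counts[window_start(fv["Time"], window)][fv["NBId"]] += 1
    return {w: c.most_common(n) for w, c in counts.items()}


def login_counts(features: Iterable[Dict[str, Any]],
                 window: timedelta = timedelta(minutes=5)) -> Dict[str, Dict[str, int]]:
    """Example 2: number of login events (EventId == 1) per base station in each 5-minute window."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for fv in features:
        if fv["EventId"] == LOGIN_EVENT_ID:
            counts[window_start(fv["Time"], window)][fv["NBId"]] += 1
    return {w: dict(c) for w, c in counts.items()}


def critical_log_ids(features: Iterable[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Example 3: (NBId, Id) of every Critical feature value. Id is the security log
    identifier with which the full record is fetched from the first correspondence."""
    return [(fv["NBId"], fv["Id"]) for fv in features if fv["Severity"] == SEVERITY_CRITICAL]


if __name__ == "__main__":
    print(top_n_base_stations(SAMPLE_FEATURES, n=2))
    print(login_counts(SAMPLE_FEATURES))
    print(critical_log_ids(SAMPLE_FEATURES))
```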
Referring to fig. 2, another embodiment of the present invention provides a system for analyzing a security log of a base station, including:
the data aggregation system 201 is configured to cache, based on the first distributed cluster 2011, the security log reported in real time by the base station in the first data caching system 202;
the log feature calculation system 203 is configured to calculate a feature value of the security log based on the second distributed cluster 2031, and cache the feature value of the security log in the second data cache system 204;
the characteristic value real-time analysis system 205 is configured to analyze the characteristic value of the security log in real time based on the streaming computation framework 2051 to obtain an analysis result;
and a data presentation device 206 for displaying the analysis result.
In another embodiment of the present invention, the system further comprises: a base station 207 for reporting the security log in real time.
In this embodiment of the present invention, the data aggregation system 201 is specifically configured to:
allocating a security log identifier to the security log based on a first distributed cluster 2011, and caching a first corresponding relationship between the security log identifier and the security log in the first data caching system;
the characteristic value of the security log comprises the security log identification;
the system further comprises:
and the data storage system 208 is configured to perform persistent storage on the first corresponding relationship, the feature value of the security log, and the analysis result.
In this embodiment of the present invention, the data presentation device 206 is further configured to:
searching the first corresponding relation corresponding to the analysis result and the characteristic value of the safety log in the data storage system, associating the searched first corresponding relation with the characteristic value of the safety log to obtain a second corresponding relation among the analysis result, the searched first corresponding relation and the characteristic value of the safety log, and displaying the second corresponding relation;
or searching the first corresponding relation corresponding to a search instruction input by a user and the characteristic value of the safety log in the data storage system, associating the searched first corresponding relation with the characteristic value of the safety log to obtain a second corresponding relation among the searched analysis result, the first corresponding relation and the characteristic value of the safety log, and displaying the second corresponding relation.
In this embodiment of the present invention, the first distributed cluster 2011 includes an access gateway 2012, a zookeeper 2013 and two or more collection servers 2014;
the zookeeper 2013 is used to maintain the cluster state of the two or more collection servers, where the cluster state is either joined the cluster or left the cluster;
the access gateway 2012 is configured to obtain the cluster states of the two or more collection servers from the zookeeper, and to distribute the security log to those collection servers, among the two or more, that are in the joined state;
the collection server 2014 in the joined state is configured to allocate a security log identifier to the security log, and to cache the first correspondence between the security log identifier and the security log in the first data caching system.
In an embodiment of the present invention, the data storage system 208 includes: two or more data servers 2081 and a search server cluster 2082;
each data server 2081 is configured to obtain the first correspondence from the first data cache system, obtain the feature value from the second data cache system, determine the second correspondence from the first correspondence and the feature value, and store the second correspondence in the search server cluster 2082;
each data server 2081 is further configured to obtain the analysis result from the feature value real-time analysis system 201 and to store the analysis result in the search server cluster 2082.
In this embodiment of the present invention, the second distributed cluster 2021 includes: two or more feature computation servers 2022;
the feature calculation server 2022 is configured to calculate a feature value of the security log, and cache the feature value of the security log in the second data cache system.
In this embodiment of the present invention, the feature calculation server 2022 is specifically configured to calculate the feature value of the security log by using the following method:
one or more predefined feature vector values are extracted from the security log, the one or more feature vector values being combined into the feature value.
In an exemplary example, the streaming computing framework may be the JStorm streaming computing framework: a topology is defined according to the service scenario and deployed to the JStorm cluster; the topology analyzes the feature values, sends the analysis result to the data presentation device for display, and stores the analysis result in the data storage system.
In an illustrative example, a defined topology may include, but is not limited to, one or more of the following scenarios:
the n base stations with the largest number of feature values meeting a first preset condition;
the number of feature values meeting a second preset condition within a preset time;
and the security logs meeting a third preset condition.
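As an added example (not code from the patent or from ZTE), the following Python models the roles described above in a single process: identifier allocation (the first correspondence), feature value computation from predefined log fields, the three topology scenarios just listed, and the join back to the raw log that the data presentation device performs (the second correspondence). The log format, field names, identifier scheme and the three conditions are assumptions made for illustration.

```python
"""Added example (not the patent's or ZTE's code): a single-process model of the
pipeline described above, run over constructed security log lines. The log
format, the field names and the three "preset conditions" are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of base station security logs (not real data).
RAW_LOGS = [
    "bs=BS001 ts=2019-06-25T10:00:01 event=login src=10.0.0.5 result=fail",
    "bs=BS001 ts=2019-06-25T10:00:02 event=login src=10.0.0.5 result=fail",
    "bs=BS001 ts=2019-06-25T10:00:03 event=login src=10.0.0.5 result=fail",
    "bs=BS002 ts=2019-06-25T10:00:04 event=login src=10.0.0.7 result=ok",
    "bs=BS002 ts=2019-06-25T10:00:05 event=login src=10.0.0.5 result=fail",
    "bs=BS003 ts=2019-06-25T10:00:06 event=config_change src=10.0.0.9 result=ok",
    "bs=BS003 ts=2019-06-25T10:02:30 event=login src=10.0.0.5 result=fail",
    "bs=BS002 ts=2019-06-25T10:03:00 event=login src=10.0.0.7 result=fail",
]

def assign_log_ids(raw_logs):
    """Acquisition server role: allocate a security log identifier to each log.
    The returned dict is the first correspondence (identifier -> raw log)."""
    return {f"LOG-{i:06d}": log for i, log in enumerate(raw_logs, start=1)}

def compute_feature_value(log_id, log):
    """Feature calculation server role: extract predefined feature vector values
    (key=value fields) and combine them, with the identifier, into one feature value."""
    fields = dict(kv.split("=", 1) for kv in log.split())
    return {
        "log_id": log_id,
        "bs": fields["bs"],
        "ts": datetime.fromisoformat(fields["ts"]),
        "event": fields["event"],
        "src": fields["src"],
        "result": fields["result"],
    }

def top_n_base_stations(features, n, cond):
    """Scenario 1: the n base stations with the most feature values meeting cond."""
    return Counter(f["bs"] for f in features if cond(f)).most_common(n)

def count_in_window(features, cond, end, window):
    """Scenario 2: number of feature values meeting cond in the preset time window."""
    start = end - window
    return sum(1 for f in features if cond(f) and start <= f["ts"] <= end)

def matching_logs(features, cond):
    """Scenario 3: identifiers of the security logs meeting cond."""
    return [f["log_id"] for f in features if cond(f)]

def present(log_ids, first_corr, features_by_id):
    """Data presentation role: join each identifier in an analysis result with its
    first correspondence and feature value, giving the second correspondence."""
    return [(lid, first_corr[lid], features_by_id[lid]) for lid in log_ids]

def run_pipeline(raw_logs=RAW_LOGS):
    """Walk the roles in one process and return the analysis results."""
    first_corr = assign_log_ids(raw_logs)                   # first data cache
    features_by_id = {lid: compute_feature_value(lid, log)  # second data cache
                      for lid, log in first_corr.items()}
    feats = list(features_by_id.values())
    # Assumed stand-ins for the patent's first, second and third preset conditions.
    failed_login = lambda f: f["event"] == "login" and f["result"] == "fail"
    config_change = lambda f: f["event"] == "config_change"
    end = datetime(2019, 6, 25, 10, 1, 0)
    results = {
        "top_n": top_n_base_stations(feats, 2, failed_login),
        "window_count": count_in_window(feats, failed_login, end, timedelta(seconds=60)),
        "matching": matching_logs(feats, config_change),
    }
    results["second_corr"] = present(results["matching"], first_corr, features_by_id)
    return results
```

Calling `run_pipeline()` on the constructed sample ranks BS001 and BS002 as the two stations with the most failed logins, counts four failed logins in the one-minute window ending 10:01:00, and resolves the single configuration-change log back to its raw line through the identifier.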
The specific implementation process of the system for analyzing the base station security log is the same as that of the method for analyzing the base station security log in the foregoing embodiment, and is not described herein again.
The embodiment of the invention performs real-time analysis, based on distributed clusters and a streaming computing framework, of the security logs that base stations report in real time. This shortens the time to discover high-risk security problems, greatly reduces the time spent on manual analysis, shortens the problem feedback cycle, reduces labor input and improves management efficiency.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Although the embodiments of the present invention have been described above, the descriptions are only used for understanding the embodiments of the present invention, and are not intended to limit the embodiments of the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the embodiments of the invention as defined by the appended claims.

Claims (16)

1. A method of analyzing a base station security log, comprising:
a data aggregation system caching, based on a first distributed cluster, the security log reported in real time by a base station into a first data cache system;
a log feature calculation system calculating, based on a second distributed cluster, a feature value of the security log and caching the feature value of the security log into a second data cache system;
a feature value real-time analysis system analyzing the feature value of the security log in real time based on a streaming computing framework to obtain an analysis result;
and a data presentation device displaying the analysis result.
2. The method of claim 1, further comprising:
the base station reporting the security log in real time.
3. The method of claim 1, wherein the data aggregation system caching the security log into the first data cache system based on the first distributed cluster comprises:
the data aggregation system allocating a security log identifier to the security log based on the first distributed cluster, and caching a first correspondence between the security log identifier and the security log in the first data cache system;
wherein the feature value of the security log comprises the security log identifier;
the method further comprising:
a data storage system persistently storing the first correspondence, the feature value of the security log and the analysis result.
4. The method of claim 3, further comprising:
the data presentation device searching the data storage system for the first correspondence that matches the analysis result and the feature value of the security log, associating the found first correspondence with the feature value of the security log to obtain a second correspondence among the analysis result, the found first correspondence and the feature value of the security log, and displaying the second correspondence;
or, the data presentation device searching the data storage system for the first correspondence that matches a search instruction entered by a user and the feature value of the security log, associating the found first correspondence with the feature value of the security log to obtain a second correspondence among the found analysis result, the first correspondence and the feature value of the security log, and displaying the second correspondence.
5. The method of claim 3, wherein the first distributed cluster comprises: an access gateway, a zookeeper and two or more acquisition servers; and the data aggregation system allocating a security log identifier to the security log based on the first distributed cluster, and caching a first correspondence between the security log identifier and the security log in the first data cache system, comprises:
the zookeeper maintaining the cluster states of the two or more acquisition servers, wherein the cluster state is either a logged-in cluster state or an exited cluster state;
the access gateway obtaining the cluster states of the two or more acquisition servers from the zookeeper, and distributing the security log to an acquisition server, among the two or more acquisition servers, that is in the logged-in cluster state;
and the acquisition server in the logged-in cluster state allocating a security log identifier to the security log, and caching the first correspondence between the security log identifier and the security log in the first data cache system.
6. The method of claim 3, wherein the data storage system comprises: two or more data servers and a search server cluster;
and the data storage system persistently storing the security log, the feature value of the security log and the analysis result comprises:
for each data server, the data server obtaining the first correspondence from the first data cache system, obtaining the feature value from the second data cache system, determining the second correspondence from the first correspondence and the feature value, and storing the second correspondence into the search server cluster;
and the data server obtaining the analysis result from the feature value real-time analysis system and storing the analysis result into the search server cluster.
7. The method of claim 1, wherein the second distributed cluster comprises: two or more feature computation servers; the log feature calculation system calculates a feature value of the security log based on the second distributed cluster, and caches the feature value of the security log in the second data cache system, including:
for each feature calculation server, the feature calculation server calculates a feature value of the security log and caches the feature value of the security log in the second data caching system.
8. The method of claim 7, wherein the computing the feature value of the security log by the feature computation server comprises:
the feature computation server extracts one or more pre-defined feature vector values from the security log, combining the one or more feature vector values into the feature value.
9. A system for analyzing a base station security log, comprising:
a data aggregation system, configured to cache, based on a first distributed cluster, the security log reported in real time by a base station into a first data cache system;
a log feature calculation system, configured to calculate a feature value of the security log based on a second distributed cluster and to cache the feature value of the security log into a second data cache system;
a feature value real-time analysis system, configured to analyze the feature value of the security log in real time based on a streaming computing framework to obtain an analysis result;
and a data presentation device, configured to display the analysis result.
10. The system of claim 9, further comprising:
the base station, configured to report the security log in real time.
11. The system of claim 9, wherein the data aggregation system is specifically configured to:
allocate a security log identifier to the security log based on the first distributed cluster, and cache a first correspondence between the security log identifier and the security log in the first data cache system;
wherein the feature value of the security log comprises the security log identifier;
and the system further comprises:
a data storage system, configured to persistently store the first correspondence, the feature value of the security log and the analysis result.
12. The system of claim 11, wherein the data presentation device is further configured to:
search the data storage system for the first correspondence that matches the analysis result and the feature value of the security log, associate the found first correspondence with the feature value of the security log to obtain a second correspondence among the analysis result, the found first correspondence and the feature value of the security log, and display the second correspondence;
or search the data storage system for the first correspondence that matches a search instruction entered by a user and the feature value of the security log, associate the found first correspondence with the feature value of the security log to obtain a second correspondence among the found analysis result, the first correspondence and the feature value of the security log, and display the second correspondence.
13. The system of claim 11, wherein the first distributed cluster comprises: an access gateway, a zookeeper and two or more acquisition servers;
the zookeeper is configured to maintain the cluster states of the two or more acquisition servers, wherein the cluster state is either a logged-in cluster state or an exited cluster state;
the access gateway is configured to obtain the cluster states of the two or more acquisition servers from the zookeeper, and to distribute the security log to an acquisition server, among the two or more acquisition servers, that is in the logged-in cluster state;
and the acquisition server in the logged-in cluster state is configured to allocate a security log identifier to the security log and to cache the first correspondence between the security log identifier and the security log into the first data cache system.
14. The system of claim 11, wherein the data storage system comprises: two or more data servers and a search server cluster;
each data server is configured to obtain the first correspondence from the first data cache system, obtain the feature value from the second data cache system, determine the second correspondence from the first correspondence and the feature value, and store the second correspondence in the search server cluster;
and to obtain the analysis result from the feature value real-time analysis system and store the analysis result into the search server cluster.
15. The system of claim 9, wherein the second distributed cluster comprises: two or more feature calculation servers;
each feature calculation server is configured to calculate the feature value of the security log and to cache the feature value of the security log into the second data cache system.
16. The system of claim 15, wherein the feature computation server is specifically configured to implement computing the feature value of the security log by:
one or more predefined feature vector values are extracted from the security log, the one or more feature vector values being combined into the feature value.
CN201910556924.2A 2019-06-25 2019-06-25 Method and system for analyzing base station security log Pending CN112134719A (en)

Publications (1)

Publication Number Publication Date
CN112134719A true CN112134719A (en) 2020-12-25

Family

ID=73850153

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910556924.2A Pending CN112134719A (en) 2019-06-25 2019-06-25 Method and system for analyzing base station security log

Country Status (2)

Country Link
CN (1) CN112134719A (en)
WO (1) WO2020258982A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112463772A (en) * 2021-02-02 2021-03-09 北京信安世纪科技股份有限公司 Log processing method and device, log server and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113792340B (en) * 2021-09-09 2023-09-05 烽火通信科技股份有限公司 Method and device for auditing logical logs of database
CN114860774A (en) * 2022-05-19 2022-08-05 宁波奥克斯电气股份有限公司 Big data real-time analysis method and system of air conditioner, storage medium and air conditioner

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103838867A (en) * 2014-03-20 2014-06-04 网宿科技股份有限公司 Log processing method and device
US20160094620A1 (en) * 2014-09-26 2016-03-31 Lenovo Enterprise Solutions (Singapore) Pte, Ltd. Scalable logging control for distributed network devices
CN107622084A (en) * 2017-08-10 2018-01-23 深圳前海微众银行股份有限公司 Blog management method, system and computer-readable recording medium
CN107786565A (en) * 2017-11-02 2018-03-09 江苏物联网研究发展中心 A kind of distributed real-time intrusion detection method and detecting system
CN108647139A (en) * 2018-03-19 2018-10-12 北京趣拿软件科技有限公司 Test method, device, storage medium and the electronic device of system
CN108985981A (en) * 2018-06-28 2018-12-11 北京奇虎科技有限公司 Data processing system and method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10210115B2 (en) * 2015-06-02 2019-02-19 Box, Inc. System for handling event messages for file collaboration
US10560544B2 (en) * 2015-08-25 2020-02-11 Box, Inc. Data caching in a collaborative file sharing system
CN105224445B (en) * 2015-10-28 2017-02-15 北京汇商融通信息技术有限公司 Distributed tracking system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103838867A (en) * 2014-03-20 2014-06-04 网宿科技股份有限公司 Log processing method and device
US20160094620A1 (en) * 2014-09-26 2016-03-31 Lenovo Enterprise Solutions (Singapore) Pte, Ltd. Scalable logging control for distributed network devices
CN107622084A (en) * 2017-08-10 2018-01-23 深圳前海微众银行股份有限公司 Blog management method, system and computer-readable recording medium
CN107786565A (en) * 2017-11-02 2018-03-09 江苏物联网研究发展中心 A kind of distributed real-time intrusion detection method and detecting system
CN108647139A (en) * 2018-03-19 2018-10-12 北京趣拿软件科技有限公司 Test method, device, storage medium and the electronic device of system
CN108985981A (en) * 2018-06-28 2018-12-11 北京奇虎科技有限公司 Data processing system and method

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112463772A (en) * 2021-02-02 2021-03-09 北京信安世纪科技股份有限公司 Log processing method and device, log server and storage medium

Also Published As

Publication number Publication date
WO2020258982A1 (en) 2020-12-30

Similar Documents

Publication Publication Date Title
US11641319B2 (en) Network health data aggregation service
US20210119890A1 (en) Visualization of network health information
US10560465B2 (en) Real time anomaly detection for data streams
US10243820B2 (en) Filtering network health information based on customer impact
AU2019201687B2 (en) Network device vulnerability prediction
US10911263B2 (en) Programmatic interfaces for network health information
US10592666B2 (en) Detecting anomalous entities
US9379949B2 (en) System and method for improved end-user experience by proactive management of an enterprise network
US20150039749A1 (en) Detecting traffic anomalies based on application-aware rolling baseline aggregates
US20160359701A1 (en) Parallel coordinate charts for flow exploration
US10805163B2 (en) Identifying device types based on behavior attributes
CN109684052B (en) Transaction analysis method, device, equipment and storage medium
CN112134719A (en) Method and system for analyzing base station security log
US8533279B2 (en) Method and system for reconstructing transactions in a communication network
CN107092686B (en) File management method and device based on cloud storage platform
CN104486116A (en) Multidimensional query method and multidimensional query system of flow data
CN111258798A (en) Fault positioning method and device for monitoring data, computer equipment and storage medium
CN113505048A (en) Unified monitoring platform based on application system portrait and implementation method
US20170235785A1 (en) Systems and Methods for Robust, Incremental Data Ingest of Communications Networks Topology
CN111275495A (en) Advertisement putting monitoring method, device and system based on block chain
CN110677327A (en) Chip-based real-time detection method for RTP flow fault
CN113297253A (en) Equipment identification method, device, equipment and readable storage medium
CN108337100B (en) Cloud platform monitoring method and device
CN111338888A (en) Data statistical method and device, electronic equipment and storage medium
CN103414593A (en) Trans-disciplinary engineering network element cascading shielding system and shielding method based on network resources

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20201225