CN113496031A - Enhanced analysis method, device, equipment and storage medium based on log security audit

Info

Publication number: CN113496031A
Application number: CN202010202538.6A
Authority: CN (China)
Prior art keywords: log, data, security audit, based security, various types
Legal status: Granted; current status Active (as listed by Google Patents, which states that the listed status is an assumption and not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN113496031B (en)
Inventors: 余江, 王洪波, 张三海, 陈倩倩
Current assignee: Tols Tianxiang Net An Information Technology Co ltd
Original assignee: Tols Tianxiang Net An Information Technology Co ltd
Events: application filed by Tols Tianxiang Net An Information Technology Co ltd; priority to CN202010202538.6A; publication of CN113496031A; application granted; publication of CN113496031B; anticipated expiration

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING (parent of every entry below)
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F16/182 Distributed file systems (under G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/10 File systems; File servers > G06F16/18 File system types)
    • G06F16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors (under G06F16/00 > G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/21 Design, administration or maintenance of databases)
    • G06F16/2471 Distributed queries (under G06F16/20 > G06F16/24 Querying > G06F16/245 Query processing > G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries)
    • G06F16/254 Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses (under G06F16/20 > G06F16/25 Integrating or interfacing systems involving database management systems)
    • G06F16/284 Relational databases (under G06F16/20 > G06F16/28 Databases characterised by their database models, e.g. relational or object models)

Abstract

The application discloses a log security audit enhancement analysis method, device, equipment and storage medium. The method comprises: calling a first big data component to collect various types of data and clean them; and calling a second big data component to analyze the cleaned data and display the result according to an alarm threshold obtained in advance by machine learning. The embodiment of the application can simplify a complex log analysis model, fit real-world operational and business requirements more closely, perform calculation processing efficiently, support PB-scale data, and is highly stable.

Description

Enhanced analysis method, device, equipment and storage medium based on log security audit
Technical Field
The invention relates to the technical field of information security, and in particular to a log security audit enhancement analysis method, device, equipment and storage medium based on multidimensional track analysis of users' daily business-system operations. It draws on big data analysis, artificial intelligence, a natural language processing engine based on deep learning, and full-stack NLP capability.
The method adopts big data processing technology, mainly stream computing, distributed search engines and natural language understanding, to store and access mass data and unstructured data that a traditional database cannot handle.
Background
As governments, enterprises, public institutions and other organizations become more informatized, their dependence on information systems grows. How to secure those information systems is therefore an important issue that every unit has to face.
Current security audit systems analyze and discover illegal operation and misuse of application systems by collecting the historical access operation logs of each application system, and provide a mechanism for after-the-fact review when security events such as information leakage occur. However, as application log volume increases and the data related to application logs expands, log analysis models close to real-world operations and business become more and more complex, and security audit systems fall short in support capacity, stability and calculation efficiency.
Disclosure of Invention
In view of the above defects or shortcomings in the prior art, it is desirable to provide a log security audit-based enhanced analysis method, device, equipment and storage medium that can simplify a complex log analysis model, better meet real-world operational and business requirements, perform calculation processing efficiently, support PB-scale data, and have high stability.
In a first aspect, the present application provides a log-based security audit enhancement analysis method, including:
calling a first big data component to collect various types of data and cleaning the various types of data;
and calling a second big data component to analyze the cleaned data and display the result according to the alarm threshold obtained by machine learning in advance.
Optionally, the alarm threshold is learned by:
acquiring historical access operation logs of a user in a preset period, and respectively extracting operation times in the same preset time period from the historical access operation logs;
and calculating the average value of the operation times in the same preset time period to be used as an alarm threshold corresponding to the preset time period.
Optionally, the various types of data include an application log, a database log, and a traffic log.
Optionally, when the application log is missing, the HTTP protocol data in the traffic log is extracted, and the application log corresponding to the traffic log is generated from that HTTP data.
In a second aspect, the present application provides an enhanced analysis apparatus based on log security audit, the apparatus comprising:
the data acquisition module is configured to call the first big data assembly to acquire various types of data and clean the various types of data;
and the data analysis module is configured for calling the second big data component to analyze the cleaned data and display the result according to the alarm threshold value obtained by machine learning in advance.
Optionally, the data analysis module further comprises:
the device comprises an extraction unit, a storage unit and a processing unit, wherein the extraction unit is configured to acquire a historical access operation log of a user in a preset period and respectively extract operation times of the same preset time period from the historical access operation log;
and the calculating unit is configured to calculate the average value of the operation times in the same preset time period and is used as an alarm threshold corresponding to the preset time period.
Optionally, the various types of data include an application log, a database log, and a traffic log.
Optionally, the data acquisition module further comprises:
and a generating unit configured to extract the HTTP protocol data in the traffic log when the application log is missing, and to generate the application log corresponding to the traffic log from that HTTP data.
In a third aspect, the present application provides an apparatus comprising:
one or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the log-based security audit enhancement analysis method of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium having stored thereon a computer program for implementing the steps of the log-based security audit enhancement analysis method according to the first aspect.
In summary, according to the enhanced analysis method, device, equipment and storage medium based on log security audit provided by the embodiment of the application, various types of data are collected by calling the first big data component and cleaned; then the second big data component is called to analyze the cleaned data and display the result according to the alarm threshold obtained in advance by machine learning. Based on this, the embodiment of the application can simplify a complex log analysis model, fit real-world operational and business requirements more closely, perform calculation processing efficiently, support PB-scale data, and is highly stable.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 is a schematic basic flowchart of an enhanced analysis method based on log security audit according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of an overall architecture of a log security audit system according to an embodiment of the present application;
fig. 3 is a schematic diagram of a deployment architecture of a log security audit system according to an embodiment of the present application;
fig. 4 is a schematic diagram of a basic structure of an enhanced analysis apparatus based on log security audit according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of another enhanced analysis apparatus based on log security audit according to an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of another enhanced analysis apparatus based on log security audit according to an embodiment of the present application;
fig. 7 is a computer system according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described are capable of operation in sequences other than those illustrated or otherwise described herein.
Moreover, the terms "comprises," "comprising," and any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules explicitly listed, but may include other steps or modules not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
For convenience of understanding and explanation, the log-based security audit enhancement analysis method, apparatus, device and storage medium provided by the embodiments of the present application are explained in detail in fig. 1 to 7.
Please refer to fig. 1, which is a schematic diagram illustrating a basic flow of a log-based security audit enhancement analysis method according to an embodiment of the present application, where the method includes the following steps:
and S101, calling a first big data assembly to collect various types of data and cleaning the various types of data.
It should be noted that the various types of data in the embodiments of the present application include an application log, a database log, and a traffic log. When the application log is missing, the HTTP protocol data in the traffic log is extracted and the application log corresponding to the traffic log is generated from it, so that many different service systems are supported and log collection is diversified.
For example, fig. 2 is a schematic diagram of the overall architecture of a log security audit system provided in an embodiment of the present application. In the embodiment of the application, a Flume component collects database logs, traffic logs and application logs respectively, and an ETL (Extract/Transform/Load) component cleans the various types of collected data and generates a usable output data set. The data sets are then written to HDFS (Hadoop Distributed File System) and Kafka for storage and computation. Since the application logs of different service systems have different formats, the application logs need to be standardized. Optionally, the application log is also saved to an Oracle database for backup.
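The collection and cleaning step S101 above, together with the two points just made (application logs of different service systems arrive in different formats and must be standardized; when a service system has no application log, one is rebuilt from the HTTP layer of its traffic log), as an added example in Python. This is not the patent's or the assignee's code: the log lines, the field names of the normalized record, the three system names and the traffic-log layout are all constructed for the illustration.

```python
"""Added example (not from the patent): normalise heterogeneous log sources into
one application-log schema, and synthesise application-log records from the HTTP
layer of a traffic log when the application log is missing. Every input line,
system name and field name below is constructed for the illustration."""
import json
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class AppLogRecord:
    ts: str          # ISO-8601 UTC timestamp
    user: str        # operating user
    system: str      # which service system the record belongs to
    operation: str   # e.g. "GET /orders"
    source: str      # "app" (real application log) or "traffic" (rebuilt from HTTP)


# Format 1 (constructed): pipe-delimited application log of "system-A"
SYSTEM_A_LINES = [
    "2024-03-04T09:15:02Z|alice|GET /orders",
    "2024-03-04T09:15:02Z|alice|GET /orders",   # exact duplicate, removed by cleaning
    "2024-03-04T09:16:10Z||GET /orders/7",      # missing user, dropped as invalid
]
# Format 2 (constructed): JSON-lines application log of "system-B"
SYSTEM_B_LINES = [
    '{"time": "2024-03-04 09:20:00", "uid": "bob", "op": "POST /export"}',
    "not json at all",                           # malformed, dropped
]
# Constructed traffic-log lines for "system-C", which has no application log;
# only the HTTP request line and the authenticated user are carried here.
SYSTEM_C_TRAFFIC = [
    "1709543700 10.0.0.5 -> 10.0.1.20:8080 HTTP GET /report/daily user=carol",
    "1709543760 10.0.0.5 -> 10.0.1.20:8080 TCP payload=binary",   # not HTTP, skipped
]


def parse_system_a(line: str) -> Optional[AppLogRecord]:
    parts = line.split("|")
    if len(parts) != 3 or not all(parts):
        return None
    return AppLogRecord(parts[0], parts[1], "system-A", parts[2], "app")


def parse_system_b(line: str) -> Optional[AppLogRecord]:
    try:
        obj = json.loads(line)
        ts = datetime.strptime(obj["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        return AppLogRecord(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), obj["uid"], "system-B", obj["op"], "app")
    except (ValueError, KeyError, TypeError):
        return None


TRAFFIC_RE = re.compile(
    r"^(?P<epoch>\d+) \S+ -> \S+ HTTP (?P<method>[A-Z]+) (?P<path>\S+) user=(?P<user>\S+)$"
)


def app_log_from_traffic(line: str) -> Optional[AppLogRecord]:
    """Rebuild an application-log record from the HTTP request in a traffic-log line."""
    m = TRAFFIC_RE.match(line)
    if not m:
        return None   # non-HTTP flow: there is nothing to reconstruct
    ts = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return AppLogRecord(ts, m["user"], "system-C", f"{m['method']} {m['path']}", "traffic")


def clean(records: Iterable[Optional[AppLogRecord]]) -> list:
    """ETL cleaning: drop unparsable entries and exact duplicates, keep input order."""
    seen, out = set(), []
    for r in records:
        if r is None or r in seen:
            continue
        seen.add(r)
        out.append(r)
    return out


def collect_all() -> list:
    """S101 over the constructed sources: collect, normalise, clean."""
    recs = [parse_system_a(l) for l in SYSTEM_A_LINES]
    recs += [parse_system_b(l) for l in SYSTEM_B_LINES]
    recs += [app_log_from_traffic(l) for l in SYSTEM_C_TRAFFIC]
    return clean(recs)


if __name__ == "__main__":
    for r in collect_all():
        print(json.dumps(asdict(r)))
```

The output set is what a downstream analysis component can consume without caring which system produced a record; the `source` field keeps the provenance visible, since a record rebuilt from traffic carries less context (no application-side status or parameters) than a genuine application-log entry.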
And S102, calling a second big data component to analyze the cleaned data and display the result according to the alarm threshold obtained by machine learning in advance.
Specifically, in the embodiment of the present application, the alarm threshold is learned as follows: first, the historical access operation logs of a user over a preset period are acquired, and the operation counts for the same preset time period are extracted from them; then the average of those operation counts is calculated and used as the alarm threshold for that time period. For example, the historical access operation logs of user A for a certain service system over a preset period of 30 days are obtained, the operation count for each Monday (24-hour period) within those 30 days is extracted, and the average of those counts is taken as the alarm threshold for the Monday period. Thereafter, each Monday when user A uses the service system, the day's operation count is compared with the alarm threshold; if it exceeds the threshold, user A's operation is judged abnormal, an alarm is triggered, and the alarm information is recorded in a log, so that auditing is convenient and the situation can be seen at a glance. The embodiment of the application uses machine learning to automatically generate a multi-dimensional alarm threshold for each operating user, and can keep learning in real time to update the threshold, so that the correctness of the alarm result is ensured. Meanwhile, in the embodiment of the application, alarm handling is combined with e-government, so that offline business is handled online and audit processing efficiency is improved.
Still taking the log security audit system shown in fig. 2 as an example, in the embodiment of the present application, offline and real-time calculation is performed through a Spark component, with the Spark Streaming component performing the real-time calculation. The calculation results are then stored in a MySQL database and displayed through a Web application. In addition, the embodiment of the application can also provide a retrieval service through an ES (Elasticsearch) component and an Impala component, so that the raw data can be queried and counted quickly.
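The threshold learning described in the disclosure (acquire a user's history over a preset period, extract the operation counts for the same time period, average them) and the S102 comparison worked through above for user A on Mondays, as an added example in Python. It is not the patent's code; the 30-day history, the user name and the alarm-record fields are constructed, and the example generalizes the Monday case to one threshold per user and weekday, which is what the text's "multi-dimensional" threshold per operating user suggests.

```python
"""Added example (not the patent's own code): learn a per-user, per-weekday alarm
threshold as the mean daily operation count over a preset period, then score a
new day's count against it. The history, user and record fields are constructed."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean


def build_history() -> list:
    """Constructed 30-day history (2024-02-03 .. 2024-03-03) for user 'alice':
    40-42 operations on weekdays, 2 on weekend days."""
    hist = []
    start = date(2024, 2, 3)
    for i in range(30):
        d = start + timedelta(days=i)
        count = 40 + (i % 3) if d.weekday() < 5 else 2
        hist.append(("alice", d, count))
    return hist


def learn_thresholds(history, period_days=30, as_of=None):
    """Return {(user, weekday): mean daily count} over the last `period_days`
    days ending at `as_of` (default: the newest day present in the history).
    Monday is weekday 0, so the Monday threshold of the text is key (user, 0)."""
    as_of = as_of or max(d for _, d, _ in history)
    cutoff = as_of - timedelta(days=period_days - 1)
    buckets = defaultdict(list)
    for user, day, count in history:
        if cutoff <= day <= as_of:
            buckets[(user, day.weekday())].append(count)
    return {key: mean(counts) for key, counts in buckets.items()}


def check_day(thresholds, user, day_iso, count):
    """S102: compare the day's operation count with the learned threshold for
    that user and weekday. Returns an alarm record for the audit log, or None."""
    day = date.fromisoformat(day_iso)
    key = (user, day.weekday())
    if key not in thresholds:
        return None          # no baseline for this user/weekday yet
    threshold = thresholds[key]
    if count > threshold:
        return {"user": user, "day": day_iso, "weekday": day.strftime("%A"),
                "count": count, "threshold": threshold,
                "alarm": "operation count above learned threshold"}
    return None


def update_with_day(history, user, day_iso, count):
    """Continuous learning: append the day's observation so that the next
    learn_thresholds() call moves the baseline with it (oldest days age out)."""
    history.append((user, date.fromisoformat(day_iso), count))
    return history


if __name__ == "__main__":
    hist = build_history()
    thr = learn_thresholds(hist)
    print("Monday threshold for alice:", thr[("alice", 0)])
    print(check_day(thr, "alice", "2024-03-04", 120))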
It should be noted that, in order to improve operational security, the embodiment of the present application separates the application from the data so as to avoid a single point of failure, and both the application server and the database server are high-end servers. Fig. 3 accordingly shows a schematic diagram of the deployment architecture of a log security audit system according to an embodiment of the present application. This deployment architecture offers high performance, high stability and high computing capacity; storage access capacity and storage space can be expanded flexibly in parallel, the number of devices is optimized, and excessive occupation of cabinet, power and space resources is reduced.
The description of the same steps and the same contents in this embodiment as those in other embodiments may refer to the description in other embodiments, and will not be repeated here.
Based on the foregoing embodiments, an electronic device provided in the embodiments of the present application may be applied to the log-based security audit enhancement analysis method provided in the embodiments corresponding to fig. 1 to 3, and specifically includes one or more processors and a memory for storing one or more programs; the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the log-based security audit enhancement analysis method described above.
It should be noted that the electronic devices referred to in the embodiments of the present application may include, but are not limited to, a Personal Computer (PC), a Personal Digital Assistant (PDA), a Tablet Computer (Tablet Computer), a wireless handheld device, a mobile phone, and the like.
According to the enhanced analysis method based on log security audit, various types of data are collected by calling the first big data component and cleaned; then the second big data component is called to analyze the cleaned data and display the result according to the alarm threshold obtained in advance by machine learning. Based on this, the embodiment of the application can simplify a complex log analysis model, fit real-world operational and business requirements more closely, perform calculation processing efficiently, support PB-scale data, and is highly stable.
Based on the foregoing embodiments, the embodiments of the present application provide an enhanced analysis device based on log security audit, and the device can be applied to the enhanced analysis method based on log security audit provided in the embodiments corresponding to fig. 1 to 3. Referring to fig. 4, the enhanced analysis apparatus 4 based on log security audit includes:
a data acquisition module 41 configured to invoke the first big data component to acquire various types of data and to clean the various types of data;
and the data analysis module 42 is configured to invoke the second big data component to analyze the cleaned data and display a result according to the alarm threshold obtained by machine learning in advance.
Optionally, in other embodiments of the present application, as shown in fig. 5, the data analysis module 42 further includes:
the extracting unit 421 is configured to obtain historical access operation logs of a user in a preset period, and respectively extract operation times of the same preset time period from the historical access operation logs;
the calculating unit 422 is configured to calculate an average value of the operation times in the same preset time period, and is used as an alarm threshold corresponding to the preset time period.
Optionally, the various types of data include application logs, database logs, and traffic logs.
Optionally, in other embodiments of the present application, as shown in fig. 6, the data acquisition module 41 further includes:
the generating unit 411 is configured to extract the HTTP protocol data in the traffic log when the application log is missing, and to generate the application log corresponding to the traffic log from that HTTP data.
It should be noted that, for the descriptions of the same steps and the same contents in this embodiment as those in other embodiments, reference may be made to the descriptions in other embodiments, which are not described herein again.
According to the enhanced analysis device based on log security audit, the data acquisition module collects various types of data by calling the first big data component and cleans them; then the data analysis module calls the second big data component to analyze the cleaned data and display the result according to the alarm threshold obtained in advance by machine learning. Based on this, the embodiment of the application can simplify a complex log analysis model, fit real-world operational and business requirements more closely, perform calculation processing efficiently, support PB-scale data, and is highly stable.
Based on the foregoing embodiments, the present application provides a computer system. Referring to fig. 7, the computer system 700 includes a Central Processing Unit (CPU) 701 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section into a Random Access Memory (RAM) 703. The RAM 703 also stores various programs and data necessary for system operation. The CPU 701, the ROM 702 and the RAM 703 are connected to each other via a bus 704. An input/output (I/O) interface 705 is also connected to the bus 704.
The following components are connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
In particular, according to embodiments of the present application, the process described above with reference to the flowchart fig. 1 may be implemented as a computer software program. For example, embodiment 1 of the present application includes a computer program product including a computer program carried on a computer-readable medium, the computer program being executed by the CPU701 to implement the steps of:
calling a first big data assembly to collect various types of data and cleaning the various types of data;
and calling a second big data component to analyze the cleaned data and display the result according to the alarm threshold obtained by machine learning in advance.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of log-based security audit enhanced analysis methods, apparatus, devices and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves. The described units or modules may also be provided in a processor, and may be described as: a processor includes a data acquisition module and a data analysis module. Wherein the designation of a unit or module does not in some way constitute a limitation of the unit or module itself.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by a device, cause the electronic device to implement the log-based security audit enhancement analysis method as in the above embodiments.
For example, the electronic device may implement the following as shown in fig. 1: s101, calling a first big data assembly to collect various types of data and cleaning the various types of data; and S102, calling a second big data component to analyze the cleaned data and display the result according to the alarm threshold obtained by machine learning in advance.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by a person skilled in the art that the scope of the invention as referred to in the present application is not limited to the embodiments with a specific combination of the above-mentioned features, but also covers other embodiments with any combination of the above-mentioned features or their equivalents without departing from the inventive concept. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (10)

1. A log-based security audit enhanced analysis method, the method comprising:
calling a first big data component to collect various types of data and cleaning the various types of data;
and calling a second big data component to analyze the cleaned data and display the result according to the alarm threshold obtained by machine learning in advance.
2. The log-based security audit enhancement analysis method of claim 1 wherein the alarm threshold is learned by:
acquiring historical access operation logs of a user in a preset period, and respectively extracting operation times in the same preset time period from the historical access operation logs;
and calculating the average value of the operation times in the same preset time period to be used as an alarm threshold corresponding to the preset time period.
3. The log-based security audit enhanced analysis method of claim 1 wherein the various types of data include application logs, database logs and traffic logs.
4. The log-based security audit enhancement analysis method of claim 3, wherein the method further comprises:
and when the application log is missing, extracting an HTTP protocol in the flow log, and generating the application log corresponding to the flow log according to the HTTP protocol.
5. An enhanced analysis apparatus based on log security audit, the apparatus comprising:
the data acquisition module is configured to call the first big data component to acquire various types of data and clean the various types of data;
and the data analysis module is configured for calling the second big data component to analyze the cleaned data and display the result according to the alarm threshold value obtained by machine learning in advance.
6. The log-based security audit enhancement analysis device of claim 5, wherein the data analysis module further comprises:
the device comprises an extraction unit, a storage unit and a processing unit, wherein the extraction unit is configured to acquire a historical access operation log of a user in a preset period and respectively extract operation times of the same preset time period from the historical access operation log;
and the calculating unit is configured to calculate the average value of the operation times in the same preset time period and is used as an alarm threshold corresponding to the preset time period.
7. The log-based security audit enhancement analysis apparatus of claim 5 wherein the various types of data include application logs, database logs and traffic logs.
8. The log-based security audit enhancement analysis device of claim 7 wherein the data collection module further comprises:
and the generating unit is configured to extract an HTTP protocol in the flow log when the application log is missing, and generate the application log corresponding to the flow log according to the HTTP protocol.
9. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the log-based security audit enhancement analysis method of any of claims 1 to 4.
10. A computer-readable storage medium having stored thereon a computer program for implementing the steps of the log-based security audit enhancement analysis method according to any one of claims 1 to 4.
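The procedure that claims 1 to 4 describe in words (learn one alarm threshold per preset time period as the average operation count of that period across historical logs, reconstruct application log entries from HTTP records in the traffic log when the application log is missing, then compare fresh counts against the thresholds) is shown below as an added example. It is not code from the patent or its assignee; the log formats, the hour-of-day choice of time period, and all names (`learn_thresholds`, `app_log_from_traffic`, `detect`) are assumptions of this example, and every log line is constructed sample data.

```python
"""Added example (not from the patent): per-time-slot alarm thresholds learned
from historical access logs, reconstruction of application log entries from
HTTP records in a traffic log, and exceedance detection. Constructed data."""
from collections import defaultdict
from datetime import datetime

# Constructed historical application log: "<ISO timestamp> <actor> <operation>"
HISTORICAL_APP_LOG = [
    "2020-03-16T09:05:00 alice login",
    "2020-03-16T09:20:00 alice export",
    "2020-03-16T10:15:00 bob login",
    "2020-03-17T09:01:00 alice login",
    "2020-03-17T09:10:00 bob login",
    "2020-03-17T09:30:00 bob export",
    "2020-03-17T09:45:00 alice export",
    "2020-03-17T10:05:00 alice login",
]

# Constructed traffic log: "<ISO timestamp> <src_ip> <METHOD> <path> <status>"
# for HTTP flows; a non-HTTP flow carries fewer fields and must be skipped.
TRAFFIC_LOG = [
    "2020-03-18T09:02:00 10.0.0.5 POST /login 200",
    "2020-03-18T09:04:00 10.0.0.5 GET /export 200",
    "2020-03-18T09:06:00 10.0.0.5 GET /export 200",
    "2020-03-18T09:08:00 10.0.0.5 GET /export 200",
    "2020-03-18T09:10:00 10.0.0.5 GET /export 200",
    "2020-03-18T09:12:00 10.0.0.9 -",
    "2020-03-18T10:30:00 10.0.0.7 POST /login 200",
]

HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"}


def hour_slot(ts):
    """Preset time period used here (an assumption): the hour of the day."""
    return ts.hour


def parse_app_log(lines):
    """Yield (timestamp, actor, operation) from application log lines."""
    for line in lines:
        ts, actor, op = line.split(" ", 2)
        yield datetime.fromisoformat(ts), actor, op


def count_per_bucket(lines, slot=hour_slot):
    """Count operations per (calendar day, time slot) bucket."""
    counts = defaultdict(int)
    for ts, _actor, _op in parse_app_log(lines):
        counts[(ts.date(), slot(ts))] += 1
    return counts


def learn_thresholds(lines, slot=hour_slot):
    """Claim 2: for each slot, average the per-day operation counts of that
    same slot across the historical period; the average is the slot's threshold."""
    per_slot = defaultdict(list)
    for (_day, s), n in count_per_bucket(lines, slot).items():
        per_slot[s].append(n)
    return {s: sum(v) / len(v) for s, v in per_slot.items()}


def app_log_from_traffic(lines):
    """Claim 4: when the application log is missing, derive application log
    entries from the HTTP records in the traffic log (actor = source IP)."""
    generated = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] not in HTTP_METHODS:
            continue  # not an HTTP record; nothing to reconstruct
        ts, src_ip, method, path = parts[:4]
        generated.append(f"{ts} {src_ip} {method} {path}")
    return generated


def detect(lines, thresholds, slot=hour_slot):
    """Flag buckets whose operation count exceeds the learned slot threshold.
    Returns sorted (day, slot, count, threshold) tuples."""
    return sorted(
        (day, s, n, thresholds[s])
        for (day, s), n in count_per_bucket(lines, slot).items()
        if s in thresholds and n > thresholds[s]
    )


if __name__ == "__main__":
    thresholds = learn_thresholds(HISTORICAL_APP_LOG)
    reconstructed = app_log_from_traffic(TRAFFIC_LOG)
    for day, s, n, t in detect(reconstructed, thresholds):
        print(f"{day} hour {s:02d}: {n} operations exceed threshold {t:.1f}")
```

Slots with no history get no threshold and are never flagged here; a deployment would want a fallback (a global default or an explicit "unlearned" alert) rather than silence for periods the training window never covered.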

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010202538.6A CN113496031B (en) 2020-03-20 2020-03-20 Log security audit-based enhanced analysis method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010202538.6A CN113496031B (en) 2020-03-20 2020-03-20 Log security audit-based enhanced analysis method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113496031A true CN113496031A (en) 2021-10-12
CN113496031B CN113496031B (en) 2023-09-22

Family

ID=77993687

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010202538.6A Active CN113496031B (en) 2020-03-20 2020-03-20 Log security audit-based enhanced analysis method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113496031B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108763957A (en) * 2018-05-29 2018-11-06 电子科技大学 Database security auditing system, method and server
CN110347653A (en) * 2019-07-10 2019-10-18 中国工商银行股份有限公司 Data processing method and device, electronic equipment and readable storage medium
CN110555011A (en) * 2018-03-29 2019-12-10 深信服科技股份有限公司 Application audit failure identification method, device and system and readable storage medium

Also Published As

Publication number Publication date
CN113496031B (en) 2023-09-22

Similar Documents

Publication Publication Date Title
CN110855473B (en) Monitoring method, device, server and storage medium
CN110362544B (en) Log processing system, log processing method, terminal and storage medium
CN111752799A (en) Service link tracking method, device, equipment and storage medium
Zawoad et al. Digital forensics in the age of big data: Challenges, approaches, and opportunities
CN103838867A (en) Log processing method and device
CN108039959A (en) Data situational awareness method, system and related apparatus
CN113448812A (en) Monitoring alarm method and device under micro-service scene
CN112948492A (en) Data processing system, method and device, electronic equipment and storage medium
Zainab et al. Big data management in smart grids: Technologies and challenges
CN110928934A (en) Data processing method and device for business analysis
CN111240940A (en) Real-time service monitoring method and device, electronic equipment and storage medium
CN110727700A (en) Method and system for integrating multi-source streaming data into transaction type streaming data
CN113721856A (en) Digital community management data storage system
CN113704178A (en) Big data management method, system, electronic device and storage medium
CN108628954A (en) Mass data self-service query method and apparatus
CN112507265A (en) Method and device for anomaly detection based on tree structure and related products
CN113496031B (en) Log security audit-based enhanced analysis method, device, equipment and storage medium
CN111324583B (en) Service log classification method and device
CN114756301B (en) Log processing method, device and system
CN215298210U (en) Multistage edge computing system for the power Internet of Things
CN112286918B (en) Method and device for fast access conversion of data, electronic equipment and storage medium
CN113778777A (en) Log playback method and device
CN113407491A (en) Data processing method and device
CN112769755A (en) DNS log statistical feature extraction method for threat detection
CN110727532A (en) Data restoration method, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information

Address after: 100096 101, 1st to 7th floors, Building 3, Yard 6, Jianfeng Road (South Extension), Haidian District, Beijing

Applicant after: TOLS TIANXIANG NET AN INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 100084 2a201, 202, building 2, yard 1, Nongda South Road, Haidian District, Beijing

Applicant before: TOLS TIANXIANG NET AN INFORMATION TECHNOLOGY Co.,Ltd.

SE01 Entry into force of request for substantive examination
GR01 Patent grant