CN113496031B - Log security audit-based enhanced analysis method, device, equipment and storage medium - Google Patents


Info

Publication number
CN113496031B
Authority
CN
China
Prior art keywords
log
data
security audit
threshold value
alarm threshold
Prior art date
Legal status
Active
Application number
CN202010202538.6A
Other languages
Chinese (zh)
Other versions
CN113496031A (en)
Inventor
余江
王洪波
张三海
陈倩倩
Current Assignee
Tols Tianxiang Net An Information Technology Co ltd
Original Assignee
Tols Tianxiang Net An Information Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Tols Tianxiang Net An Information Technology Co ltd
Priority to CN202010202538.6A
Publication of CN113496031A
Application granted
Publication of CN113496031B
Legal status: Active


Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F21/55 Detecting local intrusion or implementing counter-measures › G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
        • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/10 File systems; File servers › G06F16/18 File system types › G06F16/182 Distributed file systems
            • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
                • G06F16/21 Design, administration or maintenance of databases › G06F16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
                • G06F16/24 Querying › G06F16/245 Query processing › G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries › G06F16/2471 Distributed queries
                • G06F16/25 Integrating or interfacing systems involving database management systems › G06F16/254 Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses
                • G06F16/28 Databases characterised by their database models, e.g. relational or object models › G06F16/284 Relational databases

Abstract

The application discloses a log security audit-based enhanced analysis method, device, equipment and storage medium. The method comprises: calling a first big data component to collect various types of data and cleaning the various types of data; and calling a second big data component to analyze the cleaned data and display the result according to an alarm threshold value obtained in advance by machine learning. The embodiment of the application can simplify a complex log analysis model, better fits real-world operational and business requirements, performs calculation processing efficiently, can support PB-level data, and has strong stability.

Description

Log security audit-based enhanced analysis method, device, equipment and storage medium
Technical Field
The application relates to the technical field of information security, to the technical fields of big data analysis and artificial intelligence, and to a deep-learning-based natural language processing engine and full-stack NLP (natural language processing) capability; in particular, it relates to a log security audit enhanced analysis method, device, equipment and storage medium based on multi-dimensional trajectory analysis of a person's daily operations in business systems.
Big-data processing technology is adopted, mainly comprising stream computing, distributed search engines, natural language understanding and the like, so as to realize the storage and access of massive and unstructured data that a traditional database cannot handle.
Background
As the degree of informatization of organizations such as governments, enterprises and institutions keeps rising, their dependence on information systems grows. How to secure an information system is therefore an important issue that every unit must face.
The current security audit system analyzes and discovers illegal operation and use of application systems by collecting the historical access operation logs of each application system, and provides an after-the-fact investigation mechanism when security events such as information leakage occur. However, as the volume of application logs and the related data grow, a log analysis model that fits real-world operations and business becomes more and more complex, and the security audit system's support capacity becomes insufficient, its stability poor, and its computational efficiency low.
Disclosure of Invention
In view of the above-mentioned drawbacks or shortcomings of the prior art, it is desirable to provide a method, a device, equipment and a storage medium for enhanced analysis based on log security audit, which can simplify a complex log analysis model, better fit real-world operational and business requirements, perform calculation processing efficiently, support PB-level data at the same time, and have strong stability.
In a first aspect, the present application provides a log-based security audit enhancement analysis method, the method comprising:
calling a first big data component to collect various types of data and cleaning the various types of data;
and calling a second big data component to analyze the cleaned data and display the result according to an alarm threshold value obtained by machine learning in advance.
Optionally, the alarm threshold is learned by:
acquiring a history access operation log of a user in a preset period, and respectively extracting operation times in the same preset time period from the history access operation log;
and calculating the average value of the operation times of the same preset time period to serve as an alarm threshold value corresponding to the preset time period.
Optionally, the various types of data include an application log, a database log, and a traffic log.
Optionally, when the application log is missing, the HTTP protocol data in the traffic log is extracted, and an application log corresponding to the traffic log is generated from that HTTP data.
In a second aspect, the present application provides a log-based security audit enhancement analysis apparatus, the apparatus comprising:
the data acquisition module is configured to call the first big data component to acquire various types of data and clean the various types of data;
and the data analysis module is configured to call a second big data component to analyze the cleaned data and display the result according to an alarm threshold value obtained by machine learning in advance.
Optionally, the data analysis module further includes:
the extraction unit is configured to acquire a history access operation log of a user in a preset period and extract operation times of the same preset time period from the history access operation log respectively;
and the calculating unit is configured to calculate an average value of the operation times of the same preset time period and serve as an alarm threshold value corresponding to the preset time period.
Optionally, the various types of data include an application log, a database log, and a traffic log.
Optionally, the data acquisition module further includes:
and the generating unit is configured to extract the HTTP protocol data in the traffic log when the application log is missing, and to generate an application log corresponding to the traffic log from that HTTP data.
In a third aspect, the present application provides an apparatus comprising:
one or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the log-based security audit enhancement analysis method as described in the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon a computer program for implementing the steps of the log-based security audit enhancement analysis method according to the first aspect.
In summary, the method, device, equipment and storage medium for enhanced analysis based on log security audit provided by the embodiment of the application collect various types of data by calling the first big data component and clean the various types of data; then, according to an alarm threshold value obtained in advance by machine learning, the second big data component is called to analyze the cleaned data and display the result. On this basis, the embodiment of the application can simplify a complex log analysis model, better fits real-world operational and business requirements, performs calculation processing efficiently, can support PB-level data, and has strong stability.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
fig. 1 is a basic flow diagram of an enhanced analysis method based on log security audit provided in an embodiment of the present application;
fig. 2 is a schematic diagram of an overall architecture of a log security audit system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a deployment architecture of a log security audit system according to an embodiment of the present application;
fig. 4 is a schematic diagram of a basic structure of an enhanced analysis device based on log security audit according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of another log-based security audit enhancement analysis device according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of another log-based security audit enhancement analysis device according to an embodiment of the present application;
fig. 7 is a schematic diagram of a computer system according to an embodiment of the present application.
Detailed Description
In order to make the present application better understood by those skilled in the art, the following description will clearly and completely describe the technical solutions in the embodiments of the present application with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the described embodiments of the application may be implemented in other sequences than those illustrated or otherwise described herein.
Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules that are expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
For ease of understanding and explanation, the log-based security audit enhancement analysis method, apparatus, device and storage medium provided by the embodiments of the present application are described in detail below with reference to fig. 1 to 7.
Please refer to fig. 1, which is a basic flow chart of a log security audit enhancement analysis method according to an embodiment of the present application, the method includes the following steps:
s101, calling a first big data component to collect various types of data and cleaning the various types of data.
It should be noted that, in the embodiment of the present application, the various types of data include an application log, a database log, and a traffic log. When the application log is missing, the HTTP protocol data in the traffic log is extracted, and an application log corresponding to the traffic log is generated from that HTTP data, so that various different service systems are supported and log collection is diversified.
For example, fig. 2 is a schematic diagram of the overall architecture of a log security audit system according to an embodiment of the present application. In this embodiment, a flash component is used to acquire the database log, the traffic log and the application log respectively, and an ETL (Extract/Transform/Load) component cleans the various types of acquired data and generates a usable output data set. The data set is then fed into HDFS (Hadoop Distributed File System) and Kafka respectively for storage and computation. Because the application log formats of different service systems differ, the application logs must be standardized. Optionally, the application log is also saved to an Oracle database for backup.
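The collection and cleaning step (S101) leaves two details open: what the "standardized" application log looks like, and how an application log is derived from the HTTP data in a traffic log when a service system produces none. The following Python is an added illustration written for this page, not code from the patent or its assignee. It assumes a common six-field record schema, two constructed application-log formats (a pipe-separated one and a JSON-lines one), and a constructed traffic-log record whose HTTP part carries the user in an `x-user` header; all sample inputs are made up.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Common record schema every source is normalized to. This schema is an
# assumption: the patent only says application logs of different service
# systems must be standardized, not what the standard looks like.
FIELDS = ("ts", "user", "system", "action", "resource", "status")


def parse_pipe_log(line, system):
    """Application-log format A (constructed): 'YYYY-mm-dd HH:MM:SS|user|action|resource|status'."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    ts, user, action, resource, status = parts
    try:
        return dict(ts=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user=user,
                    system=system, action=action, resource=resource, status=int(status))
    except ValueError:
        return None


def parse_json_log(line, system):
    """Application-log format B (constructed): one JSON object per line, its own key names."""
    try:
        obj = json.loads(line)
        return dict(ts=datetime.fromisoformat(obj["time"]), user=obj["uid"], system=system,
                    action=obj["op"], resource=obj["target"], status=int(obj["code"]))
    except (ValueError, KeyError, TypeError):
        return None


def app_log_from_http(flow, system):
    """Fallback for a system with no application log: derive an application-log
    record from the HTTP request/response carried in a traffic-log record.
    Assumption: the user comes from a constructed 'x-user' request header; a real
    deployment would map a session cookie or source address to a user instead."""
    http = flow.get("http")
    if not http:
        return None  # non-HTTP flow (e.g. DNS): nothing to derive
    user = http.get("headers", {}).get("x-user")
    if user is None:
        return None  # request cannot be attributed to a user
    return dict(ts=datetime.fromisoformat(flow["ts"]), user=user, system=system,
                action=http["method"], resource=urlsplit(http["uri"]).path,
                status=int(http["status"]))


def clean(records):
    """ETL cleaning step: drop records that failed to parse or lack a field,
    drop exact duplicates, and return the rest in chronological order."""
    seen, out = set(), []
    for rec in records:
        if rec is None or any(rec.get(f) is None for f in FIELDS):
            continue
        key = tuple(rec[f] for f in FIELDS)
        if key in seen:
            continue
        seen.add(key)
        out.append(rec)
    out.sort(key=lambda r: r["ts"])
    return out


def collect(system, app_lines, app_parser, traffic_flows):
    """Collection for one service system: use its application log when present,
    otherwise synthesize application-log records from the HTTP traffic."""
    if app_lines:
        raw = [app_parser(line, system) for line in app_lines]
    else:
        raw = [app_log_from_http(flow, system) for flow in traffic_flows]
    return clean(raw)


# Constructed sample inputs (not real logs).
HR_APP_LOG = [
    "2020-03-09 09:01:02|alice|export|/report/123|200",
    "2020-03-09 09:01:02|alice|export|/report/123|200",  # exact duplicate, dropped
    "corrupted line without separators",                  # unparseable, dropped
    "2020-03-09 09:00:30|bob|view|/employee/7|200",
]
OA_APP_LOG = [
    '{"time": "2020-03-09T08:30:00", "uid": "dave", "op": "download", "target": "/doc/9", "code": "200"}',
    '{"time": "2020-03-09T08:31:00", "uid": "dave"}',     # missing fields, dropped
]
CRM_TRAFFIC = [  # the CRM system has no application log; only traffic was captured
    {"ts": "2020-03-09T10:15:00", "src": "10.0.0.5",
     "http": {"method": "POST", "uri": "/customer/42/export?fmt=csv",
              "status": 200, "headers": {"x-user": "carol"}}},
    {"ts": "2020-03-09T10:15:01", "src": "10.0.0.5", "proto": "dns"},
    {"ts": "2020-03-09T10:16:00", "src": "10.0.0.9",
     "http": {"method": "GET", "uri": "/health", "status": 200, "headers": {}}},
]

if __name__ == "__main__":
    for sys_name, lines, parser, flows in (("hr", HR_APP_LOG, parse_pipe_log, []),
                                           ("oa", OA_APP_LOG, parse_json_log, []),
                                           ("crm", [], parse_json_log, CRM_TRAFFIC)):
        for rec in collect(sys_name, lines, parser, flows):
            print(rec)
```

The point of the fallback is that a traffic capture only identifies a source address, so user attribution has to come from something the HTTP layer carries (here an assumed header); requests that carry nothing attributable are dropped rather than guessed, and the query string is stripped from the resource so that parameters do not fragment the per-resource statistics used later.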
S102, according to an alarm threshold value obtained through machine learning in advance, a second big data component is called to analyze the cleaned data and display the result.
Specifically, in the embodiment of the application, the alarm threshold value is learned as follows: first, the historical access operation log of a user in a preset period is acquired, and the operation counts in the same preset time period are extracted from it respectively; then the average of the operation counts in that preset time period is calculated and used as the alarm threshold corresponding to that preset time period. For example, the historical access operation log of user A on a certain service system over a preset period of 30 days is obtained, the operation counts of the 24 time periods of each Monday in those 30 days are extracted, and their averages are calculated as the alarm thresholds corresponding to the 24 time periods of Monday. Subsequently, whenever user A uses the service system each week, the operation count of the current day is compared with the alarm threshold; if it is larger than the alarm threshold, user A's operation is abnormal, an alarm is triggered, and the alarm information is recorded in a log, so that the audit is convenient and clear. The embodiment of the application uses machine learning to automatically generate a multi-dimensional alarm threshold for each operating user, and can keep learning in real time to update the alarm threshold, thereby ensuring the correctness of the alarm result. Meanwhile, in the embodiment of the application, alarm handling is combined with e-government, offline business is moved online, and the audit processing efficiency is improved.
Still taking the log security audit system shown in fig. 2 as an example, in the embodiment of the present application, offline and real-time computation is performed by a Spark component, with the Spark Streaming component performing the real-time computation. The calculation results are then stored in a MySQL database and displayed through a Web application. In addition, the embodiment of the application can also provide a retrieval service through the ES (Elasticsearch) component and the Impala component, to quickly query and aggregate the original data.
It should be noted that, in order to improve operational security, the embodiment of the present application separates application and data so as to avoid a single point of failure, and both the application server and the database server use high-end servers. Accordingly, fig. 3 is a schematic diagram of the deployment architecture of a log security audit system according to an embodiment of the present application. The deployment architecture has the advantages of high performance, high stability and high computing capacity; storage access capacity and storage space can be expanded flexibly and in parallel, the number of devices is optimized, and excessive occupation of cabinet, power and space resources is reduced.
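The threshold learning in the disclosure ("Optionally, the alarm threshold is learned by: ...") and the worked description of user A, 30 days and the 24 time periods of Monday, together with the comparison step of claim 1, can be written out as a small program. The Python below is an added example for this page, not code from the patent; it assumes one-hour time periods, a `(user, timestamp)` record shape for the cleaned log, a half-open 30-day window, and that a Monday on which the user was idle still contributes zero to the average (the patent does not say how idle days are treated). All history and "current day" records are constructed.

```python
from collections import defaultdict
from datetime import date, datetime, time, timedelta

MONDAY = 0                    # datetime.weekday() convention
NOW = datetime(2020, 3, 16)   # constructed "current day" (a Monday), start of day


def days_of_weekday(start, end, weekday):
    """All calendar days with the given weekday in the half-open window [start, end)."""
    day, days = start.date(), []
    while day < end.date():
        if day.weekday() == weekday:
            days.append(day)
        day += timedelta(days=1)
    return days


def learn_thresholds(history, user, weekday, window_days, now):
    """Learn the 24 per-hour alarm thresholds of `user` for one weekday: count the
    user's operations in each hour of every such weekday within the last
    `window_days` days and average over those days. Idle days count as zero
    (assumption; the patent leaves this open)."""
    start = now - timedelta(days=window_days)
    days = days_of_weekday(start, now, weekday)
    if not days:
        raise ValueError("window contains no day with the requested weekday")
    totals = defaultdict(int)  # hour -> operations summed over all those days
    for rec_user, ts in history:
        if rec_user == user and start <= ts < now and ts.weekday() == weekday:
            totals[ts.hour] += 1
    return {hour: totals[hour] / len(days) for hour in range(24)}


def hourly_counts(records, user, day):
    counts = defaultdict(int)
    for rec_user, ts in records:
        if rec_user == user and ts.date() == day:
            counts[ts.hour] += 1
    return counts


def check_day(records, user, day, thresholds):
    """Claim 1 comparison: an hour whose count exceeds its threshold raises an alarm.
    Returns (hour, count, threshold) tuples, the data written to the audit log."""
    counts = hourly_counts(records, user, day)
    return [(h, counts[h], thresholds[h]) for h in range(24) if counts[h] > thresholds[h]]


def alarm_lines(user, day, alarms):
    """Audit-log lines for triggered alarms (the line format is this example's own)."""
    return [f"ALARM user={user} date={day} hour={h:02d} ops={c} threshold={t:.2f}"
            for h, c, t in alarms]


def build_history():
    """Constructed history (not real data): user A on the four Mondays before
    2020-03-16 performs 10, 12, 8 and 10 operations in the 09:00 hour and 4 in
    the 14:00 hour; a busy Tuesday and a second user B are included to show
    that they do not affect A's Monday thresholds."""
    recs = []
    mondays = [date(2020, 2, 17), date(2020, 2, 24), date(2020, 3, 2), date(2020, 3, 9)]
    for day, n in zip(mondays, (10, 12, 8, 10)):
        recs += [("A", datetime.combine(day, time(9, i))) for i in range(n)]
        recs += [("A", datetime.combine(day, time(14, i))) for i in range(4)]
    recs += [("A", datetime.combine(date(2020, 3, 10), time(9, i))) for i in range(50)]
    recs += [("B", datetime.combine(date(2020, 3, 9), time(9, i))) for i in range(7)]
    return recs


def build_today():
    """Constructed activity of user A on Monday 2020-03-16: 11 operations in the
    09:00 hour (above the learned 10.0), 3 in the 14:00 hour (below 4.0) and
    one at 22:00, an hour with no history at all."""
    day = date(2020, 3, 16)
    return ([("A", datetime.combine(day, time(9, i))) for i in range(11)]
            + [("A", datetime.combine(day, time(14, i))) for i in range(3)]
            + [("A", datetime.combine(day, time(22, 0)))])


if __name__ == "__main__":
    thresholds = learn_thresholds(build_history(), "A", MONDAY, 30, NOW)
    alarms = check_day(build_today(), "A", NOW.date(), thresholds)
    print("\n".join(alarm_lines("A", NOW.date(), alarms)))
```

Two things the run makes visible. First, the "greater than" test of claim 1 with a plain average means a single operation in an hour the user has never been active in (22:00 here) trips an alarm, because its baseline is 0; a deployment would usually add a floor or a variance term before relying on this for real users. Second, the "continuous real-time learning" the description mentions is just re-running `learn_thresholds` with the window slid forward after each day is folded into the history, which is why the window is expressed relative to `now`.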
The descriptions of the same steps and the same contents in this embodiment as those in other embodiments may refer to the descriptions in other embodiments, and are not repeated here.
Based on the foregoing embodiments, the present application provides an electronic device, which may be applied to the log-based security audit enhancement analysis method provided in the corresponding embodiments of fig. 1 to 3, and specifically includes one or more processors, and a memory for storing one or more programs; the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the log-based security audit enhancement analysis method described above.
It should be noted that the electronic device according to the embodiment of the present application may include, but is not limited to, a personal computer (PC), a personal digital assistant (PDA), a tablet computer, a wireless handheld device, a mobile phone, and the like.
According to the log security audit-based enhanced analysis method provided by the embodiment of the application, various types of data are collected by calling the first big data component, and the various types of data are cleaned; then, according to an alarm threshold value obtained in advance by machine learning, the second big data component is called to analyze the cleaned data and display the result. On this basis, the embodiment of the application can simplify a complex log analysis model, better fits real-world operational and business requirements, performs calculation processing efficiently, can support PB-level data, and has strong stability.
Based on the foregoing embodiments, the embodiment of the present application provides a log-based security audit enhancement analysis device, which may be applied to the log-based security audit enhancement analysis methods provided in the embodiments corresponding to fig. 1 to 3. Referring to fig. 4, the log-based security audit enhancement analysis apparatus 4 includes:
a data acquisition module 41 configured to call the first big data component to acquire various types of data and to clean the various types of data;
the data analysis module 42 is configured to invoke the second big data component to analyze the cleaned data and display the result according to the alarm threshold value obtained by machine learning in advance.
Optionally, in other embodiments of the present application, as shown in fig. 5, the data analysis module 42 further includes:
an extracting unit 421 configured to obtain a history access operation log of a user in a preset period, and extract operation times of the same preset period from the history access operation log, respectively;
a calculating unit 422 configured to calculate an average value of the operation times for the same preset time period as an alarm threshold corresponding to the preset time period.
Optionally, the various types of data include application logs, database logs, and traffic logs.
Optionally, in other embodiments of the present application, as shown in fig. 6, the data acquisition module 41 further includes:
the generating unit 411 is configured to extract the HTTP protocol data in the traffic log when the application log is missing, and to generate an application log corresponding to the traffic log from that HTTP data.
It should be noted that, in this embodiment, the descriptions of the same steps and the same content as those in other embodiments may refer to the descriptions in other embodiments, and are not repeated here.
According to the log security audit-based enhanced analysis device provided by the embodiment of the application, the data acquisition module collects various types of data by calling the first big data component and cleans the various types of data; and the data analysis module calls the second big data component to analyze the cleaned data and display the result according to an alarm threshold value obtained in advance by machine learning. On this basis, the embodiment of the application can simplify a complex log analysis model, better fits real-world operational and business requirements, performs calculation processing efficiently, can support PB-level data, and has strong stability.
Based on the foregoing embodiments, embodiments of the present application provide a computer system. Referring to fig. 7, the computer system 700 includes a Central Processing Unit (CPU) 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section into a Random Access Memory (RAM) 703. The RAM 703 also stores various programs and data required for the system's operation. The CPU 701, ROM 702, and RAM 703 are connected to each other through a bus 704. An input/output (I/O) interface 705 is also connected to the bus 704.
The following components are connected to the I/O interface 705: an input section 706 including a keyboard, a mouse, and the like; an output section 707 including a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker, and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read from it is installed into the storage section 708 as necessary.
In particular, the process described above with reference to the flowchart of fig. 1 may be implemented as a computer software program according to an embodiment of the application. For example, an embodiment of the present application includes a computer program product including a computer program carried on a computer-readable medium, the computer program being executed by the CPU 701 to realize the steps of:
calling a first big data component to collect various types of data and cleaning the various types of data;
and calling a second big data component to analyze the cleaned data and display the result according to an alarm threshold value obtained by machine learning in advance.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711.
The computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of the log security audit-based enhanced analysis methods, apparatus, devices and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented by software or by hardware, and the described units or modules may also be provided in a processor, for example as: a processor comprising a data acquisition module and a data analysis module. The names of the units or modules do not in some cases constitute a limitation of the units or modules themselves.
As another aspect, the present application also provides a computer-readable medium that may be contained in the electronic device described in the above embodiment; or may exist alone without being incorporated into the electronic device. The computer readable medium carries one or more programs which, when executed by one of the devices, cause the electronic device to implement the log-based security audit enhancement analysis method as in the above embodiments.
For example, the electronic device may implement the method shown in fig. 1: S101, calling a first big data component to collect various types of data and cleaning the various types of data; S102, according to an alarm threshold value obtained in advance through machine learning, calling a second big data component to analyze the cleaned data and display the result.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in software combined with the necessary hardware.
The above description is only illustrative of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the present application is not limited to the specific combinations of the technical features described above, but also covers other technical solutions formed by any combination of those technical features or their equivalents without departing from the inventive concept, for example solutions in which the above features are replaced with technical features having similar functions disclosed in (but not limited to) the present application.

Claims (8)

1. A log-based security audit enhancement analysis method, the method comprising:
calling a first big data component to collect various types of data and cleaning the various types of data;
calling a second big data component to analyze the cleaned data and display a result according to an alarm threshold value obtained in advance by machine learning;
wherein the alarm threshold value is learned as follows:
acquiring a history access operation log of a user over a preset period, and extracting from the history access operation log the number of operations in each occurrence of the same preset time period;
calculating the average of the numbers of operations for the same preset time period, and using it as the alarm threshold value corresponding to that preset time period;
and wherein calling the second big data component to analyze the cleaned data and display the result comprises:
comparing the cleaned data with the alarm threshold value to obtain a comparison result;
and if the comparison result is that the cleaned data exceeds the alarm threshold value, obtaining "alarm triggered" as the display result.
2. The log-based security audit enhancement analysis method according to claim 1, wherein the various types of data include application logs, database logs, and traffic logs.
3. The log-based security audit enhancement analysis method according to claim 2, further comprising:
when the application log is missing, extracting HTTP protocol data from the traffic log, and generating an application log corresponding to the traffic log from that HTTP protocol data.
4. A log-based security audit enhancement analysis device, the device comprising:
a data acquisition module configured to call a first big data component to collect various types of data and clean the various types of data;
a data analysis module configured to call a second big data component to analyze the cleaned data and display a result according to an alarm threshold value obtained in advance by machine learning;
wherein the data analysis module further comprises:
an extraction unit configured to acquire a history access operation log of a user over a preset period and to extract from the history access operation log the number of operations in each occurrence of the same preset time period;
a calculating unit configured to calculate the average of the numbers of operations for the same preset time period and to use it as the alarm threshold value corresponding to that preset time period;
and the data analysis module further comprises:
a comparison unit configured to compare the cleaned data with the alarm threshold value to obtain a comparison result;
and an obtaining unit configured to obtain "alarm triggered" as the display result if the comparison result is that the cleaned data exceeds the alarm threshold value.
5. The log-based security audit enhancement analysis device of claim 4, wherein the various types of data include application logs, database logs, and traffic logs.
6. The log-based security audit enhancement analysis device of claim 4, wherein the data acquisition module further comprises:
a generating unit configured to extract HTTP protocol data from the traffic log when the application log is missing, and to generate an application log corresponding to the traffic log from that HTTP protocol data.
7. An apparatus, the apparatus comprising:
one or more processors;
a memory for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the log-based security audit enhancement analysis method of any of claims 1-3.
8. A computer readable storage medium having stored thereon a computer program for implementing the steps of the log-based security audit enhancement analysis method according to any of claims 1 to 3.
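The threshold learning and comparison steps of claim 1 (the S101/S102 flow summarized for fig. 1 above) and the traffic-log fallback of claim 3, worked as an added Python example; this is not code from the patent or from the applicant. The log line formats, the hour-of-day time slot, the identity column recovered from the HTTP layer, and the optional k-sigma margin are assumptions of the example: with k=0 the threshold is the plain average the claim recites, and k>0 goes beyond the claim.

```python
"""Added example (not the patent's or applicant's code): per-slot alarm
threshold learning and comparison (claim 1) plus rebuilding application-log
events from HTTP traffic records (claim 3). Formats are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history access operation log for the preset period 2020-03-02..03:
# "<ISO timestamp> <user> <method> <path>", one cleaned event per line.
HISTORY_LOG = """\
2020-03-02T09:05:11 alice GET /api/orders
2020-03-02T09:17:40 alice GET /api/orders/17
2020-03-02T09:48:02 alice POST /api/orders/17/notes
2020-03-02T14:10:33 alice GET /api/reports
2020-03-02T14:22:05 alice GET /api/reports/q1
2020-03-03T09:01:58 alice GET /api/orders
2020-03-03T09:09:12 alice GET /api/orders/18
2020-03-03T09:20:45 alice GET /api/orders/19
2020-03-03T09:31:07 alice PUT /api/orders/19
2020-03-03T09:55:30 alice GET /api/orders
2020-03-03T11:02:00 bob GET /api/orders
2020-03-03T16:40:00 bob GET /api/reports
"""

# Constructed traffic log for a day whose application log is missing; the
# assumed layout carries the HTTP request line and the user identity taken
# from the HTTP layer (e.g. a session cookie or X-User header).
TRAFFIC_LOG = """\
2020-03-09T09:02:03 10.0.0.5 alice "GET /api/orders HTTP/1.1"
2020-03-09T09:06:41 10.0.0.5 alice "GET /api/orders/21 HTTP/1.1"
2020-03-09T09:11:19 10.0.0.5 alice "GET /api/orders/22 HTTP/1.1"
2020-03-09T09:15:57 10.0.0.5 alice "GET /api/orders/23 HTTP/1.1"
2020-03-09T09:20:35 10.0.0.5 alice "GET /api/orders/24 HTTP/1.1"
2020-03-09T09:25:13 10.0.0.5 alice "GET /api/orders/25 HTTP/1.1"
2020-03-09T09:29:51 10.0.0.5 alice "GET /api/orders/26 HTTP/1.1"
2020-03-09T09:34:29 10.0.0.5 alice "GET /api/orders/27 HTTP/1.1"
2020-03-09T14:08:12 10.0.0.5 alice "GET /api/reports HTTP/1.1"
2020-03-09T14:30:00 10.0.0.5 bob "GET /api/reports HTTP/1.1"
2020-03-09T14:35:20 10.0.0.5 alice "GET /api/reports/q1 HTTP/1.1"
"""

def parse_app_log(text):
    """Parse application-log lines into (timestamp, user, method, path)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, method, path = line.split(maxsplit=3)
            events.append((datetime.fromisoformat(ts), user, method, path))
    return events

def app_log_from_traffic(text):
    """Claim 3 fallback: rebuild application-log events from the HTTP request
    lines of a traffic log, in the same tuple shape parse_app_log returns."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, _src_ip, user, request = line.split(maxsplit=3)
            method, path, _version = request.strip('"').split()
            events.append((datetime.fromisoformat(ts), user, method, path))
    return events

def learn_thresholds(events, user, slot=lambda t: t.hour, k=0.0):
    """Claim 1 learning step: count the user's operations per (slot, day) and
    take the mean across the days of the preset period as the slot's threshold.
    Days the user was active but idle in a slot count as 0. k > 0 adds k
    standard deviations of margin: this example's addition, not the patent's."""
    per_slot = defaultdict(Counter)
    days = set()
    for t, u, _method, _path in events:
        if u == user:
            days.add(t.date())
            per_slot[slot(t)][t.date()] += 1
    thresholds = {}
    for s, by_day in per_slot.items():
        counts = [by_day[d] for d in days]
        thresholds[s] = mean(counts) + k * pstdev(counts)
    return thresholds

def analyze(events, thresholds, user, slot=lambda t: t.hour):
    """Claim 1 comparison step: a slot is "alarm" when the user's count in the
    cleaned data is strictly greater than its threshold; slots with no learned
    baseline are reported as such rather than silently passed."""
    counts = Counter(slot(t) for t, u, _m, _p in events if u == user)
    verdicts = {s: "no_baseline" if s not in thresholds
                else "alarm" if n > thresholds[s] else "ok"
                for s, n in counts.items()}
    return counts, verdicts

def run(user="alice", k=0.0):
    """Whole pipeline over the constructed logs: (thresholds, counts, verdicts)."""
    thresholds = learn_thresholds(parse_app_log(HISTORY_LOG), user, k=k)
    counts, verdicts = analyze(app_log_from_traffic(TRAFFIC_LOG), thresholds, user)
    return thresholds, counts, verdicts

if __name__ == "__main__":
    for k in (0.0, 2.0):
        print(f"k={k}:", run(k=k))
```

With the plain average of claim 1 and a strict greater-than comparison, any slot that is merely above its own average fires (the 14:00 slot here: 2 operations against a mean of 1), so in practice a margin such as k standard deviations or a percentile is needed to keep the alarm rate usable. Two further caveats a deployment has to handle: a baseline learned from the user's own history inherits whatever an attacker already did during the preset period, and a slot absent from that history has no threshold at all, which the example surfaces as "no_baseline" instead of treating as normal.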
CN202010202538.6A 2020-03-20 2020-03-20 Log security audit-based enhanced analysis method, device, equipment and storage medium Active CN113496031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010202538.6A CN113496031B (en) 2020-03-20 2020-03-20 Log security audit-based enhanced analysis method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010202538.6A CN113496031B (en) 2020-03-20 2020-03-20 Log security audit-based enhanced analysis method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113496031A CN113496031A (en) 2021-10-12
CN113496031B true CN113496031B (en) 2023-09-22

Family

ID=77993687

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010202538.6A Active CN113496031B (en) 2020-03-20 2020-03-20 Log security audit-based enhanced analysis method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113496031B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108763957A (en) * 2018-05-29 2018-11-06 电子科技大学 Database security audit system, method and server
CN110347653A (en) * 2019-07-10 2019-10-18 中国工商银行股份有限公司 Data processing method and device, electronic device and readable storage medium
CN110555011A (en) * 2018-03-29 2019-12-10 深信服科技股份有限公司 Application audit failure identification method, device and system and readable storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110555011A (en) * 2018-03-29 2019-12-10 深信服科技股份有限公司 Application audit failure identification method, device and system and readable storage medium
CN108763957A (en) * 2018-05-29 2018-11-06 电子科技大学 Database security audit system, method and server
CN110347653A (en) * 2019-07-10 2019-10-18 中国工商银行股份有限公司 Data processing method and device, electronic device and readable storage medium

Also Published As

Publication number Publication date
CN113496031A (en) 2021-10-12

Similar Documents

Publication Publication Date Title
CN110347716B (en) Log data processing method, device, terminal equipment and storage medium
CN111352808B (en) Alarm data processing method, device, equipment and storage medium
CN111752799A (en) Service link tracking method, device, equipment and storage medium
CN103838867A (en) Log processing method and device
EP3494506A1 (en) Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform
CN110928934A (en) Data processing method and device for business analysis
CN113704065A (en) Monitoring method, device, equipment and computer storage medium
CN113448812A (en) Monitoring alarm method and device under micro-service scene
CN112948492A (en) Data processing system, method and device, electronic equipment and storage medium
US20130198381A1 (en) Optimizing Data Extraction from Distributed Systems into a Unified Event Aggregator Using Time-Outs
CN113496031B (en) Log security audit-based enhanced analysis method, device, equipment and storage medium
CN113704178A (en) Big data management method, system, electronic device and storage medium
CN110650126A (en) Method and device for preventing website traffic attack, intelligent terminal and storage medium
CN215298210U (en) Multistage edge computing system of electric power thing networking
CN110928938B (en) Interface middleware system
CN112783615B (en) Data processing task cleaning method and device
CN113779017A (en) Method and apparatus for data asset management
CN113778777A (en) Log playback method and device
CN110727532A (en) Data restoration method, electronic device and storage medium
Arora et al. A streamlined approach for real-time data analytics
CN111177704B (en) Binding identification method, binding identification device, binding identification equipment and binding identification medium
US20230169345A1 (en) Multiscale dimensional reduction of data
CN112882992A (en) Method and apparatus for displaying information
CN117499265A (en) Abnormality processing method, abnormality processing device, electronic equipment and computer readable medium
CN112598408A (en) Method and device for automatic account-arrival freezing

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information

Address after: 100096 101, 1st to 7th floors, Building 3, Yard 6, Jianfeng Road (South Extension), Haidian District, Beijing

Applicant after: TOLS TIANXIANG NET AN INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 100084 2a201, 202, building 2, yard 1, Nongda South Road, Haidian District, Beijing

Applicant before: TOLS TIANXIANG NET AN INFORMATION TECHNOLOGY Co.,Ltd.

SE01 Entry into force of request for substantive examination
GR01 Patent grant