Disclosure of Invention
The invention aims to provide a log auditing method, a log auditing system, log auditing equipment and a log auditing medium based on multivariate log data analysis, so as to solve one or more technical problems. The log auditing method provided by the invention adopts a wide area data interaction log tracing technology based on the block chain, can avoid manual intervention, and has higher reliability and authority.
In order to achieve the purpose, the invention adopts the following technical scheme:
the log auditing method based on multivariate log data analysis provided by the first aspect of the invention comprises the following steps:
acquiring a log data analysis target;
based on the log data analysis target, locating the multivariate log data sources of the associated services distributed at the national, provincial and regional levels by using a blockchain-based log evidence storage and tracing method, to obtain a wide-area log;
parsing the unstructured and semi-structured original log records in the wide-area log into a structured form, and combining them with the structured original log records in the wide-area log to form structured data log records;
auditing is carried out based on the structured data log record, an audit report is obtained, and log auditing based on multivariate log data analysis is completed.
A further improvement of the present invention is that the step of obtaining the log data analysis target specifically includes: obtaining the log data analysis target based on preset service requirements and regulation cloud service types.
The invention is further improved in that, in the log evidence storing and tracing method based on the block chain:
the blockchain is an alliance chain;
the blockchain stores the information of a pre-constructed regulation and control model data traceability model suited to the blockchain; this model is built on PROV and comprises: entities, activities, and agents;
the object described by the entity is the data interaction operation, formally described as: data interaction operation = (data digest, interaction ID, initiator, operation name, extension field); where the data digest is the digest of the data operated on by the data interaction operation, and the interaction ID serves as the unique identifier of the interaction initiator;
the activity is formally described as: activity = (activity type, activity agent, extension field); where the activity type specifies the data operation type, the activity agent field holds the agent associated with the activity, and the extension field is reserved for function extension;
the agent is formally described as: agent = (agent type, agent ID, extension field);
in the log evidence storage process, uplink is implemented based on a preset operation log tracing contract;
in the log tracing process, query is implemented based on a preset operation tracing verification contract.
In the log evidence storage process, the step of implementing uplink based on the preset operation log tracing contract specifically includes:
when a client initiates a wide area data interaction, the wide area data interaction middleware triggers the operation log tracing contract to carry out the uplink record of the operation log, forming an operation log tracing chain;
the operation log tracing contract encapsulates Put, Delete, Update and Query operations, called for the respective cases of adding, deleting, modifying and querying data; the Put operation indicates that the remote data interaction operation adds new data, the Delete operation that it deletes data, the Update operation that it changes data, and the Query operation that it queries data;
the chain structure of the operation log tracing chain consists of nodes; each node comprises a node head and a node body, wherein the node head stores the Hash value of the interaction operation data content, and the node body comprises an interaction ID, an activity, an agent, a source end and a forward pointer; the source end field stores the Chinese name of the operating user, and the forward pointer stores the head Hash of the previous node.
In the log tracing process, the query implementation step based on the preset operation tracing verification contract specifically includes:
taking the Hash value of the specified data content as a parameter and passing it in through an interface preset by the operation tracing verification contract, to query the historical versions of the operation log tracing chain.
The invention is further improved in that the blockchain is implemented on the Fabric alliance chain platform under the Hyperledger project.
The invention has the further improvement that the step of auditing and obtaining an audit report based on the structured data log record and finishing log auditing based on multivariate log data analysis specifically comprises the following steps:
inputting the structured data log record into a pre-constructed log sequence anomaly detection model based on a self-attention mechanism, outputting a result through the log sequence anomaly detection model to form an audit report, and finishing log audit based on multivariate log data analysis;
the log sequence anomaly detection model models a log template sequence as a natural language sequence and takes word embeddings trained by a neural network as input; the model has a stacked LSTM layer for extracting the implicit patterns of the log sequence, and a self-attention layer for representing the dependencies among the logs in a sequence by calculating the similarity between them.
The log auditing system based on multivariate log data analysis provided by the second aspect of the invention comprises:
the analysis target acquisition module is used for acquiring a log data analysis target;
the wide-area log obtaining module is used for locating, based on the log data analysis target, the multivariate log data sources of the associated services distributed at the national, provincial and regional levels by using a blockchain-based log evidence storage and tracing method, to obtain a wide-area log;
the structured data log record acquisition module is used for analyzing unstructured and semi-structured original log records in the wide area log into a structured form and combining the unstructured and semi-structured original log records with the structured original log records in the wide area log to form structured data log records;
and the audit report acquisition module is used for auditing based on the structured data log record, acquiring an audit report and finishing log audit based on multivariate log data analysis.
A third aspect of the present invention provides a computer device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the log auditing method based on multivariate log data analysis according to any one of the above aspects of the present invention.
A fourth aspect of the present invention provides a computer-readable storage medium, which stores a computer program, and the computer program, when executed by a processor, implements the steps of the log auditing method based on multivariate log data analysis according to any one of the above aspects of the present invention.
Compared with the prior art, the invention has the following beneficial effects:
the log auditing method provided by the invention adopts a wide area data interaction log tracing technology based on the block chain, can avoid manual intervention, and has higher reliability and authority.
In the invention, a wide area data interaction model is first built (exemplarily, on the basis of the PROV standard model); second, the data tracing model is implemented using the blockchain's underlying distributed ledger and its programmability, so that data interaction action logs are recorded; finally, the uplink of the log is triggered automatically using blockchain smart contract technology. In principle, the tamper-resistance of the blockchain ensures the non-repudiation of the data interaction log and improves reliability; triggering the uplink of the log automatically through blockchain smart contract technology avoids manual intervention and improves the authority of the interaction log.
In the invention, the log sequence anomaly detection model can detect the unknown execution workflow sequence anomaly by inputting a normal log sequence mode into the model for training; the exemplary experimental results show that the overall accuracy of the detection model for log sequence anomaly detection is better than that of the existing method, and the time overhead is lower.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the accompanying drawings:
Example 1
Referring to fig. 1, a log auditing method based on multivariate log data analysis according to an embodiment of the present invention includes the following steps:
acquiring a log data analysis target;
based on the log data analysis target, locating the multivariate log data sources of the associated services distributed at the national, provincial and regional levels by using a blockchain-based log evidence storage and tracing method, to obtain a wide-area log;
parsing the unstructured and semi-structured original log records in the wide-area log into a structured form, and combining them with the structured original log records in the wide-area log to form structured data log records;
auditing is carried out based on the structured data log record, an audit report is obtained, and log auditing based on multivariate log data analysis is completed.
According to the log auditing method provided by the embodiment of the invention, the wide area data interaction log tracing technology based on the block chain is adopted, so that manual intervention can be avoided, and the log auditing method has higher reliability and authority.
Example 2
At present, as construction of the regulation cloud deepens, the regulation cloud is becoming the data collection center of the dispatching automation system, and data interaction among regulation cloud nodes deployed across regions is increasingly close. The data of the dispatching automation system has high privacy and accuracy requirements; the regulation cloud adopts a two-level deployment mode of national dispatching and provincial dispatching, so data and service interaction between the two levels of nodes must be highly secure and reliable, and data leakage and data tampering in wide area data interaction must be avoided. The embodiment of the invention aims to use data tracing and blockchain technology to study a data tracing technique suited to the wide area data interaction logs of the two-level regulation cloud, and to realize trusted recording and tracing of those logs. Specifically, the method adopts a blockchain-based wide area data interaction log tracing technology: first, the wide area data interaction process is modeled on a tracing model from data tracing research; second, the data tracing model is implemented with blockchain technology, so that data interaction action logs are recorded; finally, the uplink of the log is triggered automatically using blockchain smart contract technology, avoiding manual intervention and further improving the authority of the interaction log.
Referring to fig. 2, fig. 2 illustrates a regulation cloud overall architecture; specifically, the regulation cloud is an analysis decision center for power grid dispatching business, and aims to break through data barriers among power grid dispatching professionals, integrate various data such as power grid models, operation and real-time data, realize safe sharing of power grid data, improve power grid cognition, analysis and decision capability, guarantee safe operation of an extra-high voltage alternating current-direct current hybrid large power grid, and support clean energy consumption and market reformation. The overall design of the regulation cloud is a two-stage structure, the regulation cloud is divided into a leading node and a cooperative node, and each node constructs a double-active AB site; the leading node is deployed in national dispatching, and the cooperative nodes are deployed in each provincial dispatching center.
Referring to fig. 3, fig. 3 illustrates the partitioning of the regulation cloud data system. Specifically, the regulation cloud is built with a model data platform, an operation data platform, a real-time data platform and a big data platform for aggregating the various data of the service systems; a data exchange platform is also established as the hub for data exchange between the regulation cloud and other external systems. Inside the regulation cloud, the data of the individual data platforms are not isolated islands: data of the operation data platform is collected by the real-time data platform, and the historical data stored by the big data platform overlaps with the data stored by the operation data platform. Data from each service system is aggregated into the platforms according to service requirements and shared externally through the data exchange platform, while data interaction between the two levels of the regulation cloud is carried out through the wide area data interaction component. For the various operations in the data interaction process, the whole process is tracked and traced on the premise of the regulation cloud's data sharing concept, so that data quality is guaranteed and key links are controlled.
Referring to fig. 4, in the log auditing method based on multivariate log data analysis according to the embodiment of the present invention, log auditing is divided, according to the structural characteristics of the wide area logs on the regulation cloud, into the following key steps:
(1) Business analysis, including: determining the target of log data analysis by combining daily business requirements with the specific service types of the regulation cloud (such as consistency check, metadata and the like).
(2) Log data source location, including: locating the associated services distributed at the national and provincial levels by using the blockchain-based log evidence storage and tracing technology.
Illustratively, the key to data tracing technology is a formal data tracing model built around the data itself; the model defines the functional boundaries of data tracing, i.e., which information about the data is traced, which operations on the data are traced, and in what form this "metadata" is stored. Data is used differently in different business scenarios, so the regulation model data and the specific business involved need to be modeled to meet actual data tracing requirements. Referring to fig. 5, the regulation cloud architecture creates a requirement for wide area data interaction; in wide area data interaction, the security of the data itself and the security of data operations are the key factors that determine data quality, and recording logs of the wide area data interaction makes version backtracking and problem location possible to a great extent. The embodiment of the invention is based on the PROV standard for data tracing, targets the two-level regulation cloud system, and provides an operation log data tracing model based on a blockchain (alliance chain); the operation log tracing model is implemented with blockchain smart contracts, and two cooperating smart contracts are designed to complete the uplink recording of the operation log and the verification of the operation log. The invention also uses the characteristics of the blockchain in member management, distributed consensus and the like to prevent malicious users/malicious contracts from tampering with the data, ensuring the reliability of the operation log tracing history.
The blockchain of the embodiment of the invention stores the information of a pre-constructed regulation and control model data traceability model suited to the blockchain; the model is built on PROV and comprises: entities, activities, and agents. The embodiment of the invention is mainly concerned with tracing wide area data interaction actions, so the object described by the data entity is the "data interaction" operation, which is abstracted as the following object: data interaction operation = (data digest, interaction ID, initiator, operation name, extension field). The data digest is the digest of the data operated on by the data interaction operation and is used to locate data quickly when the operation log is analyzed later; the interaction ID is the unique identifier of the interaction initiator; the Source field records the Chinese name of the data interaction initiator, which facilitates manual identification; and the Ext field is reserved for future function extension. The activity (Activity) during wide area data interaction can be described in the same way with the following structure: activity = (activity type, activity agent, extension field); where the activity type specifies which operation this is, namely adding, deleting, modifying or querying data, the activity agent field holds the agent associated with the activity, and the extension field is reserved for future function extension.
Modeling the agent is simpler. The subjects that initiate wide area data interaction are mainly of 2 types, namely production systems and business systems; a production system mainly "adds" data, while a business system mainly "deletes, modifies and queries" data and also adds its own business data. Data may also be handled manually, for example when operation and maintenance personnel maintain data by hand, so agent modeling mainly considers the agent type and the agent identifier, and the agent is formally described as: agent = (agent type, agent ID, extension field). After an entity undergoes an activity its state changes, and as different agents keep initiating activities a singly linked list is formed, as shown in fig. 5; starting from the state of an entity at a given node, the complete change history of the entity can be traced back. In an exemplary embodiment of the present invention, the entities, activities, agents and other information of the data tracing model are stored on the blockchain. Data stored in the blockchain's distributed ledger is globally consistent and cannot be tampered with, which guarantees the security and credibility of the data tracing evidence; meanwhile, smart contract technology makes the data tracing process execute automatically.
Referring to fig. 6, based on the data tracing model, the embodiment of the present invention designs two cooperating smart contracts, the operation log tracing contract and the operation tracing verification contract, which respectively handle the uplink of log tracing metadata and the queries made during tracing. The operation log tracing contract interacts directly with the user program: when a client (a person or a program) initiates a wide area data interaction, the wide area interaction middleware triggers the operation log tracing contract to carry out the uplink record of the operation log. Alliance chain smart contracts provide only basic Put and Get operations; to offer friendlier data read/write interfaces, the operation log tracing contract encapsulates Put, Delete, Update and Query operations according to the common patterns of service data, to be called for the respective cases of adding, deleting, modifying and querying data, and the wide area data interaction middleware passes the data digest, application ID, operation name and the like of the operated data to the smart contract as JSON. Once the smart contract is triggered and begins executing, identity verification is performed first; after it passes, the interface function of the same name in the smart contract is called to complete the operation, and the result is returned to the operation initiator. The operation log tracing contract thus has four interfaces, Put, Delete, Update and Query, through which the operation log tracing chain is built; the structure of the tracing chain is shown in fig. 7.
The four operations on the operation log tracing chain work as follows: first, the Put operation indicates that the remote data interaction operation adds new data, and a new operation log tracing chain is initialized at the same time, that is, its head node is initialized; second, the Delete operation indicates that the remote data interaction operation deletes data, and the tracing chain does not grow after the data is deleted; third, the Update operation indicates that the remote data interaction operation changes data, and the Update operation extends the tracing chain; fourth, the Query operation indicates that the remote data interaction operation is a query, and the Query operation extends the tracing chain.
Referring to fig. 7, the chain structure of the operation log tracing chain consists of nodes, each of which includes a node head (Header) and a node body (Body). The node head stores the Hash value of the interaction operation data content, so the actual data can be indexed quickly; the node body contains five items: application ID, action, agent, source end and forward pointer. The application ID is the unique identifier of the application or person initiating the operation; the action is the operation performed on the data this time; the agent is the user name that initiated the action; the source end field stores the Chinese name of the user performing this operation; and the forward pointer stores the head Hash of the previous node and is used for history backtracking when the data is traced.
Blockchains can be divided into three categories according to how open the blockchain network is: public chains, alliance chains and private chains. The public chain appeared first and has developed continuously as the underlying technology of the digital currency Bitcoin. A public chain network is open to all users and is "completely decentralized": any client that complies with the network protocol can freely join or leave the network. The operation and management authority of a private chain belongs entirely to its owner, so it is completely centralized in its business model; the difference between a private chain and a public chain is analogous to the difference between an intranet and the Internet. The openness of an alliance chain lies between that of a public chain and a private chain; it is "multi-centralized": its operation and management authority belongs to several organizations in the alliance, its structure distinguishes administrative users from ordinary users, and admission control can be applied to nodes joining the network. The alliance chain retains the consensus mechanism and trust model of the blockchain while offering controllable permissions and excellent performance, which makes it suitable for use across departments within an enterprise or across enterprises; this is an important reason for choosing the alliance chain as the prototype for implementing the invention. Power grid regulation is a business that requires integration and overall coordination: regulation data comes from many sources and is scattered across dispatching organizations and departments at all levels, data sharing and permission control are both required, and the trust model of the blockchain is used to guarantee the accuracy and reliability of the data; alliance chain technology meets these requirements.
The term "smart contract" was proposed in 1995 by Nick Szabo, a cross-disciplinary legal scholar. He defined a smart contract as "a set of digitally defined commitments (promises), including the protocols under which the contract participants can carry out these commitments". Beginning in 2009, the smart contract concept was increasingly put into practice in technical frameworks representative of blockchain 2.0, such as Ethereum and Hyperledger. A smart contract is a program running on a blockchain system, and the blockchain ensures that neither the content of the smart contract nor its execution result can be tampered with. Smart contracts make the blockchain programmable, so the trust model offered by the blockchain becomes more general and is no longer limited to digital currency. In the embodiment of the invention, a blockchain-based wide area data interaction log traceability model is designed, and a group of automatically triggered smart contract programs is designed and implemented on the blockchain, reducing manual intervention in the recording of interaction logs. The blockchain-based data interaction log tracing technology first completes the design of the data tracing model, then designs a group of smart contracts according to that model and deploys them to the blockchain for execution; during data interaction, the wide area interaction application must call the smart contract interface to record the operation log. The smart contract technology of the alliance chain ensures that every operation on the data is authorized, and that any interaction operation, once completed, triggers the execution of the log recording contract and is written into the blockchain ledger.
Referring to fig. 8 and 9, the embodiment of the present invention is implemented on the Fabric alliance chain platform under the Hyperledger project. When a user performs a wide area data interaction, the operation log initialization program is triggered and the operation log begins to be recorded on the blockchain. In the embodiment of the present invention, writing an operation log record into the blockchain includes the following: first, access control is performed by the identity authentication and permission control mechanism particular to the alliance chain; Fabric uses a Public Key Infrastructure (PKI) system to generate digital certificates for members to identify users, and uses a modular membership service (MSP) component for identity authentication and permission control; second, once the user's identity is verified, data interaction is completed in the smart contract layer, which has two cooperating contracts, the operation log tracing contract and the operation tracing verification contract: the operation log tracing contract is called when the wide area interaction program sends data and completes the writing of the operation log, and the operation tracing verification contract traces and verifies the user's data operation records with the ID as the index; the writing process and multi-point storage of the distributed ledger ensure that the operation records are reliable.
The operation tracing verification contract connects to application layer visualization tools or other related applications and provides interfaces for querying the operation log tracing chain. Its main functions are current version query and history backtracking, and the Hash value of the data content can be specified as a parameter: the current version query function returns the latest operation information for the data, and the history backtracking function returns N versions of the data, that is, the history of changes to the data, with N passed to the calling interface as a parameter. Using the permission control mechanism of the alliance chain, the operation tracing verification contract can be opened to users as needed; identity authentication is performed before the smart contract executes, and only when authentication passes can the actual interface call be made to obtain the required data.
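The node structure, the four contract operations and the history backtracking query described above can be modeled in memory as follows; this is an added example, not the patent's contract code and not Fabric chaincode. SHA-256 as the hash, a Node doubling as the request passed by the middleware, rejecting operations on a stale version, and treating Delete as closing the chain without adding a node are all assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Agent and Activity mirror the tuples in the text (extension fields omitted).
type Agent struct{ Type, ID string }
type Activity struct{ Type, AgentID string }

// Node is one chain link and also the request shape (an assumption): Head is
// the content hash after the operation, Prev the hash of the version acted on.
type Node struct {
	Head          string // node head: hash of the interaction data content
	InteractionID string
	Activity      Activity
	Agent         Agent
	Source        string // display name of the operating user
	Prev          string // forward pointer: head hash of the previous node
}

type chain struct {
	nodes  []Node
	closed bool // set once the data has been deleted
}

// Ledger maps each head hash to its chain; it stands in for the real ledger.
type Ledger map[string]*chain

var (
	ErrUnknown = errors.New("no tracing chain for this hash")
	ErrClosed  = errors.New("data deleted: chain no longer grows")
	ErrStale   = errors.New("hash is not the current version")
	ErrBroken  = errors.New("forward pointer does not match previous head")
)

// Digest uses SHA-256 (an assumption; the text names no hash algorithm).
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Invoke dispatches Put, Update, Query and Delete by operation name.
func (l Ledger) Invoke(n Node) error {
	c, op := l[n.Prev], n.Activity.Type
	switch {
	case op == "Put" && l[n.Head] == nil: // new data: start a chain at its head node
		n.Prev, c = "", &chain{}
	case op == "Put":
		return errors.New("content already has a tracing chain")
	case c == nil:
		return ErrUnknown
	case c.closed:
		return ErrClosed
	case c.nodes[len(c.nodes)-1].Head != n.Prev:
		return ErrStale
	case op == "Delete": // assumption: deletion closes the chain, adds no node
		c.closed = true
		return nil
	case op == "Query": // a read leaves the content hash unchanged
		n.Head = n.Prev
	case op != "Update":
		return errors.New("unknown operation")
	}
	c.nodes = append(c.nodes, n)
	l[n.Head] = c
	return nil
}

// History returns up to k nodes, newest first, verifying each forward pointer.
func (l Ledger) History(hash string, k int) ([]Node, error) {
	c := l[hash]
	if c == nil {
		return nil, ErrUnknown
	}
	i := len(c.nodes) - 1
	for i > 0 && c.nodes[i].Head != hash {
		i--
	}
	var out []Node
	for ; i >= 0 && len(out) < k; i-- {
		if i > 0 && c.nodes[i].Prev != c.nodes[i-1].Head {
			return out, ErrBroken
		}
		out = append(out, c.nodes[i])
	}
	return out, nil
}

func main() {
	l, v1, v2 := Ledger{}, Digest([]byte("model v1")), Digest([]byte("model v2")) // constructed data
	l.Invoke(Node{Head: v1, InteractionID: "ix-1", Activity: Activity{"Put", "app-07"}})
	l.Invoke(Node{Head: v2, InteractionID: "ix-2", Activity: Activity{"Update", "app-07"}, Prev: v1})
	hist, err := l.History(v2, 5)
	fmt.Println(len(hist), "versions, linkage error:", err)
}
```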
(3) Log parsing, including: parsing each unstructured and semi-structured original log record into a structured form by a log template extraction method.
(4) Log anomaly detection and diagnosis, which mainly comprises establishing an anomaly detection model and analyzing the causes of anomalies, providing an important reference for research and development personnel managing systems and application services. Based on the system's historical anomaly data, artificial intelligence algorithms such as data classification, data analysis and data mining are used to establish the relationship among the system's historical anomalies, its current operating state and potential future anomalies, so as to predict anomalies of the regulation cloud system; the local and overall running state of the system is judged from the access log records of each application service, so that current system anomalies are monitored and future system faults or application service faults are predicted. Finally, on the one hand, the resulting audit conclusions provide an auxiliary strategy for regulation cloud research and development personnel in engineering defect elimination and scheduled operation and maintenance, guaranteeing safe and stable operation of application service access; on the other hand, they provide a basis for formulating scientific and reasonable maintenance plans and emergency response measures, so as to reduce the probability of abnormal events in application service access, shorten the time needed to handle them, and predict data, service or system anomalies in advance.
Illustratively, the invention provides a log sequence anomaly detection model based on an attention mechanism that can effectively detect anomalies in shorter log sequences. The model treats a log template sequence as a natural language sequence and takes word embeddings trained by a neural network as the input of the anomaly detection model, so that the semantic regularities of the log templates in the current log sequence can be expressed, dimensionality is reduced, and the computation of the whole model is accelerated. The stacked LSTM layers in the model effectively extract the implicit patterns of the log sequence, and the self-attention layer better learns the internal structure of a sequence by computing the similarity between logs in the sequence to express their dependency relationships. By training the model on normal log sequence patterns, the anomaly detection model can detect anomalies in unknown execution workflow sequences. Experimental results show that the overall accuracy of the detection model in detecting log sequence anomalies is better than that of existing methods, and its time overhead is lower.
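The current-version query and history backtracking interface of the operation traceability verification contract described above, sketched as an added Python example that is not code from the patent. An in-memory class stands in for the on-chain contract; the record layout (PROV-style `entity`, `activity`, `agent`, plus a `seal` hash), the class and method names and the identities used to call it are assumptions.

```python
import hashlib
import json

def seal(fields: dict) -> str:
    """SHA-256 over the canonical JSON of a record's fields (assumed format)."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class TraceabilityContract:
    """In-memory stand-in for the operation traceability verification contract."""
    def __init__(self, members):
        self.members = set(members)  # identities that pass authentication
        self.records = {}            # content hash -> provenance record
        self.head = {}               # any version's hash -> newest version's hash

    def _authenticate(self, caller):
        if caller not in self.members:
            raise PermissionError(f"identity {caller!r} failed authentication")

    def record_operation(self, agent, activity, content: bytes, prev_hash=None):
        """Chain one operation; the entity is the hash of the new data content."""
        self._authenticate(agent)
        entity = hashlib.sha256(content).hexdigest()
        stale = prev_hash is not None and self.head.get(prev_hash) != prev_hash
        if stale or entity in self.records:
            raise ValueError("stale prev_hash or content already chained")
        rec = {"entity": entity, "prev": prev_hash, "activity": activity, "agent": agent}
        rec["seal"] = seal(rec)
        self.records[entity] = rec
        for h, head in list(self.head.items()):  # repoint the lineage to the new head
            if head == prev_hash:
                self.head[h] = entity
        self.head[entity] = entity
        return entity

    def current_version(self, caller, content_hash):
        """Latest operation information for the data that content_hash belongs to."""
        self._authenticate(caller)
        return self.records[self.head[content_hash]]

    def history(self, caller, content_hash, n):
        """Return at most n versions, newest first, verifying each record's seal."""
        self._authenticate(caller)
        out, cursor = [], self.head[content_hash]
        while cursor is not None and len(out) < n:
            rec = self.records[cursor]
            if seal({k: v for k, v in rec.items() if k != "seal"}) != rec["seal"]:
                raise ValueError(f"record {cursor} was modified after chaining")
            out.append(rec)
            cursor = rec["prev"]
        return out
```

Every call, including a read, goes through `_authenticate` first, and `history` recomputes each seal while walking back, so a record altered after chaining stops the query instead of being returned as history.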
In summary, log audit means that various kinds of information in an information system, such as system security events, user access records, system operation logs and system operating states, are collected centrally, processed by normalization, filtering, merging and alarm analysis, and then stored and managed centrally as logs in a uniform format; combined with rich log statistics, summarization and correlation analysis functions, this achieves a comprehensive audit of information system logs. In the invention, multivariate log data are collected along multiple dimensions such as service range, time, network security, and operation and maintenance requirements; data-driven correlation modeling is carried out using the collected service access logs; a log anomaly detection model based on an intelligent algorithm is established; multi-dimensional data analysis and mining are performed; and the influence of the internal relations among multiple parallel application services is tracked, so as to achieve unified management of defects and faults, hidden-danger analysis, fault localization, security early warning, and prevention before and analysis after faults. The core inventive points of the technical solution of the invention comprise:
(1) The wide-area data interaction model is modeled first, and the data traceability model is implemented using the underlying distributed ledger of the block chain and its programmability; the tamper-resistance of the block chain ensures non-repudiation of the data interaction log, prevents a malicious user or malicious contract from tampering with the data, and ensures the reliability of the operation log's traceability history.
(2) Automatic triggering and on-chain recording of logs are realized using block chain smart contract technology, which avoids manual intervention and further improves the authority of the interaction logs.
(3) Based on the historical abnormal data of the system, and through log evidence storage and log tracing, artificial intelligence algorithms such as data classification, data analysis and data mining are used to establish the relation among the historical abnormal conditions of the system, its current running state and potential future abnormal conditions, realizing prediction of abnormal conditions of the regulation and control cloud system.
(4) For the block-chain-based wide-area data interaction log storage and auditing technology, the invention provides an application service log data traceability model for the block chain (alliance chain) based on the PROV data provenance standard; the application service log traceability model is actually built on block chain smart contracts, and two cooperating smart contracts are designed to perform on-chain storage of application service logs and tracing of application service logs.
Example 3
The following are apparatus embodiments of the present invention, which may be used to perform the method embodiments of the present invention; for details not described in the apparatus embodiments, please refer to the method embodiments of the present invention.
Referring to fig. 10, a log auditing system based on multivariate log data analysis according to an embodiment of the present invention includes:
the analysis target acquisition module is used for acquiring a log data analysis target;
the wide-area log obtaining module is used for carrying out multi-element log data source positioning on the associated services distributed in the country and the province and the region by utilizing a log evidence storing and tracing method based on the block chain based on the log data analysis target to obtain a wide-area log;
the structured data log record acquisition module is used for analyzing unstructured and semi-structured original log records in the wide area log into a structured form and combining the unstructured and semi-structured original log records with the structured original log records in the wide area log to form structured data log records;
and the audit report acquisition module is used for auditing based on the structured data log record, acquiring an audit report and finishing log audit based on multivariate log data analysis.
Example 4
In yet another embodiment of the present invention, a computer device is provided that includes a processor and a memory, the memory storing a computer program comprising program instructions and the processor executing the program instructions stored in the computer storage medium. The processor may be a Central Processing Unit (CPU), or another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. It is the computing core and control core of the terminal, and is specifically adapted to load and execute one or more instructions in a computer storage medium to implement a corresponding method flow or a corresponding function; the processor provided by the embodiment of the invention can be used to run the log auditing method based on multivariate log data analysis.
Example 5
In yet another embodiment of the present invention, a storage medium, in particular a computer-readable storage medium (memory), is provided, which is a memory device in a computer device for storing programs and data. It is understood that the computer-readable storage medium here can include both built-in storage media in the computer device and, of course, extended storage media supported by the computer device. The computer-readable storage medium provides a storage space that stores the operating system of the terminal. One or more instructions, which may be one or more computer programs (including program code), are also stored in this storage space and are adapted to be loaded and executed by the processor. It should be noted that the computer-readable storage medium may be a high-speed RAM memory, or may be a non-volatile memory, such as at least one disk memory. One or more instructions stored in the computer-readable storage medium may be loaded and executed by a processor to perform the corresponding steps of the log auditing method based on multivariate log data analysis in the above embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.