CN114020726A - Log auditing method, system, equipment and medium based on multivariate log data analysis - Google Patents
- Publication number: CN114020726A
- Application number: CN202111424905.8A
- Authority: CN (China)
- Prior art keywords: log, data, tracing, data analysis, multivariate
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a log auditing method, system, equipment and medium based on multivariate log data analysis. The method comprises the following steps: acquiring a log data analysis target; based on the log data analysis target, performing multivariate log data source location on the associated services distributed at the national, provincial and regional levels by using a blockchain-based log evidence-storage and tracing method, to obtain a wide-area log; parsing the unstructured and semi-structured original log records in the wide-area log into a structured form, and combining them with the structured original log records in the wide-area log to form structured data log records; and auditing based on the structured data log records to obtain an audit report, completing the log audit based on multivariate log data analysis. The log auditing method provided by the invention adopts a blockchain-based wide-area data interaction log tracing technology, can avoid manual intervention, and has higher reliability and authority.
Description
Technical Field
The invention belongs to the technical field of log auditing, and particularly relates to a log auditing method, system, equipment and medium based on multivariate log data analysis.
Background
With the development and deepening of regulation cloud construction, interaction among the regulation cloud's leading node, cooperative nodes and source data ends is becoming tighter. In wide-area data interaction, the security of the data itself and the security of data operations are the key factors determining data quality. Application service access log data covers the full range of services, all time types and all time dimensions, and contains key information about the operation of the regulation cloud system. Recording the logs of wide-area data interaction makes version backtracking and problem location possible to a great extent, and these logs play a vital guiding role for operation and maintenance personnel in activities such as system maintenance and equipment state monitoring in actual production work. Version backtracking and problem location both involve data tracing technology.
At present, research on data tracing technology at home and abroad is concentrated mainly in academia. As big data technology matures, data sharing has become an important way of mining the value of data, and research on data tracing has become more widely known. Illustratively, Bower S et al. point out the technical problems currently faced in secure data tracing and propose that secure and trusted tracing must guarantee the integrity, confidentiality and availability of tracing records. In research on data tracing models, Sudha et al. propose the W7 model. In 2006, the International Provenance and Annotation organization (IPAW) was established, dedicated to research on data tracing technologies and their standardization. In 2008, Sahoo et al. proposed the Provenir data tracing model, which mainly targets database data tracing and forms a complete system from data storage up to upper-layer services. In 2012, the fourth IPAW conference proposed the PROV data model (PROV-DM), which is currently a relatively common data tracing model. The paper by Yogesh treats data tracing as metadata that tracks the evolution of data, provides a classification standard for data tracing based on that metadata, divides data tracing into four classes, and emphasizes its importance. However, traditional data tracing currently uses a centralized tracing system, which suffers from the unreliability of a single-point system. In addition, current data tracing models lack a uniform standard, which makes integrated analysis of information across data platforms more difficult. Because of these defects in existing tracing technology, existing methods for auditing cloud wide-area data interaction logs that are built on it also suffer from poor reliability and low authority.
In conclusion, the field of power dispatching automation is actively building an open, shared data ecosystem to further promote the practical application of big data and artificial intelligence. In a dispatching automation production system, data is highly important and highly private; in cross-region and cross-department data sharing services, besides encrypting data in transit, it is essential to record data operation logs. Existing methods for auditing cloud wide-area data interaction logs cannot meet the reliability requirement, and a new log auditing method and system based on multivariate log data analysis is urgently needed.
Disclosure of Invention
The invention aims to provide a log auditing method, system, equipment and medium based on multivariate log data analysis, so as to solve one or more of the above technical problems. The log auditing method provided by the invention adopts a blockchain-based wide-area data interaction log tracing technology, can avoid manual intervention, and has higher reliability and authority.
In order to achieve the purpose, the invention adopts the following technical scheme:
The log auditing method based on multivariate log data analysis provided by the first aspect of the invention comprises the following steps:
acquiring a log data analysis target;
based on the log data analysis target, performing multivariate log data source location on the associated services distributed at the national, provincial and regional levels by using a blockchain-based log evidence-storage and tracing method, to obtain a wide-area log;
parsing the unstructured and semi-structured original log records in the wide-area log into a structured form, and combining them with the structured original log records in the wide-area log to form structured data log records;
auditing based on the structured data log records to obtain an audit report, completing the log audit based on multivariate log data analysis.
A further improvement of the invention is that the step of acquiring the log data analysis target specifically includes: obtaining the log data analysis target based on preset service requirements and regulation cloud service types.
A further improvement of the invention is that, in the blockchain-based log evidence-storage and tracing method:
the blockchain is a consortium chain;
the blockchain stores information of a pre-constructed regulation model data tracing model suited to the blockchain; this model is built on PROV and comprises entities, activities and agents;
the object described by an entity is a data interaction operation, formally described as: data interaction operation = (data digest, interaction ID, initiating end, operation name, extension field); where the data digest is the digest of the data operated on by the data interaction operation, and the interaction ID serves as the unique identifier of the interaction initiator;
an activity is formally described as: activity = (activity type, activity agent, extension field); where the activity type specifies the type of data operation, the activity agent field identifies the agent associated with the activity, and the extension field is reserved for functional extension;
an agent is formally described as: agent = (agent type, agent ID, extension field);
in the log evidence-storage process, on-chain recording (uplink) is implemented by a preset operation log tracing contract;
in the log tracing process, queries are implemented by a preset operation tracing verification contract.
In the log evidence-storage process, the step of implementing on-chain recording based on the preset operation log tracing contract specifically includes:
when a client initiates a wide-area data interaction, the wide-area data interaction middleware triggers the operation log tracing contract to record the operation log on the chain, forming an operation log tracing chain;
the operation log tracing contract encapsulates the Put, Delete, Update and Query operations, which are called for adding, deleting, modifying and querying data respectively; Put means the remote data interaction operation adds new data, Delete means it deletes data, Update means it changes data, and Query means it queries data;
the operation log tracing chain is a chain of nodes; each node comprises a node head and a node body, where the node head stores the Hash value of the interaction operation data content, and the node body comprises an interaction ID, an activity, an agent, a source end and a forward pointer; the source end field stores the Chinese name of the operating user, and the forward pointer stores the head Hash of the previous node.
In the log tracing process, the step of implementing queries based on the preset operation tracing verification contract specifically includes:
taking the Hash value of the specified data content as a parameter and passing it to the interface preset by the operation tracing verification contract, to query the historical versions in the operation log tracing chain.
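The node layout and history query described above can be sketched as follows. This is an added illustration, not code from the patent: an in-memory dictionary stands in for the consortium-chain ledger, all class and function names are hypothetical, and the head hash is assumed to cover (data digest, interaction ID, operation name) so that a Put and a later Delete of the same content get distinct heads.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

OPERATIONS = ("Put", "Delete", "Update", "Query")  # operations the tracing contract wraps


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compute_head(data_digest: str, interaction_id: str, activity: str) -> str:
    # Assumption of this sketch: the head covers the interaction record, not the
    # raw content alone, so Put and Delete of identical content do not collide.
    record = json.dumps([data_digest, interaction_id, activity], separators=(",", ":"))
    return sha256_hex(record.encode("utf-8"))


@dataclass(frozen=True)
class Node:
    head: str                  # node head: hash of the interaction record
    data_digest: str           # digest of the data the operation touched
    interaction_id: str
    activity: str              # one of OPERATIONS
    agent: str
    source: str                # name of the operating user
    prev_head: Optional[str]   # forward pointer: head hash of the previous node


class TraceChain:
    """In-memory stand-in for the ledger state (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.tip: Optional[str] = None

    def record(self, activity: str, content: bytes, interaction_id: str,
               agent: str, source: str) -> str:
        """Append one operation-log node and return its head hash."""
        if activity not in OPERATIONS:
            raise ValueError(f"unknown operation: {activity!r}")
        digest = sha256_hex(content)
        head = compute_head(digest, interaction_id, activity)
        if head in self.nodes:
            raise ValueError("interaction record already on the chain")
        self.nodes[head] = Node(head, digest, interaction_id, activity,
                                agent, source, self.tip)
        self.tip = head
        return head

    def history(self, head: str) -> List[Node]:
        """Follow forward pointers from `head` back to the first node."""
        found, seen, cur = [], set(), head
        while cur is not None:
            if cur in seen:
                raise ValueError("forward pointers form a cycle")
            if cur not in self.nodes:
                raise KeyError(f"no node with head {cur[:8]}")
            seen.add(cur)
            found.append(self.nodes[cur])
            cur = self.nodes[cur].prev_head
        return found

    def verify(self, head: str) -> List[str]:
        """Audit the chain behind `head`; an empty list means it is consistent."""
        problems, seen, cur = [], set(), head
        while cur is not None:
            node = self.nodes.get(cur)
            if node is None:
                problems.append(f"dangling pointer {cur[:8]}")
                break
            if cur in seen:
                problems.append(f"cycle at {cur[:8]}")
                break
            seen.add(cur)
            if compute_head(node.data_digest, node.interaction_id, node.activity) != cur:
                problems.append(f"head mismatch at {cur[:8]}")
            cur = node.prev_head
        return problems


def content_matches(node: Node, content: bytes) -> bool:
    """Check that data presented to the auditor is the version the node recorded."""
    return sha256_hex(content) == node.data_digest


if __name__ == "__main__":
    chain = TraceChain()  # constructed sample interactions
    chain.record("Put", b"grid-model v1", "ix-001", "sync-service", "Operator A")
    tip = chain.record("Update", b"grid-model v2", "ix-002", "sync-service", "Operator B")
    for n in chain.history(tip):
        print(n.activity, n.interaction_id, n.data_digest[:12], n.prev_head and n.prev_head[:8])
    print("problems:", chain.verify(tip))
```

The head hash in this sketch does not cover the body fields (agent, source end, forward pointer); in the scheme the page describes, their integrity rests on the ledger itself rather than on this dictionary.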
A further improvement of the invention is that the blockchain is implemented on the Fabric consortium chain platform under the Hyperledger project.
A further improvement of the invention is that the step of auditing based on the structured data log records, obtaining an audit report and completing the log audit based on multivariate log data analysis specifically includes:
inputting the structured data log records into a pre-constructed log sequence anomaly detection model based on a self-attention mechanism, and forming the audit report from the result output by the model, completing the log audit based on multivariate log data analysis;
the log sequence anomaly detection model treats a log template sequence as a natural language sequence and takes word embeddings trained by a neural network as input; the model has a stacked LSTM layer for extracting the implicit patterns of the log sequence, and a self-attention layer that represents the dependencies between logs in a sequence by computing the similarity between logs.
The log auditing system based on multivariate log data analysis provided by the second aspect of the invention comprises:
an analysis target acquisition module, used for acquiring a log data analysis target;
a wide-area log acquisition module, used for performing, based on the log data analysis target, multivariate log data source location on the associated services distributed at the national, provincial and regional levels by using a blockchain-based log evidence-storage and tracing method, to obtain a wide-area log;
a structured data log record acquisition module, used for parsing the unstructured and semi-structured original log records in the wide-area log into a structured form and combining them with the structured original log records in the wide-area log to form structured data log records;
an audit report acquisition module, used for auditing based on the structured data log records, obtaining an audit report and completing the log audit based on multivariate log data analysis.
A third aspect of the present invention provides a computer device, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the log auditing method based on multivariate log data analysis according to any one of the above aspects of the present invention.
A fourth aspect of the present invention provides a computer-readable storage medium, which stores a computer program, and the computer program, when executed by a processor, implements the steps of the log auditing method based on multivariate log data analysis according to any one of the above aspects of the present invention.
Compared with the prior art, the invention has the following beneficial effects:
The log auditing method provided by the invention adopts a blockchain-based wide-area data interaction log tracing technology, can avoid manual intervention, and has higher reliability and authority.
In the invention, the wide-area data interaction process is first modeled (illustratively, on the basis of the PROV standard model); second, the data tracing model is implemented using the blockchain's underlying distributed ledger and its programmability, so that data interaction action logs are recorded; finally, blockchain smart contract technology automatically triggers on-chain recording of the logs. In principle, the tamper resistance of the blockchain ensures the non-repudiation of the data interaction logs and improves reliability; automatic triggering of on-chain log recording by smart contracts avoids manual intervention and improves the authority of the interaction logs.
In the invention, the log sequence anomaly detection model is trained on normal log sequence patterns and can then detect previously unknown anomalies in execution workflow sequences; exemplary experimental results show that the overall accuracy of the detection model for log sequence anomaly detection is better than that of existing methods, with lower time overhead.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly introduced below; it is obvious that the drawings in the following description are some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
FIG. 1 is a schematic flow chart of a log auditing method based on multivariate log data analysis according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a regulatory cloud architecture according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a regulation cloud data system partition according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of a log auditing method based on multivariate log data analysis according to another embodiment of the present invention;
FIG. 5 is a schematic diagram of a regulation model data tracing model applied to a blockchain according to an embodiment of the present invention;
FIG. 6 is a blockchain-based data tracing architecture in an embodiment of the present invention;
FIG. 7 is a schematic diagram of a data tracing singly-linked list according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a collaborative flow of an operation log tracing contract according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the basic structure of an operation log tracing chain in an embodiment of the present invention;
FIG. 10 is a schematic diagram of a log auditing system based on multivariate log data analysis according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the accompanying drawings:
Example 1
Referring to fig. 1, a log auditing method based on multivariate log data analysis according to an embodiment of the present invention includes the following steps:
acquiring a log data analysis target;
based on the log data analysis target, performing multivariate log data source location on the associated services distributed at the national, provincial and regional levels by using a blockchain-based log evidence-storage and tracing method, to obtain a wide-area log;
parsing the unstructured and semi-structured original log records in the wide-area log into a structured form, and combining them with the structured original log records in the wide-area log to form structured data log records;
auditing based on the structured data log records to obtain an audit report, completing the log audit based on multivariate log data analysis.
The log auditing method provided by the embodiment of the invention adopts a blockchain-based wide-area data interaction log tracing technology, so that manual intervention can be avoided and the method has higher reliability and authority.
Example 2
At present, as construction of the regulation cloud deepens further, the regulation cloud has become the data collection center of the dispatching automation system, and data interaction among regulation cloud nodes deployed across regions is increasingly tight. The data of the dispatching automation system has high privacy and accuracy requirements. The regulation cloud adopts a two-level deployment of national dispatching and provincial dispatching; data and service interaction between the two levels of nodes inherently requires high security and reliability, and data leakage and data tampering in wide-area data interaction must be avoided. The embodiment of the invention uses data tracing and blockchain technology to develop a data tracing technique suited to the wide-area data interaction logs of the two-level regulation cloud, achieving trusted recording and tracing of those logs. Specifically, the method adopts a blockchain-based wide-area data interaction log tracing technology: first, the wide-area data interaction process is modeled on a tracing model from data tracing research; second, the data tracing model is implemented with blockchain technology so that data interaction action logs are recorded; finally, blockchain smart contract technology automatically triggers on-chain recording of the logs, avoiding manual intervention and further improving the authority of the interaction logs.
Referring to fig. 2, fig. 2 illustrates the overall architecture of the regulation cloud. Specifically, the regulation cloud is an analysis and decision center for power grid dispatching business. It aims to break down the data barriers between power grid dispatching specialties; integrate data such as power grid models, operation data and real-time data; enable secure sharing of power grid data; improve the ability to understand, analyze and make decisions about the power grid; guarantee safe operation of the extra-high-voltage AC/DC hybrid large power grid; and support clean energy consumption and market reform. The regulation cloud is designed as a two-level structure divided into a leading node and cooperative nodes, and each node builds dual-active AB sites; the leading node is deployed at national dispatching, and the cooperative nodes are deployed at each provincial dispatching center.
Referring to fig. 3, fig. 3 illustrates the partitioning of the regulation cloud data system. Specifically, the regulation cloud builds a model data platform, an operation data platform, a real-time data platform and a big data platform to aggregate the various data of the service systems; a data exchange platform is also established as the hub for data exchange between the regulation cloud and other external systems. Inside the regulation cloud, the data of the individual platforms are not isolated islands: the data of the operation data platform is collected by the real-time data platform, and the historical data stored by the big data platform overlaps with the data stored by the operation data platform. Data from each service system is collected into the platforms according to service requirements and shared externally through the data exchange platform, and data interaction between the two levels of the regulation cloud is carried out through the wide-area data interaction component. For the various operations in the data interaction process, the whole process is tracked and traced under the regulation cloud's data sharing concept, so that data quality is guaranteed and key links are controlled.
Referring to fig. 4, in the log auditing method based on multivariate log data analysis according to the embodiment of the present invention, specifically, the log auditing is divided into the following key steps according to the characteristic structure characteristics of the wide area log on the regulation cloud, including:
(1) business analysis, comprising: and determining the target of log data analysis by combining daily work business requirements and specific service types (such as consistency check, metadata and the like) of a regulation cloud.
(2) Log data source location, including: and positioning the associated services distributed in the national and provincial levels by using a log evidence storage and source tracing technology based on the block chain.
Illustratively, the key to data tracing technology is a formal description of the data tracing model built around the data itself. The model defines the functional boundaries of data tracing: which information about the data is traced, which operations on the data are traced, and in what form this "metadata" is stored. Data is used differently in different business scenarios, so the regulation model data and the related specific business must be modeled to meet the actual data tracing requirements. Referring to fig. 5, the regulation cloud architecture creates a requirement for wide area data interaction. In wide area data interaction, the security of the data itself and the security of data operations are the key factors that determine data quality, and recording logs of the wide area data interaction makes version backtracking and problem location possible to a large extent. The embodiment of the invention is based on the PROV standard for data tracing, targets the two-level regulation cloud system, and provides an operation log data tracing model based on a blockchain (alliance chain). The operation log tracing model is actually constructed with blockchain smart contracts: two cooperating smart contracts are designed to complete the on-chain recording of the operation log and the verification of the operation log. The invention also uses the characteristics of the blockchain in member management, distributed consensus and the like to prevent malicious users or malicious contracts from tampering with the data, and so ensures the reliability of the operation log tracing history.
The blockchain of the embodiment of the invention stores the information of a pre-constructed regulation model data tracing model suited to the blockchain. This model is established based on PROV and comprises entities, activities and agents. The embodiment of the invention mainly targets the tracing of wide area data interaction actions, so the object described by the data entity is the "data interaction" operation. The "data interaction operation" is abstracted as the following object: data interaction operation = (data digest, interaction ID, initiator, operation name, extension field). The data digest is the digest of the data operated on by the data interaction operation and is used to locate the data quickly when the operation log is analyzed later; the interaction ID is the unique identifier of the interaction initiator; the Source field records the Chinese name of the data interaction initiator, which eases manual identification; and the Ext field is reserved for future function extension. The activity (Activity) during wide area data interaction can be described in the same way with the following structure: activity = (activity type, activity agent, extension field). The activity type specifies which operation this is (data addition, deletion, modification or retrieval), the activity agent field identifies the agent associated with the activity, and the extension field is reserved for future function extension.
Modeling the agent is simpler. The subjects that initiate wide area data interaction are mainly of 2 types: production systems and business systems. A production system mainly operates on data by "adding"; a business system mainly operates on data by "deleting, modifying and searching", and also adds its own business data. Data may also be changed by human intervention, for example when operation and maintenance personnel maintain data manually. Agent modeling therefore mainly considers the agent type and the agent identification, and is formally described as: agent = (agent type, agent ID, extension field). After an entity undergoes an activity its state changes, and as different agents keep initiating activities a singly linked list is formed, as shown in fig. 5; the state of any node entity can be used to trace back the complete change process of the entity. In an exemplary embodiment of the present invention, the entities, activities, agents and other information in the data tracing model are stored on a blockchain. Data stored in the blockchain distributed ledger is globally consistent and cannot be tampered with, which guarantees the security and credibility of the data tracing evidence; in addition, smart contract technology is used to execute the data tracing process automatically.
Referring to fig. 6, based on the data tracing model, the embodiment of the present invention designs two smart contracts that work together, an operation log tracing contract and an operation tracing verification contract, which respectively complete the on-chain recording (uplink) of log tracing metadata and the queries made during tracing. The operation log tracing contract interacts directly with the user program: when a client (a person or a program) initiates wide area data interaction, the wide area interaction middleware triggers the operation log tracing contract to perform the uplink recording of the operation log. The alliance chain smart contract itself provides only basic Put and Get operations. To provide friendlier data read-write interfaces, the operation log tracing contract wraps Put, Delete, Update and Query operations that follow the common pattern of service data and are called for data addition, deletion, modification and query respectively; the wide area data interaction middleware passes the data digest of the operated data, the application ID, the operation name and so on to the smart contract as JSON. After the smart contract is triggered, it first performs identity verification; once verification passes, the interface function of the same name in the smart contract is called to complete the operation, and the result is returned to the operation initiator. The four interfaces Put, Delete, Update and Query designed in the operation log tracing contract together build the operation log tracing chain, whose structure is shown in fig. 7.
The four operations of the operation log tracing chain function as follows. First, a Put operation means that the remote data interaction operation adds new data; a new operation log tracing chain is initialized at the same time, that is, its head node is created. Second, a Delete operation means that the remote data interaction operation deletes data; for the operation log tracing chain, the chain no longer grows after the data is deleted. Third, an Update operation means that the remote data interaction operation changes data; for the operation log tracing chain, an Update operation extends the chain. Fourth, a Query operation means that the remote data interaction operation is a query; for the operation log tracing chain, a Query operation extends the chain.
Referring to fig. 7, the operation log tracing chain consists of nodes, each of which includes a node header (Header) and a node body (Body). The node header stores the Hash value of the data content of the interactive operation, so the actual data can be indexed quickly; the node body contains five items: application ID, action, agent, source end and forward pointer. The application ID is the unique identifier of the application or person initiating the operation; the action is the operation performed on the data this time; the agent is the user name that initiated the action; the source end field stores the Chinese name of the user who performed this operation; and the forward pointer stores the header Hash of the previous node and is used for history backtracking when the data is traced.
For example, blockchains can be classified into three categories according to how open the blockchain network is: public chains, alliance (consortium) chains and private chains. The public chain appeared first and has developed continuously as the underlying technology of the digital currency Bitcoin. A public chain network is open to all users and is "completely decentralized": any client that complies with the given network protocol can freely join or leave the network. The operation and management authority of a private chain belongs entirely to its owner, and its business model is completely centralized; the difference between a private chain and a public chain is analogous to the difference between an intranet and the Internet. The openness of an alliance chain lies between that of a public chain and a private chain. An alliance chain is "multi-centered": its operation and management authority belongs to several organizations in an alliance, its structure distinguishes administrative users from ordinary users, and admission control can be applied to nodes that join the network. The alliance chain has the consensus mechanism and trust model of a blockchain together with controllable permissions and good performance, and is suitable for use across departments within an enterprise or across enterprises; this is an important reason the invention uses an alliance chain as its prototype. Power grid regulation is a service that must be integrated and coordinated as a whole. Regulation data comes from many sources scattered across dispatching organizations and departments at all levels, data sharing and permission control are both required, and the trust model of the blockchain is needed to guarantee the accuracy and reliability of the data; alliance chain technology meets exactly these requirements.
The term "smart contract" was proposed in 1995 by the interdisciplinary legal scholar Nick Szabo. He defined a smart contract as "a set of promises defined in digital form, including protocols within which the contract participants can carry out these promises". Beginning in 2009, the smart contract concept was increasingly put into practice in technical frameworks such as Ethereum and Hyperledger, which represent blockchain 2.0. A smart contract is a program running on a blockchain system, and the blockchain ensures that neither the content of the smart contract nor its execution result can be tampered with. The advent of smart contracts made blockchains programmable, so that the trust model offered by blockchains is more versatile and is not limited to digital currency. In the embodiment of the invention, a blockchain-based wide area data interaction log tracing model is designed, and a group of automatically triggered smart contract programs is designed and implemented with blockchain smart contracts, which reduces manual intervention in the recording of interaction logs. The blockchain-based data interaction log tracing technology first completes the design of the data tracing model, then designs a group of smart contracts according to that model and deploys them to the blockchain for execution; a wide area interaction application must call the smart contract interface to record the operation log whenever it performs data interaction. The smart contract technology of the alliance chain ensures that every operation on the data is authorized, and ensures that any interactive operation, once completed, triggers execution of the log recording contract and is written into the blockchain ledger.
Referring to fig. 8 and 9, the embodiment of the present invention is implemented with the Fabric alliance chain platform under the Hyperledger project. When a user performs wide area data interaction, the user triggers an operation log initialization program, which starts recording the operation log on the blockchain. In the embodiment of the present invention, writing the operation log record into the blockchain comprises the following steps. First, access control is completed by the identity authentication and permission control mechanism specific to the alliance chain: Fabric uses a Public Key Infrastructure (PKI) system to generate digital certificates for members to identify users, and uses the modular Membership Service Provider (MSP) component to perform identity authentication and permission control. Second, after the user's identity is verified, the data interaction is completed in the smart contract layer, where two contracts, operation log tracing and operation log tracing verification, cooperate: the operation log tracing contract is called when the wide area interaction program sends data and completes the writing of the operation log, while the operation log tracing verification contract traces and verifies the user's data operation records with the ID as the index. The write process and multi-point storage of the distributed ledger ensure that the operation records are reliable.
The operation tracing verification contract connects to an application-layer visualization tool or other related applications and provides an interface for querying the operation log tracing chain. Its main functions are current version query and history backtracking, and the Hash value of the data content can be specified as a parameter. The current version query function returns the latest operation information for the data; the history backtracking function returns the previous N versions of the data, that is, the history of data changes, with N passed into the calling interface as a parameter. Using the permission control mechanism of the alliance chain, the operation tracing verification contract can be opened to users as required: identity authentication is performed before the smart contract executes, and the actual interface call that returns the required data can be made only when authentication passes.
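The node layout, the four operations and the verification contract's history query described above, as an added Go sketch that is not code from the patent or from Fabric. The in-memory `Ledger`, the names `Record` and `History`, the whole-node `ID` hash used as the forward pointer, the stale-digest check and the choice to record a Delete as the chain's final node are assumptions of this example, and all sample values are constructed.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
)

// Node: header = digest of the data content; body = the fields named in the text.
type Node struct {
	DataHash                     string // header: SHA-256 of the data content
	AppID, Action, Agent, Source string // Action is Put, Delete, Update or Query
	Prev                         string // forward pointer; empty for the head node
}

// ID hashes header and body together. Assumption of this sketch: linking on
// the whole node, not only the data digest, makes edits to the body detectable.
func (n Node) ID() string {
	h := sha256.New()
	for _, f := range []string{n.DataHash, n.AppID, n.Action, n.Agent, n.Source, n.Prev} {
		fmt.Fprintf(h, "%d:%s|", len(f), f) // length prefix keeps fields unambiguous
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

// Digest is what the interaction middleware would send instead of raw data.
func Digest(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// Ledger is an in-memory stand-in for the chain's Put/Get key-value state.
type Ledger struct {
	nodes   map[string]Node
	chainOf map[string]string // data digest -> chain (ID of its head node)
	tip     map[string]string // chain -> ID of its newest node
}

func NewLedger() *Ledger { return &Ledger{map[string]Node{}, map[string]string{}, map[string]string{}} }

// Record appends one operation. cur is the digest acted on (unused for Put);
// next is the digest after the operation (used by Put and Update only).
func (l *Ledger) Record(action, cur, next, appID, agent, source string) (string, error) {
	n := Node{DataHash: cur, AppID: appID, Action: action, Agent: agent, Source: source}
	chain := ""
	switch action {
	case "Put": // starts a new chain; this node becomes its head
		if _, tracked := l.chainOf[next]; next == "" || tracked {
			return "", errors.New("put: digest empty or already tracked")
		}
		n.DataHash = next
	case "Update", "Query", "Delete":
		c, ok := l.chainOf[cur]
		last := l.nodes[l.tip[c]]
		// Reading of the text used here: a Delete is recorded, then growth stops.
		if !ok || last.Action == "Delete" || last.DataHash != cur {
			return "", errors.New("digest unknown or stale, or chain ended by Delete")
		}
		chain, n.Prev = c, l.tip[c]
		if o, seen := l.chainOf[next]; action == "Update" {
			if next == "" || (seen && o != c) {
				return "", errors.New("update: digest empty or owned by another chain")
			}
			n.DataHash = next
		}
	default:
		return "", errors.New("unsupported action")
	}
	id := n.ID()
	if chain == "" {
		chain = id
	}
	l.nodes[id], l.chainOf[n.DataHash], l.tip[chain] = n, chain, id
	return id, nil
}

// History is the verification contract's backtracking query: it walks back from
// the newest node, returns up to n operations and recomputes every node ID.
func (l *Ledger) History(digest string, n int) ([]Node, error) {
	chain, ok := l.chainOf[digest]
	if !ok {
		return nil, errors.New("unknown digest")
	}
	var out []Node
	for id := l.tip[chain]; id != "" && len(out) < n; {
		node, ok := l.nodes[id]
		if !ok || node.ID() != id {
			return out, fmt.Errorf("broken link at %.8s", id)
		}
		out = append(out, node)
		id = node.Prev
	}
	return out, nil
}

func main() {
	l := NewLedger()
	v1, v2 := Digest([]byte("grid model v1")), Digest([]byte("grid model v2")) // constructed data
	l.Record("Put", "", v1, "app-prod-01", "ems", "production system")
	l.Record("Update", v1, v2, "app-biz-07", "planner", "business system")
	fmt.Println(l.History(v2, 10))
}
```

Calling `History` with N = 1 gives the current version query. On a real alliance chain the ledger already resists modification; the recomputation in `History` shows what the forward pointers add for a reader who only holds an exported copy of the chain.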
(3) Log parsing, comprising: parsing each unstructured and semi-structured original log record into a structured form by a log template extraction method.
(4) Log anomaly detection and diagnosis, which mainly comprises establishing an anomaly detection model and analyzing the causes of anomalies, and which provides an important reference for R&D personnel in managing systems and application services. Based on the historical anomaly data of the system, artificial intelligence algorithms such as data classification, data analysis and data mining are used to establish the relation among the system's historical anomalies, its current operating state and potential future anomalies, so that anomalies of the regulation cloud system can be predicted. The local and overall running states of the system are judged from the access log records of each application service, so that current system anomalies are monitored and future system faults or application service faults are predicted. Finally, the resulting audit conclusions on the one hand give regulation cloud R&D personnel auxiliary strategies for eliminating engineering defects and for daily operation and maintenance, which guarantees safe and stable operation of application service access; on the other hand they provide a basis for formulating scientific and reasonable maintenance plans and emergency response measures. This reduces the probability of abnormal events in application service access, shortens the time needed to handle them, and allows data, service or system anomalies to be predicted in advance.
Illustratively, the invention provides a log sequence anomaly detection model based on an attention mechanism, which can effectively detect anomalies in shorter log sequences. The model treats a log template sequence as a natural language sequence and takes word embeddings trained by a neural network as the input of the anomaly detection model, so that the semantic regularities of the log templates in the current log sequence can be expressed, the dimensionality is reduced, and the whole model runs faster. The stacked LSTM layer in the model effectively extracts the implicit patterns of the log sequence, and the self-attention layer expresses dependency relationships by computing the similarity between logs in the sequence, so it can better learn the internal structure of a sequence. The anomaly detection model is trained on normal log sequence patterns, after which it can detect anomalies in previously unseen execution workflow sequences. The experimental results show that the overall accuracy of the detection model for log sequence anomalies is better than that of existing methods, and its time overhead is lower.
In summary, log audit means that information such as system security events, user access records, system operation logs and system operating states in an information system is collected centrally, processed by normalization, filtering, merging and alarm analysis, and then stored and managed centrally as logs in a uniform format; combined with rich log statistics, summarization and correlation analysis functions, this realizes a comprehensive audit of information system logs. In the invention, multivariate log data are collected from multiple dimensions such as service scope, time, network security, and operation and maintenance requirements; data-driven correlation modeling is performed on the collected service access logs; a log anomaly detection model based on an intelligent algorithm is established; and multi-dimensional data analysis and mining are carried out to track the influence of the internal relations among multiple parallel application services. This realizes unified management of defects and faults, hidden danger analysis, fault location and security early warning, as well as prevention before faults and analysis after them. The core inventive points of the technical scheme of the invention comprise: (1) A wide area data interaction model is modeled first, and the data tracing model is implemented with the distributed ledger underlying the blockchain and its programmability; the tamper resistance of the blockchain ensures the non-repudiation of the data interaction log, prevents malicious users or malicious contracts from tampering with the data, and ensures the reliability of the operation log tracing history.
(2) Blockchain smart contract technology is used to trigger the log and put it on the chain automatically, which avoids manual intervention and further improves the authority of the interaction log. (3) Based on the historical anomaly data of the system, and through log evidence storage and log tracing, artificial intelligence algorithms such as data classification, data analysis and data mining are used to establish the relation among the system's historical anomalies, its current running state and potential future anomalies, so that anomalies of the regulation cloud system can be predicted. (4) In the blockchain-based wide area data interaction log evidence storage and auditing technology, the invention provides, based on the PROV standard for data tracing, a blockchain (alliance chain) based application service log data tracing model; the application service log tracing model is actually constructed with blockchain smart contracts, and two cooperating smart contracts are designed to complete the on-chain evidence storage of application service logs and the tracing of application service logs.
Example 3
The following are apparatus embodiments of the present invention, which may be used to perform the method embodiments of the present invention; for details not covered in the apparatus embodiments, please refer to the method embodiments of the present invention.
Referring to fig. 10, a log auditing system based on multivariate log data analysis according to an embodiment of the present invention includes:
the analysis target acquisition module is used for acquiring a log data analysis target;
the wide-area log obtaining module is used for carrying out multi-element log data source positioning on the associated services distributed in the country and the province and the region by utilizing a log evidence storing and tracing method based on the block chain based on the log data analysis target to obtain a wide-area log;
the structured data log record acquisition module is used for analyzing unstructured and semi-structured original log records in the wide area log into a structured form and combining the unstructured and semi-structured original log records with the structured original log records in the wide area log to form structured data log records;
and the audit report acquisition module is used for auditing based on the structured data log record, acquiring an audit report and finishing log audit based on multivariate log data analysis.
Example 4
In yet another embodiment of the present invention, a computer device is provided that includes a processor and a memory, the memory storing a computer program comprising program instructions, and the processor executing the program instructions stored in the computer storage medium. The processor may be a Central Processing Unit (CPU), or another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. It is the computing core and control core of the terminal, and is specifically adapted to load and execute one or more instructions in a computer storage medium to implement a corresponding method flow or function; the processor provided by the embodiment of the invention can be used to run the log auditing method based on multivariate log data analysis.
Example 5
In yet another embodiment of the present invention, a storage medium, in particular a computer-readable storage medium (Memory), is provided, which is a Memory device in a computer device for storing programs and data. It is understood that the computer readable storage medium herein can include both built-in storage media in the computer device and, of course, extended storage media supported by the computer device. The computer-readable storage medium provides a storage space storing an operating system of the terminal. Also, one or more instructions, which may be one or more computer programs (including program code), are stored in the memory space and are adapted to be loaded and executed by the processor. It should be noted that the computer-readable storage medium may be a high-speed RAM memory, or may be a non-volatile memory (non-volatile memory), such as at least one disk memory. One or more instructions stored in the computer-readable storage medium may be loaded and executed by a processor to perform the corresponding steps of the log auditing method based on multivariate log data analysis in the above embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
Claims (10)
1. A log auditing method based on multivariate log data analysis is characterized by comprising the following steps:
acquiring a log data analysis target;
based on the log data analysis target, performing multi-element log data source positioning on the associated services distributed in the country and the province and the region by using a log evidence storing and tracing method based on a block chain to obtain a wide-area log;
parsing unstructured and semi-structured original log records in the wide area log into a structured form, and combining them with the structured original log records in the wide area log to form a structured data log record;
auditing is carried out based on the structured data log record, an audit report is obtained, and log auditing based on multivariate log data analysis is completed.
2. The log auditing method based on multivariate log data analysis according to claim 1, characterized in that the step of obtaining a log data analysis target specifically comprises:
and obtaining a log data analysis target based on preset service requirements and regulation cloud service types.
3. The log auditing method based on multivariate log data analysis as claimed in claim 1, wherein in the log storing and tracing method based on block chain:
the block chain is an alliance chain;
the block chain stores pre-constructed regulation and control model data traceability model information suitable for the block chain; the pre-constructed regulation and control model data traceability model suitable for the block chain is established based on PROV, and comprises the following steps: entities, activities, and agents;
the object described by the entity is the data interaction operation, formally described as: data interaction operation = (data digest, interaction ID, initiator, operation name, extension field); wherein the data digest is the digest of the data operated on by the data interaction operation, and the interaction ID is used as the unique identifier of the interaction initiator;
the activity is formally described as: activity = (activity type, activity agent, extension field); wherein the activity type is used to specify the data operation type, the activity agent field is used for the agent associated with the activity, and the extension field is used for function extension;
the agent is formally described as: agent = (agent type, agent ID, extension field);
in the log storage process, chaining is realized based on a preset operation log tracing contract;
in the log tracing process, query is realized based on a preset operation tracing verification contract.
4. The log auditing method based on multivariate log data analysis according to claim 3, wherein in the log certification process, the step of implementing uplink based on a preset operation log tracing contract specifically comprises:
when a client initiates wide area data interaction, the wide area data interaction middleware triggers the operation log tracing contract to perform uplink recording of the operation log, forming an operation log tracing chain;
the operation log source-tracing contract is encapsulated with Put, Delete, Update and Query operations and is used for calling under different conditions of data adding, deleting, modifying and checking; put operation means remote data interactive operation as new data, Delete operation means remote data interactive operation as Delete data, Update operation means remote data interactive operation as change, Query operation means remote data interactive operation as Query;
the chain structure of the operation log tracing chain consists of nodes; each node comprises a node head and a node body, wherein the node head stores a Hash value of interactive operation data content, and the node body comprises an interactive ID, an activity, an agent, a source end and a forward pointer; the source field is used for storing the Chinese name of the operation user, and the forward pointer is used for storing the head Hash of the previous node.
5. The log auditing method based on multivariate log data analysis according to claim 3, characterized in that in the log tracing process, the step of implementing querying based on a preset operation tracing verification contract specifically comprises:
taking the Hash value of the specified data content as a parameter and inputting it through an interface preset by the operation tracing verification contract, so as to query the historical versions on the operation log tracing chain.
6. The log auditing method based on multivariate log data analysis according to claim 3, characterized in that the blockchain is implemented on the Fabric consortium chain platform of the Hyperledger project.
7. The log auditing method based on multivariate log data analysis according to claim 1, wherein the step of auditing based on the structured data log record, obtaining an audit report, and completing log auditing based on multivariate log data analysis specifically comprises:
inputting the structured data log record into a pre-constructed log sequence anomaly detection model based on a self-attention mechanism, and forming an audit report from the result output by the log sequence anomaly detection model, thereby completing log auditing based on multivariate log data analysis;
the log sequence anomaly detection model models a log template sequence as a natural language sequence and takes word embeddings obtained by neural network training as input; the log sequence anomaly detection model has stacked LSTM layers for extracting the latent patterns of the log sequence, and a self-attention layer for representing the dependency relationships among the logs in a sequence by calculating the similarity between the logs.
8. A log auditing system based on multivariate log data analysis, characterized by comprising:
an analysis target acquisition module, used for acquiring a log data analysis target;
a wide-area log acquisition module, used for locating, based on the log data analysis target and using a blockchain-based log evidence storage and tracing method, the multivariate log data sources of the associated services distributed across the country, provinces and regions, to obtain a wide-area log;
a structured data log record acquisition module, used for parsing the unstructured and semi-structured original log records in the wide-area log into a structured form and combining them with the structured original log records in the wide-area log to form structured data log records;
and an audit report acquisition module, used for auditing based on the structured data log record, obtaining an audit report, and completing log auditing based on multivariate log data analysis.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the steps of the log auditing method based on multivariate log data analysis according to any one of claims 1 to 7.
10. A computer-readable storage medium in which a computer program is stored, wherein the computer program, when executed by a processor, carries out the steps of the log auditing method based on multivariate log data analysis according to any one of claims 1 to 7.
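The following is an added sketch, not code from the patent, of the node layout in claim 4 and the Hash-keyed query in claim 5, written as a plain in-memory Python list rather than a Fabric contract. SHA-256, the all-zero first forward pointer, the function names and the sample records are assumptions; returning the matched node followed by its predecessors is one reading of the "historical version" query.

```python
import hashlib
from dataclasses import dataclass

GENESIS = "0" * 64  # assumption: forward pointer of the first node
OPS = {"Put", "Delete", "Update", "Query"}  # operations named in claim 4

def content_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()  # assumption: SHA-256

@dataclass(frozen=True)
class Node:
    head: str            # node head: Hash of the interaction data content
    interaction_id: str
    activity: tuple      # (activity type, activity agent, extension field)
    agent: tuple         # (agent type, agent ID, extension field)
    source: str          # name of the operating user
    forward: str         # forward pointer: head Hash of the previous node

def record(chain, op, interaction_id, agent_id, source, content):
    """Append one operation log node (hypothetical stand-in for the contract)."""
    if op not in OPS:
        raise ValueError(f"unsupported operation: {op}")
    forward = chain[-1].head if chain else GENESIS
    node = Node(content_hash(content), interaction_id, (op, agent_id, None),
                ("user", agent_id, None), source, forward)
    chain.append(node)
    return node

def first_broken_link(chain):
    """Index of the first node whose forward pointer is wrong, or -1.
    Only linkage is checked: the head covers the content, not the body."""
    expected = GENESIS
    for i, node in enumerate(chain):
        if node.forward != expected:
            return i
        expected = node.head
    return -1

def history(chain, wanted_hash):
    """Latest node with this head Hash, then its predecessors, newest first."""
    if first_broken_link(chain) != -1:
        raise ValueError("forward pointers do not link up")
    hits = [i for i, node in enumerate(chain) if node.head == wanted_hash]
    return chain[hits[-1]::-1] if hits else []

def build_sample():
    """Constructed sample: three operations recorded in order."""
    chain = []
    record(chain, "Put", "ix-1", "u1", "Zhang San", b"meter=100")
    record(chain, "Update", "ix-2", "u2", "Li Si", b"meter=120")
    record(chain, "Query", "ix-3", "u1", "Zhang San", b"meter=120")
    return chain
```

Because the node head in this layout covers only the data content, the pointer check in this sketch detects a removed or reordered node but not an edited body field such as the source.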
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111424905.8A CN114020726B (en) | 2021-11-26 | 2021-11-26 | Log auditing method, system, equipment and medium based on multivariate log data analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114020726A (en) | 2022-02-08 |
CN114020726B (en) | 2024-09-10 |
Family
ID=80066774
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111424905.8A Active CN114020726B (en) | 2021-11-26 | 2021-11-26 | Log auditing method, system, equipment and medium based on multivariate log data analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114020726B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN114020726B (en) | 2024-09-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||