CN114205146B - Processing method and device for multi-source heterogeneous security log - Google Patents

Processing method and device for multi-source heterogeneous security log

Info

Publication number
CN114205146B
Authority
CN
China
Prior art keywords
security log
security
log
deviation value
value
Legal status
Active
Application number
CN202111506423.7A
Other languages
Chinese (zh)
Other versions
CN114205146A (en)
Inventor
郑飞
惠红刚
张彩霞
崔明哲
杨欣欣
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/064 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis involving time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/258 Data format conversion from or to a database
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/31 Indexing; Data structures therefor; Storage structures
    • G06F16/313 Selection or weighting of terms for indexing

Abstract

The disclosure provides a processing method and device for a multi-source heterogeneous security log. The method comprises: obtaining a first security log and a second security log, which belong to different security devices; if the two logs meet a preset condition, matching preset fields in an information library against all first fields of the first security log and against all second fields of the second security log, to obtain a first matching result and a second matching result; if the two matching results are inconsistent, calculating a first deviation value for the first security log and a second deviation value for the second security log; and performing a similarity calculation on the two deviation values to obtain a similarity value, based on which it is determined whether the two logs were generated for the same security event. The method and device thereby achieve reliability correlation and comparative analysis of the log content of different security devices.

Description

Processing method and device for multi-source heterogeneous security log
Technical Field
The disclosure relates to the technical field of data processing, and in particular relates to a method and a device for processing a multi-source heterogeneous security log.
Background
With the development of internet information technology and the requirements of national network security laws and equity security systems, various network security devices, such as network security defense and security detection devices, are deployed in the network of each enterprise organization to cope with network attacks and national regulatory policies. In order to centrally manage these security devices and the events generated by each asset, and to monitor the operating situation of the whole network, a unified network security management platform is deployed in the network to perform unified acquisition, analysis and display of security events.
However, the prior art cannot perform correlation analysis on the credibility of log contents of different security devices or the capabilities of different security devices. Thus, there is a need for a method of performing a comparative analysis of logs and capabilities for different security devices.
Disclosure of Invention
In view of the above, an object of an embodiment of the present disclosure is to provide a method and an apparatus for processing a multi-source heterogeneous security log, which are used for solving the problem that the prior art cannot perform correlation comparison analysis on the credibility of log contents of different security devices or the capabilities of different security devices.
In a first aspect, an embodiment of the present disclosure provides a method for processing a multi-source heterogeneous security log, where the method includes:
acquiring a first security log and a second security log; wherein the first security log and the second security log belong to different security devices;
under the condition that the first security log and the second security log meet preset conditions, respectively matching preset fields in an information base with all first fields of the first security log to obtain a first matching result, and respectively matching the preset fields in the information base with all second fields of the second security log to obtain a second matching result;
calculating a first deviation value of the first security log and calculating a second deviation value of the second security log under the condition that the first matching result is inconsistent with the second matching result;
and carrying out similarity calculation on the first deviation value and the second deviation value to obtain a similarity value, and determining whether the first security log and the second security log are generated for the same security event or not based on the calculated similarity value.
In one possible implementation manner, the acquiring the first security log and the second security log includes:
acquiring a third security log generated by the first security device and a fourth security log generated by the second security device;
converting the third security log into a third security log conforming to a standard rule based on a field analysis rule corresponding to the first security device, and converting the fourth security log into a fourth security log conforming to the standard rule based on a field analysis rule corresponding to the second security device;
and structuring the third security log to obtain the first security log, and structuring the fourth security log to obtain the second security log.
In one possible embodiment, the processing method further includes:
comparing whether the basic data in the first security log and the basic data in the second security log are the same or not, wherein the basic data comprises a source address, a target address, a source port, a target port, a protocol type, a request uniform resource locator and a request return value;
if the first security log and the second security log are different, determining that the first security log and the second security log meet the preset condition.
In one possible implementation, the calculating the first deviation value of the first security log and the calculating the second deviation value of the second security log includes:
and calculating a first deviation value of the first security log by using the influence degree of all the first fields, and calculating a second deviation value of the second security log by using the influence degree of all the second fields.
In one possible implementation manner, the calculating the first deviation value of the first security log by using the influence degrees of all the first fields and calculating the second deviation value of the second security log by using the influence degrees of all the second fields includes:
acquiring a first alarm time of the first security log and a second alarm time of the second security log;
calculating an alarm time difference between the first alarm time and the second alarm time;
and calculating the first deviation value by using the influence degree of all the first fields and the alarm time difference value, and calculating the second deviation value by using the influence degree of all the second fields and the alarm time difference value.
In a possible implementation manner, the determining, based on the calculated similarity value, whether the first security log and the second security log are generated for the same security event includes:
and under the condition that the similarity value is smaller than a preset threshold value, determining that the first security log and the second security log are generated for the same security event.
In one possible embodiment, the processing method further includes:
and generating a correlation report between the security device to which the first security log belongs and the security device to which the second security log belongs based on whether the first security log and the second security log are generated for the same security event.
In a second aspect, an embodiment of the present disclosure further provides an attribute determining apparatus, including:
an acquisition module configured to acquire a first security log and a second security log; wherein the first security log and the second security log belong to different security devices;
a matching module configured to match preset fields in the information base with all first fields of the first security log respectively under the condition that the first security log and the second security log meet preset conditions to obtain a first matching result, and match the preset fields in the information base with all second fields of the second security log respectively to obtain a second matching result;
a calculation module configured to calculate a first deviation value of the first security log and calculate a second deviation value of the second security log if the first matching result is inconsistent with the second matching result;
and the first determining module is configured to calculate the similarity of the first deviation value and the second deviation value to obtain a similarity value, and determine whether the first security log and the second security log are generated for the same security event or not based on the calculated similarity value.
In a third aspect, the disclosed embodiments also provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
acquiring a first security log and a second security log; wherein the first security log and the second security log belong to different security devices;
under the condition that the first security log and the second security log meet preset conditions, respectively matching preset fields in an information base with all first fields of the first security log to obtain a first matching result, and respectively matching the preset fields in the information base with all second fields of the second security log to obtain a second matching result;
calculating a first deviation value of the first security log and calculating a second deviation value of the second security log under the condition that the first matching result is inconsistent with the second matching result;
and carrying out similarity calculation on the first deviation value and the second deviation value to obtain a similarity value, and determining whether the first security log and the second security log are generated for the same security event or not based on the calculated similarity value.
In a fourth aspect, an embodiment of the present disclosure further provides an electronic device, including: a processor and a memory storing machine-readable instructions executable by the processor, the processor and the memory in communication over a bus when the electronic device is operating, the machine-readable instructions when executed by the processor performing the steps of:
acquiring a first security log and a second security log; wherein the first security log and the second security log belong to different security devices;
under the condition that the first security log and the second security log meet preset conditions, respectively matching preset fields in an information base with all first fields of the first security log to obtain a first matching result, and respectively matching the preset fields in the information base with all second fields of the second security log to obtain a second matching result;
calculating a first deviation value of the first security log and calculating a second deviation value of the second security log under the condition that the first matching result is inconsistent with the second matching result;
and carrying out similarity calculation on the first deviation value and the second deviation value to obtain a similarity value, and determining whether the first security log and the second security log are generated for the same security event or not based on the calculated similarity value.
The embodiment of the disclosure calculates the similarity between the first security log and the second security log through the first deviation value of the first security log and the second deviation value of the second security log to determine whether the first security log and the second security log are generated for the same security event, wherein the first deviation value is calculated based on all first fields in the first security log, the second deviation value is calculated based on all second fields in the second security log, the first security log and the second security log belong to different security devices, and accordingly reliability correlation and comparison analysis of log contents of different security devices are achieved.
The foregoing objects, features and advantages of the disclosure will be more readily apparent from the following detailed description of the preferred embodiments taken in conjunction with the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the present disclosure or the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
FIG. 1 illustrates a flow chart of a method of processing a multi-source heterogeneous security log provided by the present disclosure;
FIG. 2 shows a flowchart of acquiring a first security log and a second security log in a method for processing a multi-source heterogeneous security log provided by the present disclosure;
FIG. 3 is a flowchart of calculating a first deviation value and a second deviation value in a method for processing a multi-source heterogeneous security log provided by the present disclosure;
FIG. 4 is a schematic diagram of a processing device for multi-source heterogeneous security log provided by the present disclosure;
FIG. 5 shows a schematic structural diagram of an electronic device provided by the present disclosure.
Detailed Description
Various aspects and features of the disclosure are described herein with reference to the drawings.
It should be understood that various modifications may be made to the embodiments of the application herein. Therefore, the above description should not be taken as limiting, but merely as exemplification of the embodiments. Other modifications within the scope and spirit of this disclosure will occur to persons of ordinary skill in the art.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and, together with a general description of the disclosure given above and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
These and other characteristics of the present disclosure will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.
It should also be understood that, although the present disclosure has been described with reference to some specific examples, a person skilled in the art will certainly be able to achieve many other equivalent forms of the present disclosure, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present disclosure will become more apparent in light of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present disclosure will be described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely examples of the disclosure, which may be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail to avoid obscuring the disclosure in unnecessary or unnecessary detail. Therefore, specific structural and functional details disclosed herein are not intended to be limiting, but merely serve as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present disclosure in virtually any appropriately detailed structure.
The specification may use the word "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the disclosure.
In order to facilitate understanding of the present disclosure, a method for processing a multi-source heterogeneous security log provided in the present disclosure will be described in detail. As shown in fig. 1, a processing method provided in an embodiment of the disclosure includes specific steps S101 to S104.
S101, acquiring a first security log and a second security log; wherein the first security log and the second security log belong to different security devices.
In a particular implementation, each security device generates a security log for each security event, so the security log can be extracted from the running log of each security device. On this basis, the first security log and the second security log are obtained; they belong to different security devices. In this embodiment of the disclosure, the case in which the first security log belongs to a first security device and the second security log belongs to a second security device is taken as the example for the subsequent explanation.
The logs of the different security devices are connected according to data acquisition protocols such as UDP, TCP, Avro, Kafka, NetFlow v5, SFTP, file and REST; the interface protocol is used to customize and modify the acquisition ports being monitored and to enrich the set of device analysis template types.
Further, fig. 2 shows a flow chart of a method for obtaining a first security log and a second security log, wherein the specific steps comprise S201-S203.
S201, a third security log generated by the first security device and a fourth security log generated by the second security device are obtained.
S202, converting the third security log into a third security log conforming to the standard rule based on the field analysis rule corresponding to the first security device, and converting the fourth security log into a fourth security log conforming to the standard rule based on the field analysis rule corresponding to the second security device.
S203, structuring the third security log to obtain a first security log, and structuring the fourth security log to obtain a second security log.
In implementation, because the fields defined by the manufacturers of the security devices differ, that is, the field identifiers in the security logs generated by different security devices have different definitions, a field analysis rule must be invoked to analyze and map each field, so that the fields of each security log are uniformly translated into fields with standard meanings and the field identifiers in the security logs generated by different security devices become identical. Each field is analyzed and mapped using the field analysis dictionary of the manufacturer to which the security device belongs; the field analysis dictionary is collected in advance.
In practical application, a third security log generated by the first security device and a fourth security log generated by the second security device are obtained, the third security log is converted into a third security log conforming to a standard rule based on a field analysis rule corresponding to the first security device, and the fourth security log is converted into a fourth security log conforming to the standard rule based on a field analysis rule corresponding to the second security device.
Taking a firewall security log of one manufacturer as an example, assume the original log is as follows:
id=tos;time="2013-1-25;17:25:58" fw=TopsecOS;pri=8 type=pf src=124.115.26.12;dst=192.168.73.18;sport=1;dport=135 smac=00:13:85:3D:90:25;dmac=00:11:d8:aa:8c:e2;proto=UDP;indev=eth4 rule=Reject policyid=0 msg="\kkdjfdslkfj"
After analysis with the field analysis rule, the log becomes:
    {
      "log type (id)": "tos",
      "log time (time)": "2013-1-25 17:25:58",
      "acquisition source (fw)": "TopsecOS",
      "event level (pri)": "8",
      "event type (type)": "pf",
      "source IP (src)": ["124.115.26.12"],
      "source port (sport)": [1],
      "destination IP (dst)": ["192.168.73.18"],
      "destination port (dport)": [135],
      "source MAC (smac)": ["00:13:85:3D:90:25"],
      "destination MAC (dmac)": ["00:11:d8:aa:8c:e2"],
      "protocol (proto)": ["UDP"],
      "network card (indev)": "eth4",
      "hit strategy (rule)": "Reject",
      "strategy ID (policyid)": "0",
      "details (msg)": "kkdjfdslkfj"
    }
Considering that a log file is an unstructured text file that nevertheless contains information which can be structured, the unstructured log is converted into a structured log by adapting different acquisition rules to the security log of each security device. The third security log is structured to obtain the first security log, and the fourth security log is structured to obtain the second security log; that is, the first security log and the second security log carry the same field identifiers and are both structured.
After the first security log and the second security log are obtained, the field meanings can also be replaced and enriched through the field-level index. For example, "source IP (src)": ["124.115.26.12"] is associated and enriched into a telecom public-network address in Xi'an, Shaanxi Province, and the details (msg) "kkdjfdslkfj" are replaced with the detailed record "79IBM Tivoli Management Framework opts information parameter stack buffer overflow vulnerability attack", and so on. The first security log and the second security log are then stored.
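As an added example that is not part of the patent, the following Python carries the vendor line quoted above through S201 to S203: a tokenizer for the key=value format, a hypothetical field analysis rule that maps TopsecOS keys to standard field names, and a structuring step that emits one fixed schema for every device. The rule table, the standard field names and the schema are assumptions chosen for illustration.

```python
import json
import re
from datetime import datetime

# Constructed copy of the TopsecOS firewall line quoted in the description.
RAW_TOPSEC_LOG = (
    'id=tos;time="2013-1-25;17:25:58" fw=TopsecOS;pri=8 type=pf '
    'src=124.115.26.12;dst=192.168.73.18;sport=1;dport=135 '
    'smac=00:13:85:3D:90:25;dmac=00:11:d8:aa:8c:e2;proto=UDP;indev=eth4 '
    'rule=Reject policyid=0 msg="\\kkdjfdslkfj"'
)


def parse_topsec_time(text):
    """The vendor writes the timestamp as date;time inside one quoted value."""
    return datetime.strptime(text, "%Y-%m-%d;%H:%M:%S")


# Hypothetical field analysis rule for this vendor: vendor key -> (standard
# field name, value converter).  A second device gets its own table so that
# both devices end up with identical field identifiers (S202).
TOPSEC_FIELD_RULE = {
    "id": ("log_type", str),        "time": ("log_time", parse_topsec_time),
    "fw": ("source", str),          "pri": ("event_level", int),
    "type": ("event_type", str),    "src": ("src_ip", str),
    "sport": ("src_port", int),     "dst": ("dst_ip", str),
    "dport": ("dst_port", int),     "smac": ("src_mac", str),
    "dmac": ("dst_mac", str),       "proto": ("protocol", str),
    "indev": ("interface", str),    "rule": ("action", str),
    "policyid": ("policy_id", int), "msg": ("details", str),
}

# Standard schema shared by every device after structuring (S203).  Fields a
# device never reports stay present but empty, so later comparisons can tell
# "empty" apart from "different".
STANDARD_FIELDS = (
    "log_type", "log_time", "source", "event_level", "event_type",
    "src_ip", "src_port", "dst_ip", "dst_port", "src_mac", "dst_mac",
    "protocol", "interface", "action", "policy_id", "request_url",
    "return_code", "details",
)

# key=value pairs: the value is either double-quoted (may contain ';' or
# blanks) or an unquoted run ended by ';' or whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^;\s]*))')


def tokenize(raw):
    """Split a vendor line into (key, value) pairs without breaking quoted values."""
    return [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
            for m in _KV_RE.finditer(raw)]


def apply_field_rule(raw, rule):
    """S202: translate vendor keys to standard field names and typed values.
    A value that fails conversion is kept as text, and unknown keys are kept
    under 'extra', so nothing in the original log is silently dropped."""
    record, extra = {}, {}
    for key, value in tokenize(raw):
        if key not in rule:
            extra[key] = value
            continue
        name, convert = rule[key]
        try:
            record[name] = convert(value)
        except ValueError:
            record[name] = value
    if extra:
        record["extra"] = extra
    return record


def structure(record):
    """S203: emit the fixed schema, with an empty string for absent fields."""
    out = {f: record.get(f, "") for f in STANDARD_FIELDS}
    if "extra" in record:
        out["extra"] = record["extra"]
    return out


def to_json(structured):
    """Serialise for storage; datetimes become ISO-8601 text."""
    return json.dumps(structured, default=lambda o: o.isoformat(), ensure_ascii=False)


if __name__ == "__main__":
    print(to_json(structure(apply_field_rule(RAW_TOPSEC_LOG, TOPSEC_FIELD_RULE))))
```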
S102, under the condition that the first security log and the second security log meet preset conditions, respectively matching preset fields in the information base with all first fields of the first security log to obtain a first matching result, and respectively matching the preset fields in the information base with all second fields of the second security log to obtain a second matching result.
In a specific implementation, it is first determined whether the first security log and the second security log satisfy the preset condition. Specifically, the basic data in the first security log is compared with the basic data in the second security log, where the basic data comprises a source address, a target address, a source port, a target port, a protocol type, a request uniform resource locator and a request return value. If the basic data are the same, the first security log and the second security log are determined to have been generated for the same security event; if they differ, it is determined on this basis that the two logs were not generated for the same security event, and at this point the first security log and the second security log are determined to meet the preset condition.
Under the condition that the first security log and the second security log meet the preset conditions, respectively matching preset fields in the information base with all first fields of the first security log to obtain a first matching result, and respectively matching the preset fields in the information base with all second fields of the second security log to obtain a second matching result.
The preset fields in the intelligence library are determined based on fields in historical security events. Intelligence matching is then performed on information such as MD5 values, samples, parameters, files and processes by calling an intelligence matching engine.
S103, when the first matching result is inconsistent with the second matching result, calculating a first deviation value of the first security log and calculating a second deviation value of the second security log.
If the first matching result is consistent with the second matching result, the first security log and the second security log are determined to have been generated for the same security event; if the first matching result is inconsistent with the second matching result, a first deviation value of the first security log and a second deviation value of the second security log are calculated to further determine whether the two logs were generated for the same security event.
Specifically, the first deviation value of the first security log is calculated by using the influence degrees of all the first fields, and the second deviation value of the second security log is calculated by using the influence degrees of all the second fields.
In one embodiment, the deviation value may be calculated by formula (1), i.e. the first deviation value and the second deviation value are calculated.
(1)
Wherein P represents the deviation value; n represents the number of fields; X_i represents the deviation base of the i-th field; and W_i represents the weight assigned to the i-th index in the deviation degree evaluation.
X_i is assigned according to the degree of influence of the field: for example, if the source address and the target address are the same, the deviation base is 1, and if they are different, the deviation base is 0, and so on. Since it cannot be confirmed that every record carries information in a given field, W_i is assigned 0.5 for a field whose content is empty and 1 for a field whose content is not empty. It should be noted that if a preset number of fields are empty, for example if the deviation base of the source address and the target address of the two security logs is 0, the events corresponding to the two security logs are identified as different, so the similarity, that is, the deviation value, does not need to be calculated; the preset number can be set according to the different log styles of the devices in the network environment.
Fig. 3 shows a flowchart of a method for calculating a first deviation value of a first security log by using the influence degrees of all the first fields and calculating a second deviation value of a second security log by using the influence degrees of all the second fields, wherein the specific steps include S301-S303.
S301, acquiring a first alarm time of a first security log and a second alarm time of a second security log.
S302, calculating an alarm time difference value between the first alarm time and the second alarm time.
S303, calculating to obtain a first deviation value by using the influence degrees of all the first fields and the alarm time difference value, and calculating to obtain a second deviation value by using the influence degrees of all the second fields and the alarm time difference value.
Further, the accuracy of the first deviation value and the second deviation value can be improved by taking into account the alarm time, namely the generation time, of the two security logs. Therefore, in this implementation, the first alarm time of the first security log and the second alarm time of the second security log are acquired first, and the alarm time difference between the first alarm time and the second alarm time is calculated.
Then the first deviation value is calculated using the influence degrees of all the first fields and the alarm time difference value, and the second deviation value is calculated using the influence degrees of all the second fields and the alarm time difference value; specifically, formula (2) below may be used.
(2)
Wherein P represents the deviation value; n represents the number of fields; X_i represents the deviation base of the i-th field; W_i represents the weight assigned to the i-th index in the deviation degree evaluation; and t represents the alarm time difference value.
S104, similarity calculation is carried out on the first deviation value and the second deviation value to obtain a similarity value, and whether the first security log and the second security log are generated for the same security event or not is determined based on the calculated similarity value.
After obtaining the first deviation value and the second deviation value, similarity calculation is performed on the first deviation value and the second deviation value to obtain a similarity value, optionally, a difference between the first deviation value and the second deviation value is calculated, and the difference is used as the similarity value.
After the similarity value is obtained, comparing the similarity value with a preset threshold value, and determining that the first security log and the second security log are generated for the same security event under the condition that the similarity value is smaller than the preset threshold value, namely, the first security device and the second security device can both detect the security event.
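The decision flow of S102 to S104 (preset-condition check on the basic data, intelligence-library matching of all fields, deviation values from X_i and W_i with the alarm time difference, and the threshold on the similarity value), modelled as a small Python program. This is an added example, not code from the patent. The field names, the two sample logs and the intelligence library are constructed; because formulas (1) and (2) are not reproduced on the page, the way X_i and W_i are aggregated into a deviation value (a weighted mean) and the form of the alarm-time term (exponential decay with an assumed time constant TAU) are assumptions, and the "preset number of fields" short-cut is modelled as both addresses differing.

```python
"""Added example of the S102-S104 decision flow (not the patent's own code).
Assumptions are marked inline: the aggregation of X_i/W_i, the time term and
the sample data are constructed for illustration."""
import math

# "Basic data" compared for the preset condition (fields named in the text).
BASIC_FIELDS = ("src_addr", "dst_addr", "src_port", "dst_port",
                "proto", "url", "status")
# Fields taking part in the deviation calculation (constructed set; md5,
# process and file are the kind of items the intelligence engine matches).
ALL_FIELDS = BASIC_FIELDS + ("md5", "process", "file")
TAU = 300.0  # assumed time constant (seconds) for the alarm-time factor


def _empty(v):
    return v is None or v == ""


def basic_data_same(a, b):
    """Preset-condition check: True when every basic field agrees."""
    return all(a.get(f) == b.get(f) for f in BASIC_FIELDS)


def intel_match(log, intel):
    """Match every field of a log against the intelligence library.
    Returns the set of (field, value) hits; the two logs 'match consistently'
    when their hit sets are equal."""
    return frozenset((f, v) for f, v in log.items()
                     if not _empty(v) and v in intel.get(f, ()))


def time_factor(t_seconds):
    """Assumed form of the alarm-time term of formula (2): exponential decay."""
    return math.exp(-abs(t_seconds) / TAU)


def deviation_value(log, other, t_seconds=0.0):
    """X_i = 1 if field i agrees between the two logs, else 0 (from the text).
    W_i = 0.5 if field i is empty in this log, else 1 (from the text).
    Assumed aggregation: weighted mean sum(W_i*X_i)/sum(W_i) times time_factor."""
    num = den = 0.0
    for f in ALL_FIELDS:
        v = log.get(f)
        x = 0.0 if _empty(v) or v != other.get(f) else 1.0
        w = 0.5 if _empty(v) else 1.0
        num += w * x
        den += w
    return (num / den) * time_factor(t_seconds)


def correlate(a, b, intel, threshold=0.1, max_basic_diff=2):
    """Return (same_event, stage_that_decided, similarity_or_None)."""
    if basic_data_same(a, b):
        return True, "basic_data", None
    # Short-cut from the text: when a preset number of key fields disagree
    # (modelled here as both addresses), skip the similarity calculation.
    differing = sum(1 for f in ("src_addr", "dst_addr") if a.get(f) != b.get(f))
    if differing >= max_basic_diff:
        return False, "address_mismatch", None
    if intel_match(a, intel) == intel_match(b, intel):
        return True, "intel_match", None
    t = abs(a["alarm_time"] - b["alarm_time"])
    p1 = deviation_value(a, b, t)
    p2 = deviation_value(b, a, t)
    similarity = abs(p1 - p2)  # the difference is used as the similarity value
    return similarity < threshold, "similarity", similarity


# Constructed sample logs: a gateway firewall and a WEB firewall reporting the
# same request, differing in the return value and in the indicator fields.
FW_LOG = {"src_addr": "10.0.0.5", "dst_addr": "10.0.1.20", "src_port": "51234",
          "dst_port": "80", "proto": "TCP", "url": "/admin/login.php",
          "status": "200", "md5": "", "process": "", "file": "",
          "alarm_time": 1000}
WAF_LOG = {"src_addr": "10.0.0.5", "dst_addr": "10.0.1.20", "src_port": "51234",
           "dst_port": "80", "proto": "TCP", "url": "/admin/login.php",
           "status": "403", "md5": "md5-of-sample-A", "process": "",
           "file": "/var/www/admin/login.php", "alarm_time": 1030}
# Constructed intelligence library: known indicator values per preset field.
INTEL = {"md5": {"md5-of-sample-A"}, "file": {"/tmp/dropper.bin"}}

if __name__ == "__main__":
    print(correlate(FW_LOG, WAF_LOG, INTEL))
    print(correlate(FW_LOG, dict(FW_LOG, alarm_time=1001), INTEL))
    print(correlate(FW_LOG, dict(WAF_LOG, src_addr="192.0.2.9",
                                 dst_addr="10.0.1.21"), INTEL))
```

For the constructed pair the basic data differ only in the return value, the firewall log has no intelligence hit while the WAF log hits on its MD5 value, so the flow reaches the deviation stage: the firewall log scores 6/8.5 and the WAF log 6/9.5 before the time factor, and their difference stays under the threshold, so the two logs are attributed to one event. Empty fields lower the denominator rather than the numerator, which is what makes the 0.5 weight matter under the assumed aggregation.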
The embodiment of the disclosure calculates the similarity between the first security log and the second security log through the first deviation value of the first security log and the second deviation value of the second security log to determine whether the first security log and the second security log are generated for the same security event, wherein the first deviation value is calculated based on all first fields in the first security log, the second deviation value is calculated based on all second fields in the second security log, the first security log and the second security log belong to different security devices, and accordingly reliability correlation and comparison analysis of log contents of different security devices are achieved.
Further, based on whether the first security log and the second security log are generated for the same security event, an association report between the security device to which the first security log belongs and the security device to which the second security log belongs is generated.
Specifically, the security events are ordered according to the logical order and alarm categories of the different security devices, and association analysis of the security events is carried out based on algorithms such as security log similarity matching, repeated definition of graduated words and feature boundary definition. Ordering the security events according to the logical order and alarm categories of the different security devices means that the logical location of a security device in a standard network environment determines which type of attack its alarms are more likely to indicate. For example, alarms from the firewall and UTM at the gateway are biased toward the possibility of information collection and network intrusion; alarms from intrusion detection and the WEB firewall are biased toward the possibility of privilege escalation and intranet penetration; and alarms from network audit and behavior admission are biased toward the possibility of backdoor implantation and trace cleaning.
The association analysis of the security event is carried out based on algorithms such as security log similarity matching, graduated word repeated definition, feature boundary definition and the like, and related data such as a source address, a target address, occurrence time, a URL request, a possible result and the like of the alarm are connected in series, so that association analysis is carried out on different alarms according to a standard attack chain model, association relations of related alarms are output, and specifically each association relation can be used for outputting an association report through autonomous modeling analysis.
Of course, statistical analysis, comparison analysis, difference analysis reports and association analysis result reports for the various security events can also be generated. Through this analysis the direct temporal and causal relationships between security events become richer, more comprehensive and easier to understand, and security operation management data support is provided for upper-layer modeling analysis and AI analysis.
The embodiment of the disclosure provides powerful support for carrying out correlation contrast analysis on the credibility of log contents of different security devices or the capabilities of different security devices based on the field-level homologous merging and the information collision of the full-log field; moreover, based on the homologous merging and the information collision, a log field deviation algorithm is fused, the directional constraint of the traditional analysis is broken through, all fields of the information carrier can participate in statistics classification and difference comparison, the multi-dimensional analysis requirement is ensured, and the comprehensiveness and the accuracy of log content comparison analysis of different safety devices are realized.
Based on the same inventive concept, the second aspect of the present disclosure further provides a processing device corresponding to the processing method, and since the principle of solving the problem by the processing device in the present disclosure is similar to that of the processing method in the present disclosure, the implementation of the processing device may refer to the implementation of the method, and the repetition is omitted.
Fig. 4 shows a schematic diagram of a processing apparatus provided in an embodiment of the disclosure, specifically including:
an acquisition module 401 configured to acquire a first security log and a second security log; wherein the first security log and the second security log belong to different security devices;
the matching module 402 is configured to match preset fields in the information base with all the first fields of the first security log respectively to obtain a first matching result, and match preset fields in the information base with all the second fields of the second security log respectively to obtain a second matching result when the first security log and the second security log meet preset conditions;
a calculation module 403 configured to calculate a first deviation value of the first security log and calculate a second deviation value of the second security log if the first matching result is inconsistent with the second matching result;
a first determination module 404 configured to calculate a similarity value from the first deviation value and the second deviation value, and determine whether the first security log and the second security log are generated for the same security event based on the calculated similarity value.
In yet another embodiment, the obtaining module 401 is specifically configured to:
acquiring a third security log generated by the first security device and a fourth security log generated by the second security device;
converting the third security log into a third security log conforming to a standard rule based on a field analysis rule corresponding to the first security device, and converting the fourth security log into a fourth security log conforming to the standard rule based on a field analysis rule corresponding to the second security device;
and structuring the third security log to obtain the first security log, and structuring the fourth security log to obtain the second security log.
In yet another embodiment, the processing device further comprises a second determination module 405 configured to:
comparing whether the basic data in the first security log and the basic data in the second security log are the same or not, wherein the basic data comprises a source address, a target address, a source port, a target port, a protocol type, a request uniform resource locator and a request return value;
if the first security log and the second security log are different, determining that the first security log and the second security log meet the preset condition.
In yet another embodiment, the computing module 403 is specifically configured to:
and calculating a first deviation value of the first security log by using the influence degree of all the first fields, and calculating a second deviation value of the second security log by using the influence degree of all the second fields.
In yet another embodiment, the computing module 403 is further configured to:
acquiring a first alarm time of the first security log and a second alarm time of the second security log;
calculating an alarm time difference between the first alarm time and the second alarm time;
and calculating the first deviation value by using the influence degree of all the first fields and the alarm time difference value, and calculating the second deviation value by using the influence degree of all the second fields and the alarm time difference value.
In yet another embodiment, the first determining module 404 is specifically configured to:
and under the condition that the similarity value is larger than a preset threshold value, determining that the first security log and the second security log are generated for the same security event.
In yet another embodiment, the processing device further includes a generation module 406 configured to:
And generating a correlation report between the security device to which the first security log belongs and the security device to which the second security log belongs based on whether the first security log and the second security log are generated for the same security event.
The embodiment of the disclosure calculates the similarity between the first security log and the second security log through the first deviation value of the first security log and the second deviation value of the second security log to determine whether the first security log and the second security log are generated for the same security event, wherein the first deviation value is calculated based on all first fields in the first security log, the second deviation value is calculated based on all second fields in the second security log, the first security log and the second security log belong to different security devices, and accordingly reliability correlation and comparison analysis of log contents of different security devices are achieved.
The embodiment of the present disclosure provides a storage medium, which is a computer readable medium storing a computer program, the computer program implementing the method provided by any embodiment of the present disclosure when executed by a processor, including steps S11 to S14 as follows:
S11, acquiring a first security log and a second security log; wherein the first security log and the second security log belong to different security devices;
s12, under the condition that the first security log and the second security log meet preset conditions, respectively matching preset fields in an information base with all first fields of the first security log to obtain a first matching result, and respectively matching the preset fields in the information base with all second fields of the second security log to obtain a second matching result;
s13, calculating a first deviation value of the first security log and calculating a second deviation value of the second security log under the condition that the first matching result is inconsistent with the second matching result;
s14, similarity calculation is conducted on the first deviation value and the second deviation value to obtain a similarity value, and whether the first security log and the second security log are generated for the same security event or not is determined based on the calculated similarity value.
When the computer program is executed by the processor to acquire the first security log and the second security log, the processor specifically executes the following steps: acquiring a third security log generated by the first security device and a fourth security log generated by the second security device; converting the third security log into a third security log conforming to a standard rule based on a field analysis rule corresponding to the first security device, and converting the fourth security log into a fourth security log conforming to the standard rule based on a field analysis rule corresponding to the second security device; and structuring the third security log to obtain the first security log, and structuring the fourth security log to obtain the second security log.
The computer program is further executed by the processor when the processing method is executed by the processor, to perform the steps of: comparing whether the basic data in the first security log and the basic data in the second security log are the same or not, wherein the basic data comprises a source address, a target address, a source port, a target port, a protocol type, a request uniform resource locator and a request return value; if the first security log and the second security log are different, determining that the first security log and the second security log meet the preset condition.
The computer program, when executed by the processor, calculates a first deviation value for the first security log and calculates a second deviation value for the second security log, further comprises the processor performing the steps of: and calculating a first deviation value of the first security log by using the influence degree of all the first fields, and calculating a second deviation value of the second security log by using the influence degree of all the second fields.
The computer program is executed by the processor to calculate a first deviation value of the first security log by using the influence degrees of all the first fields, and when calculating a second deviation value of the second security log by using the influence degrees of all the second fields, the computer program is further executed by the processor to perform the following steps: acquiring a first alarm time of the first security log and a second alarm time of the second security log; calculating an alarm time difference between the first alarm time and the second alarm time; and calculating the first deviation value by using the influence degree of all the first fields and the alarm time difference value, and calculating the second deviation value by using the influence degree of all the second fields and the alarm time difference value.
The computer program, when executed by the processor, determines whether the first security log and the second security log are generated for the same security event based on the calculated similarity value, further performs the steps of: and under the condition that the similarity value is larger than a preset threshold value, determining that the first security log and the second security log are generated for the same security event.
The computer program is further executed by the processor when the processing method is executed by the processor, to perform the steps of: and generating a correlation report between the security device to which the first security log belongs and the security device to which the second security log belongs based on whether the first security log and the second security log are generated for the same security event.
The embodiment of the disclosure calculates the similarity between the first security log and the second security log through the first deviation value of the first security log and the second deviation value of the second security log to determine whether the first security log and the second security log are generated for the same security event, wherein the first deviation value is calculated based on all first fields in the first security log, the second deviation value is calculated based on all second fields in the second security log, the first security log and the second security log belong to different security devices, and accordingly reliability correlation and comparison analysis of log contents of different security devices are achieved.
The embodiment of the present disclosure provides an electronic device, which may be shown in fig. 5, and at least includes a memory 501 and a processor 502, where the memory 501 stores a computer program, and the processor 502 implements the method provided by any embodiment of the present disclosure when executing the computer program on the memory 501. Exemplary, the electronic device computer program steps are as follows S21 to S24:
s21, a first security log and a second security log are obtained; wherein the first security log and the second security log belong to different security devices;
s22, under the condition that the first security log and the second security log meet preset conditions, respectively matching preset fields in an information base with all first fields of the first security log to obtain a first matching result, and respectively matching the preset fields in the information base with all second fields of the second security log to obtain a second matching result;
s23, calculating a first deviation value of the first security log and calculating a second deviation value of the second security log under the condition that the first matching result is inconsistent with the second matching result;
S24, similarity calculation is conducted on the first deviation value and the second deviation value to obtain a similarity value, and whether the first security log and the second security log are generated for the same security event or not is determined based on the calculated similarity value.
The processor, when executing the first security log and the second security log stored on the memory, further executes the computer program of: acquiring a third security log generated by the first security device and a fourth security log generated by the second security device; converting the third security log into a third security log conforming to a standard rule based on a field analysis rule corresponding to the first security device, and converting the fourth security log into a fourth security log conforming to the standard rule based on a field analysis rule corresponding to the second security device; and structuring the third security log to obtain the first security log, and structuring the fourth security log to obtain the second security log.
The processor, when executing the processing method stored on the memory, also executes the following computer program: comparing whether the basic data in the first security log and the basic data in the second security log are the same or not, wherein the basic data comprises a source address, a target address, a source port, a target port, a protocol type, a request uniform resource locator and a request return value; if the first security log and the second security log are different, determining that the first security log and the second security log meet the preset condition.
The processor, when executing the first deviation value stored on the memory for calculating the first security log and the second deviation value for calculating the second security log, further executes the computer program of: and calculating a first deviation value of the first security log by using the influence degree of all the first fields, and calculating a second deviation value of the second security log by using the influence degree of all the second fields.
The processor further executes the following computer program when executing the first deviation value of the first security log obtained by calculating the influence degree of all the first fields stored in the memory and the second deviation value of the second security log obtained by calculating the influence degree of all the second fields: acquiring a first alarm time of the first security log and a second alarm time of the second security log; calculating an alarm time difference between the first alarm time and the second alarm time; and calculating the first deviation value by using the influence degree of all the first fields and the alarm time difference value, and calculating the second deviation value by using the influence degree of all the second fields and the alarm time difference value.
The processor, when executing the stored computer program stored on the memory to determine whether the first security log and the second security log were generated for the same security event based on the calculated similarity value, further executes the computer program to: and under the condition that the similarity value is larger than a preset threshold value, determining that the first security log and the second security log are generated for the same security event.
The processor, when executing the processing method stored on the memory, also executes the following computer program: and generating a correlation report between the security device to which the first security log belongs and the security device to which the second security log belongs based on whether the first security log and the second security log are generated for the same security event.
The embodiment of the disclosure calculates the similarity between the first security log and the second security log through the first deviation value of the first security log and the second deviation value of the second security log to determine whether the first security log and the second security log are generated for the same security event, wherein the first deviation value is calculated based on all first fields in the first security log, the second deviation value is calculated based on all second fields in the second security log, the first security log and the second security log belong to different security devices, and accordingly reliability correlation and comparison analysis of log contents of different security devices are achieved.
Alternatively, in the present embodiment, the storage medium may include, but is not limited to: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code. Optionally, in this embodiment, the processor performs the method steps described in the above embodiments according to the program code stored in the storage medium. Alternatively, specific examples in this embodiment may refer to the examples described in the foregoing embodiments and optional implementations, and are not repeated here. It will be appreciated by those skilled in the art that the modules or steps of the disclosure described above may be implemented in a general purpose computing device; they may be centralized on a single computing device or distributed across a network of computing devices; they may alternatively be implemented in program code executable by computing devices, such that they may be stored in a memory device for execution by the computing devices, and in some cases the steps shown or described may be performed in a different order than shown or described; or they may be implemented as individual integrated circuit modules, or multiple modules or steps among them may be implemented as a single integrated circuit module. As such, the present disclosure is not limited to any specific combination of hardware and software.
Furthermore, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments having equivalent elements, modifications, omissions, combinations (e.g., of the various embodiments across schemes), adaptations or alterations based on the present disclosure. Elements in the claims are to be construed broadly based on language employed in the claims and not limited to examples described in the present specification or during the practice of the present disclosure, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents.
The above description is intended to be illustrative and not restrictive. For example, the above-described examples (or one or more aspects thereof) may be used in combination with each other. For example, other embodiments may be used by those of ordinary skill in the art upon reading the above description. In addition, in the above detailed description, various features may be grouped together to streamline the disclosure. This is not to be interpreted as an intention that the disclosed features not being claimed are essential to any claim. Rather, the disclosed subject matter may include less than all of the features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, with each claim standing on its own as a separate embodiment, and it is contemplated that these embodiments may be combined with one another in various combinations or permutations. The scope of the disclosure should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
While various embodiments of the present disclosure have been described in detail, the present disclosure is not limited to these specific embodiments; various modifications and embodiments can be made by those skilled in the art on the basis of the concepts of the present disclosure, and these modifications and variations should fall within the scope of the present disclosure as claimed.

Claims (8)

1. A method for processing a multi-source heterogeneous security log, comprising:
acquiring a first security log and a second security log; wherein the first security log and the second security log belong to different security devices;
under the condition that the first security log and the second security log meet preset conditions, respectively matching preset fields in an information base with all first fields of the first security log to obtain a first matching result, and respectively matching the preset fields in the information base with all second fields of the second security log to obtain a second matching result;
under the condition that the first matching result is inconsistent with the second matching result, calculating a first deviation value of the first security log and calculating a second deviation value of the second security log, wherein the deviation value represents the deviation degree of fields in the log;
Performing similarity calculation on the first deviation value and the second deviation value to obtain a similarity value, and determining whether the first security log and the second security log are generated for the same security event or not based on the calculated similarity value, wherein the similarity value is a difference value between the first deviation value and the second deviation value;
determining that the first security log and the second security log meet a preset condition includes:
comparing whether the basic data in the first security log and the basic data in the second security log are the same or not, wherein the basic data comprises a source address, a target address, a source port, a target port, a protocol type, a request uniform resource locator and a request return value;
if the first security log and the second security log are different, determining that the first security log and the second security log meet the preset condition;
the determining, based on the calculated similarity value, whether the first security log and the second security log are generated for the same security event includes:
and under the condition that the similarity value is smaller than a preset threshold value, determining that the first security log and the second security log are generated for the same security event.
2. The processing method according to claim 1, wherein the acquiring the first security log and the second security log includes:
acquiring a third security log generated by the first security device and a fourth security log generated by the second security device;
converting the third security log into a third security log conforming to a standard rule based on a field analysis rule corresponding to the first security device, and converting the fourth security log into a fourth security log conforming to the standard rule based on a field analysis rule corresponding to the second security device;
and structuring the third security log to obtain the first security log, and structuring the fourth security log to obtain the second security log.
3. The processing method according to claim 1, wherein the calculating a first deviation value of the first security log and the calculating a second deviation value of the second security log includes:
calculating the first deviation value of the first security log using the influence degrees of all the first fields, and calculating the second deviation value of the second security log using the influence degrees of all the second fields.
4. The processing method according to claim 3, wherein the calculating the first deviation value of the first security log using the influence degrees of all the first fields and the calculating the second deviation value of the second security log using the influence degrees of all the second fields includes:
acquiring a first alarm time of the first security log and a second alarm time of the second security log;
calculating an alarm time difference between the first alarm time and the second alarm time;
calculating the first deviation value using the influence degrees of all the first fields and the alarm time difference, and calculating the second deviation value using the influence degrees of all the second fields and the alarm time difference.
5. The processing method according to claim 1, further comprising:
generating a correlation report between the security device to which the first security log belongs and the security device to which the second security log belongs, based on whether the first security log and the second security log are generated for the same security event.
6. A processing apparatus for a multi-source heterogeneous security log, comprising:
an acquisition module configured to acquire a first security log and a second security log, wherein the first security log and the second security log belong to different security devices;
a matching module configured to, when the first security log and the second security log meet a preset condition, match preset fields in an information base against all first fields of the first security log to obtain a first matching result, and match the preset fields in the information base against all second fields of the second security log to obtain a second matching result;
a calculation module configured to, when the first matching result is inconsistent with the second matching result, calculate a first deviation value of the first security log and a second deviation value of the second security log, wherein the deviation value characterizes the degree of deviation of the fields in the log;
a first determining module configured to perform a similarity calculation on the first deviation value and the second deviation value to obtain a similarity value, and to determine, based on the calculated similarity value, whether the first security log and the second security log are generated for the same security event, wherein the similarity value is the difference between the first deviation value and the second deviation value;
a second determining module configured to compare whether the basic data in the first security log and the basic data in the second security log are the same, wherein the basic data comprise a source address, a destination address, a source port, a destination port, a protocol type, a request uniform resource locator (URL) and a request return value, and, if the basic data differ, to determine that the first security log and the second security log meet the preset condition;
wherein the first determining module is specifically configured to:
when the similarity value is smaller than a preset threshold value, determine that the first security log and the second security log are generated for the same security event.
7. A storage medium having a computer program stored thereon which, when executed by a processor, performs the steps of:
acquiring a first security log and a second security log, wherein the first security log and the second security log belong to different security devices;
when the first security log and the second security log meet a preset condition, matching preset fields in an information base against all first fields of the first security log to obtain a first matching result, and matching the preset fields in the information base against all second fields of the second security log to obtain a second matching result;
when the first matching result is inconsistent with the second matching result, calculating a first deviation value of the first security log and a second deviation value of the second security log, wherein the deviation value characterizes the degree of deviation of the fields in the log;
performing a similarity calculation on the first deviation value and the second deviation value to obtain a similarity value, and determining, based on the calculated similarity value, whether the first security log and the second security log are generated for the same security event, wherein the similarity value is the difference between the first deviation value and the second deviation value;
wherein the determining that the first security log and the second security log meet the preset condition includes:
comparing whether the basic data in the first security log and the basic data in the second security log are the same, wherein the basic data comprise a source address, a destination address, a source port, a destination port, a protocol type, a request uniform resource locator (URL) and a request return value;
if the basic data differ, determining that the first security log and the second security log meet the preset condition;
and the determining, based on the calculated similarity value, whether the first security log and the second security log are generated for the same security event includes:
when the similarity value is smaller than a preset threshold value, determining that the first security log and the second security log are generated for the same security event.
8. An electronic device, comprising: a processor and a memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over a bus when the electronic device is operating, the machine-readable instructions, when executed by the processor, performing the steps of:
acquiring a first security log and a second security log, wherein the first security log and the second security log belong to different security devices;
when the first security log and the second security log meet a preset condition, matching preset fields in an information base against all first fields of the first security log to obtain a first matching result, and matching the preset fields in the information base against all second fields of the second security log to obtain a second matching result;
when the first matching result is inconsistent with the second matching result, calculating a first deviation value of the first security log and a second deviation value of the second security log, wherein the deviation value characterizes the degree of deviation of the fields in the log;
performing a similarity calculation on the first deviation value and the second deviation value to obtain a similarity value, and determining, based on the calculated similarity value, whether the first security log and the second security log are generated for the same security event, wherein the similarity value is the difference between the first deviation value and the second deviation value;
wherein the determining that the first security log and the second security log meet the preset condition includes:
comparing whether the basic data in the first security log and the basic data in the second security log are the same, wherein the basic data comprise a source address, a destination address, a source port, a destination port, a protocol type, a request uniform resource locator (URL) and a request return value;
if the basic data differ, determining that the first security log and the second security log meet the preset condition;
and the determining, based on the calculated similarity value, whether the first security log and the second security log are generated for the same security event includes:
when the similarity value is smaller than a preset threshold value, determining that the first security log and the second security log are generated for the same security event.
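The claims above name the steps of the correlation pipeline (per-device field parsing into a standard schema, the basic-data comparison that gates the method, matching against an information base, deviation values built from field influence degrees and the alarm time difference, and a threshold on their difference) but not the formulas. The following is an added example, not the patentee's code: a minimal runnable sketch of that pipeline over two constructed logs from a hypothetical WAF and a hypothetical network IDS. The parsing rules, the contents of the information base, the influence degrees, the way influence and time difference combine into a deviation value, the time window and the threshold are all assumptions chosen for the demonstration.

```python
"""Added example, not the patent's implementation: a sketch of the claimed pipeline.
All parsing rules, the information base, influence degrees, the deviation formula,
TIME_WINDOW_S and THRESHOLD are assumptions made for illustration."""
from datetime import datetime, timezone

# Constructed sample logs from two hypothetical devices; not real product output.
RAW_WAF = ("ts=2021-12-10T08:00:01Z sip=203.0.113.7 dip=192.0.2.10 sport=51522 "
           "dport=443 proto=tcp url=/login?u=admin rc=403 sig=sqli-union")
RAW_IDS = "2021-12-10 08:00:03,203.0.113.7,192.0.2.10,51522,443,TCP,/login,200,ET WEB_SERVER SQLi UNION SELECT"
RAW_IDS_OTHER = "2021-12-10 08:05:00,198.51.100.9,192.0.2.10,40000,22,TCP,-,0,ET SCAN SSH brute force"

# "Basic data" named in claim 1: 5-tuple, request URL and request return value.
BASE_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "url", "status")

# Claim 2: a field parsing rule per device maps raw output onto one standard schema.
def parse_waf(line):
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"alarm_time": datetime.fromisoformat(kv["ts"].replace("Z", "+00:00")),
            "src_ip": kv["sip"], "dst_ip": kv["dip"],
            "src_port": int(kv["sport"]), "dst_port": int(kv["dport"]),
            "proto": kv["proto"].lower(), "url": kv["url"],
            "status": int(kv["rc"]), "signature": kv["sig"]}

def parse_ids(line):
    f = line.split(",")
    ts = datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"alarm_time": ts, "src_ip": f[1], "dst_ip": f[2],
            "src_port": int(f[3]), "dst_port": int(f[4]), "proto": f[5].lower(),
            "url": f[6], "status": int(f[7]), "signature": f[8]}

# Assumed information base: preset field -> (known values, influence degree).
INFO_BASE = {
    "signature": ({"sqli-union", "ET WEB_SERVER SQLi UNION SELECT"}, 0.5),
    "url": ({"/login?u=admin"}, 0.3),
    "dst_port": ({80, 443}, 0.1),
    "status": ({200}, 0.1),
}
TIME_WINDOW_S = 60.0   # assumed scale for the alarm time difference
THRESHOLD = 0.5        # assumed preset threshold on the similarity value

def base_data_differs(a, b):
    """Claim 1's preset condition: the basic data of the two logs are not identical."""
    return any(a[k] != b[k] for k in BASE_FIELDS)

def match_info_base(log):
    """Match each preset field of the information base against the log's fields;
    the matching result is the set of preset fields whose value is known."""
    return frozenset(k for k, (known, _) in INFO_BASE.items() if log.get(k) in known)

def deviation(log, matched, dt_s):
    """Assumed formula: summed influence degree of the preset fields that did not
    match, scaled by the alarm time difference (claims 3 and 4 name these inputs)."""
    unmatched = sum(w for k, (_, w) in INFO_BASE.items() if k not in matched)
    return unmatched * (1.0 + dt_s / TIME_WINDOW_S)

def correlate(log1, log2):
    """Return (same_event, similarity). same_event is None when the claimed path is
    not taken: identical basic data, or identical matching results."""
    if not base_data_differs(log1, log2):
        return None, None
    m1, m2 = match_info_base(log1), match_info_base(log2)
    if m1 == m2:
        return None, None
    dt_s = abs((log1["alarm_time"] - log2["alarm_time"]).total_seconds())
    d1, d2 = deviation(log1, m1, dt_s), deviation(log2, m2, dt_s)
    similarity = abs(d1 - d2)   # the claims define the similarity value as the difference
    return similarity < THRESHOLD, similarity

def correlation_report(device1, device2, log1, log2):
    """Claim 5: a correlation report between the two devices for this log pair."""
    same, sim = correlate(log1, log2)
    verdict = {True: "same event", False: "different events", None: "not evaluated"}[same]
    sim_txt = "n/a" if sim is None else f"{sim:.3f}"
    return f"{device1} <-> {device2}: {verdict} (similarity={sim_txt}, threshold={THRESHOLD})"

if __name__ == "__main__":
    waf, ids, other = parse_waf(RAW_WAF), parse_ids(RAW_IDS), parse_ids(RAW_IDS_OTHER)
    print(correlation_report("waf-1", "ids-1", waf, ids))     # same event
    print(correlation_report("waf-1", "ids-1", waf, other))   # different events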

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111506423.7A CN114205146B (en) 2021-12-10 2021-12-10 Processing method and device for multi-source heterogeneous security log

Publications (2)

Publication Number Publication Date
CN114205146A CN114205146A (en) 2022-03-18
CN114205146B true CN114205146B (en) 2024-01-26

Family

ID=80652308

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111506423.7A Active CN114205146B (en) 2021-12-10 2021-12-10 Processing method and device for multi-source heterogeneous security log

Country Status (1)

Country Link
CN (1) CN114205146B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115589324B (en) * 2022-10-20 2024-06-04 周思华 Cloud computing-based data security defense emergency system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101888309A (en) * 2010-06-30 2010-11-17 中国科学院计算技术研究所 Online log analysis method
CN103546312A (en) * 2013-08-27 2014-01-29 中国航天科工集团第二研究院七〇六所 Massive multi-source isomerism log correlation analyzing method
CN107566163A (en) * 2017-08-10 2018-01-09 北京奇安信科技有限公司 A kind of alarm method and device of user behavior analysis association
CN111930592A (en) * 2020-07-20 2020-11-13 国网浙江省电力有限公司嘉兴供电公司 Method and system for detecting log sequence abnormity in real time
CN113098828A (en) * 2019-12-23 2021-07-09 中国移动通信集团辽宁有限公司 Network security alarm method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10353756B2 (en) * 2016-10-11 2019-07-16 Oracle International Corporation Cluster-based processing of unstructured log messages

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于XML的综合日志预处理模型设计 (Design of an XML-based integrated log preprocessing model); 刘必雄 (Liu Bixiong); 许榕生 (Xu Rongsheng); 莆田学院学报 (Journal of Putian University), No. 05; full text *

Also Published As

Publication number Publication date
CN114205146A (en) 2022-03-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant