CN114372262A - Network security audit method, device and storage medium - Google Patents


Info

Publication number
CN114372262A
Authority
CN
China
Prior art keywords
data
audit
syslog
security audit
network security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111284762.5A
Other languages
Chinese (zh)
Inventor
李富鑫
柳勇
林强
蒋鑫
焦颉
郝雁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Gansu Branch
Original Assignee
China Telecom Gansu Branch
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/35 Clustering; Classification
    • G06F16/353 Clustering; Classification into predefined classes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The network security audit method, device and storage medium provided by the application collect the syslog data of a service system, filter that syslog data through a configured regular expression, preprocess the filtered syslog data based on the service characteristics of the service system, correlate the preprocessed syslog data according to time, count the correlated syslog data according to the service system name, host name, IP address, login account and operation command contained in the collected syslog data, and build a security audit model from the counting result. Through the security audit model, one of network security audit, account and access audit, query and reporting, and personalized configuration is carried out on the syslog data, so that the accuracy of network security audit is improved, the human cost required is effectively reduced, and auditing efficiency is improved.

Description

Network security audit method, device and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to a network security audit method, apparatus, and storage medium.
Background
With the development of internet information technology, it has become more and more important for telecom service operators, as providers of information services, to discover abnormal security events in the networks they operate in time and to improve the efficiency of network security audit. At present, the traditional network security auditing means in the industry mainly consists of staff logging in to equipment, checking the network logs and so on, and performing the network audit by hand. With the implementation of intensive maintenance and the continuous increase in the number of devices, however, auditing the network logs manually and then deriving from the audit result the pattern that affects network security events is inefficient and inaccurate, increasingly fails to meet the requirements of network operation, and carries a high labor cost, which brings difficulty and pressure to the intensive operation of a telecom operator.
Disclosure of Invention
In view of this, one of the technical problems solved by the embodiments of the present application is to provide a method, an apparatus and a storage medium for network security audit, used for performing automatic network security audit on the network operated by an operator, so as to effectively improve the efficiency of the network security audit process and the accuracy of the audit, and to reduce labor cost.
In a first aspect, an embodiment of the present application provides a network security audit method, including:
collecting syslog log data of a service system;
performing data filtering on the collected syslog log data through a configured regular expression;
preprocessing the syslog log data subjected to the data filtering based on the service characteristics of the service system;
correlating the preprocessed syslog data according to time;
counting the correlated syslog data according to the service system name, host name, IP address, login account and operation command contained in the collected syslog data, and constructing a security audit model according to the counting result;
and performing, according to the security audit model, network security audit on the syslog log data in the form of high-risk operation audit, account and access audit, query and reporting, and personalized configuration.
Optionally, in an embodiment of the present application, the preprocessing the syslog log data subjected to the data filtering based on the service characteristics of the service system includes:
performing keyword screening, clustering and normalization processing on the filtered syslog data based on the service system characteristics.
Optionally, in an embodiment of the present application, performing high-risk operation audit on the syslog log data according to the security audit model includes: monitoring the execution of operation instructions on the host and the editing, modification and execution performed with ordinary accounts, to generate monitoring data;
and determining, according to the security audit model, unauthorized access to system files by non-system-administrator accounts in the monitoring data, so as to perform the high-risk operation audit.
Optionally, in an embodiment of the present application, the auditing account and access to syslog log data according to the security audit model includes:
performing, according to the security audit model, data audit on the login failures, illegal logins and illegal use behaviors of administrators contained in the syslog data, by analyzing and capturing the corresponding ssh, ftp and sftp protocol records in the syslog.
Optionally, in an embodiment of the present application, the querying, reporting, and performing personalized configuration on syslog data according to the security audit model includes:
setting a user-defined dashboard, report and alarm list, adding a whitelist, and issuing a corresponding security audit report according to the security audit model in combination with the service system and platform attributes.
In a second aspect, based on the network security auditing method of the first aspect of the present application, the present application further provides a network security auditing apparatus, including:
the extraction module is used for collecting syslog log data of the service system;
the filtering module is used for performing data filtering on the collected syslog log data through a configured regular expression;
the preprocessing module is used for preprocessing the syslog data subjected to the data filtering based on the service characteristics of the service system;
the statistics module is used for correlating the preprocessed syslog data according to time, and for performing statistics on the correlated syslog data based on the service system name, host name, IP address, login account and operation command contained in the correlated syslog data;
the construction module is used for constructing a safety audit model according to the statistical result;
and the auditing module is used for performing, according to the security audit model, network security audit on the syslog data in the form of high-risk operation audit, account and access audit, query and reporting, and personalized configuration.
Optionally, in an embodiment of the present application, the auditing module is further configured to monitor the execution of operation instructions on the host and the editing, modification and execution performed with ordinary accounts, to generate monitoring data; and to determine, according to the security audit model, unauthorized access to system files by non-system-administrator accounts in the monitoring data, so as to perform the high-risk operation audit.
Optionally, in an embodiment of the present application, the auditing module is further configured to perform, according to the security audit model, data audit on the login failures, illegal logins and illegal use behaviors of administrators contained in the syslog data, by analyzing and capturing the corresponding ssh, ftp and sftp protocol records in the syslog.
Optionally, in an embodiment of the present application, the auditing module is further configured to set a custom dashboard, report and alarm list, add a whitelist, and issue a corresponding security audit report according to the security audit model in combination with the attributes of the service system and the platform.
In a third aspect, the present application further provides a storage medium, where the storage medium stores a computer program, and when a processor executes the computer program stored in the storage medium, the network security audit method according to the first aspect of the present application is implemented.
The network security auditing method provided by the application collects the syslog log data of a service system; filters the collected syslog log data through a configured regular expression; preprocesses the filtered syslog log data based on the service characteristics of the service system; correlates the preprocessed syslog data according to time; counts the correlated syslog data according to the service system name, host name, IP address, login account and operation command contained in the collected syslog data; constructs a security audit model according to the counting result; and performs, according to the security audit model, network security audit on the syslog data in the form of high-risk operation audit, account and access audit, query and reporting, and personalized configuration. The labor cost of network security audit is thereby effectively reduced, and the efficiency and accuracy of the audit are improved.
Drawings
Some specific embodiments of the present application will be described in detail hereinafter by way of illustration and not limitation with reference to the accompanying drawings. The same reference numbers in the drawings identify the same or similar elements or components. Those skilled in the art will appreciate that the drawings are not necessarily drawn to scale. In the drawings:
FIG. 1 is a flowchart of a network security audit method according to an embodiment of the present disclosure;
FIG. 2 is a schematic structural diagram of a network security audit apparatus according to an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments of the present application, and the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application shall fall within the scope of the embodiments in the present application.
Embodiment I
An embodiment of the present application provides a network security auditing method, as shown in FIG. 1, where FIG. 1 is a flowchart of the network security auditing method provided in the embodiment of the present application. The network security auditing method comprises the following steps:
s101, collecting syslog data of the service system.
Syslog log data, also called system log or system record, is a standard for conveying log messages over an Internet Protocol (TCP/IP) network; the term often refers to the actual Syslog protocol, or to the application or database that submits the Syslog messages. In an implementation manner of this embodiment, collecting the syslog data of the service system includes: collecting the system logs and event information of the service system hosts, network devices and security devices based on protocols such as Syslog and SNMP, which improves the granularity and coverage of the collected service data and ensures the comprehensiveness of the network security audit.
Optionally, in an implementation manner of this embodiment, in order to improve the comprehensiveness and timeliness of the collected log data, the syslog log data may be forwarded by the service system hosts and collected by a real-time indexing host.
S102, performing data filtering on the collected syslog log data through the configured regular expression.
In this embodiment, the collected syslog log data contains many types of data and a large amount of it, so analyzing and processing it directly is inefficient. To improve the efficiency of data processing, a regular expression (regex or RE, as it is often abbreviated in code) is configured and used to perform data filtering (logical filtering) on the collected log data: redundant, repeated and irrelevant log data are removed, and only the specific part of the data required by the network security audit is kept. The amount of data to be processed is thus reduced while data accuracy is preserved, and data processing efficiency is improved.
S103, preprocessing the syslog data subjected to data filtering based on the service characteristics of the service system.
Optionally, in an implementation manner of this embodiment, preprocessing the filtered syslog data based on the service characteristics of the service system includes: performing keyword screening, clustering and normalization processing on the filtered syslog data based on the characteristics of the service system.
In this embodiment, log data analysis is a core link of network security audit. Because the data volume contained in the collected syslog data is often very large and its types and formats differ, the unstructured data contained in the syslog data can be preprocessed to further improve the efficiency of network security audit: for example, the filtered syslog data is classified and summarized through keyword screening, clustering, normalization and similar processing, so that the syslog data to be security-audited has good accuracy and is at the same time more convenient to analyze, which further improves data processing efficiency.
S104, correlating the preprocessed syslog data according to time, and counting the correlated syslog data based on the service system name, host name, IP address, login account and operation command contained in the correlated syslog data.
In an implementation manner of this embodiment, the collected syslog log data includes service data of different devices. When a network security problem occurs, corresponding records are in most cases generated in the log data of several different devices; if network security audit were performed on the log data of a single device alone, the audit might be wrong or not comprehensive enough. Correlating the preprocessed syslog data according to time therefore brings together the records that different devices generated for the same event before they are counted.
S105, constructing a security audit model according to the statistical result.
In this embodiment, after the syslog log data are correlated, statistics are computed for each log record based on the service system name, host name, IP address, login account name and corresponding operation command, and a security audit model is constructed according to the statistical and analytical results, without first loading the data into a database. This avoids the difficulty that a traditional database has in storing unstructured data and in mining and analyzing the acquired data, so the constructed security audit model has a relatively strong security audit function; its capability and efficiency in processing the acquired syslog data are improved when auditing various network security events, and the comprehensiveness and accuracy of the network security audit are better ensured.
S106, performing network security audit according to the security audit model, in the form of high-risk operation audit, account and access audit, query and reporting, and personalized configuration.
Optionally, in an embodiment of the present application, performing high-risk operation audit according to the security audit model includes: monitoring the execution of operation instructions on the host and the editing, modification and execution performed with ordinary accounts, to generate monitoring data, and determining, according to the security audit model, unauthorized access to system files by non-system-administrator accounts in the monitoring data, so as to perform the high-risk operation audit.
Optionally, in an embodiment of the present application, performing account and access audit on the syslog log data according to the security audit model includes:
performing, according to the security audit model, data audit on the login failures, illegal logins and illegal use behaviors of administrators contained in the syslog data, by analyzing and capturing the corresponding ssh, ftp and sftp protocol records in the syslog.
Optionally, in an embodiment of the present application, performing query, reporting and personalized configuration on the syslog data according to the security audit model includes:
setting a user-defined dashboard, report and alarm list, adding a whitelist, and issuing a corresponding security audit report according to the security audit model in combination with the service system and platform attributes.
The network security auditing method provided by the application collects the syslog log data of a service system; filters the collected syslog log data through a configured regular expression; preprocesses the filtered syslog log data based on the service characteristics of the service system; correlates the preprocessed syslog data according to time; counts the correlated syslog data according to the service system name, host name, IP address, login account and operation command contained in the collected syslog data; constructs a security audit model according to the counting result; and performs, according to the security audit model, network security audit on the syslog data in the form of high-risk operation audit, account and access audit, query and reporting, and personalized configuration. The labor cost required by network security audit is thereby effectively reduced, and the efficiency and accuracy of the audit are improved.
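As an added illustration, not code from the patent or its applicant, the following Python sketch runs constructed syslog lines through steps S101 to S106 of the first aspect and this embodiment: regex filtering, keyword normalisation, per host and account time correlation, counting by service system name, host, IP address, account and command, and two of the audits the model is meant to support (repeated ssh login failures, and an ordinary account editing a system file) with a whitelist applied. The host-to-system mapping, administrator list, system-file prefixes, whitelist, log year and the 60-second correlation window are assumed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in RFC 3164 layout; these are not data from the patent.
SAMPLE_LOGS = """\
Nov 02 10:00:01 billing-db01 sshd[2101]: Failed password for root from 10.0.5.9 port 51022 ssh2
Nov 02 10:00:03 billing-db01 sshd[2101]: Failed password for root from 10.0.5.9 port 51024 ssh2
Nov 02 10:00:05 billing-db01 sshd[2101]: Failed password for root from 10.0.5.9 port 51026 ssh2
Nov 02 10:00:09 billing-db01 sshd[2105]: Accepted password for root from 10.0.5.9 port 51030 ssh2
Nov 02 10:01:12 billing-app02 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/passwd
Nov 02 10:01:40 billing-app02 CRON[3321]: (root) CMD (/usr/lib/sa/sa1 1 1)
Nov 02 10:02:30 billing-app02 sudo: bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /var/log/messages
"""

# Assumed service characteristics (hypothetical values): host -> service system name,
# administrator accounts, path prefixes treated as system files, and an audit whitelist.
HOST_TO_SYSTEM = {"billing-db01": "billing", "billing-app02": "billing"}
ADMIN_ACCOUNTS = {"root", "opsadmin"}
SYSTEM_FILE_PREFIXES = ("/etc/", "/boot/", "/usr/sbin/")
WHITELIST = {("billing-app02", "bob")}  # (host, account) pairs exempt from alerting
LOG_YEAR = 2021  # RFC 3164 timestamps carry no year; assumed here for parsing

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<proc>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
# S102: the configured regex keeps only relevant sources; S103: keyword patterns normalise messages.
FILTER_RE = re.compile(r"^(sshd|sudo|vsftpd|sftp-server)$")
LOGIN_RE = re.compile(r"^(?P<result>Failed|Accepted) \S+ for (?:invalid user )?"
                      r"(?P<account>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<account>\S+) : .*COMMAND=(?P<command>.+)$")

def parse_and_filter(raw):
    """S101/S102: split raw syslog text into records, dropping irrelevant processes."""
    records = []
    for line in raw.splitlines():
        m = SYSLOG_RE.match(line)
        if m and FILTER_RE.match(m["proc"]):
            records.append(m.groupdict())
    return records

def normalize(records):
    """S103: keyword screening and normalisation into one fixed event schema."""
    events = []
    for r in records:
        ev = {"time": datetime.strptime(f"{LOG_YEAR} {r['ts']}", "%Y %b %d %H:%M:%S"),
              "system": HOST_TO_SYSTEM.get(r["host"], "unknown"), "host": r["host"],
              "ip": "-", "account": "-", "command": "-"}
        if (m := LOGIN_RE.match(r["msg"])):
            ev.update(kind="login_ok" if m["result"] == "Accepted" else "login_failed",
                      account=m["account"], ip=m["ip"])
        elif (m := SUDO_RE.match(r["msg"])):
            ev.update(kind="command", account=m["account"], command=m["command"].strip())
        else:
            continue  # matches no known keyword pattern: screened out
        events.append(ev)
    return events

def correlate_by_time(events, window=timedelta(seconds=60)):
    """S104: group each (host, account)'s events into sessions whose gaps are <= window."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["host"], e["account"])].append(e)
    sessions = []
    for key, evs in by_key.items():
        current = [evs[0]]
        for e in evs[1:]:
            if e["time"] - current[-1]["time"] > window:
                sessions.append((key, current))
                current = []
            current.append(e)
        sessions.append((key, current))
    return sessions

def build_statistics(events):
    """S104/S105: counts keyed by system name, host, IP address, account and command."""
    return Counter((e["system"], e["host"], e["ip"], e["account"], e["command"]) for e in events)

def audit(sessions, fail_threshold=3):
    """S106: account/access audit and high-risk operation audit over the sessions."""
    findings = []
    for (host, account), evs in sessions:
        if (host, account) in WHITELIST:
            continue
        fails = [e for e in evs if e["kind"] == "login_failed"]
        if len(fails) >= fail_threshold:  # repeated failures, possibly followed by success
            findings.append({"type": "access_audit", "host": host, "account": account,
                             "ip": fails[0]["ip"], "failures": len(fails),
                             "then_success": any(e["kind"] == "login_ok" for e in evs)})
        if account not in ADMIN_ACCOUNTS:  # ordinary account touching a system file
            for e in evs:
                if e["kind"] == "command" and any(p in e["command"] for p in SYSTEM_FILE_PREFIXES):
                    findings.append({"type": "high_risk_operation", "host": host,
                                     "account": account, "command": e["command"]})
    return findings

def run_pipeline(raw=SAMPLE_LOGS):
    """Run steps S101-S106 and return (statistics, audit findings)."""
    events = normalize(parse_and_filter(raw))
    return build_statistics(events), audit(correlate_by_time(events))
```

On the sample, the CRON line is dropped by the filter, bob's session is suppressed by the whitelist, and two findings remain: three failed root logins from 10.0.5.9 followed by a success, and alice editing /etc/passwd.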
Embodiment II
Based on the network security auditing method of the first embodiment of the present application, an embodiment of the present application further provides a network security auditing apparatus, as shown in FIG. 2, where FIG. 2 is a schematic structural diagram of a network security auditing apparatus 20 provided in the embodiment of the present application. The apparatus 20 includes:
the extraction module 201 is used for collecting syslog data of a service system;
the filtering module 202 is configured to perform data filtering on the collected syslog data through a configured regular expression;
the preprocessing module 203 is configured to preprocess the syslog data subjected to the data filtering based on the service characteristics of the service system;
a statistics module 204, configured to correlate the preprocessed syslog data according to time and to perform statistics on the correlated syslog data based on the service system name, host name, IP address, login account and operation command contained in the correlated syslog data;
a building module 205, configured to build a security audit model according to the statistical result;
and an auditing module 206, configured to perform, according to the security audit model, network security audit on the syslog data in the form of high-risk operation audit, account and access audit, query and reporting, and personalized configuration.
Optionally, in an embodiment of the present application, the auditing module 206 is further configured to monitor the execution of operation instructions on the host and the editing, modification and execution performed with ordinary accounts, to generate monitoring data, and to determine, according to the security audit model, unauthorized access to system files by non-system-administrator accounts in the monitoring data, so as to perform the high-risk operation audit.
Optionally, in an embodiment of the present application, the auditing module 206 is further configured to perform, according to the security audit model, data audit on the login failures, illegal logins and illegal use behaviors of administrators contained in the syslog data, by analyzing and capturing the corresponding ssh, ftp and sftp protocol records in the syslog.
Optionally, in an embodiment of the present application, the auditing module 206 is further configured to set a custom dashboard, report and alarm list, add a whitelist, and issue a corresponding security audit report according to the security audit model in combination with the attributes of the service system and the platform.
The network security audit apparatus provided by this embodiment collects the syslog log data of a service system through the extraction module; filters the collected syslog log data through a configured regular expression in the filtering module; preprocesses the filtered syslog data based on the service characteristics of the service system in the preprocessing module; correlates and counts the data in the statistics module and builds the security audit model in the construction module; and finally, in the auditing module, performs network security audit on the syslog data according to the security audit model in the form of high-risk operation audit, account and access audit, query and reporting, and personalized configuration. Comprehensive and accurate auditing of network security events is thereby achieved, and the efficiency of security audit and the capability for automated operation and maintenance are improved.
Embodiment III
Based on the network security audit method provided by the above embodiments, an embodiment of the present application provides a storage medium on which a computer program is stored; when a processor executes the computer program stored on the storage medium, the network security audit method according to the first aspect of the present application is implemented, including but not limited to:
collecting syslog log data of a service system;
performing data filtering on the collected syslog log data through a configured regular expression;
preprocessing the syslog log data subjected to the data filtering based on the service characteristics of the service system;
correlating the preprocessed syslog data according to time, and counting the correlated syslog data based on the service system name, host name, IP address, login account and operation command contained in the correlated syslog data;
constructing a safety audit model according to the statistical result;
and performing, according to the security audit model, network security audit on the syslog data in the form of high-risk operation audit, account and access audit, query and reporting, and personalized configuration.
Thus, particular embodiments of the present subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may be advantageous.
In the 1990s, improvements in a technology could clearly be distinguished as improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors and switches) or improvements in software (improvements in process flow). As technology has advanced, however, many of today's process flow improvements can be regarded as direct improvements in hardware circuit architecture, because designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. It therefore cannot be said that an improvement in a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system on a PLD by programming it, without asking a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, instead of manually making integrated circuit chips, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is likewise written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller; examples of such microcontrollers include, but are not limited to, the ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320, and the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be achieved by logically programming the method steps so that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included in it for performing the various functions may also be considered a structure within the hardware component; indeed, the means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above apparatus is described as being divided into units by function, each described separately. When the present application is implemented, the functions of the units may of course be realized in one or more pieces of software and/or hardware.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to that process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, executed by a computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including memory storage devices.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to between them, and each embodiment concentrates on its differences from the others. In particular, the system embodiment is described only briefly, since it is substantially similar to the method embodiment; for the relevant points, reference may be made to the corresponding description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A network security audit method, characterized by comprising the following steps:
collecting syslog log data of a service system;
filtering the collected syslog log data through a configured regular expression;
preprocessing the filtered syslog log data based on the service characteristics of the service system;
correlating the preprocessed syslog data by time, and compiling statistics on the correlated syslog data by the service system name, host name, IP address, login account and operation command contained in it;
constructing a security audit model from the statistical result;
and performing, according to the security audit model, network security audit in one of: high-risk operation audit, account and access audit, query and reporting, and personalized configuration.
2. The network security audit method according to claim 1, wherein preprocessing the filtered syslog data based on the service characteristics of the service system comprises:
performing keyword screening, clustering and normalization on the filtered syslog data based on the characteristics of the service system.
3. The network security audit method according to claim 1, wherein the high-risk operation audit according to the security audit model comprises:
generating monitoring data from the execution of operation instructions on the monitored host and from the editing, modification and execution activity of ordinary accounts;
and performing network security audit on the monitoring data according to the security audit model, so as to carry out the high-risk operation audit.
4. The network security audit method according to claim 1, wherein the account and access audit according to the security audit model comprises:
parsing and capturing, according to the security audit model, the records in the syslog data that correspond to the ssh, ftp and sftp protocols, and performing network security audit on the login failures, illegal logins and illegal administrator usage recorded in the syslog data.
5. The network security audit method according to claim 1, wherein the query, reporting and personalized configuration according to the security audit model comprises:
setting a custom dashboard, reports and an alarm list, adding a whitelist, and issuing a corresponding security audit report, according to the security audit model and in combination with the attributes of the service system and the platform.
6. A network security audit device, characterized by comprising:
an extraction module for collecting syslog log data of a service system;
a filtering module for filtering the collected syslog log data through a configured regular expression;
a preprocessing module for preprocessing the filtered syslog data based on the service characteristics of the service system;
a statistics module for correlating the preprocessed syslog data by time and compiling statistics on the correlated syslog data by the service system name, host name, IP address, login account and operation command contained in it;
a construction module for constructing a security audit model from the statistical result;
and an audit module for performing, according to the security audit model, network security audit comprising high-risk operation audit, account and access audit, query and reporting, and personalized configuration.
7. The network security audit device according to claim 6, wherein the audit module is further configured to generate monitoring data from the execution of operation instructions on the monitored host and from the editing, modification and execution activity of ordinary accounts, and to perform network security audit on the monitoring data according to the security audit model, so as to carry out the high-risk operation audit.
8. The network security audit device according to claim 6, wherein the audit module is further configured to parse and capture, according to the security audit model, the records in the syslog data that correspond to the ssh, ftp and sftp protocols, and to perform account and access audit on the login failures, illegal logins and illegal administrator usage recorded in the syslog data.
9. The network security audit device according to claim 6, wherein the audit module is further configured to set a custom dashboard, reports and an alarm list, add a whitelist, and issue a corresponding security audit report, according to the security audit model and in combination with the attributes of the service system and the platform, so as to carry out the query, reporting and personalized configuration.
10. A storage medium having a computer program stored thereon, wherein a processor, when executing the computer program stored on the storage medium, implements the network security audit method of any of claims 1-5.
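The steps of claims 1 to 5 (collect syslog, filter by a configured regular expression, normalize by service characteristics, correlate by time, count by system, host, IP, account and command, then audit high-risk operations and account/access events against a rule set) can be followed end to end on a handful of log lines. The block below is an added worked example written for this page; it is not code from the patent or from the applicant. The sample syslog lines, the host-to-system mapping, the high-risk command list, the failed-login threshold and the administrator source whitelist are all constructed for the example, and the explicit rule dictionary stands in for the "security audit model", whose internal form the patent does not specify.

```python
import re
from collections import Counter

# Constructed sample syslog (RFC 3164 style). Host names, accounts and IPs are made up;
# 203.0.113.7 and 198.51.100.4 are documentation addresses.
SAMPLE_SYSLOG = """\
Nov  1 08:00:01 billing-db01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov  1 08:00:03 billing-db01 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Nov  1 08:00:05 billing-db01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Nov  1 08:00:09 billing-db01 sshd[2213]: Accepted password for root from 203.0.113.7 port 51025 ssh2
Nov  1 08:00:15 billing-db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -rf /var/lib/mysql
Nov  1 08:01:00 billing-db01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Nov  1 08:02:00 crm-web02 vsftpd: [ops] OK LOGIN: Client "198.51.100.4"
Nov  1 08:02:30 crm-web02 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Nov  1 08:03:00 crm-web02 sshd[3100]: Accepted publickey for bob from 198.51.100.4 port 40001 ssh2
Nov  1 08:03:30 crm-web02 sshd[3101]: Invalid user admin from 203.0.113.7 port 40002
"""

# Assumed service characteristic: which service system each host belongs to.
HOST_TO_SYSTEM = {"billing-db01": "billing", "crm-web02": "crm"}

# Configured filter expression (claim 1): keep only sshd, sudo and vsftpd records.
FILTER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>sshd|sudo|vsftpd)(?:\[\d+\])?:(?P<msg>.*)$"
)
# Keyword patterns used for normalization (claim 2).
SSH_RE = re.compile(r"(?P<event>Accepted|Failed) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SSH_INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
FTP_RE = re.compile(r'\[(?P<user>[^\]]+)\] (?P<event>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

# The patent does not say what the "security audit model" looks like internally; an explicit
# rule set is used here, which is an assumption of this example.
AUDIT_MODEL = {
    "high_risk_command": re.compile(r"(?:^|/| )(?:rm -rf|mkfs|dd|shutdown|reboot|useradd|passwd|chmod 777)\b"),
    "failed_login_threshold": 3,                  # failures per (host, account, source IP)
    "admin_accounts": {"root"},
    "admin_source_whitelist": {"198.51.100.4"},   # constructed: root may only log in from here
}
STAT_KEY = ("system", "host", "ip", "account", "command")


def filter_records(text):
    """Regex data filter: parse each line and drop records of programs not of interest."""
    return [m.groupdict() for m in map(FILTER_RE.match, text.splitlines()) if m]


def normalize(rec):
    """Keyword screening and normalization into one flat event, or None if unrecognized."""
    msg = rec["msg"]
    ev = {"ts": rec["ts"], "system": HOST_TO_SYSTEM.get(rec["host"], "unknown"),
          "host": rec["host"], "ip": "-", "account": "-", "command": "-", "proto": rec["prog"]}
    if rec["prog"] == "sshd":
        if (m := SSH_RE.search(msg)):
            ev.update(ip=m["ip"], account=m["user"], proto="ssh",
                      event="login_ok" if m["event"] == "Accepted" else "login_failed")
            return ev
        if (m := SSH_INVALID_RE.search(msg)):
            ev.update(ip=m["ip"], account=m["user"], proto="ssh", event="invalid_user")
            return ev
    elif rec["prog"] == "sudo" and (m := SUDO_RE.match(msg)):
        ev.update(account=m["user"], command=m["cmd"].strip(), target=m["target"], event="command")
        return ev
    elif rec["prog"] == "vsftpd" and (m := FTP_RE.search(msg)):
        ev.update(ip=m["ip"], account=m["user"], proto="ftp",
                  event="login_ok" if m["event"] == "OK" else "login_failed")
        return ev
    return None


def correlate(events):
    """Time correlation: order events chronologically. The sample shares one day, so the
    syslog timestamp string sorts correctly; a real pipeline would parse it to a datetime."""
    return sorted(events, key=lambda e: e["ts"])


def count_events(events):
    """Statistics by service system, host, IP address, login account and operation command."""
    return Counter(tuple(e[k] for k in STAT_KEY) for e in events)


def audit(events, model=AUDIT_MODEL):
    """High-risk operation audit and account/access audit over the correlated events."""
    findings, failures = [], Counter()
    for e in events:
        key = (e["system"], e["host"], e["account"])
        if e["event"] == "command" and model["high_risk_command"].search(e["command"]):
            findings.append(("high_risk_operation",) + key + (e["command"],))
        elif e["event"] == "login_failed":
            fk = (e["host"], e["account"], e["ip"])
            failures[fk] += 1
            if failures[fk] == model["failed_login_threshold"]:   # report once per burst
                findings.append(("login_failure_burst",) + key + (e["ip"],))
        elif e["event"] == "invalid_user":
            findings.append(("illegal_login_attempt",) + key + (e["ip"],))
        elif (e["event"] == "login_ok" and e["account"] in model["admin_accounts"]
              and e["ip"] not in model["admin_source_whitelist"]):
            findings.append(("illegal_admin_use",) + key + (e["ip"],))
    return findings


def run(text=SAMPLE_SYSLOG):
    """Full pipeline: filter, normalize, correlate, count, audit."""
    events = correlate([ev for ev in map(normalize, filter_records(text)) if ev])
    return events, count_events(events), audit(events)


if __name__ == "__main__":
    events, stats, findings = run()
    for k, n in stats.most_common():
        print(n, *k)
    for f in findings:
        print(*f)
```

On the constructed input the CRON line is dropped by the filter, the three failed root logins from 203.0.113.7 are counted together with the subsequent successful one under a single (system, host, IP, account) key, and the audit yields four findings in time order: a login-failure burst, an administrator login from a non-whitelisted source, a high-risk `rm -rf` run through sudo, and an attempt against a non-existent user. The whitelist entry is the only thing that separates the acceptable `bob` login from the flagged `root` login, which is the practical role of the "personalized configuration" step.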

Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN202111284762.5A CN114372262A (en) 2021-11-01 2021-11-01 Network security audit method, device and storage medium Pending

Publications (1)

Publication Number Publication Date
CN114372262A true CN114372262A (en) 2022-04-19

Family

ID=81138482

Country Status (1)

Country Link
CN (1) CN114372262A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination