CN115964702A - A security log analysis system and method - Google Patents
Publication number: CN115964702A (application CN202211732123.5A; granted as CN115964702B)
Authority: CN (China)
Prior art keywords: security, threshold, log, logs, user
Legal status: Granted (the status is Google Patents' assumption, not a legal conclusion)
Classifications
- Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management (section Y, general tagging of new technological developments; class Y02, technologies for mitigation or adaptation against climate change; subclass Y02D, climate change mitigation technologies in ICT aimed at reducing their own energy use)
Abstract
The present invention relates to the field of computer technology and specifically discloses a security log analysis system and method. The system comprises: a behaviour recording module for generating security logs; a user analysis module for determining the user's classification, which is one of low-risk user, medium-risk user and high-risk user; and a log monitoring module for judging whether the number of security logs not yet uploaded is greater than a first threshold and, if so, uploading them; if it is not greater than the first threshold, judging whether the number of un-uploaded security logs is greater than a second threshold and, if so, judging whether the user is classified as a high-risk user and, if so, uploading the un-uploaded security logs, where the second threshold is smaller than the first threshold. The technical solution of the invention can automatically determine when to upload security logs and improve the protective effect.
Description
Technical field
The invention relates to the field of computer technology, and in particular to a security log analysis system and method.
Background
With the rapid development of the Internet, computers run many security applications, such as antivirus software and network firewalls, to defend against network attacks. These security applications can raise alerts on and handle most network security threats, monitor the running state of the network and, to a certain extent, contain attack behaviour.
When a security application detects a virus or successfully blocks abnormal behaviour, it generates a security log. Analysing the security logs reveals the computer's current risk, uncovers deeper attack intentions and attack behaviour, and improves the protective effect.
Current security log analysis usually uploads the logs for unified analysis only once a certain number has accumulated, or on a periodic schedule. However, security logs are mainly generated when a security application has recognised a risk; attacks that successfully bypass the security application are often not fully reflected in the security logs, so the logs carry a degree of "survivorship bias". Relying solely on accumulating a certain number of logs, or on periodic uploads, therefore easily misses the best time to protect the computer.
Therefore, a security log analysis system and method that can automatically determine when to upload security logs is needed.
Summary of the invention
One object of the present invention is to provide a security log analysis system that can automatically determine when to upload security logs and so improve the protective effect.
To solve the above technical problem, this application provides the following technical solution:
A security log analysis system comprising a protection module configured to perform a preset protective operation when a virus or abnormal behaviour is detected, and further comprising:
a behaviour recording module configured to record the protective operations of the protection module and generate security logs;
a user analysis module configured to record the user's computer operation behaviour, analyse the user's computer familiarity from that behaviour, and determine the user's classification from preset classification rules and the computer familiarity, where the classification is one of low-risk user, medium-risk user and high-risk user;
a log monitoring module configured to judge whether the number of security logs not yet uploaded is greater than a first threshold and, if so, upload them; if the number is not greater than the first threshold, to judge whether it is greater than a second threshold and, if so, judge whether the user is classified as a high-risk user and, if so, upload the un-uploaded security logs, where the second threshold is smaller than the first threshold.
The principle and beneficial effects of the basic solution are as follows:
In this solution, the user's computer operation behaviour is recorded and analysed to derive the user's familiarity with the computer, which is combined with the preset classification rules to derive the user's classification. For example, a user with high computer familiarity can be inferred to have relatively rich computer knowledge and some awareness of risk prevention, and may be classified as a low-risk user; a user with low computer familiarity is relatively poor at actively identifying risk and may be classified as a high-risk user. When the number of un-uploaded security logs is not greater than the first threshold, a second decision condition is provided for high-risk users: whether the number of un-uploaded security logs is greater than the second threshold. If it is, the un-uploaded logs are uploaded, so that high-risk users' security logs are analysed promptly and any risk present is discovered in time.
In summary, this solution can automatically determine when to upload security logs according to the user's situation, improving the protective effect.
Further, the system also comprises a log analysis module configured to analyse the uploaded security logs and generate analysis results; it is also configured to compile the correspondence between the number of security logs and the effectiveness rate of the analysis results, select the analysis results whose effectiveness rate is greater than a first set value, determine the number of security logs corresponding to those results and take that number as the first threshold; and further to select the analysis results whose effectiveness rate is greater than a second set value, determine the number of security logs corresponding to those results and take that number as the second threshold, where the first set value is greater than the second set value.
With this preferred solution, the most suitable first set value can be determined while the effectiveness rate is guaranteed, reducing invalid analyses. Security and computing resources can also be balanced when determining the second set value: if the effectiveness rate of the security logs at the second set value is too low, computing resources are consumed for no reason; if it is too high, more time is needed to accumulate the security logs and risks cannot be discovered early.
Further, the log analysis module is also configured, after selecting the analysis results whose effectiveness rate is greater than the first set value and determining the numbers of security logs corresponding to them, to take the lowest such number of security logs as the first threshold.
Taking the lowest number of security logs as the first threshold shortens the upload interval and thus the time needed to discover a risk.
Further, the log analysis module is also configured to recalculate the first threshold and the second threshold every preset period.
Further, the log monitoring module is also configured, when it judges that the number of un-uploaded security logs is not greater than the second threshold, to analyse the number of a high-risk user's currently un-uploaded security logs and generate a curve, and to judge whether the generated curve is in a steady state; if it is steady, the un-uploaded security logs are not uploaded at this time.
Further, the log monitoring module is also configured to judge whether the user's single session of computer use exceeds a set time; if it does, the number of security logs generated in each session of computer use is counted and fitted to a curve;
if it does not, the number of security logs generated within each set time of computer use is counted and fitted to a curve.
Counting the security logs in one of two ways according to the user's actual usage, and fitting the curve accordingly, makes the curve reflect the risk the user currently faces more accurately.
Further, the log monitoring module is also configured, when analysing the generation curve of the currently un-uploaded security logs, to judge whether the curve is in a declining state; if it is, to judge whether the number of uses of the security software within the set time, taken from the computer operation behaviour, is higher than a preset number; and if it is, to upload the un-uploaded security logs.
A number of uses of the security software within the set time higher than the preset number indicates that the user is using the security software frequently, i.e. the user perceives a high probability that the computer has a problem; yet the curve is declining, meaning the security software is actually performing few protective actions. This is inconsistent with the user's perception, so uploading the un-uploaded security logs helps discover risks in time.
Further, the log monitoring module is also configured, when analysing the generation curve of the currently un-uploaded security logs, to judge whether the curve is in a rising state; if it is, to judge whether the current maximum exceeds the historical maximum; and if it does, to upload the un-uploaded security logs;
where the historical maximum is the highest number of security logs generated in any single session of computer use in the history, or the highest number generated within any set time of computer use.
A rising curve whose current maximum exceeds the historical maximum indicates that the security software's protective actions are increasing and the risk faced by the computer is growing; uploading the un-uploaded security logs helps discover risks in time.
Further, the log monitoring module is also configured, when it judges the curve to be rising, to further judge whether the number of un-uploaded security logs is below a third threshold and, if so, not to upload them.
For example, the effectiveness rate of the analysis results at the third-threshold number of security logs is extremely low, so not uploading un-uploaded security logs below the third threshold reduces the waste of computing resources.
A second object of the present invention is to provide a security log analysis method using the above system.
Description of the drawings
Fig. 1 is a logical block diagram of a security log analysis system according to Embodiment 1.
Detailed description
The invention is further described in detail below by way of specific embodiments:
Embodiment 1
As shown in Fig. 1, the security log analysis system of this embodiment comprises a protection module, a behaviour recording module, a user analysis module, a log monitoring module and a log analysis module.
The protection module performs a preset protective operation when a virus or abnormal behaviour is detected; in this embodiment, abnormal behaviour is defined by the security software's developers, for example tampering with the browser home page.
The behaviour recording module records the protection module's protective operations and generates security logs; in this embodiment, a security log comprises a time, a type and a summary, where the types include virus protection, system protection and network protection.
The user analysis module records the user's computer operation behaviour, analyses the user's computer familiarity from that behaviour, and determines the user's classification from preset classification rules and the computer familiarity; the classification is either low-risk user or high-risk user. In this embodiment, computer operation behaviour includes using the security software, installing patches on the computer, downloading software from official websites, deselecting bundled software during installation, and not adjusting settings during installation. Different scores are assigned to different behaviours, for example +2 points for deselecting bundled software during installation and -1 point for not adjusting settings during installation; the total score then reflects the user's computer familiarity, with a higher score meaning greater familiarity. Different score ranges are then defined for low-risk and high-risk users, and the range containing the total score gives the corresponding classification.
The log monitoring module judges whether the number of currently un-uploaded security logs is greater than the first threshold; if so, it uploads them. If not, it judges whether the number is greater than the second threshold; if so, it judges whether the user is classified as a high-risk user and, if so, uploads the un-uploaded security logs, where the second threshold is smaller than the first threshold.
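The scoring and two-threshold rule of Embodiment 1, as an added example that is not part of the patent: the user analysis module's classification feeds the log monitoring module's upload decision. Only the +2 and -1 weights come from the page; the other weights, the score range and the threshold values (100 and 40) are assumptions for illustration.

```python
"""Added example, not from the patent: familiarity-score classification feeding
the two-threshold upload decision of CN115964702A. Only the +2 / -1 weights are
from the page; the other weights, the score range and the thresholds are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List

# The page lists these operation behaviours; only two of the weights are given.
BEHAVIOUR_SCORES: Dict[str, int] = {
    "deselect_bundled_software": 2,      # from the page: +2
    "skip_install_settings": -1,         # from the page: -1
    "used_security_software": 1,         # assumed weight
    "installed_patch": 1,                # assumed weight
    "downloaded_from_official_site": 1,  # assumed weight
}

# Assumed score range: the page only says distinct ranges are defined per class.
HIGH_RISK_MAX_SCORE = 2  # total score <= 2 -> high-risk, otherwise low-risk


class RiskClass(Enum):
    LOW = "low-risk"
    HIGH = "high-risk"


def familiarity_score(behaviours: List[str]) -> int:
    """Sum the weights of the recorded computer operation behaviours."""
    return sum(BEHAVIOUR_SCORES.get(b, 0) for b in behaviours)


def classify_user(behaviours: List[str]) -> RiskClass:
    """Map the total familiarity score onto the assumed score ranges."""
    if familiarity_score(behaviours) <= HIGH_RISK_MAX_SCORE:
        return RiskClass.HIGH
    return RiskClass.LOW


def should_upload(pending: int, risk: RiskClass,
                  first_threshold: int, second_threshold: int) -> bool:
    """Log monitoring module rule: upload above the first threshold for any user,
    above the (smaller) second threshold only for high-risk users."""
    if second_threshold >= first_threshold:
        raise ValueError("the second threshold must be smaller than the first")
    if pending > first_threshold:
        return True
    return pending > second_threshold and risk is RiskClass.HIGH


@dataclass
class LogMonitor:
    """Holds one user's un-uploaded logs and applies should_upload() per new log."""
    risk: RiskClass
    first_threshold: int
    second_threshold: int
    pending: List[dict] = field(default_factory=list)
    uploads: List[int] = field(default_factory=list)  # batch sizes uploaded so far

    def record(self, log: dict) -> None:
        """The behaviour recording module hands over one log (time, type, summary)."""
        self.pending.append(log)
        if should_upload(len(self.pending), self.risk,
                         self.first_threshold, self.second_threshold):
            self.uploads.append(len(self.pending))
            self.pending.clear()  # batch handed to the log analysis module


def simulate(risk: RiskClass, n_logs: int,
             first_threshold: int = 100, second_threshold: int = 40) -> LogMonitor:
    """Feed n_logs constructed security logs to a monitor and return it."""
    monitor = LogMonitor(risk, first_threshold, second_threshold)
    for i in range(n_logs):
        monitor.record({"time": f"2022-12-30T10:{i % 60:02d}:00",  # constructed
                        "type": "virus protection",
                        "summary": f"blocked constructed sample {i}"})
    return monitor


if __name__ == "__main__":
    novice = classify_user(["skip_install_settings"])                   # score -1
    expert = classify_user(["deselect_bundled_software", "installed_patch",
                            "used_security_software"])                   # score 4
    print(novice.value, simulate(novice, 101).uploads)  # high-risk: [41, 41]
    print(expert.value, simulate(expert, 101).uploads)  # low-risk: [101]
```

Note that the rule is strictly "greater than": a high-risk user's batch is uploaded at the 41st log with a second threshold of 40, and 19 logs remain pending after 101 logs.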
The log analysis module analyses the uploaded security logs and generates analysis results. In this embodiment, the analysis result is either "data valid" or "data invalid"; for valid data, the further result is either "no security risk" or "security risk present".
The log analysis module also compiles the correspondence between the number of security logs and the effectiveness rate of the analysis results, selects the analysis results whose effectiveness rate is greater than the first set value, determines the number of security logs corresponding to those results and takes that number as the first threshold; it further selects the analysis results whose effectiveness rate is greater than the second set value, determines the number of security logs corresponding to those results and takes that number as the second threshold, where the first set value is greater than the second set value.
For example, 1000 users each upload 100 security logs, and for 981 of them the analysis result is "data valid", so the effectiveness rate at 100 security logs is 98.1%. If the first set value is 98%, the effectiveness rate at 100 security logs is greater than the first set value and meets the requirement; the number of security logs corresponding to this analysis result is 100, so 100 can be taken as the first threshold.
In this embodiment, after selecting the analysis results whose effectiveness rate is greater than the first set value and determining the corresponding numbers of security logs, the lowest number of security logs is taken as the first threshold; the second threshold is determined in the same way. For example, if the effectiveness rate at 100 security logs is 98.1% and at 150 security logs is 98.7%, 100 is the lowest and is taken as the first threshold.
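The threshold derivation of the log analysis module, as an added example that is not part of the patent: effectiveness rates are computed per batch size, and the lowest batch size above each set value becomes the threshold. The 98% set value and the 98.1% / 98.7% rates at 100 / 150 logs reproduce the page's figures; the 95% second set value, the 20- and 50-log batches and the records themselves are constructed.

```python
"""Added example, not from the patent: deriving the first, second and third
thresholds from the effectiveness rate observed per batch size (log analysis
module of CN115964702A). Records and the 95% second set value are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[int, str]  # (batch size uploaded, analysis result "valid" / "invalid")


def effectiveness_by_batch_size(records: Iterable[Record]) -> Dict[int, float]:
    """Fraction of uploaded batches of each size whose result was 'data valid'."""
    total: Dict[int, int] = defaultdict(int)
    valid: Dict[int, int] = defaultdict(int)
    for size, result in records:
        total[size] += 1
        if result == "valid":
            valid[size] += 1
    return {size: valid[size] / total[size] for size in total}


def lowest_size_above(rates: Dict[int, float], set_value: float) -> Optional[int]:
    """Among batch sizes whose rate exceeds set_value, take the lowest size
    (the page's preferred choice: it shortens the upload interval)."""
    candidates = [size for size, rate in rates.items() if rate > set_value]
    return min(candidates) if candidates else None


def third_threshold(rates: Dict[int, float]) -> Optional[int]:
    """Embodiment 2's third threshold: the batch size whose effectiveness rate is 0.
    Where several sizes have rate 0 the largest is taken (an assumption here)."""
    zero = [size for size, rate in rates.items() if rate == 0]
    return max(zero) if zero else None


def derive_thresholds(records: Iterable[Record], first_set_value: float,
                      second_set_value: float) -> Tuple[Optional[int], Optional[int]]:
    """Return (first_threshold, second_threshold). The page requires the first set
    value to exceed the second, and the second threshold to be the smaller count."""
    if first_set_value <= second_set_value:
        raise ValueError("the first set value must be greater than the second")
    rates = effectiveness_by_batch_size(records)
    first = lowest_size_above(rates, first_set_value)
    second = lowest_size_above(rates, second_set_value)
    if first is not None and second is not None and second >= first:
        # Both set values may select the same lowest batch size; the system needs
        # second < first, so report that no usable second threshold exists.
        second = None
    return first, second


def constructed_records() -> List[Record]:
    """Constructed sample: (batch size, batches uploaded, batches judged valid).
    1000 batches of 100 logs with 981 valid reproduce the page's 98.1% example."""
    spec = [(20, 200, 0), (50, 1000, 960), (100, 1000, 981), (150, 1000, 987)]
    records: List[Record] = []
    for size, n_batches, n_valid in spec:
        records += [(size, "valid")] * n_valid
        records += [(size, "invalid")] * (n_batches - n_valid)
    return records


if __name__ == "__main__":
    recs = constructed_records()
    rates = effectiveness_by_batch_size(recs)
    print({size: f"{rate:.1%}" for size, rate in sorted(rates.items())})
    print(derive_thresholds(recs, 0.98, 0.95))  # (100, 50)
    print(third_threshold(rates))               # 20
```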
The log analysis module also recalculates the first threshold and the second threshold every preset period. The preset period is 6 to 12 months; in this embodiment it is 6 months.
This embodiment also provides a security log analysis method using the above system.
Embodiment 2
This embodiment differs from Embodiment 1 in that the log monitoring module is further configured, when it judges that the number of un-uploaded security logs is not greater than the second threshold, to analyse the number of a high-risk user's un-uploaded security logs and generate a curve.
Specifically, the log monitoring module judges whether the user's single session of computer use exceeds a set time; if it does, the number of security logs generated in each session of computer use is counted and fitted to a curve; in this embodiment the set time is 5 hours. If it does not, the number of security logs generated within each set time of computer use is counted and fitted to a curve. In this embodiment, the fitted curve has the count on the vertical axis and the index of the counting interval on the horizontal axis.
The log monitoring module also judges whether the generated curve is in a steady state; if it is, the un-uploaded security logs are not uploaded at this time. In this embodiment, the steady state means that the difference between the maximum and minimum of the counted values, divided by their mean, is below 5%.
The log monitoring module also judges whether the generated curve is in a declining state; if it is, it judges whether the number of uses of the security software within the set time, taken from the computer operation behaviour, is higher than a preset number, and if so uploads the un-uploaded security logs. In this embodiment, the preset number is 5; in other embodiments it may be determined from the length of the set time. In this embodiment, the declining state means that the steady-state condition is not met and the counted number of security logs decreases over at least 3 consecutive counts; in other embodiments, a required decrease between two counts may be specified instead to determine the declining state.
The log monitoring module also judges whether the generated curve is in a rising state. If it is, it judges whether the number of un-uploaded security logs is below the third threshold; if below, the un-uploaded security logs are not uploaded; if above, it judges whether the current maximum exceeds the historical maximum and, if so, uploads the un-uploaded security logs. The historical maximum is the highest number of security logs generated in any single session of computer use in the history, or the highest number generated within any set time of computer use. In this embodiment, the third threshold is the number of security logs, determined by the log analysis module, at which the effectiveness rate is 0. In this embodiment, the rising state means that the steady-state condition is not met and the counted number of security logs increases over at least 3 consecutive counts; in other embodiments, a required increase between two counts may be specified instead to determine the rising state.
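Embodiment 2's curve logic, as an added example that is not part of the patent: counts are binned per session or per 5-hour set time, the curve is classified as steady (spread over mean below 5%), declining or rising, and the upload decision follows the rules above. "At least 3 consecutive counts" is read here as three consecutive moves in the same direction, "single session exceeds the set time" as any session doing so; timestamps, thresholds and usage figures are constructed.

```python
"""Added example, not from the patent: Embodiment 2 curve states and upload
decision for a high-risk user at or below the second threshold. Two readings of
the page's wording (3 consecutive moves; any session over the set time) are noted
in the code; sample sessions, thresholds and usage counts are constructed."""
from statistics import mean
from typing import List, Sequence, Tuple

SET_TIME_SECONDS = 5 * 3600        # the page's set time: 5 hours
STEADY_RATIO = 0.05                # (max - min) / mean below 5% -> steady
PRESET_SECURITY_SOFTWARE_USES = 5  # the page's preset number of uses
MIN_RUN = 3                        # consecutive moves needed for a trend (reading)

Session = Tuple[float, float, Sequence[float]]  # (start, end, log timestamps), seconds


def bin_counts(sessions: Sequence[Session]) -> List[int]:
    """Per-session counts if any session exceeds the set time (the reading taken
    of the page's rule); otherwise counts per set-time window from the first start."""
    if any(end - start > SET_TIME_SECONDS for start, end, _ in sessions):
        return [len(ts) for _, _, ts in sessions]
    origin = min(start for start, _, _ in sessions)
    last = max(end for _, end, _ in sessions)
    counts = [0] * (int((last - origin) // SET_TIME_SECONDS) + 1)
    for _, _, ts in sessions:
        for t in ts:
            counts[int((t - origin) // SET_TIME_SECONDS)] += 1
    return counts


def is_steady(counts: Sequence[int]) -> bool:
    """Page's steady state: spread relative to the mean below 5%."""
    m = mean(counts)
    return m == 0 or (max(counts) - min(counts)) / m < STEADY_RATIO


def monotone_run(counts: Sequence[int], direction: int) -> bool:
    """True if the last MIN_RUN steps all move in `direction` (+1 up, -1 down)."""
    if len(counts) < MIN_RUN + 1:
        return False
    tail = counts[-(MIN_RUN + 1):]
    return all((b - a) * direction > 0 for a, b in zip(tail, tail[1:]))


def curve_state(counts: Sequence[int]) -> str:
    if is_steady(counts):
        return "steady"
    if monotone_run(counts, -1):
        return "declining"
    if monotone_run(counts, +1):
        return "rising"
    return "fluctuating"  # none of the page's three states; treated as hold


def decide_upload(counts: Sequence[int], pending: int, security_software_uses: int,
                  third_threshold: int, historical_max: int) -> Tuple[bool, str]:
    """Embodiment 2 decision; returns (upload now?, reason)."""
    state = curve_state(counts)
    if state == "declining":
        if security_software_uses > PRESET_SECURITY_SOFTWARE_USES:
            return True, "declining curve but frequent security-software use"
        return False, "declining curve, security-software use within preset"
    if state == "rising":
        if pending < third_threshold:
            return False, "rising curve but pending logs below third threshold"
        if max(counts) > historical_max:
            return True, "rising curve with a new historical maximum"
        return False, "rising curve within historical maximum"
    return False, f"{state} curve"


if __name__ == "__main__":
    H = 3600.0
    # Constructed: two short sessions -> counts per 5-hour window are [2, 3]
    short = [(0.0, 2 * H, [1 * H, 1.5 * H]), (6 * H, 8 * H, [6.5 * H, 7 * H, 7.5 * H])]
    print(bin_counts(short))
    print(decide_upload([30, 24, 17, 9], pending=30, security_software_uses=7,
                        third_threshold=10, historical_max=50))  # (True, ...)
    print(decide_upload([5, 9, 14, 22], pending=30, security_software_uses=1,
                        third_threshold=10, historical_max=20))  # (True, ...)
    print(decide_upload([40, 40, 41, 40], pending=30, security_software_uses=9,
                        third_threshold=10, historical_max=50))  # (False, 'steady curve')
```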
The above is only an embodiment of the present invention, and the invention is not limited to the field of this embodiment. Common knowledge such as the specific structures and characteristics well known in the solution is not described in detail here. A person of ordinary skill in the art is presumed to know all the ordinary technical knowledge of the field before the filing date or priority date, to be acquainted with all prior art in the field, and to be able to apply the conventional experimental means of that time; such a person can, guided by this application and combining their own abilities, refine and implement this solution, and some typical well-known structures or methods should not be an obstacle to their implementing this application. It should be pointed out that those skilled in the art may make several variations and improvements without departing from the structure of the present invention; these should also be regarded as within the protection scope of the present invention and do not affect the effect of implementing the invention or the utility of the patent. The protection scope claimed by this application shall be determined by the content of its claims, and the specific embodiments and other records in the description may be used to interpret the content of the claims.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211732123.5A (granted as CN115964702B) | 2022-12-30 | 2022-12-30 | A security log analysis system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115964702A | 2023-04-14 |
CN115964702B | 2024-12-06 |
Family ID: 87357613
Family Applications (1): CN202211732123.5A, active, granted as CN115964702B (priority and filing date 2022-12-30)
Country Status (1): CN, CN115964702B
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107810504A | 2015-06-15 | 2018-03-16 | Symantec Corporation | System and method for determining malicious download risk based on user behavior |
CN105574096A | 2015-12-10 | 2016-05-11 | Huizhou TCL Mobile Communication Co., Ltd. | Method and system for obtaining, uploading and analyzing log information |
CN105577445A | 2015-12-30 | 2016-05-11 | Beijing Jingdong Shangke Information Technology Co., Ltd. | Method and device for collecting and reporting logs |
CN109617737A | 2018-12-27 | 2019-04-12 | Ctrip Computer Technology (Shanghai) Co., Ltd. | Monitoring method and system for an Internet log platform |
CN111064745A | 2019-12-30 | 2020-04-24 | Xiamen Meiya Pico Information Co., Ltd. | Adaptive anti-crawler method and system based on abnormal behavior detection |
CN113687974A | 2021-10-22 | 2021-11-23 | Feihu Information Technology (Tianjin) Co., Ltd. | Client log processing method and device and computer equipment |
CN115514562A | 2022-09-22 | 2022-12-23 | State Grid Shandong Electric Power Company | Data security early warning method and system |
Non-Patent Citations (2)
Title |
---|
Zhang Qingjiang et al., "Research on security threats based on computer operation traces", Information Industry, 31 August 2013, p. 150 |
Lin Minjun, "Computer security problems and countermeasures in universities based on big data technology", Network Security Technology & Application, 31 May 2020, pp. 93-94 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116488939A | 2023-06-16 | 2023-07-25 | Jiangxi University of Technology | Computer information security monitoring method, system and storage medium |
CN116488939B | 2023-06-16 | 2023-08-25 | Jiangxi University of Technology | Computer information security monitoring method, system and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |