CN115964702A - Security log analysis system and method - Google Patents
Publication number: CN115964702A (application CN202211732123.5A)
Authority: CN (China)
Legal status: Pending (Google's status indication is an assumption, not a legal conclusion)
Classification: Y02D10/00 (Energy efficient computing, e.g. low power processors, power management or thermal management)
Abstract
The invention relates to the field of computer technology and discloses a security log analysis system and method. The system comprises: a behavior recording module for generating security logs; a user analysis module for determining the user's classification, the classifications being low-risk, medium-risk and high-risk users; and a log monitoring module for judging whether the number of security logs not yet uploaded is larger than a first threshold and, if so, uploading them; if the number is not larger than the first threshold, judging whether it is larger than a second threshold and, if so, judging whether the user is classified as high-risk, and if so, uploading the security logs not yet uploaded, wherein the second threshold is smaller than the first threshold. With this technical scheme the upload time of security logs is determined automatically and the protection effect is improved.
Description
Technical Field
The invention relates to the field of computer technology, and in particular to a security log analysis system and method.
Background
With the rapid development of the internet, many security applications, such as antivirus software and network firewalls, are installed on computers to prevent network attacks. These applications can raise alarms for most network security threats, monitor the operating condition of the network, and suppress attack behavior to a certain extent.
When a security application detects a virus or successfully stops an abnormal behavior, it can generate a security log. Analyzing security logs reveals the current risk to the computer, can uncover deeper attack intentions and attack behavior, and improves the security protection effect.
Existing security log analysis generally performs unified analysis after a certain number of security logs has accumulated, or uploads logs at fixed intervals. However, security logs are generated mainly when a security application recognizes a risk; attack behavior that successfully bypasses the security application is often not fully reflected in the logs, so a certain survivorship bias exists. Relying only on accumulating a fixed number of logs, or on uploading them periodically, therefore easily misses the optimal time for protection.
A security log analysis system and method that can automatically determine the upload time of security logs is therefore needed.
Disclosure of Invention
One objective of the present invention is to provide a security log analysis system that can automatically determine the upload time of security logs and improve the protection effect.
To solve this technical problem, the present application provides the following technical solution:
A security log analysis system comprising a protection module for executing a preset protection operation when a virus or abnormal behavior is detected, and further comprising:
a behavior recording module for recording the protection operations of the protection module and generating security logs;
a user analysis module for recording the user's computer operation behaviors, analyzing the user's computer familiarity from those behaviors, and determining the user's classification from preset classification rules and the computer familiarity, the classifications being low-risk, medium-risk and high-risk users;
a log monitoring module for judging whether the number of security logs not yet uploaded is larger than a first threshold and, if so, uploading them; if the number is not larger than the first threshold, judging whether it is larger than a second threshold and, if so, judging whether the user is classified as high-risk, and if so, uploading the security logs not yet uploaded, wherein the second threshold is smaller than the first threshold.
The principle and beneficial effects of the basic scheme are as follows:
By recording and analyzing the user's computer operation behaviors, the scheme obtains the user's familiarity with the computer, and combines it with the preset classification rule to obtain the user's classification. For example, high familiarity with the computer indirectly indicates that the user has rich computer knowledge and a certain awareness of risk, so the user can be classified as low-risk; low familiarity indicates relatively poor awareness of actively screening for risk, so the user can be classified as high-risk. When the number of security logs not yet uploaded is not greater than the first threshold, a second condition is applied to high-risk users: whether that number is greater than a second threshold, and if so the logs not yet uploaded are uploaded, so that a high-risk user's security logs are analyzed in time and any risk present is discovered in time.
In conclusion, the scheme automatically determines the upload time of security logs according to the user's situation and improves the protection effect.
The system further comprises a log analysis module for analyzing the uploaded security logs and generating analysis results; the log analysis module is also used for counting the correspondence between the number of security logs and the effective rate of the analysis result, screening out the analysis results whose effective rate is greater than a first set value, determining the number of security logs corresponding to those results, and taking that number as the first threshold; and for screening out the analysis results whose effective rate is greater than a second set value, determining the number of security logs corresponding to those results, and taking that number as the second threshold, wherein the first set value is greater than the second set value.
With this preferred scheme, the most appropriate first set value can be determined while ensuring the effective rate, reducing invalid analyses. The second set value balances security against computing resources: it avoids an effective rate so low that computing resources are consumed without end, and also avoids an effective rate so high that accumulating the required number of logs takes more time and risks cannot be discovered early.
Further, the log analysis module is also configured, after screening out the analysis results whose effective rate is greater than the first set value and determining the numbers of security logs corresponding to them, to take the lowest of those numbers as the first threshold.
Taking the lowest number of security logs as the first threshold shortens the upload interval and therefore the time to discover a risk.
Further, the log analysis module is further configured to recalculate the first threshold and the second threshold every preset period.
Further, the log monitoring module is also configured, when it determines that the number of security logs not yet uploaded is not greater than the second threshold, to analyze the number of security logs not yet uploaded by the high-risk user and generate a curve, to judge whether the generated curve is in a steady state, and if so not to upload the security logs at this time.
Further, the log monitoring module is also used for judging whether the user's single computer use time exceeds a set time; if it does, counting the number of security logs generated in each use of the computer and fitting the counts into a curve;
if it does not, counting the number of security logs generated by the computer in each set time and fitting the counts into a curve.
Counting the number of security logs in one of two ways according to the user's actual usage pattern, and fitting a curve from the counts, lets the curve reflect the user's current risk more accurately.
Further, the log monitoring module is also configured, when analyzing the curve generated for the security logs not yet uploaded, to judge whether the curve is in a descending state; if so, to judge whether the number of times the security software was used within the set time, according to the recorded computer operation behaviors, is higher than a preset number; and if so, to upload the security logs not yet uploaded.
A number of security-software uses within the set time higher than the preset number shows that the user is using the security software frequently, which makes it more likely that the user feels the computer has a problem; yet the curve is descending, meaning the security software has actually performed fewer protection actions, which is inconsistent with the user's impression. The security logs not yet uploaded are therefore uploaded so that the risk can be discovered in time.
Further, the log monitoring module is also configured, when analyzing the curve generated for the security logs not yet uploaded, to judge whether the curve is in an ascending state; if so, to judge whether the current maximum value exceeds the historical maximum value; and if so, to upload the security logs not yet uploaded;
the historical maximum value is the maximum number of security logs generated in any past use of the computer, or the maximum number generated in any past set time.
When the curve is ascending and the current maximum exceeds the historical maximum, this indicates that the security software's protection actions are increasing and the risk faced by the computer is growing; the security logs not yet uploaded are uploaded so that the risk can be discovered in time.
Further, the log monitoring module is also configured, when the curve is judged to be ascending, to judge whether the number of security logs not yet uploaded is lower than a third threshold, and if so not to upload them.
For example, when the effective rate of analysis results for fewer than the third threshold of security logs is very low, not uploading fewer than that number reduces the waste of computing resources.
Another object of the present invention is to provide a security log analysis method using the above system.
Drawings
Fig. 1 is a logic block diagram of a security log analysis system according to an embodiment.
Detailed Description
The following is further detailed by way of specific embodiments:
Example one
As shown in fig. 1, the security log analysis system of this embodiment includes a protection module, a behavior recording module, a user analysis module, a log monitoring module, and a log analysis module.
The protection module executes a preset protection operation when a virus or abnormal behavior is detected; in this embodiment, abnormal behavior is defined by the developer of the security software, for example tampering with the browser homepage.
The behavior recording module records the protection operations of the protection module and generates a security log; in this embodiment, a security log includes a time, a type and a summary, where the type is virus protection, system protection, network protection, and the like.
The user analysis module records the user's computer operation behaviors, analyzes the user's computer familiarity from them, and determines the user's classification from preset classification rules and the computer familiarity; in this embodiment the classifications are low-risk users and high-risk users. The recorded computer operation behaviors include using security software, installing patches for the computer, downloading software from an official website, deselecting the option to install additional software during installation, leaving the installation settings untouched, and the like. Different behaviors are given different scores, for example +2 for deselecting the option to install additional software during installation and -1 for leaving the installation settings untouched. The total score reflects the user's computer familiarity: the higher the score, the higher the familiarity. Different score intervals are then defined for low-risk and high-risk users, the interval containing the total score is determined, and the corresponding classification is found.
The log monitoring module judges whether the number of security logs not yet uploaded is larger than a first threshold; if so, it uploads them; if not, it judges whether that number is larger than a second threshold and, if so, whether the user is classified as high-risk, and if so uploads the security logs not yet uploaded, the second threshold being smaller than the first.
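The behavior scoring, user classification and two-threshold upload decision described in this embodiment (and in the Disclosure above), as an added worked example in Python that is not code from the patent. The +2 / -1 scores, the low-risk/high-risk split and the time/type/summary log fields come from the page; the remaining behavior scores, the score intervals (including a medium-risk interval, which the claims name but this embodiment does not), the threshold values 100 and 50 and the sample logs are assumptions constructed for illustration.

```python
"""Added example (not the patent's code): familiarity scoring, classification
and the first/second-threshold upload decision of the log monitoring module."""

from dataclasses import dataclass, field
from typing import Dict, List

# Scores for recorded computer-operation behaviours. The first two values are
# the page's examples; the other three are assumed.
BEHAVIOR_SCORES: Dict[str, int] = {
    "deselect_bundled_software": 2,     # page: +2
    "install_without_adjusting": -1,    # page: -1
    "use_security_software": 1,         # assumed
    "update_patches": 1,                # assumed
    "download_from_official_site": 1,   # assumed
}


def familiarity_score(behaviors: List[str]) -> int:
    """Total score; the higher it is, the higher the user's computer familiarity."""
    return sum(BEHAVIOR_SCORES.get(b, 0) for b in behaviors)


def classify_user(behaviors: List[str]) -> str:
    """Preset classification rule (score intervals assumed): a familiar user is
    low-risk, an unfamiliar one high-risk, anything in between medium-risk."""
    score = familiarity_score(behaviors)
    if score >= 4:
        return "low-risk"
    if score >= 0:
        return "medium-risk"
    return "high-risk"


@dataclass
class SecurityLog:
    time: str      # the page's log fields: time, type, summary
    type: str
    summary: str


@dataclass
class LogMonitor:
    """Log monitoring module: holds the logs not yet uploaded and decides when to send them."""
    first_threshold: int
    second_threshold: int
    pending: List[SecurityLog] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.second_threshold >= self.first_threshold:
            raise ValueError("second threshold must be smaller than the first")

    def record(self, log: SecurityLog) -> None:
        """Behaviour recording module: queue a log produced by a protection action."""
        self.pending.append(log)

    def should_upload(self, user_class: str) -> bool:
        n = len(self.pending)
        if n > self.first_threshold:            # first condition: applies to every user
            return True
        return n > self.second_threshold and user_class == "high-risk"  # second condition

    def check(self, user_class: str) -> List[SecurityLog]:
        """Return the batch uploaded now (and clear it), or [] if nothing is sent."""
        if not self.should_upload(user_class):
            return []
        batch, self.pending = self.pending, []
        return batch


def simulate(user_class: str, n_logs: int, first: int = 100, second: int = 50) -> int:
    """Feed n constructed logs one at a time and return how many uploads were triggered."""
    monitor = LogMonitor(first, second)
    uploads = 0
    for i in range(n_logs):
        monitor.record(SecurityLog(f"2022-12-30T00:{i % 60:02d}", "virus protection", "blocked sample"))
        if monitor.check(user_class):
            uploads += 1
    return uploads


if __name__ == "__main__":
    print(classify_user(["deselect_bundled_software", "update_patches", "use_security_software"]))
    print(simulate("high-risk", 120), simulate("low-risk", 120))
```

With the assumed thresholds, 120 logs from a high-risk user trigger two uploads (at 51 and again at 102 logs), while the same logs from a low-risk user trigger one upload at 101; a low-risk user whose count never exceeds the first threshold triggers none.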
The log analysis module analyzes the uploaded security logs and generates analysis results. In this embodiment, the analysis result is either data valid or data invalid; for data valid, the further result is that no security risk exists or that a security risk exists.
The log analysis module is also used for counting the correspondence between the number of security logs and the effective rate of the analysis result, screening out the analysis results whose effective rate is greater than a first set value, determining the number of security logs corresponding to those results, and taking that number as the first threshold; and for screening out the analysis results whose effective rate is greater than a second set value, determining the number of security logs corresponding to those results, and taking that number as the second threshold, wherein the first set value is greater than the second set value.
For example, if 1000 users each upload 100 security logs and the analysis result for 981 of them is data valid, the effective rate at 100 security logs is 98.1%. If the first set value is 98%, the effective rate at 100 logs exceeds it and meets the requirement; the number of security logs corresponding to that analysis result is 100, and 100 can be used as the first threshold.
In this embodiment, after screening out the analysis results whose effective rate is greater than the first set value and determining the numbers of security logs corresponding to them, the lowest of those numbers is used as the first threshold; the second threshold is determined in the same way. For example, if the effective rate is 98.1% at 100 security logs and 98.7% at 150, 100 is the lowest and becomes the first threshold.
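The threshold derivation of the log analysis module described here and in the Disclosure (effective rate per number of logs, screen by a set value, take the lowest count), as an added example in Python that is not the patent's code. The batch size 100 with 981 of 1000 valid results, the 98.1% / 98.7% rates at 100 and 150 logs, and the first set value 98% come from the page; the other batch sizes, the second set value 95%, and the reading of the third threshold from embodiment two as the largest batch size whose effective rate is 0 are constructed assumptions.

```python
"""Added example (not the patent's code): deriving the first, second and
third thresholds from effective-rate statistics per number of uploaded logs."""

from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# One record per uploaded batch: (number of logs in the batch, result was "data valid").
Record = Tuple[int, bool]


def constructed_records() -> List[Record]:
    """Constructed statistics: for each batch size, how many of 1000 users' uploads were valid.
    The 100 -> 981 entry is the page's example; the others are assumed."""
    valid_per_size = {20: 0, 40: 500, 60: 960, 100: 981, 150: 987}
    records: List[Record] = []
    for size, n_valid in valid_per_size.items():
        records += [(size, True)] * n_valid + [(size, False)] * (1000 - n_valid)
    return records


def effective_rates(records: Iterable[Record]) -> Dict[int, float]:
    """Correspondence between number of logs and effective rate (valid / total)."""
    totals: Dict[int, int] = defaultdict(int)
    valid: Dict[int, int] = defaultdict(int)
    for size, is_valid in records:
        totals[size] += 1
        if is_valid:
            valid[size] += 1
    return {size: valid[size] / totals[size] for size in totals}


def lowest_size_above(rates: Dict[int, float], set_value: float) -> Optional[int]:
    """Screen out results whose effective rate exceeds set_value; return the lowest log count."""
    candidates = [size for size, rate in rates.items() if rate > set_value]
    return min(candidates) if candidates else None


def derive_thresholds(records: Iterable[Record],
                      first_set_value: float = 0.98,
                      second_set_value: float = 0.95) -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Return (first, second, third) thresholds; first_set_value must exceed second_set_value."""
    if first_set_value <= second_set_value:
        raise ValueError("first set value must be greater than the second")
    rates = effective_rates(list(records))
    first = lowest_size_above(rates, first_set_value)
    second = lowest_size_above(rates, second_set_value)
    # Assumption: the third threshold is the largest batch size whose effective rate is 0.
    zero_rate = [size for size, rate in rates.items() if rate == 0.0]
    third = max(zero_rate) if zero_rate else None
    return first, second, third


if __name__ == "__main__":
    print(derive_thresholds(constructed_records()))
```

On the constructed data the first threshold is 100 (the lowest size above 98%), the second is 60 (the lowest above 95%) and the third is 20 (the size with no valid results). Rerunning `derive_thresholds` on fresh statistics every preset period, as the embodiment does every 6 months, keeps the thresholds tracking the observed effective rates.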
The log analysis module also recalculates the first and second thresholds every preset period. The preset period is 6 to 12 months; in this embodiment it is 6 months.
The embodiment also provides a security log analysis method which uses the system.
Example two
This embodiment differs from the first in that the log monitoring module is also configured to analyze the number of security logs not yet uploaded by a high-risk user and generate a curve when it determines that the number of security logs not yet uploaded is not greater than the second threshold.
Specifically, the log monitoring module judges whether the user's single computer use time exceeds a set time; if so, the number of security logs generated in each use of the computer is counted and fitted into a curve. In this embodiment the set time is 5 hours. If the set time is not exceeded, the number of security logs generated by the computer in each set time is counted and fitted into a curve. In this embodiment the count is the ordinate of the fitted curve and the sequence number of the count is the abscissa.
The log monitoring module also judges whether the generated curve is in a steady state, and if so the security logs not yet uploaded are not uploaded. In this embodiment, steady state means that the ratio of the difference between the maximum and minimum of the single counts to their average is less than 5%.
The log monitoring module also judges whether the generated curve is in a descending state; if so, it judges whether the number of uses of the security software within the set time, in the recorded computer operation behaviors, is higher than a preset number, and if so uploads the security logs not yet uploaded. In this embodiment the preset number is 5; in other embodiments it may be determined according to the length of the set time. In this embodiment, the descending state means that the steady-state condition is not met and the counted number of security logs has decreased continuously over at least 3 counts; in other embodiments the descending state may be determined by specifying the decrease between two counts.
The log monitoring module also judges whether the generated curve is in an ascending state; if so, it judges whether the number of security logs not yet uploaded is lower than a third threshold, and if so does not upload them; otherwise it judges whether the current maximum exceeds the historical maximum, and if so uploads the security logs not yet uploaded. The historical maximum is the maximum number of security logs generated in any past use of the computer, or the maximum number generated in any past set time. In this embodiment, the third threshold is the number of security logs at which the effective rate determined by the log analysis module is 0. In this embodiment, the ascending state means that the steady-state condition is not met and the counted number of security logs has increased continuously over at least 3 counts; in other embodiments the increase between two counts may be specified to determine the ascending state.
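The curve construction and the steady / descending / ascending decisions of embodiment two (also described in the Disclosure), as an added example in Python that is not the patent's code. The 5-hour set time, the 5% steady-state ratio, the run of at least 3 counts, the preset use count of 5, the third-threshold rule and the historical-maximum comparison come from the page. Assumptions: the decision function is only called in the branch where a high-risk user's pending count is not above the second threshold; the latest session's length decides which counting mode is used; fewer than 3 counts or a curve that is neither steady, descending nor ascending results in no upload; timestamps are constructed hours since an arbitrary origin.

```python
"""Added example (not the patent's code): per-session or per-window log
counts, curve-state classification, and the embodiment-two upload decision."""

from typing import List, Sequence, Tuple

SET_TIME_HOURS = 5.0   # page: set time of 5 hours
STEADY_RATIO = 0.05    # page: (max - min) / mean < 5% means steady
RUN_LENGTH = 3         # page: at least 3 consecutive counts
PRESET_USES = 5        # page: preset number of security-software uses

# A session is (duration in hours, timestamps in hours of the logs it generated).
Session = Tuple[float, Sequence[float]]


def count_per_session(sessions: Sequence[Session]) -> List[int]:
    """One point per computer use: the number of logs generated during it."""
    return [len(stamps) for _, stamps in sessions]


def count_per_window(stamps: Sequence[float], window: float) -> List[int]:
    """One point per fixed window of `window` hours, starting at hour 0."""
    if not stamps:
        return []
    counts = [0] * (int(max(stamps) // window) + 1)
    for t in stamps:
        counts[int(t // window)] += 1
    return counts


def build_curve(sessions: Sequence[Session], set_time: float = SET_TIME_HOURS) -> List[int]:
    """Choose the counting mode: per use if the single use time exceeds the set
    time (assumption: judged on the latest session), else per set-time window."""
    if sessions and sessions[-1][0] > set_time:
        return count_per_session(sessions)
    all_stamps = [t for _, stamps in sessions for t in stamps]
    return count_per_window(all_stamps, set_time)


def curve_state(counts: Sequence[int]) -> str:
    """'steady', 'descending', 'ascending', or (assumed labels) 'insufficient' / 'fluctuating'."""
    if len(counts) < RUN_LENGTH:
        return "insufficient"
    mean = sum(counts) / len(counts)
    spread = max(counts) - min(counts)
    if mean == 0 or spread / mean < STEADY_RATIO:
        return "steady"
    tail = counts[-RUN_LENGTH:]
    if all(b < a for a, b in zip(tail, tail[1:])):
        return "descending"
    if all(b > a for a, b in zip(tail, tail[1:])):
        return "ascending"
    return "fluctuating"


def should_upload_on_curve(counts: Sequence[int], security_software_uses: int,
                           pending: int, third_threshold: int, historical_max: int) -> bool:
    """Embodiment-two decision for a high-risk user whose pending count is at or
    below the second threshold (the caller is assumed to have checked that)."""
    state = curve_state(counts)
    if state == "steady":
        return False                                   # nothing unusual: wait
    if state == "descending":
        return security_software_uses > PRESET_USES   # user worried, software quiet
    if state == "ascending":
        if pending < third_threshold:
            return False                               # too few logs to analyse usefully
        return max(counts) > historical_max            # protection actions at a new high
    return False


if __name__ == "__main__":
    sessions = [(8.0, [0.5, 1.0]), (7.0, [9.0, 9.5, 10.0]), (6.0, [20.0, 21.0, 22.0, 23.0])]
    curve = build_curve(sessions)
    print(curve, curve_state(curve), should_upload_on_curve(curve, 0, 30, 10, 3))
```

Note that the descending branch uses a behavioral signal (how often the user opened the security software) rather than the log count itself, which is what lets the module upload early when the user's impression and the software's activity disagree.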
The above are merely examples of the present invention, and the invention is not limited to the field of this embodiment. Common general knowledge of the specific structures and characteristics used in the scheme is not described here at length; those skilled in the art are taken to know all common technical knowledge and prior art in this field before the application date or priority date, to be able to apply conventional experimental means available before that date, and to be able to perfect and implement the scheme with their own ability, so that typical known structures or methods should not be a barrier to implementing the invention in light of the teaching of this application. Those skilled in the art may make several variations and modifications without departing from the structure of the invention, and these shall also be considered within its scope of protection, without affecting the effect of the implementation or the utility of the patent. The scope of the claims shall be defined by the claims, and the description of the embodiments and the like in the specification shall be used to explain the contents of the claims.
Claims (10)
1. A security log analysis system comprising a protection module for executing a preset protection operation when a virus or abnormal behavior is detected; characterized in that it further comprises:
the behavior recording module is used for recording the protection operation of the protection module and generating a safety log;
the user analysis module is used for recording the computer operation behaviors of the user, analyzing the computer familiarity of the user according to the computer operation behaviors and determining the classification of the user based on preset classification rules and the computer familiarity; the classification of users includes low risk users, medium risk users, and high risk users;
the log monitoring module is used for judging whether the number of the security logs which are not uploaded currently is larger than a first threshold value or not, and if so, uploading the security logs which are not uploaded; if the number of the security logs which are not uploaded is not larger than the first threshold, judging whether the number of the security logs which are not uploaded is larger than a second threshold, if so, judging whether the classification of the user is a high-risk user, if so, uploading the security logs which are not uploaded, wherein the second threshold is smaller than the first threshold.
2. The security log analysis system of claim 1, wherein: the system further comprises a log analysis module for analyzing the uploaded security logs and generating analysis results; the log analysis module is also used for counting the correspondence between the number of security logs and the effective rate of the analysis result, screening out the analysis results whose effective rate is greater than a first set value, determining the number of security logs corresponding to those results, and taking that number as the first threshold; and is also used for screening out the analysis results whose effective rate is greater than a second set value, determining the number of security logs corresponding to those results, and taking that number as the second threshold, wherein the first set value is greater than the second set value.
3. The security log analysis system of claim 2, wherein: the log analysis module is further configured, after screening out the analysis results whose effective rate is greater than the first set value and determining the numbers of security logs corresponding to them, to use the lowest of those numbers as the first threshold.
4. The security log analysis system of claim 2, wherein: the log analysis module is further configured to recalculate the first threshold and the second threshold every preset period.
5. The security log analysis system of claim 2, wherein: the log monitoring module is further used, when the number of security logs not yet uploaded is judged to be not larger than the second threshold, for analyzing the number of security logs not yet uploaded by the high-risk user and generating a curve, judging whether the generated curve is in a steady state, and if so not uploading the security logs not yet uploaded at that time.
6. The security log analysis system of claim 5, wherein: the log monitoring module is also used for judging whether the user's single computer use time exceeds a set time, and if so counting the number of security logs generated in each use of the computer and fitting the counts into a curve;
and if the set time is not exceeded, counting the number of security logs generated by the computer in each set time and fitting the counts into a curve.
7. The security log analysis system of claim 6, wherein: the log monitoring module is further used, when analyzing the curve generated for the security logs not yet uploaded, for judging whether the generated curve is in a descending state, if so judging whether the number of uses of the security software within the set time in the computer operation behaviors is higher than the preset number, and if so uploading the security logs not yet uploaded.
8. The security log analysis system of claim 7, wherein: the log monitoring module is also used, when analyzing the curve generated for the security logs not yet uploaded, for judging whether the generated curve is in an ascending state, if so judging whether the current maximum value exceeds the historical maximum value, and if so uploading the security logs not yet uploaded;
the historical maximum value is the maximum number of security logs generated in any past use of the computer, or the maximum number generated in any past set time.
9. The security log analysis system of claim 8, wherein: the log monitoring module is also used, when the curve is judged to be in the ascending state, for judging whether the number of security logs not yet uploaded is lower than a third threshold, and if so not uploading them.
10. A method of security log analysis, characterized by using the system of any of claims 1-9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211732123.5A CN115964702A (en) | 2022-12-30 | 2022-12-30 | Security log analysis system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115964702A true CN115964702A (en) | 2023-04-14 |
Family
ID=87357613
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211732123.5A Pending CN115964702A (en) | 2022-12-30 | 2022-12-30 | Security log analysis system and method |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116488939A (en) * | 2023-06-16 | 2023-07-25 | 江西科技学院 | Computer information security monitoring method, system and storage medium |
CN116488939B (en) * | 2023-06-16 | 2023-08-25 | 江西科技学院 | Computer information security monitoring method, system and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |