CN115987530A - Log detection method, system, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN115987530A
Authority
CN
China
Prior art keywords
log
matching
target
type
target log
Prior art date
Legal status
Pending
Application number
CN202111187718.2A
Other languages
Chinese (zh)
Inventor
董枫
陈介东
莫易非
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application discloses a log detection method, system, device and computer readable storage medium. The method acquires a target log to be detected; analyzes the log type of the target log; extracts a matching object from the target log based on the log type; and matches the matching object with a preset rule matching library, generating, if the matching is successful, a detection result indicating that the target log is an attack behavior log. Once the target log has been obtained, only its log type needs to be analyzed for the matching object to be extracted from it quickly, and whether the target log is an attack behavior log is then determined simply by matching that object against the rule matching library. The log detection system, the log detection device and the computer readable storage medium solve the corresponding technical problems.

Description

Log detection method, system, equipment and computer readable storage medium
Technical Field
The present application relates to the field of information processing technologies, and in particular, to a log detection method, system, device, and computer readable storage medium.
Background
With the development of the internet and informatization, the network security of user terminals has become increasingly important. To help a user perceive attack behavior occurring on the terminal, a log detection engine or similar can be installed on the terminal to identify attack behavior logs. However, when it must be checked whether a log really is an attack behavior log, the log has to be inspected manually, which is inefficient and slows down log processing.
In summary, how to improve the detection efficiency of the log is an urgent problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a log detection method which can solve the technical problem of how to improve the log detection efficiency to a certain extent. The application also provides a log detection system, a log detection device and a computer readable storage medium.
In order to achieve the above object, in a first aspect, the present application provides a log detection method, including:
acquiring a target log to be detected;
analyzing the log type of the target log;
extracting a matching object from the target log based on the log type;
and matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result representing that the target log is an attack behavior log.
Preferably, acquiring the target log includes:
acquiring a target log that has been processed by a log classification engine, the log classification engine being used to classify whether a log is an attack behavior log;
and, after the detection result indicating that the target log is an attack behavior log is generated, the method further includes:
obtaining the classification result of the log classification engine for the target log;
and evaluating the classification accuracy of the log classification engine based on the classification result and the detection result.
Preferably, after the target log to be detected is obtained, before the matching object is extracted from the target log based on the log type, the method further includes:
and if the format of the target log is an ETL format, converting the format of the target log into a behavior log format.
Preferably, the acquiring the target log to be detected includes:
acquiring an initial log to be detected;
and filtering known attack behavior logs in the initial log to obtain the target log.
Preferably, extracting the matching object from the target log based on the log type includes:
if the log type is a process creation type log, extracting command information from the target log as the matching object;
and/or if the log type is a file audit type log, extracting path information from the target log as the matching object;
and/or if the log type is a network connection type log, extracting source IP information and target port information from the target log as the matching object;
and/or if the log type is a login type log, extracting login state information from the target log as the matching object.
Preferably, before matching the matching object with the preset rule matching library, the method further includes:
acquiring a configuration file for attacking a terminal;
analyzing the configuration file and determining object information representing the attack behavior;
and constructing the rule matching library based on the object information.
Preferably, before matching the matching object with the preset rule matching library, the method further includes:
acquiring a known historical attack behavior log;
analyzing the historical attack behavior log, and determining object information representing attack behaviors;
and constructing the rule matching library based on the object information.
In a second aspect, the present application provides a log detection system, including:
the acquisition module is used for acquiring a target log to be detected;
the analysis module is used for analyzing the log type of the target log;
the extraction module is used for extracting a matching object from the target log based on the log type;
and the matching module is used for matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result representing that the target log is an attack behavior log.
In a third aspect, the present application provides an electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the log detection method as described in any one of the above when the computer program is executed.
In a fourth aspect, the present application provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the log detection method as described in any one of the above.
The log detection method provided by the application comprises the steps of obtaining a target log to be detected; analyzing the log type of the target log; extracting a matching object from the target log based on the log type; and matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result representing that the target log is an attack behavior log. According to the method and the device, after the target log is obtained, the matching object can be quickly extracted from the target log based on the log type only by analyzing the log type of the target log, and then whether the target log is an attack behavior log can be determined only by matching the matching object with the rule matching library. The log detection system, the log detection equipment and the computer readable storage medium solve the corresponding technical problems.
Drawings
To illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flowchart of a log detection method according to an embodiment of the present application;
fig. 2 is a second flowchart of a log detection method according to an embodiment of the present application;
fig. 3 is a third flowchart of a log detection method according to an embodiment of the present application;
fig. 4 is a fourth flowchart of a log detection method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a log detection system according to an embodiment of the present application;
fig. 6 is a schematic diagram of a hardware composition structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a first flowchart of a log detection method according to an embodiment of the present disclosure.
The log detection method provided by the embodiment of the application can comprise the following steps:
Step S101: acquiring a target log to be detected.
In practical application, the target log to be detected is obtained first. How the target log is obtained, how many logs are obtained, and so on, may be decided according to actual needs. For example, the logs generated by the user terminal within a period of time may be collected as target logs, where that period may span the time before and after an attack behavior log was generated; logs already identified as normal behavior logs may also be used as target logs. None of this is specifically limited here. Likewise, the application does not limit the log type of the target log, which may be chosen flexibly according to the specific application scenario.
Step S102: analyzing the log type of the target log.
Step S103: extracting a matching object from the target log based on the log type.
In practical application, the information characterizing an attack behavior differs between logs of different types but is similar within logs of the same type. To detect the target log quickly, therefore, the log type of the target log is analyzed first after the target log is obtained, and the matching object is then extracted from the target log based on that log type, so that whether the target log is an attack behavior log can subsequently be determined from the matching object. In other words, the matching object in the present application is what is used to decide whether the target log is an attack behavior log.
It should be noted that, when the matching object is extracted from the target log based on the log type, the data structures of logs of different types may differ, whereas the position at which the information characterizing an attack behavior is stored may be the same for logs of the same type. The storage position of that information may therefore be determined in advance for each log type; the storage position in the target log is then determined from its log type, and the information at that position is extracted as the matching object, which makes extraction fast. Of course, when the kind of information characterizing an attack behavior in the log is known, information of that kind may be extracted directly from the target log as the matching object. This is not specifically limited here.
Step S104: matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result indicating that the target log is an attack behavior log.
In practical application, after the matching object has been extracted from the target log based on the log type, it is matched with the preset rule matching library, so that whether the target log is an attack behavior log is judged by means of the matching object and the rule matching library and a corresponding detection result is generated.
It should be noted that the number of rule matching libraries in the present application may be determined according to actual needs. For example, there may be a single rule matching library, in which case it stores the object information characterizing attack behavior logs across all log types. Alternatively, one rule matching library may store only the object information characterizing attack behavior logs of one log type, in which case the corresponding rule matching library is determined based on the log type before the matching object is matched with it. This is not specifically limited here.
The log detection method provided by the application comprises the steps of obtaining a target log to be detected; analyzing the log type of the target log; extracting a matching object from the target log based on the log type; and matching the matched object with a preset rule matching library, and if the matching is successful, generating a detection result representing that the target log is an attack behavior log. According to the method and the device, after the target log is obtained, the matched object can be quickly extracted from the target log based on the log type only by analyzing the log type of the target log, and whether the target log is an attack behavior log can be determined only by matching the matched object with the rule matching library.
Referring to fig. 2, fig. 2 is a second flowchart of a log detection method according to an embodiment of the present application.
The log detection method provided by the embodiment of the application can comprise the following steps:
Step S201: acquiring a target log that has been processed by a log classification engine, the log classification engine being used to classify whether a log is an attack behavior log.
In practical application, a log classification engine that classifies logs into attack behavior logs and normal behavior logs may already exist, but its classification results may be inaccurate. To verify those classification results, a target log processed by the log classification engine can be obtained and detected according to the method of the application.
Step S202: analyzing the log type of the target log.
Step S203: extracting a matching object from the target log based on the log type.
Step S204: matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result indicating that the target log is an attack behavior log.
Step S205: obtaining the classification result of the log classification engine for the target log.
Step S206: evaluating the classification accuracy of the log classification engine based on the classification result and the detection result.
In practical application, after the target log has been detected according to the method of the application and a corresponding detection result obtained, the classification result of the log classification engine for that target log can be obtained; the classification accuracy of the log classification engine is then evaluated from the classification result and the detection result. How this is done may be decided according to the specific application scenario. For example, if, for the same log, the classification result is inconsistent with the detection result, the log classification engine has made a classification error; the number of target logs whose classification result and detection result are inconsistent can then be counted, and the ratio of that number to the total number of target logs used as the classification accuracy of the log classification engine. This is not specifically limited here.
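The evaluation of steps S205 and S206, as an added example (not the patent's own code): each record pairs the classification engine's verdict with the rule-matching detection result for one target log, and the measure is the one the text describes, the number of inconsistent logs divided by the total. The per-type breakdown and the `missed`/`over_flagged` split are additions; the record field names are assumptions.

```python
"""Compare a log classification engine against rule-matching detection results.

Added example, not the patent's implementation. Field names (`classified_attack`,
`detected_attack`) are assumptions.
"""
from __future__ import annotations


def evaluate_classification_engine(records: list[dict]) -> dict:
    """records: one dict per target log with keys 'id', 'type',
    'classified_attack' (the engine's result, bool) and 'detected_attack'
    (the rule-matching detection result, bool).

    Returns the patent's measure ('ratio': inconsistent logs / total logs)
    plus a per-type breakdown of which way the engine disagreed.
    """
    total = len(records)
    if total == 0:
        # Edge case: nothing to evaluate, so avoid dividing by zero.
        return {"total": 0, "inconsistent": 0, "ratio": 0.0, "by_type": {}}

    inconsistent = 0
    by_type: dict[str, dict[str, int]] = {}
    for r in records:
        stats = by_type.setdefault(
            r["type"], {"total": 0, "missed": 0, "over_flagged": 0}
        )
        stats["total"] += 1
        if r["classified_attack"] == r["detected_attack"]:
            continue  # engine and rule matching agree on this log
        inconsistent += 1
        if r["detected_attack"]:
            # Rule matching found an attack the engine classified as normal.
            stats["missed"] += 1
        else:
            # Engine flagged an attack that rule matching did not confirm.
            stats["over_flagged"] += 1

    return {
        "total": total,
        "inconsistent": inconsistent,
        "ratio": inconsistent / total,
        "by_type": by_type,
    }


# Constructed sample records (not from the patent).
SAMPLE_RECORDS = [
    {"id": "t1", "type": "process_create", "classified_attack": True, "detected_attack": True},
    {"id": "t2", "type": "process_create", "classified_attack": False, "detected_attack": True},
    {"id": "t3", "type": "file_audit", "classified_attack": True, "detected_attack": False},
    {"id": "t4", "type": "login", "classified_attack": False, "detected_attack": False},
    {"id": "t5", "type": "login", "classified_attack": True, "detected_attack": True},
]

if __name__ == "__main__":
    print(evaluate_classification_engine(SAMPLE_RECORDS))
```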
In the log detection method provided by the embodiment of the application, after the target log to be detected is obtained and before the matching object is extracted from it based on the log type, it is considered that an existing log may be in the ETL (Extract-Transform-Load) format, which is inconvenient for extracting the matching object, whereas the behavior log format is convenient for it. To keep the extraction of the matching object efficient, this embodiment may therefore convert the format of the target log: if the target log is in the ETL format, it is converted into the behavior log format.
In the log detection method provided by the embodiment of the application, known attack behavior logs may be present among the target logs obtained. Detecting them again according to the method of the application would needlessly reduce the efficiency of the whole method. To avoid this, an initial log to be detected can be obtained first, and the known attack behavior logs in the initial log filtered out to obtain the target log. The specific filtering method may be decided according to the specific application scenario and is not specifically limited here.
In the log detection method provided by the embodiment of the application, the matching object is extracted from the target log according to the log type as follows. If the log type is a process creation type log, command information in the target log may be extracted as the matching object; whether the target log is an attack behavior log is then judged from the command information, and for this purpose known command information that marks a log as an attack behavior log is stored in the rule matching library. And/or, if the log type is a file audit type log, path information in the target log is extracted as the matching object, i.e. whether the target log is an attack behavior log is judged from the path information, and known path information that marks an attack behavior log is stored in the rule matching library. And/or, if the log type is a network connection type log, source IP information and target port information in the target log are extracted as the matching object, which amounts to judging whether the target log is an attack behavior log from the source IP and target port, and known source IP and target port information that marks an attack behavior log is stored in the rule matching library. And/or, if the log type is a login type log, the login state information in the target log may be extracted as the matching object, which amounts to judging whether the target log is an attack behavior log from the login state; for example, the target log may be judged to be an attack behavior log when the login state information indicates a login failure, and for this purpose object information reflecting that the login state is a failure may be stored in the rule matching library.
Referring to fig. 3, fig. 3 is a third flowchart of a log detection method according to an embodiment of the present application.
The log detection method provided by the embodiment of the application can comprise the following steps:
Step S301: acquiring a target log to be detected.
Step S302: analyzing the log type of the target log.
Step S303: extracting a matching object from the target log based on the log type.
Step S304: acquiring a configuration file used to attack the terminal.
Step S305: analyzing the configuration file and determining object information representing the attack behavior.
Step S306: constructing a rule matching library based on the object information.
In practical application, an attacker may attack a terminal by means of a configuration file, so the configuration file can reveal the information that marks a log as an attack behavior log. Therefore, before the matching object is matched with the preset rule matching library, the configuration file used to attack the terminal can be obtained; the configuration file is analyzed to determine the object information representing the attack behavior; and the rule matching library is then constructed from that object information, which allows the rule matching library to be built quickly.
It should be noted that the configuration file in this embodiment may be a configuration file sent to the terminal by an unknown attacker, or a simulated configuration file that attacks the terminal, and so on; the application is not specifically limited here.
Step S307: matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result indicating that the target log is an attack behavior log.
Referring to fig. 4, fig. 4 is a fourth flowchart of a log detection method according to an embodiment of the present disclosure.
The log detection method provided by the embodiment of the application can comprise the following steps:
Step S401: acquiring a target log to be detected.
Step S402: analyzing the log type of the target log.
Step S403: extracting a matching object from the target log based on the log type.
Step S404: acquiring known historical attack behavior logs.
Step S405: analyzing the historical attack behavior logs and determining object information representing the attack behavior.
Step S406: constructing a rule matching library based on the object information.
In practical application, when the rule matching library is constructed before the matching object is matched with it, the configuration file used to attack the terminal can be hard to identify and obtain, whereas the corresponding information in known attack behavior logs can serve as the object information for detecting attack behavior logs. The rule matching library can therefore be constructed quickly from known attack behavior logs directly: known historical attack behavior logs are obtained; the historical attack behavior logs are analyzed to determine the object information representing the attack behavior; and the rule matching library is constructed from that object information.
Step S407: matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result indicating that the target log is an attack behavior log.
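An added example (not the patent's own code) that serves both the rule-library construction of steps S404 to S406 and the type-specific extraction and matching of steps S102 to S104, including the filtering of already-known attack behavior logs described earlier. It assumes logs are already in a behavior-log dict format with a `type` field; the log type names, field names (`command`, `path`, `src_ip`, `dst_port`, `login_state`) and the case-insensitive normalisation of string objects are assumptions, and all sample logs are constructed.

```python
"""Rule library built from known historical attack logs, then detection of
target logs by type-specific matching object. Added example, not the patent's
implementation; type/field names are assumptions.
"""
from __future__ import annotations

from typing import Any

# Which field(s) of each log type form the matching object (the patent names
# command info, path info, source IP + target port, and login state).
MATCH_FIELDS = {
    "process_create": ("command",),
    "file_audit": ("path",),
    "network_connect": ("src_ip", "dst_port"),
    "login": ("login_state",),
}


def _norm(value: Any) -> Any:
    # Assumption: string objects are trimmed and compared case-insensitively;
    # the patent does not prescribe any normalisation.
    return value.strip().casefold() if isinstance(value, str) else value


def extract_matching_object(log: dict) -> tuple[str, tuple]:
    """Return (log_type, matching_object); reject unsupported log types."""
    log_type = log["type"]
    fields = MATCH_FIELDS.get(log_type)
    if fields is None:
        raise ValueError(f"unsupported log type: {log_type!r}")
    return log_type, tuple(_norm(log[f]) for f in fields)


def build_rule_library(historical_attack_logs: list[dict]) -> dict[str, frozenset]:
    """Per log type, the set of matching objects seen in known attack logs."""
    buckets: dict[str, set] = {t: set() for t in MATCH_FIELDS}
    for log in historical_attack_logs:
        log_type, obj = extract_matching_object(log)
        buckets[log_type].add(obj)
    return {t: frozenset(s) for t, s in buckets.items()}


def filter_known_attacks(initial_logs: list[dict], known_attack_ids: set[str]) -> list[dict]:
    """Drop logs already known to be attack behavior logs before detection."""
    return [log for log in initial_logs if log["id"] not in known_attack_ids]


def detect(log: dict, library: dict[str, frozenset]) -> bool:
    """True when the log's matching object is in the library for its type."""
    log_type, obj = extract_matching_object(log)
    return obj in library[log_type]


def run_detection(initial_logs: list[dict], known_attack_ids: set[str],
                  library: dict[str, frozenset]) -> dict[str, bool]:
    """Map each remaining log id to its detection result."""
    return {log["id"]: detect(log, library)
            for log in filter_known_attacks(initial_logs, known_attack_ids)}


# Constructed sample data (not from the patent).
HISTORICAL_ATTACK_LOGS = [
    {"id": "h1", "type": "process_create", "command": "evil_loader.exe --stage2"},
    {"id": "h2", "type": "file_audit", "path": r"C:\Users\Public\dropper.tmp"},
    {"id": "h3", "type": "network_connect", "src_ip": "10.0.0.5", "dst_port": 4444},
    {"id": "h4", "type": "login", "login_state": "failure"},
]
INITIAL_LOGS = [
    {"id": "t1", "type": "process_create", "command": "notepad.exe readme.txt"},
    {"id": "t2", "type": "process_create", "command": "  EVIL_LOADER.EXE --stage2"},
    {"id": "t3", "type": "file_audit", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": "t4", "type": "network_connect", "src_ip": "10.0.0.5", "dst_port": 4444},
    {"id": "t5", "type": "network_connect", "src_ip": "10.0.0.5", "dst_port": 443},
    {"id": "t6", "type": "login", "login_state": "success"},
    {"id": "t7", "type": "login", "login_state": "Failure"},
    {"id": "k1", "type": "process_create", "command": "evil_loader.exe --stage2"},
]
KNOWN_ATTACK_IDS = {"k1"}  # already classified; filtered out before detection

if __name__ == "__main__":
    lib = build_rule_library(HISTORICAL_ATTACK_LOGS)
    for log_id, is_attack in run_detection(INITIAL_LOGS, KNOWN_ATTACK_IDS, lib).items():
        print(log_id, "attack" if is_attack else "normal")
```

Exact matching on whole command lines or paths, as shown here, only catches what the historical logs already contain; a rule library built this way is only as broad as the attack logs fed into it.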
Referring to fig. 5, fig. 5 is a schematic structural diagram of a log detection system according to an embodiment of the present disclosure.
The log detection system provided by the embodiment of the application can comprise:
the acquisition module 101 is used for acquiring a target log to be detected;
the analysis module 102 is used for analyzing the log type of the target log;
the extraction module 103 is configured to extract a matching object from the target log based on the log type;
and the matching module 104 is configured to match the matching object with a preset rule matching library, and if the matching is successful, generate a detection result indicating that the target log is an attack behavior log.
In an embodiment of the present application, an obtaining module of a log detection system may include:
the device comprises a first acquisition unit, a log classification engine and a second acquisition unit, wherein the first acquisition unit is used for acquiring a target log processed by the log classification engine, and the log classification engine is used for classifying whether the log is an attack behavior log;
the method can also comprise the following steps:
the second acquisition unit is used for acquiring the classification result of the target log by the log classification engine after the matching module generates the detection result representing that the target log is the attack behavior log;
and the evaluation unit is used for evaluating the classification accuracy of the log classification engine based on the classification result and the detection result.
The log detection system provided by the embodiment of the application can further include:
a conversion module, used for converting the format of the target log into the behavior log format if the target log is in the ETL format, after the acquisition module has acquired the target log to be detected and before the extraction module extracts the matching object from the target log based on the log type.
In an embodiment of the present application, an obtaining module of a log detection system may include:
the third acquisition unit is used for acquiring an initial log to be detected;
and the filtering unit is used for filtering known attack behavior logs in the initial logs to obtain target logs.
In the log detection system provided in the embodiment of the present application, the extraction module may be specifically configured to: if the log type is a process creation type log, extracting command information in a target log as a matching object; and/or if the log type is a file audit type log, extracting path information in the target log as a matching object; and/or if the log type is a network connection type log, extracting source IP information and target port information in a target log as matching objects; and/or if the log type is a log of a login type, extracting login state information in the target log as a matching object.
The log detection system provided by the embodiment of the application can further include:
the second acquisition module is used for acquiring a configuration file for attacking the terminal before the matching module matches the matching object with a preset rule matching library;
the first analysis module is used for analyzing the configuration file and determining object information representing the attack behavior;
and the first construction module is used for constructing a rule matching library based on the object information.
The log detection system provided by the embodiment of the application may further include:
the third acquisition module is used for acquiring a known historical attack behavior log before the matching module matches the matching object with a preset rule matching library;
the second analysis module is used for analyzing the historical attack behavior log and determining object information representing the attack behavior;
and the second construction module is used for constructing a rule matching library based on the object information.
Based on the hardware implementation of the program module, and in order to implement the method according to the embodiment of the present invention, an embodiment of the present invention further provides an electronic device, fig. 6 is a schematic diagram of a hardware composition structure of the electronic device according to the embodiment of the present invention, and as shown in fig. 6, the electronic device includes:
a communication interface 1 capable of performing information interaction with other devices such as network devices and the like;
and a processor 2, connected to the communication interface 1 for information interaction with other devices, and configured, when running the computer program stored on the memory 3, to execute the log detection method provided by one or more of the above technical solutions.
In practice, of course, the various components in the electronic device are coupled together by the bus system 4. It will be appreciated that the bus system 4 is used to enable connection communication between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. But for the sake of clarity the various buses are labeled as bus system 4 in figure 6.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be volatile memory or nonvolatile memory, and may include both. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferroelectric Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), Synchronous Link Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present invention is intended to include, without being limited to, these and any other suitable types of memory.
The method disclosed by the above embodiment of the present invention can be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present invention are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present invention further provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program, which is executable by a processor 2 to perform the steps of the aforementioned method. The computer readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The above-described device embodiments are only illustrative, for example, the division of the unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media capable of storing program code.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
For descriptions of relevant parts in the log detection system, the log detection device, and the computer readable storage medium provided in the embodiments of the present application, reference is made to detailed descriptions of corresponding parts in the log detection method provided in the embodiments of the present application, and details are not repeated here. In addition, parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of corresponding technical solutions in the prior art, are not described in detail so as to avoid redundant description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A log detection method, comprising:
acquiring a target log to be detected;
analyzing the log type of the target log;
extracting a matching object in the target log based on the log type;
and matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result representing that the target log is an attack behavior log.
2. The method of claim 1, wherein obtaining the target log comprises:
obtaining the target log processed by a log classification engine, wherein the log classification engine is used for classifying whether the log is an attack behavior log or not;
after the detection result representing that the target log is the attack behavior log is generated, the method further comprises the following steps:
obtaining a classification result of the target log by the log classification engine;
and evaluating the classification accuracy of the log classification engine based on the classification result and the detection result.
3. The method according to claim 1, wherein after the target log to be detected is obtained and before the matching object is extracted from the target log based on the log type, the method further comprises:
and if the format of the target log is an ETL format, converting the format of the target log into a behavior log format.
4. The method according to claim 1, wherein the obtaining the target log to be detected comprises:
acquiring an initial log to be detected;
and filtering known attack behavior logs in the initial log to obtain the target log.
5. The method according to any one of claims 1 to 4, wherein the extracting the matching object in the target log based on the log type includes:
if the log type is a process creation type log, extracting command information in the target log as the matching object;
and/or if the log type is a file audit type log, extracting path information in the target log as the matching object;
and/or if the log type is a network connection type log, extracting source IP information and target port information in the target log as the matching object;
and/or if the log type is a log of a login type, extracting login state information in the target log as the matching object.
6. The method according to claim 5, wherein before matching the matching object with a preset rule matching library, the method further comprises:
acquiring a configuration file for attacking a terminal;
analyzing the configuration file and determining object information representing the attack behavior;
and constructing the rule matching library based on the object information.
7. The method according to claim 5, wherein before matching the matching object with a preset rule matching library, the method further comprises:
acquiring a known historical attack behavior log;
analyzing the historical attack behavior log, and determining object information representing attack behaviors;
and constructing the rule matching library based on the object information.
8. A log detection system, comprising:
the acquisition module is used for acquiring a target log to be detected;
the analysis module is used for analyzing the log type of the target log;
the extraction module is used for extracting a matching object from the target log based on the log type;
and the matching module is used for matching the matching object with a preset rule matching library, and if the matching is successful, generating a detection result representing that the target log is an attack behavior log.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the log detection method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the log detection method according to any one of claims 1 to 7.
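The pipeline of claims 1 and 5 (analyse the log type, extract the per-type matching object, match it against a preset rule library), together with the known-attack filtering of claim 4 and the classification-engine accuracy evaluation of claim 2, as an added Python example that is not part of the patent. The rule library contents, the log field names and the sample logs are constructed placeholders; claims 6 and 7 would build the library from terminal configuration files or historical attack logs.

```python
import re

# Constructed rule matching library (placeholders; claims 6/7 derive it from configs or history).
RULE_LIBRARY = {
    "process_create": [re.compile(r"\bsuspicious_tool\.exe\b", re.I)],
    "file_audit": [re.compile(r"^/tmp/\.hidden/")],
    "network_connect": {("203.0.113.7", 4444)},  # (source IP, target port)
    "login": {"failure_unknown_user"},
}

def extract_match_object(log: dict):
    """Claim 5: the matching object depends on the analysed log type."""
    kind = log["log_type"]
    if kind == "process_create":
        return log["command"]                         # command information
    if kind == "file_audit":
        return log["path"]                            # path information
    if kind == "network_connect":
        return (log["src_ip"], int(log["dst_port"]))  # source IP + target port
    if kind == "login":
        return log["login_state"]                     # login state information
    raise ValueError(f"unknown log type: {kind}")

def rule_matches(kind: str, obj) -> bool:
    """Claim 1: match the extracted object against the preset rule library."""
    rules = RULE_LIBRARY.get(kind, ())
    if isinstance(rules, list):      # regex rules for string objects
        return any(r.search(obj) for r in rules)
    return obj in rules              # exact-match rules for tuples/states

def detect(log: dict) -> bool:
    """True when the log is detected as an attack behaviour log."""
    return rule_matches(log["log_type"], extract_match_object(log))

def filter_known(logs, known_attack_ids):
    """Claim 4: drop already-known attack logs before detection."""
    return [entry for entry in logs if entry["id"] not in known_attack_ids]

def evaluate_engine(logs, engine_labels) -> float:
    """Claim 2: share of logs where the classification engine's label
    (id -> bool) agrees with the rule-based detection result."""
    agree = sum(engine_labels[entry["id"]] == detect(entry) for entry in logs)
    return agree / len(logs) if logs else 0.0

# Constructed sample logs, already in the behaviour-log format of claim 3.
SAMPLE_LOGS = [
    {"id": 1, "log_type": "process_create", "command": r"C:\tmp\suspicious_tool.exe -x"},
    {"id": 2, "log_type": "file_audit", "path": "/home/alice/notes.txt"},
    {"id": 3, "log_type": "network_connect", "src_ip": "203.0.113.7", "dst_port": "4444"},
    {"id": 4, "log_type": "login", "login_state": "success"},
]
```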

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111187718.2A CN115987530A (en) 2021-10-12 2021-10-12 Log detection method, system, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111187718.2A CN115987530A (en) 2021-10-12 2021-10-12 Log detection method, system, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN115987530A (en) 2023-04-18

Family

ID=85964736

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111187718.2A Pending CN115987530A (en) 2021-10-12 2021-10-12 Log detection method, system, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115987530A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination