CN116318969B - Multi-element equipment log access method - Google Patents


Info

Publication number
CN116318969B
CN116318969B (application CN202310250613.XA)
Authority
CN
China
Prior art keywords
data
log data
log
target
format
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310250613.XA
Other languages
Chinese (zh)
Other versions
CN116318969A (en)
Inventor
刘维娜
马学军
左秋生
范伟宁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Bidding Branch Of China Huaneng Group Co ltd
Huaneng Information Technology Co Ltd
Original Assignee
Beijing Bidding Branch Of China Huaneng Group Co ltd
Huaneng Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Bidding Branch Of China Huaneng Group Co ltd and Huaneng Information Technology Co Ltd
Priority to CN202310250613.XA
Publication of CN116318969A
Application granted
Publication of CN116318969B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/065 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis involving logical or physical relationship, e.g. grouping and hierarchies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network security, in particular to a log access method for multi-element equipment. The method comprises the following steps: collecting log data from the multi-element equipment; normalizing the log data and defining an access format for it; selecting, through a transport layer protocol, the configured acquisition mode, namely the listening port, the acquisition process identifier, the data source type and the character coding type, and accessing the log data; constructing a normalized data set; comparing the collected target log data with the log data in the normalized data set through the data nodes, identifying the multi-element equipment corresponding to the target log data, and raising a real-time alarm when the target log data does not match the log data of the corresponding multi-element equipment in the normalized data set. The invention effectively realizes unified access of multi-element logs and unified management of multi-element equipment logs.

Description

Multi-element equipment log access method
Technical Field
The invention relates to the technical field of network security, in particular to a log access method of multi-element equipment.
Background
Network security devices include IP protocol crypto engines, security routers, line crypto engines, firewalls and the like; in a broad sense, network information security devices also include crypto chips, encryption cards, identification cards, telephone crypto engines, facsimile crypto engines, asynchronous data crypto engines, security servers, security encryption suites, financial crypto engines/cards, security middleware, Public Key Infrastructure (PKI) systems, authorization certificate systems, security operating systems, antivirus software, network/system scanning systems, intrusion detection systems, network security pre-warning and auditing systems, etc. Network security devices are therefore themselves multi-element devices.
However, in the prior art, because network security devices are numerous and the network devices related to them are diverse, the log data of the various devices has no uniform format when it is accessed, so uniform access cannot be performed, and the various multi-element logs of the accessed multi-element devices cannot be managed uniformly. How to provide a multi-element device log access method is therefore a technical problem that those skilled in the art need to solve.
Disclosure of Invention
The invention aims to provide a log access method for multi-element equipment. It acquires the log data of the multi-element equipment, with the acquisition objects covering the various security equipment, application and data security monitoring equipment and the like in a network space, and defines a log access format, thereby realizing unified log management of the multi-element equipment.
The invention improves on the prior art, in which the log data of various devices cannot be accessed uniformly because the network devices related to network security devices are diverse and their log data has no uniform format when accessed: the invention normalizes the log data and defines its access format, where the normalization process parses different log data in a targeted way through an analysis algorithm, so that the various log data are integrated uniformly and uniform access of the log data is effectively realized.
The invention also improves on the prior art in that network security equipment, which comprises IP protocol cipher machines, security routers, line cipher machines, firewalls and the like, is itself multi-element equipment, yet the prior art cannot uniformly manage the various multi-element logs of the accessed multi-element equipment.
In order to achieve the above object, the present invention provides the following technical solutions:
a multi-element equipment log access method comprising the following steps:
collecting log data of the multi-element equipment, wherein the log data comprises a data name, an equipment type, a data format, a coding format and data content;
normalizing the log data and defining an access format for the log data;
accessing the log data through a transport layer protocol, by selecting the configured acquisition mode consisting of a listening port, an acquisition process identifier, a data source type and a character coding type;
collecting target log data of the target multi-element equipment, including the target log data of firewall, WAF and IDS security equipment that supports the transport layer protocol;
establishing a mapping relation between the data format of the log data of each multi-element device and the access format of the normalized log data;
according to the mapping relation, mapping the generated data content analysis result into the access format of the normalized log data to obtain a normalized data set;
comparing the collected target log data with the log data in the normalized data set through a data node, identifying the multi-element device corresponding to the target log data, judging that the data node is in an abnormal state when the target log data does not match the log data of the corresponding multi-element device in the normalized data set, and raising a real-time alarm for the target multi-element equipment corresponding to the target log data.
In some embodiments of the present application, normalizing the log data includes:
for each multi-element device, parsing the corresponding log data through an analysis algorithm; wherein
the analysis algorithm comprises a coding analysis method, a regular analysis method and a symbol analysis method: the coding analysis method is used for route calculation and packet forwarding, the regular analysis method is used for testing character strings and replacing text, and the symbol analysis method is used for parsing character strings that contain separators.
In some embodiments of the present application, the method further comprises:
acquiring historical log data of the multi-element equipment, wherein the historical log data comprises a data name, a data format and a coding format;
reading the coding format of the historical log data, and determining the analysis algorithm according to that coding format; wherein
when a coding analysis method exists for the coding format of the historical log data, the data content in the historical log data is parsed through the coding analysis method to obtain the historical data analysis result corresponding to the coding analysis method, and that result is taken as the analysis result of the log data.
In some embodiments of the present application, the method further comprises:
reading the data format of the historical log data, and determining whether the data format contains an expression or a symbol; wherein
when the data format contains an expression, the data content in the historical log data is parsed by the regular analysis method to obtain the historical data analysis result corresponding to the regular analysis method, and that result is taken as the analysis result of the log data;
when the data format contains a symbol, the data content in the historical log data is parsed by the symbol analysis method to obtain the historical data analysis result corresponding to the symbol analysis method, and that result is taken as the analysis result of the log data;
when the data format contains both an expression and a symbol, the data content in the historical log data is parsed preferentially through the regular analysis method.
In some embodiments of the present application, a mismatch coefficient matrix T0 and an alarm level matrix A are preset. For the alarm level matrix A, A = (A1, A2, A3, A4) is set, wherein the alarm levels are divided into four levels from low to high: A1 is the first preset alarm level, A2 the second, A3 the third and A4 the fourth, with A1 < A2 < A3 < A4;
for the mismatch coefficient matrix T0, T0 = (T01, T02, T03, T04) is set, wherein T01 is the first preset mismatch coefficient, T02 the second, T03 the third and T04 the fourth, with 0.2 < T01 < T02 < T03 < 1;
the data node selects the corresponding alarm level as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data, according to the relation between the mismatch degree K of the target log data against the log data of the corresponding multi-element equipment in the normalized data set and the preset mismatch coefficient matrix T0, wherein the mismatch degree is the data that does not overlap between the target log data and the log data of the corresponding multi-element equipment in the normalized data set;
when K < T01, the data node selects the first preset alarm level A1 as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data;
when T01 ≤ K < T02, the data node selects the second preset alarm level A2 as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data;
when T02 ≤ K < T03, the data node selects the third preset alarm level A3 as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data;
and when T03 ≤ K < T04, the data node selects the fourth preset alarm level A4 as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data.
In some embodiments of the present application, the method further comprises:
collecting target log data stored in a relational database, and Flow data sent by switches and routers.
In some embodiments of the present application, the method further comprises:
monitoring the acquisition performance of the data node in real time, to ensure that the acquisition performance of the data node matches the data volume and to prevent data loss.
In some embodiments of the present application, the multi-element equipment includes network security guard devices, application and data security monitoring devices, network sandboxes, security detection and evaluation devices, virus intrusion detection devices and terminal security protection systems; wherein each of these devices uniquely corresponds to one device type.
In some embodiments of the present application, the access format includes a source ip address, a destination ip address, a source port, a destination port and a protocol.
In some embodiments of the present application, the transport layer protocol includes the tcp protocol, the udp protocol, the syslog protocol, the webservice protocol and the jdbc protocol.
The invention provides a multi-element equipment log access method whose beneficial effects, compared with the prior art, are as follows:
the method collects the log data of the multi-element equipment, normalizes the log data, defines the access format of the log data and accesses the log data through the transport layer protocol; by establishing the normalized data set and combining it with the data nodes, it compares the collected target log data with the log data in the normalized data set, identifies the multi-element equipment corresponding to the target log data, and raises a real-time alarm according to the abnormal state, thereby effectively achieving unified access and management of the different log data of the multi-element equipment.
Drawings
Fig. 1 is a flowchart of a method for log access of a multi-component device in an embodiment of the present invention.
Detailed Description
The following describes in further detail the embodiments of the present invention with reference to the drawings and examples. The following examples are illustrative of the invention and are not intended to limit the scope of the invention.
In the description of the present application, it should be understood that the terms "center," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like indicate orientations or positional relationships based on the orientation or positional relationships shown in the drawings, merely to facilitate description of the present application and simplify the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and therefore should not be construed as limiting the present application.
The terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
In the description of the present application, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be the communication between the inner sides of the two elements. The specific meaning of the terms in this application will be understood by those of ordinary skill in the art in a specific context.
In the prior art, as many network security devices are involved and the various network devices are diverse, the log data of the various devices has no uniform format during access, so uniform access cannot be performed, and the various multi-element logs of the accessed multi-element devices cannot be managed uniformly.
Therefore, the invention provides a log access method for multi-element equipment, which realizes unified management of the logs of the multi-element equipment by acquiring the log data of the multi-element equipment, with the acquisition objects covering the various security equipment, application and data security monitoring equipment and the like in a network space, and by defining a log access format.
Referring to fig. 1, a disclosed embodiment of the present invention provides a multi-element device log access method, including:
collecting log data of the multi-element equipment, wherein the log data comprises a data name, an equipment type, a data format, a coding format and data content;
normalizing the log data and defining an access format for the log data;
selecting, through a transport layer protocol, the configured acquisition mode consisting of a listening port, an acquisition process identifier, a data source type and a character coding type, and accessing the log data;
collecting target log data of the target multi-element equipment, including the target log data of firewall, WAF and IDS security equipment that supports the transport layer protocol;
establishing a mapping relation between the data format of the log data of each multi-element device and the access format of the normalized log data;
according to the mapping relation, mapping the generated data content analysis result into the access format of the normalized log data to obtain a normalized data set;
comparing the collected target log data with the log data in the normalized data set through the data node, identifying the multi-element equipment corresponding to the target log data, judging that the data node is in an abnormal state when the target log data does not match the log data of the corresponding multi-element equipment in the normalized data set, and raising a real-time alarm for the target multi-element equipment corresponding to the target log data.
It should be noted that network devices, systems, service programs and the like generate log event records during operation, and each log record describes the date, time, user, action and so on. The Windows network operating system, for example, is designed with various log files such as the application log, security log, system log, scheduler service log, FTP log, WWW log, DNS server log and so on; the present application does not limit these in detail, because collection and processing are performed according to the different log data obtained from the different devices. WAF refers to an application-level intrusion prevention system: it is an application firewall that protects Web applications specifically by executing a series of security policies for HTTP/HTTPS. An IDS security device refers to an intrusion detection system, a network security device that monitors network transmissions in real time and, when suspicious transmissions are found, raises an alarm or takes proactive action.
In a specific embodiment of the present application, normalizing the log data includes:
for each multi-element device, parsing the corresponding log data through an analysis algorithm; wherein
the analysis algorithm comprises a coding analysis method, a regular analysis method and a symbol analysis method: the coding analysis method is used for route calculation and packet forwarding, the regular analysis method is used for testing character strings and replacing text, and the symbol analysis method is used for parsing character strings that contain separators.
In a specific embodiment of the present application, the method further comprises:
acquiring historical log data of the multi-element equipment, wherein the historical log data comprises a data name, a data format and a coding format;
reading the coding format of the historical log data, and determining the analysis algorithm according to that coding format; wherein
when a coding analysis method exists for the coding format of the historical log data, the data content in the historical log data is parsed through the coding analysis method to obtain the historical data analysis result corresponding to the coding analysis method, and that result is used as the analysis result of the log data.
In a specific embodiment of the present application, the method further comprises:
reading the data format of the historical log data, and determining whether the data format contains an expression or a symbol; wherein
when the data format contains an expression, the data content in the historical log data is parsed by the regular analysis method to obtain the historical data analysis result corresponding to the regular analysis method, and that result is taken as the analysis result of the log data;
when the data format contains a symbol, the data content in the historical log data is parsed by the symbol analysis method to obtain the historical data analysis result corresponding to the symbol analysis method, and that result is taken as the analysis result of the log data;
when the data format contains both an expression and a symbol, the data content in the historical log data is parsed preferentially by the regular analysis method.
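The selection rule described above (a coding analysis method chosen from the coding format, then regular or symbol analysis chosen from the data format, with regular analysis preferred when both apply), followed by the mapping of the parsed fields into the five-field access format, as an added Python example; it is not code from the patent, and it also serves the identical embodiment in the Disclosure section. The device names, field names, sample log lines, regular expressions, the `fields` list attached to a symbol-based data format, and the decision to skip a record whose coding format has no registered decoder are all constructed assumptions, since the patent does not define how its analysis methods are implemented.

```python
import codecs
import re
from typing import Optional

# Access format from the text: the five fields every normalized record must carry.
ACCESS_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")


def coding_analysis(content: bytes, coding_format: str) -> Optional[str]:
    """Coding analysis method (assumed form): decode the raw log bytes with the
    coding format recorded for the device's historical logs. Returns None when
    no decoder is registered for that coding format or the bytes do not decode,
    so the caller skips the record instead of guessing."""
    try:
        codecs.lookup(coding_format)
    except LookupError:
        return None
    try:
        return content.decode(coding_format)
    except UnicodeDecodeError:
        return None


def regular_analysis(text: str, expression: str) -> Optional[dict]:
    """Regular analysis method: the data format carries a named-group regular
    expression; the named groups become the parsed fields."""
    match = re.match(expression, text)
    return match.groupdict() if match else None


def symbol_analysis(text: str, symbol: str, field_names: list) -> Optional[dict]:
    """Symbol analysis method: split on the separator named in the data format
    and pair the pieces with the device's field names."""
    parts = [part.strip() for part in text.split(symbol)]
    if len(parts) != len(field_names):
        return None  # truncated or malformed record: do not guess field positions
    return dict(zip(field_names, parts))


def analyse(record: dict) -> Optional[dict]:
    """Selection order from the text: coding analysis first (from coding_format),
    then regular analysis if data_format has an expression, symbol analysis if
    it has a separator; regular analysis wins when both are present."""
    text = coding_analysis(record["content"], record["coding_format"])
    if text is None:
        return None
    data_format = record["data_format"]
    if "expression" in data_format:
        return regular_analysis(text, data_format["expression"])
    if "symbol" in data_format:
        return symbol_analysis(text, data_format["symbol"], data_format["fields"])
    return None


def map_to_access_format(parsed: dict, mapping: dict) -> Optional[dict]:
    """Mapping relation: device field name -> access format field name. Ports are
    converted to int and the protocol lower-cased so records from different
    devices compare equal field by field."""
    normalized = {}
    for device_field, access_field in mapping.items():
        if device_field not in parsed:
            return None
        value = parsed[device_field]
        if access_field in ("src_port", "dst_port"):
            if not value.isdigit():
                return None
            value = int(value)
        elif access_field == "protocol":
            value = value.lower()
        normalized[access_field] = value
    if set(normalized) != set(ACCESS_FIELDS):
        return None  # the mapping does not cover the whole access format
    return normalized


def build_normalized_set(records: list, mappings: dict) -> dict:
    """Normalize each device's record and key the result by device type (the text
    says each device corresponds to exactly one device type)."""
    normalized_set = {}
    for record in records:
        parsed = analyse(record)
        if parsed is None:
            continue
        mapped = map_to_access_format(parsed, mappings[record["device_type"]])
        if mapped is not None:
            normalized_set[record["device_type"]] = mapped
    return normalized_set


# Constructed sample input (hypothetical devices and formats, not from the patent).
SAMPLE_RECORDS = [
    {   # firewall: a regex-described line in UTF-8
        "data_name": "fw_access", "device_type": "firewall", "coding_format": "utf-8",
        "data_format": {"expression": r"(?P<ts>\S+ \S+) (?P<act>\w+) (?P<sip>[\d.]+):(?P<sp>\d+) -> (?P<dip>[\d.]+):(?P<dp>\d+) (?P<proto>\w+)"},
        "content": b"2023-03-01 10:00:00 DENY 10.0.0.5:51234 -> 203.0.113.9:443 TCP",
    },
    {   # IDS: '|'-separated line in GBK; has both an expression and a symbol, so regex is preferred
        "data_name": "ids_event", "device_type": "ids", "coding_format": "gbk",
        "data_format": {"symbol": "|", "fields": ["event", "src", "sport", "dst", "dport", "proto"],
                        "expression": r"(?P<event>[^|]+)\|(?P<src>[^|]+)\|(?P<sport>\d+)\|(?P<dst>[^|]+)\|(?P<dport>\d+)\|(?P<proto>\w+)"},
        "content": "端口扫描|198.51.100.7|40000|10.0.0.8|22|tcp".encode("gbk"),
    },
    {   # unknown coding format: coding analysis has no decoder, so the record is skipped
        "data_name": "legacy", "device_type": "legacy", "coding_format": "no-such-codec",
        "data_format": {"symbol": ",", "fields": ["a", "b", "c"]}, "content": b"a,b,c",
    },
]

SAMPLE_MAPPINGS = {
    "firewall": {"sip": "src_ip", "dip": "dst_ip", "sp": "src_port", "dp": "dst_port", "proto": "protocol"},
    "ids": {"src": "src_ip", "dst": "dst_ip", "sport": "src_port", "dport": "dst_port", "proto": "protocol"},
}

if __name__ == "__main__":
    for device_type, record in build_normalized_set(SAMPLE_RECORDS, SAMPLE_MAPPINGS).items():
        print(device_type, record)
```

Running the block prints one normalized five-tuple for the firewall and one for the IDS; the legacy record is dropped because no decoder exists for its declared coding format, which is the failure mode a collector should surface as a parse error rather than silently ingest.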
In a specific embodiment of the present application, a mismatch coefficient matrix T0 and an alarm level matrix A are preset. For the alarm level matrix A, A = (A1, A2, A3, A4) is set, wherein the alarm levels are divided into four levels from low to high: A1 is the first preset alarm level, A2 the second, A3 the third and A4 the fourth, with A1 < A2 < A3 < A4;
for the mismatch coefficient matrix T0, T0 = (T01, T02, T03, T04) is set, wherein T01 is the first preset mismatch coefficient, T02 the second, T03 the third and T04 the fourth, with 0.2 < T01 < T02, and 0.04 < T03 < 1;
the data node selects the corresponding alarm level as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data, according to the relation between the mismatch degree K of the target log data against the log data of the corresponding multi-element equipment in the normalized data set and the preset mismatch coefficient matrix T0, wherein the mismatch degree is the data that does not overlap between the target log data and the log data of the corresponding multi-element equipment in the normalized data set;
when K < T01, the data node selects the first preset alarm level A1 as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data;
when T01 ≤ K < T02, the data node selects the second preset alarm level A2 as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data;
when T02 ≤ K < T03, the data node selects the third preset alarm level A3 as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data;
when T03 ≤ K < T04, the data node selects the fourth preset alarm level A4 as the level of the real-time alarm for the target multi-element equipment corresponding to the target log data.
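The data-node comparison and alarm-level selection described above, as an added Python example that is not part of the patent; it also covers the identical embodiment in the Disclosure section. The threshold values, the sample normalized set and the target records are constructed. Computing K as the share of access-format fields whose values do not overlap, identifying the device by its device type, enforcing 0.2 < T01 < T02 < T03 < T04 < 1 on the preset matrix, treating K ≥ T04 as A4, and reporting a device type that is absent from the normalized set as its own state are all assumptions, since the text does not define them.

```python
from dataclasses import dataclass

# Access format fields compared between a target record and the normalized set.
ACCESS_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")


@dataclass(frozen=True)
class AlertConfig:
    """Preset mismatch coefficient matrix T0 = (T01, T02, T03, T04) and alarm level
    matrix A = (A1, A2, A3, A4). The ordering check extends the text's
    0.2 < T01 < T02 < T03 < 1 to T04 (assumption)."""
    t0: tuple
    levels: tuple = ("A1", "A2", "A3", "A4")

    def __post_init__(self):
        t01, t02, t03, t04 = self.t0
        if not (0.2 < t01 < t02 < t03 < t04 < 1):
            raise ValueError("T0 must satisfy 0.2 < T01 < T02 < T03 < T04 < 1")


def mismatch_degree(target: dict, reference: dict, fields=ACCESS_FIELDS) -> float:
    """K: share of access-format fields whose values do not overlap between the
    target record and the reference record (assumed numeric reading of the
    text's 'data which are not overlapped')."""
    differing = sum(1 for f in fields if target.get(f) != reference.get(f))
    return differing / len(fields)


def alert_level(k: float, cfg: AlertConfig) -> str:
    """Map K onto A1..A4 using the intervals from the text. K >= T04 is not
    covered there; this block assumes it also yields A4."""
    t01, t02, t03, _t04 = cfg.t0
    if k < t01:
        return cfg.levels[0]
    if k < t02:
        return cfg.levels[1]
    if k < t03:
        return cfg.levels[2]
    return cfg.levels[3]


def evaluate_target(target: dict, normalized_set: dict, cfg: AlertConfig) -> dict:
    """Data-node comparison: identify the device by device type, compute K, flag
    the abnormal state on any mismatch and attach the alarm level."""
    device_type = target["device_type"]
    reference = normalized_set.get(device_type)
    if reference is None:
        # No normalized record for this device type: it cannot be compared, so it
        # is reported separately rather than silently treated as normal (assumption).
        return {"device_type": device_type, "state": "unknown_device", "mismatch": None, "alert": None}
    k = mismatch_degree(target, reference)
    if k == 0.0:
        return {"device_type": device_type, "state": "normal", "mismatch": k, "alert": None}
    return {"device_type": device_type, "state": "abnormal", "mismatch": k, "alert": alert_level(k, cfg)}


# Constructed sample data (hypothetical; not from the patent).
CONFIG = AlertConfig(t0=(0.3, 0.5, 0.7, 0.9))

NORMALIZED_SET = {
    "firewall": {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "src_port": 51234, "dst_port": 443, "protocol": "tcp"},
    "ids": {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.8", "src_port": 40000, "dst_port": 22, "protocol": "tcp"},
}

TARGETS = [
    {"device_type": "firewall", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "src_port": 51234, "dst_port": 443, "protocol": "tcp"},  # identical
    {"device_type": "ids", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.8", "src_port": 40001, "dst_port": 23, "protocol": "tcp"},  # 2 of 5 differ
    {"device_type": "firewall", "src_ip": "192.0.2.1", "dst_ip": "192.0.2.2", "src_port": 1, "dst_port": 2, "protocol": "tcp"},  # 4 of 5 differ
    {"device_type": "sandbox", "src_ip": "192.0.2.3", "dst_ip": "192.0.2.4", "src_port": 5, "dst_port": 6, "protocol": "udp"},  # not in set
]


def evaluate_all(targets=TARGETS, normalized_set=NORMALIZED_SET, cfg=CONFIG) -> list:
    """Run the comparison for every collected target record."""
    return [evaluate_target(t, normalized_set, cfg) for t in targets]


if __name__ == "__main__":
    for result in evaluate_all():
        print(result)
```

With the constructed thresholds, two differing fields out of five give K = 0.4 and level A2, four give K = 0.8 and level A4; a device type missing from the normalized set is surfaced as `unknown_device`, which a monitoring team would usually want to see as a coverage gap rather than as a silent non-alert.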
In a specific embodiment of the present application, the method further comprises:
collecting target log data stored in a relational database, and Flow data sent by switches and routers.
Flow data is a data flow diagram, which graphically expresses the logical functions of the system, the logical flow of data through the system and the logical transformation process, from the standpoint of data transmission and processing.
In a specific embodiment of the present application, the method further comprises:
monitoring the acquisition performance of the data nodes in real time, to ensure that the acquisition performance of the data nodes matches the data volume and to prevent data loss.
In a specific embodiment of the application, the multi-element equipment comprises network security devices, application and data security monitoring devices, network sandboxes, security detection and evaluation devices, virus intrusion detection devices and terminal security protection systems; wherein each multi-element device uniquely corresponds to one device type.
In a specific embodiment of the present application, the access format includes a source ip address, a destination ip address, a source port, a destination port and a protocol.
In a specific embodiment of the present application, the transport layer protocols include the tcp protocol, the udp protocol, the syslog protocol, the webservice protocol and the jdbc protocol.
According to the first technical conception of the invention, the log data is normalized and its access format is defined, where the normalization process performs targeted parsing of different log data through an analysis algorithm, so that the various log data are integrated and unified, and unified access of the log data is effectively realized.
According to the second technical conception of the invention, the collected target log data is compared with the log data in the normalized data set through the data nodes, the multi-element equipment corresponding to the target log data is identified, and a real-time alarm is raised when an abnormality exists, so that management security is effectively improved and unified management of the various multi-element logs is realized.
In summary, the method and system collect the log data of the multi-element device, normalize it, define its access format and access it through the transport layer protocol; by establishing the normalized data set and combining it with the data nodes, they compare the collected target log data with the log data in the normalized data set, identify the multi-element device corresponding to the target log data, and raise a real-time alarm according to the abnormal state, thereby effectively realizing unified access and management of the different log data of the multi-element device.
The foregoing is merely an example of the present invention and is not intended to limit the scope of the present invention, and all changes made in the structure according to the present invention should be considered as falling within the scope of the present invention without departing from the gist of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above and the related description may refer to the corresponding process in the foregoing method embodiment, which is not repeated here.
It should be noted that, in the system provided in the foregoing embodiment, only the division of the foregoing functional modules is illustrated, in practical application, the foregoing functional allocation may be performed by different functional modules, that is, the modules or steps in the embodiment of the present invention are further decomposed or combined, for example, the modules in the foregoing embodiment may be combined into one module, or may be further split into multiple sub-modules, so as to complete all or part of the functions described above. The names of the modules and steps related to the embodiments of the present invention are merely for distinguishing the respective modules or steps, and are not to be construed as unduly limiting the present invention.
Those of skill in the art will appreciate that the various illustrative modules, method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the program(s) corresponding to the software modules, method steps, may be embodied in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art. To clearly illustrate this interchangeability of electronic hardware and software, various illustrative components and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as electronic hardware or software depends upon the particular application and design constraints imposed on the solution. Those skilled in the art may implement the described functionality using different approaches for each particular application, but such implementation is not intended to be limiting.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus/apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus/apparatus.
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will fall within the scope of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the present invention.

Claims (9)

1. A multi-component device log access method, comprising:
collecting log data of multi-element equipment, wherein the log data comprises a data name, an equipment type, a data format, a coding format and data content;
normalizing the log data and defining an access format of the log data;
accessing the log data by configuring an acquisition mode in which a transport layer protocol, a listening port, an acquisition process identifier, a data source type and a character encoding type are selected;
collecting target log data of the target multi-component devices, and target log data of firewall, WAF and IDS security devices that support the transport layer protocol;
establishing a mapping relation between the data format of the log data of each multi-element device and the access format of the log data after normalization processing;
according to the mapping relation, mapping the generated data content analysis result to an access format of the log data after normalization processing, and obtaining a normalized data set;
comparing the collected target log data with the log data in the normalized data set through a data node, identifying the multi-element device corresponding to the target log data, judging that the data node is in an abnormal state when the target log data is not matched with the log data of the multi-element device corresponding to the normalized data set, and alarming the target multi-element device corresponding to the target log data in real time;
wherein the real-time alarming on the target multi-component device corresponding to the target log data comprises:
presetting a mismatch coefficient matrix T0 and an alarm level matrix A, and setting A = (A1, A2, A3, A4) for the preset alarm level matrix A, wherein the alarm levels are divided into four levels from low to high, A1 is a first preset alarm level, A2 is a second preset alarm level, A3 is a third preset alarm level, A4 is a fourth preset alarm level, and A1 < A2 < A3 < A4;
setting T0 = (T01, T02, T03, T04) for the preset mismatch coefficient matrix T0, wherein T01 is a first preset mismatch coefficient, T02 is a second preset mismatch coefficient, T03 is a third preset mismatch coefficient, T04 is a fourth preset mismatch coefficient, and 0.2 < T01 < T02 < T03 < 1;
selecting a corresponding alarm level as the level of the real-time alarm for the target multi-element device corresponding to the target log data, according to the relation between the preset mismatch coefficient matrix T0 and the mismatch coefficient K between the target log data and the log data of the corresponding multi-element device in the normalized data set, wherein the mismatch is the data that does not overlap between the target log data and the log data of the corresponding multi-element device in the normalized data set;
when K < T01, the data node selects the first preset alarm level A1 as the level of the real-time alarm for the target multi-element device corresponding to the target log data;
when T01 ≤ K < T02, the data node selects the second preset alarm level A2 as the level of the real-time alarm for the target multi-element device corresponding to the target log data;
when T02 ≤ K < T03, the data node selects the third preset alarm level A3 as the level of the real-time alarm for the target multi-element device corresponding to the target log data;
and when T03 ≤ K < T04, the data node selects the fourth preset alarm level A4 as the level of the real-time alarm for the target multi-element device corresponding to the target log data.
2. The method for accessing a log of a multi-component device according to claim 1, wherein the normalizing the log data comprises:
according to each multi-element device, carrying out data analysis on the corresponding log data through an analysis algorithm; wherein,
the analysis algorithm comprises a coding analysis method, a regular analysis method and a symbol analysis method, wherein the coding analysis method is used for route calculation and packet forwarding, the regular analysis method is used for testing character strings and replacing texts, and the symbol analysis method is used for analyzing the character strings containing separators.
3. The multi-component device log access method of claim 2, further comprising:
acquiring historical log data of the multi-element equipment, wherein the historical log data comprises a data name, a data format and a coding format;
reading the coding format of the history log data, and determining the analysis algorithm according to the coding format of the history log data; wherein,
when the coding analysis method of the coding format corresponding to the historical log data exists, analyzing the data content in the historical log data through the coding analysis method to obtain a historical data analysis result corresponding to the coding analysis method, and taking the historical data analysis result corresponding to the coding analysis method as an analysis result of the log data.
4. A multi-component device log access method as defined in claim 3, further comprising:
reading the data format of the history log data, and determining whether the data format contains expressions and symbols; wherein,
when the data format contains the expression, analyzing the data content in the historical log data by the regular analysis method to obtain a historical data analysis result corresponding to the regular analysis method, and taking the historical data analysis result corresponding to the regular analysis method as an analysis result of the log data;
when the data format contains the symbol, analyzing the data content in the historical log data by the symbol analysis method to obtain a historical data analysis result corresponding to the symbol analysis method, and taking the historical data analysis result corresponding to the symbol analysis method as an analysis result of the log data;
when the expression and the symbol are contained in the data format at the same time, the data content in the history log data is analyzed preferentially through the regular analysis method.
5. The multi-component device log access method of claim 1, further comprising:
and collecting target log data stored in a relational database and Flow data sent by a switch and a router.
6. The multi-component device log access method of claim 1, further comprising:
and monitoring the acquisition performance of the data node in real time to ensure that the acquisition performance of the data node is matched with the data quantity and prevent data loss.
7. A multi-component device log access method according to claim 1 wherein,
the multi-element equipment comprises network security equipment, application and data security monitoring equipment, a network sandbox, security detection and evaluation equipment, virus intrusion detection equipment and a terminal security protection system; wherein each of the plurality of devices uniquely corresponds to a device type.
8. A multi-component device log access method according to claim 1 wherein,
the access format comprises a source IP address, a destination IP address, a source port, a destination port and a protocol.
9. A multi-component device log access method according to claim 1 wherein,
the transport layer protocols include the TCP protocol, the UDP protocol, the syslog protocol, the webservice protocol and the JDBC protocol.
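The following Python sketch is an added illustration, not code from the patent: it implements the parser selection of claims 2 to 4 (regular analysis when the data format declares an expression, symbol analysis when it declares a separator, regular analysis preferred when both are present), maps the result onto the access format of claim 8, and applies the mismatch-coefficient tiering of claim 1. The field identifiers, the definition of K as the share of non-overlapping access-format fields, the concrete threshold values, the clamping of K ≥ T04 to A4 and the sample log lines are all assumptions the claims do not state.

```python
import re
from typing import Callable, Dict
# Access format fields per claim 8 (the identifier names are an assumption).
ACCESS_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")
# Claim 1 presets: 0.2 < T01 < T02 < T03 < 1; the values and T04 are assumptions.
T0 = (0.3, 0.5, 0.7, 0.9)
A = ("A1", "A2", "A3", "A4")

def regular_analysis(expression: str) -> Callable[[str], Dict[str, str]]:
    """Regular analysis method (claim 4): named groups yield the access fields."""
    rx = re.compile(expression)
    def parse(line: str) -> Dict[str, str]:
        m = rx.search(line)
        return m.groupdict() if m else {}
    return parse

def symbol_analysis(symbol: str) -> Callable[[str], Dict[str, str]]:
    """Symbol analysis method (claim 4): split on the separator, positional fields."""
    def parse(line: str) -> Dict[str, str]:
        return dict(zip(ACCESS_FIELDS, line.strip().split(symbol)))
    return parse

def choose_parser(data_format: Dict[str, str]) -> Callable[[str], Dict[str, str]]:
    """Claim 4: the regular method is preferred when both are declared."""
    if "expression" in data_format:
        return regular_analysis(data_format["expression"])
    if "symbol" in data_format:
        return symbol_analysis(data_format["symbol"])
    raise ValueError("data format declares neither an expression nor a symbol")

def mismatch_coefficient(target: Dict[str, str], baseline: Dict[str, str]) -> float:
    """Assumed definition of K: share of access-format fields that do not overlap."""
    differing = sum(1 for f in ACCESS_FIELDS if target.get(f) != baseline.get(f))
    return differing / len(ACCESS_FIELDS)

def alarm_level(k: float) -> str:
    """Claim 1 tiering; K >= T04 is clamped to A4 (assumption, the claim is silent)."""
    for threshold, level in zip(T0, A):
        if k < threshold:
            return level
    return A[-1]

def evaluate(target_line: str, data_format: Dict[str, str], baseline: Dict[str, str]):
    """Normalize one target line, compare it with its baseline entry and tier it."""
    k = mismatch_coefficient(choose_parser(data_format)(target_line), baseline)
    return k, alarm_level(k)

# Constructed samples: a firewall format declaring both an expression and a
# symbol (the regular method wins), a delimiter-only IDS format, one baseline.
FIREWALL_FORMAT = {"symbol": " ", "expression": r"src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) "
                   r"spt=(?P<src_port>\d+) dpt=(?P<dst_port>\d+) proto=(?P<protocol>\w+)"}
IDS_FORMAT = {"symbol": "|"}
BASELINE = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "src_port": "4444",
            "dst_port": "443", "protocol": "tcp"}
```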
CN202310250613.XA 2023-03-15 2023-03-15 Multi-element equipment log access method Active CN116318969B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310250613.XA CN116318969B (en) 2023-03-15 2023-03-15 Multi-element equipment log access method

Publications (2)

Publication Number Publication Date
CN116318969A CN116318969A (en) 2023-06-23
CN116318969B true CN116318969B (en) 2024-01-26

Family

ID=86777501

Country Status (1)

Country Link
CN (1) CN116318969B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582195A (en) * 2009-06-09 2009-11-18 深圳中兴力维技术有限公司 Method for generating alarm in dynamic environment monitoring system
CN104901960A (en) * 2015-05-26 2015-09-09 汉柏科技有限公司 Device and method for network security management based on alarm strategy
CN105281935A (en) * 2014-07-03 2016-01-27 深圳中兴力维技术有限公司 Alarm linkage realization method for network operation and maintenance and device thereof
CN105528280A (en) * 2015-11-30 2016-04-27 中电科华云信息技术有限公司 Method and system capable of determining log alarm grades according to relationship between system logs and health monitoring
CN106095575A (en) * 2016-06-14 2016-11-09 上海浪潮云计算服务有限公司 Log audit device, system and method
CN106161085A (en) * 2016-06-20 2016-11-23 深圳前海微众银行股份有限公司 Monitoring system and method for a message bus
CN110213238A (en) * 2019-05-06 2019-09-06 北京奇安信科技有限公司 Data threat detection method and device, storage medium and computer equipment
CN110929896A (en) * 2019-12-04 2020-03-27 全球能源互联网研究院有限公司 Security analysis method and device for system equipment
CN112416714A (en) * 2020-11-23 2021-02-26 平安普惠企业管理有限公司 Log processing method and device, electronic equipment and readable storage medium
CN113810160A (en) * 2021-09-17 2021-12-17 北京京航计算通讯研究所 Intelligent access system of multi-element network equipment
CN113850069A (en) * 2021-09-17 2021-12-28 北京京航计算通讯研究所 Network security data normalization processing method based on multi-element network security equipment
CN114598506A (en) * 2022-02-22 2022-06-07 烽台科技(北京)有限公司 Industrial control network security risk tracing method and device, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11079731B2 (en) * 2019-10-07 2021-08-03 Honeywell International Inc. Multi-site building management system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Multi-source log aggregation analysis method; 顾兆军; 王帅卿; 张礼哲; Computer Engineering and Design (Issue 07); full text *

Also Published As

Publication number Publication date
CN116318969A (en) 2023-06-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant