CN116414664A - Log behavior event generation method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116414664A
Authority
CN
China
Prior art keywords
login
information
behavior
behavior information
log
Legal status
Pending
Application number
CN202111618228.3A
Other languages
Chinese (zh)
Inventor
邢超
袁立迪
Current Assignee
360 Digital Security Technology Group Co Ltd
Original Assignee
360 Digital Security Technology Group Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F 11/3438 Recording or statistical evaluation of computer activity; Recording or statistical evaluation of user activity: monitoring of user actions
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the technical field of data processing and discloses a method, device, equipment and storage medium for generating log behavior events. The method comprises: when a system login operation instruction is detected, obtaining login behavior information according to the instruction; performing feature extraction on the login behavior information to obtain a plurality of pieces of login feature information; determining log feature information from those pieces according to a preset audit policy; extracting target login behavior information from the login behavior information according to the log feature information; and generating a log behavior event from the target login behavior information. In existing practice, user login information in a terminal security response system has to be counted manually; the method and device instead select the target login behavior information from the login behavior information under the preset audit policy and generate the log behavior event from it, so that log behavior events are obtained accurately and the efficiency of generating them is improved.

Description

Log behavior event generation method, device, equipment and storage medium

Technical field

The present invention relates to the technical field of data processing, and in particular to a log behavior event generation method, device, equipment and storage medium.

Background

At present, events such as user logins are an important class of reported events in a terminal security response system, and engineers analyze problems arising in the terminal security response system on the basis of such events. In the existing approach, login records of multiple users are collected manually from the terminal security response system at particular times and then combined by hand. This not only makes the generated log behavior events inaccurate but also lowers the efficiency with which they are generated.

The above content is provided only to aid understanding of the technical solution of the present invention and is not an admission that it constitutes prior art.

Summary of the invention

The main purpose of the present invention is to provide a log behavior event generation method, device, equipment and storage medium, aiming to solve the technical problem of obtaining log behavior events accurately while improving the efficiency with which they are generated.

To achieve the above object, the present invention provides a log behavior event generation method comprising the following steps:

when a system login operation instruction is detected, obtaining login behavior information according to the system login operation instruction;

performing feature extraction on the login behavior information to obtain a plurality of pieces of login feature information;

determining log feature information from the plurality of pieces of login feature information according to a preset audit policy;

extracting target login behavior information from the login behavior information according to the log feature information;

generating a log behavior event according to the target login behavior information.

Optionally, the step of performing feature extraction on the login behavior information to obtain a plurality of pieces of login feature information includes:

obtaining the behavior type corresponding to the login behavior information;

determining a corresponding preset extraction strategy according to the behavior type;

performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of pieces of login feature information.

Optionally, the step of determining a corresponding preset extraction strategy according to the behavior type includes:

determining the behavior field corresponding to the login behavior information according to the behavior type;

determining the corresponding preset extraction strategy according to the behavior field.

Optionally, the step of determining the corresponding preset extraction strategy according to the behavior field includes:

generating a login behavior code according to the behavior field;

matching a corresponding sample extraction strategy from a preset policy mapping table according to the login behavior code, the preset policy mapping table containing a plurality of login behavior codes and a plurality of sample extraction strategies;

using the sample extraction strategy as the preset extraction strategy corresponding to the login behavior information.

Optionally, the step of performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of pieces of login feature information includes:

performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of pieces of login feature information to be determined;

determining the number of features corresponding to the plurality of pieces of login feature information to be determined;

judging whether the number of features is greater than or equal to a preset feature threshold;

when the number of features is greater than or equal to the preset feature threshold, using the plurality of pieces of login feature information to be determined as the plurality of pieces of login feature information corresponding to the login behavior information.

Optionally, before the step of generating a log behavior event according to the target login behavior information, the method further includes:

determining the storage amount corresponding to the target login behavior information;

judging whether the storage amount satisfies a preset storage condition;

when the storage amount satisfies the preset storage condition, executing the step of generating a log behavior event according to the target login behavior information.

Optionally, after the step of judging whether the storage amount satisfies the preset storage condition, the method further includes:

when the storage amount does not satisfy the preset storage condition, determining missing login information according to the target login behavior information;

obtaining login time information corresponding to the missing login information;

obtaining, according to the login time information, login behavior information to be processed that corresponds to the missing login information;

determining login behavior information to be confirmed according to the target login behavior information and the login behavior information to be processed;

obtaining the behavior type corresponding to the login behavior information to be confirmed.

Optionally, the step of generating a log behavior event according to the target login behavior information includes:

splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced;

determining a preset splicing strategy according to the plurality of pieces of login behavior information to be spliced;

combining the plurality of pieces of login behavior information to be spliced based on the preset splicing strategy to obtain a log behavior event.

Optionally, before the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced, the method further includes:

obtaining login format information corresponding to the target login behavior information;

judging whether the login format information satisfies a preset format condition;

when the login format information satisfies the preset format condition, executing the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced.

Optionally, the step of determining a preset splicing strategy according to the plurality of pieces of login behavior information to be spliced includes:

determining the behavior level corresponding to each piece of login behavior information to be spliced;

sorting the plurality of pieces of login behavior information to be spliced according to the behavior levels to obtain a corresponding login sorting result;

determining the preset splicing strategy according to the login sorting result.

Optionally, the step of determining the preset splicing strategy according to the login sorting result includes:

determining first login behavior information and second login behavior information from the plurality of pieces of login behavior information to be spliced according to the login sorting result;

determining a distance score between the first login behavior information and the second login behavior information;

determining the preset splicing strategy according to the distance score.

In addition, to achieve the above object, the present invention also proposes a log behavior event generation device, comprising:

an acquisition module, configured to obtain login behavior information according to a system login operation instruction when the system login operation instruction is detected;

an extraction module, configured to perform feature extraction on the login behavior information to obtain a plurality of pieces of login feature information;

a determination module, configured to determine log feature information from the plurality of pieces of login feature information according to a preset audit policy;

the extraction module being further configured to extract target login behavior information from the login behavior information according to the log feature information;

a generation module, configured to generate a log behavior event according to the target login behavior information.

Optionally, the extraction module is further configured to obtain the behavior type corresponding to the login behavior information;

the extraction module is further configured to determine a corresponding preset extraction strategy according to the behavior type;

the extraction module is further configured to perform feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of pieces of login feature information.

Optionally, the extraction module is further configured to determine the behavior field corresponding to the login behavior information according to the behavior type;

the extraction module is further configured to determine the corresponding preset extraction strategy according to the behavior field.

Optionally, the extraction module is further configured to generate a login behavior code according to the behavior field;

the extraction module is further configured to match a corresponding sample extraction strategy from a preset policy mapping table according to the login behavior code, the preset policy mapping table containing a plurality of login behavior codes and a plurality of sample extraction strategies;

the extraction module is further configured to use the sample extraction strategy as the preset extraction strategy corresponding to the login behavior information.

Optionally, the extraction module is further configured to perform feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of pieces of login feature information to be determined;

the extraction module is further configured to determine the number of features corresponding to the plurality of pieces of login feature information to be determined;

the extraction module is further configured to judge whether the number of features is greater than or equal to a preset feature threshold;

the extraction module is further configured to, when the number of features is greater than or equal to the preset feature threshold, use the plurality of pieces of login feature information to be determined as the plurality of pieces of login feature information corresponding to the login behavior information.

Optionally, the generation module is further configured to split the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced;

the generation module is further configured to determine a preset splicing strategy according to the plurality of pieces of login behavior information to be spliced;

the generation module is further configured to combine the plurality of pieces of login behavior information to be spliced based on the preset splicing strategy to obtain a log behavior event.

Optionally, the generation module is further configured to obtain login format information corresponding to the target login behavior information;

the generation module is further configured to judge whether the login format information satisfies a preset format condition;

the generation module is further configured to, when the login format information satisfies the preset format condition, perform the operation of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced.

In addition, to achieve the above object, the present invention also proposes log behavior event generation equipment comprising a memory, a processor, and a log behavior event generation program stored in the memory and executable on the processor, the log behavior event generation program being configured to implement the steps of the log behavior event generation method described above.

In addition, to achieve the above object, the present invention also proposes a storage medium on which a log behavior event generation program is stored, the log behavior event generation program, when executed by a processor, implementing the steps of the log behavior event generation method described above.

When a system login operation instruction is detected, the present invention first obtains login behavior information according to the system login operation instruction, then performs feature extraction on the login behavior information to obtain a plurality of pieces of login feature information, then determines log feature information from the plurality of pieces of login feature information according to a preset audit policy, and finally extracts target login behavior information from the login behavior information according to the log feature information and generates a log behavior event according to the target login behavior information. In the existing approach, user login information in the terminal security response system has to be counted manually, whereas the present invention determines target login behavior information from the login behavior information based on the preset audit policy and then generates the log behavior event from the target login behavior information, so that log behavior events are obtained accurately, the efficiency of generating them is improved, and the user experience is improved in turn.

Brief description of the drawings

Fig. 1 is a schematic structural diagram of log behavior event generation equipment in the hardware operating environment involved in an embodiment of the present invention;

Fig. 2 is a schematic flow chart of a first embodiment of the log behavior event generation method of the present invention;

Fig. 3 is a schematic flow chart of a second embodiment of the log behavior event generation method of the present invention;

Fig. 4 is a schematic flow chart of a third embodiment of the log behavior event generation method of the present invention;

Fig. 5 is a structural block diagram of a first embodiment of the log behavior event generation device of the present invention.

The realization of the purpose, functional characteristics and advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.

具体实施方式Detailed ways

应当理解,此处所描述的具体实施例仅用以解释本发明,并不用于限定本发明。It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

参照图1,图1为本发明实施例方案涉及的硬件运行环境的日志行为事件生成设备结构示意图。Referring to FIG. 1 , FIG. 1 is a schematic structural diagram of a device for generating log behavior events in a hardware operating environment according to an embodiment of the present invention.

如图1所示,该日志行为事件生成设备可以包括:处理器1001,例如中央处理器(Central Processing Unit,CPU),通信总线1002、用户接口1003,网络接口1004,存储器1005。其中,通信总线1002用于实现这些组件之间的连接通信。用户接口1003可以包括显示屏(Display)、输入单元比如键盘(Keyboard),可选用户接口1003还可以包括标准的有线接口、无线接口。网络接口1004可选的可以包括标准的有线接口、无线接口(如无线保真(WIreless-FIdelity,WI-FI)接口)。存储器1005可以是高速的随机存取存储器(RandomAccess Memory,RAM)存储器,也可以是稳定的非易失性存储器(Non-Volatile Memory,NVM),例如磁盘存储器。存储器1005可选的还可以是独立于前述处理器1001的存储装置。As shown in FIG. 1 , the device for generating log behavior events may include: a processor 1001 , such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002 , a user interface 1003 , a network interface 1004 , and a memory 1005 . Wherein, the communication bus 1002 is used to realize connection and communication between these components. The user interface 1003 may include a display screen (Display), an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a wireless fidelity (WIreless-FIdelity, WI-FI) interface). The memory 1005 may be a high-speed random access memory (Random Access Memory, RAM) memory, or a stable non-volatile memory (Non-Volatile Memory, NVM), such as a disk memory. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001 .

本领域技术人员可以理解,图1中示出的结构并不构成对日志行为事件生成设备的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置。Those skilled in the art can understand that the structure shown in Figure 1 does not constitute a limitation on the log behavior event generating device, and may include more or less components than those shown in the illustration, or combine some components, or arrange different components .

如图1所示,作为一种存储介质的存储器1005中可以包括操作系统、数据存储模块、网络通信模块、用户接口模块以及日志行为事件生成程序。As shown in FIG. 1 , the memory 1005 as a storage medium may include an operating system, a data storage module, a network communication module, a user interface module, and a program for generating log behavior events.

在图1所示的日志行为事件生成设备中,网络接口1004主要用于与网络服务器进行数据通信;用户接口1003主要用于与用户进行数据交互;本发明日志行为事件生成设备中的处理器1001、存储器1005可以设置在日志行为事件生成设备中,所述日志行为事件生成设备通过处理器1001调用存储器1005中存储的日志行为事件生成程序,并执行本发明实施例提供的日志行为事件生成方法。In the log behavior event generation device shown in Figure 1, the network interface 1004 is mainly used for data communication with the network server; the user interface 1003 is mainly used for data interaction with the user; the processor 1001 in the log behavior event generation device of the present invention . The memory 1005 can be set in the log behavior event generation device, and the log behavior event generation device calls the log behavior event generation program stored in the memory 1005 through the processor 1001, and executes the log behavior event generation method provided by the embodiment of the present invention.

本发明实施例提供了一种日志行为事件生成方法,参照图2,图2为本发明日志行为事件生成方法第一实施例的流程示意图。An embodiment of the present invention provides a method for generating a log behavior event. Referring to FIG. 2 , FIG. 2 is a schematic flowchart of a first embodiment of the method for generating a log behavior event according to the present invention.

本实施例中,所述日志行为事件生成方法包括以下步骤:In this embodiment, the log behavior event generation method includes the following steps:

步骤S10:在检测到系统登录操作指令时,根据所述系统登录操作指令获取登录行为信息。Step S10: when a system login operation instruction is detected, obtain login behavior information according to the system login operation instruction.

易于理解的是,本实施例的执行主体可以是具有数据处理、网络通讯和程序运行等功能的日志行为事件生成设备,也可以为其他具有相似功能的计算机设备,本实施例并不加以限制。It is easy to understand that the execution subject of this embodiment may be a log behavior event generation device with functions such as data processing, network communication, and program operation, or other computer devices with similar functions, which is not limited in this embodiment.

可以理解的是,系统登录操作指令可以理解为用户在进入终端安全响应系统中所进行的登录操作或浏览操作,之后可以根据登录操作或浏览操作分别生成对应的系统登录操作指令或系统浏览操作指令等。It can be understood that the system login operation instruction can be understood as the login operation or browsing operation performed by the user when entering the terminal security response system, and then the corresponding system login operation instruction or system browsing operation instruction can be generated respectively according to the login operation or browsing operation wait.

还需要说明的是,系统登录操作指令中包括用户的登录行为信息,其中登录行为信息中包括登录账号、登录设备、登录密码、登录时间、登录地点等;系统浏览操作指令中包括用户在终端安全响应系统中的浏览行为信息,浏览网页、浏览文件、浏览时间、浏览设备、浏览地点等。It should also be noted that the system login operation instruction includes the user's login behavior information, and the login behavior information includes login account, login device, login password, login time, login location, etc.; the system browsing operation instruction includes the user's terminal security information. Respond to browsing behavior information in the system, such as browsing web pages, browsing files, browsing time, browsing equipment, browsing location, etc.

在本实施例中,在检测到系统登录操作指令时,可以通过可插拔认证模块(Pluggable Authentication Modules,PAM)获取用户的登录行为信息,并将登录行为信息发送至审计模块(audit)的用户(user)审计中。In this embodiment, when a system login operation instruction is detected, the user's login behavior information can be obtained through a pluggable authentication module (Pluggable Authentication Modules, PAM), and the login behavior information is sent to the user of the audit module (audit) (user) auditing.

步骤S20:对所述登录行为信息进行特征提取,以获得多个登录特征信息。Step S20: Perform feature extraction on the login behavior information to obtain a plurality of login feature information.

应理解的是,登录特征信息可以为登录行为信息中存在的特征信息,例如账号特征信息、设备特征信息、时间特征信息及地点特征信息等。It should be understood that the login feature information may be feature information existing in the login behavior information, such as account feature information, device feature information, time feature information, location feature information, and the like.

在具体实现中,对登录行为信息进行特征提取,以获得多个登录特征信息的处理方式可以为获取登录行为信息对应的行为类型,根据行为类型确定对应的预设提取策略,基于预设提取策略对登录行为信息进行特征提取,以获得多个登录特征信息。行为类型可以为登录类型,还可以为浏览类型等。预设提取策略可以为用户自定义设置,例如特征全部提取或特征部分提取等。In a specific implementation, the feature extraction of login behavior information to obtain multiple login feature information can be performed by obtaining the behavior type corresponding to the login behavior information, determining the corresponding preset extraction strategy according to the behavior type, and Feature extraction is performed on the login behavior information to obtain multiple login feature information. The behavior type may be a login type, or a browsing type, etc. The preset extraction strategy can be customized by the user, such as all feature extraction or feature partial extraction.

进一步地,根据行为类型确定对应的预设提取策略的处理方式可以为根据行为类型确定登录行为信息对应的行为字段,之后根据行为字段确定对应的预设提取策略。Further, the processing manner of determining the corresponding preset extraction strategy according to the behavior type may be to determine the behavior field corresponding to the login behavior information according to the behavior type, and then determine the corresponding preset extraction strategy according to the behavior field.

需要说明的是,行为字段可以理解为登录行为信息中包含专题的信息,需要说明的是,每个字段包含某一专题的信息。例如“通讯录”数据库中,“姓名”、“联系电话”这些都是表中所有行共有的属性,可以把这些列称为“姓名”字段和“联系电话”字段等。It should be noted that the behavior field can be understood as including information of a topic in the login behavior information, and it should be noted that each field contains information of a certain topic. For example, in the "Contacts" database, "Name" and "Contact Number" are attributes common to all rows in the table. These columns can be called "Name" field and "Contact Number" field, etc.

为了能够更加精准的确定预设提取策略,根据行为字段确定对应的预设提取策略的处理方式可以为根据行为字段生成登录行为编码,之后根据登录行为编码从预设策略映射关系表中匹配对应的样本提取策略,预设策略映射关系表中存在多个登录行为编码和多个样本提取策略,登录行为编码和样本提取策略存在一一对应的关系,之后将样本提取策略作为登录行为信息对应的预设提取策略。登录行为编码可以为数字的形式存在,还可以为字符的形式存在等。In order to determine the preset extraction strategy more accurately, the processing method of determining the corresponding preset extraction strategy according to the behavior field can be to generate a login behavior code according to the behavior field, and then match the corresponding default strategy mapping relationship table according to the login behavior code. Sample extraction strategy, there are multiple login behavior codes and multiple sample extraction strategies in the preset policy mapping relationship table, and there is a one-to-one correspondence between login behavior codes and sample extraction strategies, and then the sample extraction strategy is used as the corresponding preset for login behavior information. Set extraction strategy. The login behavior code can exist in the form of numbers or characters.

假设行为字段分别为姓名字段和账号字段,姓名字段和账号字段对应的登录行为编码分别为XZ,则可以根据登录行为编码XZ在预设策略映射关系表中匹配对应的样本提取策略,若该样本提取策略为特征全部提取,则将样本提取策略作为登录行为信息对应的预设提取策略等。Assuming that the behavior fields are the name field and the account field respectively, and the login behavior codes corresponding to the name field and the account field are respectively XZ, the corresponding sample extraction strategy can be matched in the default policy mapping relationship table according to the login behavior code XZ, if the sample If the extraction strategy is to extract all features, then the sample extraction strategy is used as the default extraction strategy corresponding to the login behavior information.

In a specific implementation, performing feature extraction on the login behavior information based on the preset extraction strategy to obtain multiple pieces of login feature information may proceed as follows: perform feature extraction on the login behavior information based on the preset extraction strategy to obtain multiple pieces of candidate login feature information (login feature information to be determined), determine the feature count of these candidates, and judge whether the feature count is greater than or equal to a preset feature threshold; when it is, take the candidate login feature information as the multiple pieces of login feature information corresponding to the login behavior information. The preset feature threshold may be set by the user according to the behavior type corresponding to the login behavior information, for example 5 or 7.

Suppose the user's login behavior information is obtained through the PAM module and sent to the audit module, where the audit log analysis engine analyzes it. For example, if the behavior type corresponding to the login behavior information is determined to be the login type, the preset feature threshold for the login type is 3, and the candidate login feature information in the login behavior information consists of device feature information, account feature information, password feature information and location feature information, then the feature count of the candidates is 4, which is greater than the preset feature threshold, so the candidate login feature information can be taken as the multiple pieces of login feature information corresponding to the login behavior information.

Suppose the preset feature threshold for the login type is 3 and the candidate login feature information in the login behavior information consists of device feature information and account feature information only. The feature count is then 2, which is less than the preset feature threshold, so the user's login behavior information must be re-acquired through the pluggable authentication module.
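The chain of steps above (behavior type, behavior field, login behavior code, preset strategy mapping table, feature extraction, feature-count threshold) can be shown working end to end. The following is an added example written for this page, not code from the patent or its assignee; the behavior-field table, the code-to-strategy mapping, the constructed second code "XP", the partial-extraction field list and the threshold values are assumptions chosen to mirror the numbers used in the text (code XZ, threshold 3 for the login type). The password value is kept as a redacted placeholder, since an audit record should never carry the credential itself.

```python
"""Steps S201-S203 worked end to end: behavior type -> behavior fields ->
login behavior code -> preset extraction strategy -> feature extraction ->
feature-count threshold check.  Added illustration; tables are constructed."""
from dataclasses import dataclass

# Constructed: behavior fields each behavior type may carry (the text lists
# account, device, password, time and location for the login type).
BEHAVIOR_FIELDS = {
    "login": ("device", "account", "password", "location", "time"),
    "browse": ("page", "file", "device", "location", "time"),
}

# Constructed: present behavior fields -> login behavior code.  The text pairs
# the name/account fields with code XZ; "XP" is an invented second code.
FIELD_CODES = {
    frozenset({"name", "account"}): "XZ",
    frozenset({"device", "account", "password", "location"}): "XZ",
    frozenset({"device", "account"}): "XP",
}
DEFAULT_CODE = "XP"

# Constructed preset strategy mapping table: one code <-> one sample strategy.
STRATEGY_MAP = {"XZ": "extract_all", "XP": "extract_partial"}
PARTIAL_KEEP = ("account", "device")       # fields a partial strategy keeps

# Constructed preset feature thresholds per behavior type (text: 3 for login).
FEATURE_THRESHOLD = {"login": 3, "browse": 2}


@dataclass
class ExtractionResult:
    behavior_type: str
    code: str
    strategy: str
    features: dict          # accepted login feature information (empty if rejected)
    feature_count: int
    reacquire: bool         # True: count below threshold, re-acquire via PAM


def behavior_type(record):
    """S201: classify the record.  Constructed rule: file/page access is a
    browsing action, anything else is a login."""
    return "browse" if ("file" in record or "page" in record) else "login"


def login_behavior_code(fields):
    """S202: derive the login behavior code from the present behavior fields."""
    return FIELD_CODES.get(frozenset(fields), DEFAULT_CODE)


def extract_login_features(record, threshold=None):
    """S203: extract candidate features under the preset strategy and accept
    them only when their count reaches the preset feature threshold."""
    btype = behavior_type(record)
    fields = [f for f in BEHAVIOR_FIELDS[btype] if f in record]
    code = login_behavior_code(fields)
    strategy = STRATEGY_MAP[code]
    if strategy == "extract_all":
        candidates = {f: record[f] for f in fields}
    else:
        candidates = {f: record[f] for f in fields if f in PARTIAL_KEEP}
    limit = FEATURE_THRESHOLD[btype] if threshold is None else threshold
    accepted = len(candidates) >= limit
    return ExtractionResult(btype, code, strategy,
                            candidates if accepted else {},
                            len(candidates), not accepted)


if __name__ == "__main__":
    # Constructed sample records mirroring the two examples in the text.
    full = {"device": "AS", "account": "5226461",
            "password": "<redacted>", "location": "intersection B"}
    sparse = {"device": "AS", "account": "5226461"}
    print(extract_login_features(full))     # 4 features, accepted
    print(extract_login_features(sparse))   # 2 features, re-acquire
```

Running the module prints the two cases from the text: the four-field record passes the threshold of 3, the two-field record is rejected and flagged for re-acquisition. Because the mapping table is keyed on the set of present fields, adding a new behavior type is a matter of extending the constructed tables, not the control flow.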

Step S30: Determine log feature information from the multiple pieces of login feature information according to a preset audit policy.

It should be noted that the preset audit policy can be user-defined: the user may select the log feature information of interest from the multiple pieces of login feature information, or take all of the login feature information as log feature information.

In a specific implementation, the audit log analysis engine in the audit module determines the log feature information from the multiple pieces of login feature information according to the feature information of interest preset by the user.

Step S40: Extract target login behavior information from the login behavior information according to the log feature information.

To avoid obtaining incomplete target login behavior information, before the step of extracting target login behavior information from the multiple pieces of login behavior information according to the log feature information, the storage size corresponding to the target login behavior information is determined and checked against a preset storage condition. When the storage size satisfies the preset storage condition, a log behavior event is generated from the target login behavior information; when it does not, the user's login behavior information must be re-acquired through the pluggable authentication module. The preset storage condition can be user-defined, for example that the storage size is greater than a preset storage threshold, which may be 7KB, 1M, or the like.

Suppose the log feature information consists of device feature information, location feature information, account feature information and time feature information, and the login behavior information is "account 5226461 logged in at 11 a.m. using device AS at intersection B". The target login behavior information is then account: 5226461, device: AS, time: 11 o'clock, location: intersection B.

In this embodiment, when the storage size does not satisfy the preset storage condition, the missing login information is determined from the target login behavior information, the login time information corresponding to the missing login information is obtained, and the pending login behavior information corresponding to the missing login information is obtained according to that login time information. Login behavior information to be confirmed is then determined from the target login behavior information and the pending login behavior information, and the behavior type corresponding to the login behavior information to be confirmed is obtained.

Suppose the login behavior information is account 2546 and its storage size is 1KB, which does not satisfy the preset storage condition. The target login behavior information is then account 2546, and the log feature information it covers is account feature information only, whereas the user needs device feature information, location feature information, account feature information and time feature information. The user therefore determines the missing login behavior information, namely device information, location information and time information, according to the login time information corresponding to the login behavior information, takes the re-acquired device information, location information, time information and account information as the login behavior information to be confirmed, and sends it to the audit module for analysis.
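Steps S30 and S40 together amount to a projection of the login record onto the audit policy followed by a completeness check. The example below is added for this page and is not the patent's own code; the audit policy tuple, the use of serialized UTF-8 JSON as the "storage size", and the byte threshold are constructed assumptions (the text's 7KB and 1M examples are far larger than the toy records used here, so a small threshold is used to keep the demonstration meaningful). The function names are invented for illustration.

```python
"""Steps S30 and S40 worked end to end: choose the log feature information of
interest under the preset audit policy, extract the target login behavior
information, check its storage size against the preset storage condition and,
when the condition fails, list the missing login information that must be
re-acquired.  Added illustration; policy and threshold are constructed."""
import json
from dataclasses import dataclass

# Constructed preset audit policy: the user's features of interest, in the
# order the text lists them.  None means "keep every login feature".
AUDIT_POLICY = ("device", "location", "account", "time")

# Constructed preset storage threshold in bytes (condition: size > threshold).
STORAGE_THRESHOLD = 48


@dataclass
class TargetResult:
    target: dict            # target login behavior information
    size: int               # storage size of the target information in bytes
    complete: bool          # storage condition satisfied -> event may be generated
    missing: tuple          # login information the policy wants but the target lacks


def select_log_features(login_features, policy=AUDIT_POLICY):
    """S30: log feature information is the policy's features of interest,
    or every login feature when no policy is configured."""
    return tuple(login_features) if policy is None else tuple(policy)


def extract_target(login_behavior, log_features):
    """S40: keep only the fields named by the log feature information."""
    return {f: login_behavior[f] for f in log_features if f in login_behavior}


def storage_size(target):
    """Constructed measure of storage size: the UTF-8 JSON encoding length."""
    return len(json.dumps(target, ensure_ascii=False).encode("utf-8"))


def missing_login_info(target, log_features):
    """Fields the audit policy asks for that the target does not carry."""
    return tuple(f for f in log_features if f not in target)


def process_login(login_behavior, policy=AUDIT_POLICY, threshold=STORAGE_THRESHOLD):
    """Run S30 + S40 and the storage check; an incomplete result means the
    login behavior information has to be re-acquired through PAM."""
    log_features = select_log_features(login_behavior.keys(), policy)
    target = extract_target(login_behavior, log_features)
    size = storage_size(target)
    return TargetResult(target, size, size > threshold,
                        missing_login_info(target, log_features))


if __name__ == "__main__":
    # Constructed records mirroring the two examples in the text.
    full = {"account": "5226461", "device": "AS",
            "time": "11:00", "location": "intersection B"}
    partial = {"account": "2546"}
    print(process_login(full))      # complete, nothing missing
    print(process_login(partial))   # incomplete: device, location, time missing
```

The missing-field list is computed in policy order so that the re-acquisition request names exactly the device, location and time information the text describes for the account-2546 case. Measuring completeness by byte size alone, as the text does, is a weak proxy; in practice the field-level `missing` tuple is the check to act on.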

Step S50: Generate a log behavior event according to the target login behavior information.

To help the user clearly understand the relationships among the pieces of target login behavior information, generating a log behavior event from the target login behavior information may proceed as follows: split the target login behavior information to obtain multiple pieces of login behavior information to be spliced, determine a preset splicing strategy according to those pieces, and combine them based on the preset splicing strategy to obtain the log behavior event. The preset splicing strategy can be user-defined; the pieces may be spliced according to the level corresponding to each piece of login behavior information to be spliced, spliced randomly, or the like.

Further, before the step of splitting the target login behavior information to obtain multiple pieces of login behavior information to be spliced, the login format information corresponding to the target login behavior information is obtained and checked against a preset format condition; only when the login format information satisfies the preset format condition is the target login behavior information split into multiple pieces of login behavior information to be spliced. The preset format condition is, for example, that the login format information corresponding to the target login behavior information contains no garbled characters.

Suppose the target login behavior information is account: 5226461, device: AS, time: 11 o'clock, location: intersection B, and its login format information satisfies the preset format condition. The target login behavior information can then be split into "account: 5226461", "device: AS", "time: 11 o'clock" and "location: intersection B", which serve as the multiple pieces of login behavior information to be spliced.

In a specific implementation, determining the preset splicing strategy according to the multiple pieces of login behavior information to be spliced may proceed as follows: determine the behavior level corresponding to each piece of login behavior information to be spliced, sort the pieces according to their behavior levels to obtain a login sorting result, and determine the preset splicing strategy according to the login sorting result.

Suppose the pieces of login behavior information to be spliced are A, B and C, with A at level ten, B at level eight and C at level seven. Since level ten is higher than level eight and level eight is higher than level seven, the login sorting result is A - B - C.

In this embodiment, determining the preset splicing strategy according to the login sorting result may proceed as follows: determine first login behavior information and second login behavior information from the multiple pieces of login behavior information to be spliced according to the login sorting result, determine a distance score between the first and second login behavior information, and determine the preset splicing strategy according to the distance score.

Suppose the login sorting result is A - B - C, where A is at level ten with a score of 10, B at level eight with a score of 8, and C at level seven with a score of 7. If the first login behavior information is A and the second is C, the distance score between them is 3. When the distance score is less than or equal to a preset distance threshold, the preset splicing strategy may be random splicing; when the distance score is greater than the preset distance threshold, the preset splicing strategy may be to splice the pieces of login behavior information according to their levels. The preset distance threshold can be user-defined, for example 3 or 5.

In a specific implementation, the audit module also combines the multiple pieces of login behavior information to be spliced according to the preset splicing strategy to obtain the log behavior event and sends it to the person in charge, who can then analyze the system login based on the event, for example to obtain the chain of processes it started and the files it operated on.
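The splitting, ranking, distance-score and splicing steps of S50 form one small algorithm, shown here end to end as an added example for this page (not the patent's own code). The format check, the level table, the rule that the "first" piece is the highest-ranked and the "second" the lowest-ranked, and the default threshold of 3 are constructed assumptions that reproduce the A/B/C example in the text; a seeded `random.Random` is accepted so that random splicing stays reproducible in a test.

```python
"""Step S50 (S501-S503) worked end to end: preset format check, split the
target login behavior information into pieces, rank by behavior level, take
the first and second pieces of the ranking, compute their distance score,
choose the splicing strategy and assemble the log behavior event.
Added illustration; level table and ranking rule are constructed."""
import random
import unicodedata
from dataclasses import dataclass

# Constructed behavior levels per field (the text's example uses 10, 8, 7).
DEFAULT_LEVELS = {"account": 10, "device": 8, "time": 7, "location": 5}
DISTANCE_THRESHOLD = 3      # preset distance threshold (text: 3 or 5)


@dataclass(frozen=True)
class Piece:
    name: str
    value: str
    level: int

    def render(self):
        return f"{self.name}: {self.value}"


def has_valid_format(target):
    """Preset format condition: no garbled text.  Constructed check: every
    value is a str with no U+FFFD replacement character and no control chars."""
    for value in target.values():
        if not isinstance(value, str) or "\ufffd" in value:
            return False
        if any(unicodedata.category(ch) == "Cc" for ch in value):
            return False
    return True


def split_target(target, levels=DEFAULT_LEVELS):
    """S501: one piece per field, tagged with its behavior level."""
    if not has_valid_format(target):
        raise ValueError("login format condition not met: garbled target information")
    return [Piece(k, v, levels.get(k, 0)) for k, v in target.items()]


def rank_pieces(pieces):
    """Login sorting result: highest behavior level first."""
    return sorted(pieces, key=lambda p: p.level, reverse=True)


def distance_score(ranked):
    """Distance between the first (highest) and second (lowest) ranked pieces."""
    if not ranked:
        return 0
    return ranked[0].level - ranked[-1].level


def choose_strategy(ranked, threshold=DISTANCE_THRESHOLD):
    """S502: small level spread -> random splicing, large spread -> by level."""
    return "random" if distance_score(ranked) <= threshold else "by_level"


def splice(ranked, strategy, rng=None):
    """S503: combine the pieces into one log behavior event string."""
    order = list(ranked)
    if strategy == "random":
        (rng or random.Random()).shuffle(order)
    return "; ".join(p.render() for p in order)


def generate_log_event(target, levels=DEFAULT_LEVELS,
                       threshold=DISTANCE_THRESHOLD, rng=None):
    """Run S501-S503 and return the chosen strategy, distance and event."""
    ranked = rank_pieces(split_target(target, levels))
    strategy = choose_strategy(ranked, threshold)
    return {"strategy": strategy, "distance": distance_score(ranked),
            "event": splice(ranked, strategy, rng)}


if __name__ == "__main__":
    # Constructed target mirroring the text: levels 10 / 8 / 7, distance 3.
    target = {"account": "5226461", "device": "AS", "time": "11:00"}
    print(generate_log_event(target, rng=random.Random(0)))   # random splicing
    print(generate_log_event(target, threshold=2))             # by level
```

With the text's levels the distance is exactly 3, so the default threshold selects random splicing and a threshold of 2 selects level-ordered splicing. A target containing a U+FFFD replacement character fails the format condition and is rejected before splitting, which is the safer failure mode for an audit pipeline: a garbled record should trigger re-acquisition rather than a partially parsed event.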

In this embodiment, when a system login operation instruction is detected, login behavior information is first obtained according to the instruction; feature extraction is then performed on the login behavior information to obtain multiple pieces of login feature information; log feature information is determined from those pieces according to the preset audit policy; and finally target login behavior information is extracted from the login behavior information according to the log feature information and a log behavior event is generated from it. Whereas the prior art requires manual tallying of user login information in the terminal security response system, this embodiment determines target login behavior information from the login behavior information based on a preset audit policy and then generates the log behavior event from it, so that log behavior events are obtained precisely, their generation efficiency is improved, and the user experience is improved in turn.

Referring to FIG. 3, FIG. 3 is a schematic flowchart of a second embodiment of the log behavior event generation method of the present invention.

Based on the first embodiment above, in this embodiment, step S20 includes:

Step S201: Obtain the behavior type corresponding to the login behavior information.

It should be noted that the behavior type may be a login type, a browsing type, or the like. For example, if the login behavior information is "account 5226461 logged in at 11 a.m. using device AS at intersection B", the corresponding behavior type is the login type; if the login behavior information is "the user browsed file A", the corresponding behavior type is the browsing type.

Step S202: Determine the corresponding preset extraction strategy according to the behavior type.

Further, determining the corresponding preset extraction strategy according to the behavior type may proceed as follows: determine the behavior field corresponding to the login behavior information according to the behavior type, and then determine the corresponding preset extraction strategy according to the behavior field. The preset extraction strategy can be user-defined, for example extracting all features or extracting only some of them.

It should be noted that a behavior field can be understood as the part of the login behavior information that carries one topic: each field holds the information of a particular topic. For example, in a "Contacts" database, "Name" and "Phone Number" are attributes shared by every row of the table, so these columns may be called the "Name" field, the "Phone Number" field, and so on.

To determine the preset extraction strategy more precisely, determining the corresponding preset extraction strategy from the behavior field may proceed as follows: generate a login behavior code from the behavior field, match the corresponding sample extraction strategy in a preset strategy mapping table according to the login behavior code, and then take that sample extraction strategy as the preset extraction strategy corresponding to the login behavior information. The preset strategy mapping table holds multiple login behavior codes and multiple sample extraction strategies, with a one-to-one correspondence between login behavior codes and sample extraction strategies. A login behavior code may take the form of digits, characters, or the like.

Suppose the behavior fields are the name field and the account field, and the login behavior code corresponding to the name field and the account field is XZ. The corresponding sample extraction strategy can then be matched in the preset strategy mapping table according to the login behavior code XZ; if that sample extraction strategy is "extract all features", it is taken as the preset extraction strategy corresponding to the login behavior information.

Step S203: Perform feature extraction on the login behavior information based on the preset extraction strategy to obtain multiple pieces of login feature information.

It should be understood that login feature information is feature information present in the login behavior information, such as account feature information, device feature information, time feature information and location feature information.

In a specific implementation, performing feature extraction on the login behavior information based on the preset extraction strategy to obtain multiple pieces of login feature information may proceed as follows: perform feature extraction on the login behavior information based on the preset extraction strategy to obtain multiple pieces of candidate login feature information (login feature information to be determined), determine the feature count of these candidates, and judge whether the feature count is greater than or equal to a preset feature threshold; when it is, take the candidate login feature information as the multiple pieces of login feature information corresponding to the login behavior information. The preset feature threshold may be set by the user according to the behavior type corresponding to the login behavior information, for example 5 or 7.

Suppose the preset feature threshold for the login type is 3 and the candidate login feature information in the login behavior information consists of device feature information and account feature information only. The feature count is then 2, which is less than the preset feature threshold, so the user's login behavior information must be re-acquired through the pluggable authentication module.

Suppose the user's login behavior information is obtained through the PAM module and sent to the audit module, where the audit log analysis engine analyzes it. For example, if the behavior type corresponding to the login behavior information is determined to be the login type, the preset feature threshold for the login type is 3, and the candidate login feature information in the login behavior information consists of device feature information, account feature information, password feature information and location feature information, then the feature count of the candidates is 4, which is greater than the preset feature threshold, so the candidate login feature information can be taken as the multiple pieces of login feature information corresponding to the login behavior information.

In this embodiment, the behavior type corresponding to the login behavior information is first obtained, the corresponding preset extraction strategy is determined according to the behavior type, and feature extraction is then performed on the login behavior information based on the preset extraction strategy to obtain multiple pieces of login feature information. In the prior art, fixed login feature information is preset, so login behavior information of different types cannot yield the log login behavior information precisely; in this embodiment the preset extraction strategy is determined according to the behavior type corresponding to the login behavior information, and multiple pieces of login feature information are then extracted from the login behavior information according to that strategy, which improves the efficiency of processing login behavior information.

Referring to FIG. 4, FIG. 4 is a schematic flowchart of a third embodiment of the log behavior event generation method of the present invention.

Based on the first embodiment above, in this embodiment, step S50 includes:

Step S501: Split the target login behavior information to obtain multiple pieces of login behavior information to be spliced.

Further, before the step of splitting the target login behavior information to obtain multiple pieces of login behavior information to be spliced, the login format information corresponding to the target login behavior information is obtained and checked against a preset format condition; only when the login format information satisfies the preset format condition is the target login behavior information split into multiple pieces of login behavior information to be spliced. The preset format condition is, for example, that the login format information corresponding to the target login behavior information contains no garbled characters.

Suppose the target login behavior information is account: 964, device: D, time: 12 o'clock, location: intersection C. The target login behavior information is then split into the pieces of login behavior information to be spliced "account: 964", "device: D", "time: 12 o'clock" and "location: intersection C".

Step S502: Determine a preset splicing strategy according to the multiple pieces of login behavior information to be spliced.

In a specific implementation, determining the preset splicing strategy according to the multiple pieces of login behavior information to be spliced may proceed as follows: determine the behavior level corresponding to each piece of login behavior information to be spliced, sort the pieces according to their behavior levels to obtain a login sorting result, and determine the preset splicing strategy according to the login sorting result.

Suppose the pieces of login behavior information to be spliced are A, B and C, with A at level ten, B at level eight and C at level seven. Since level ten is higher than level eight and level eight is higher than level seven, the login sorting result is A - B - C.

In this embodiment, determining the preset splicing strategy according to the login sorting result may proceed as follows: determine first login behavior information and second login behavior information from the multiple pieces of login behavior information to be spliced according to the login sorting result, determine a distance score between the first and second login behavior information, and determine the preset splicing strategy according to the distance score.

Suppose the login sorting result is A - B - C, where A is at level ten with a score of 10, B at level eight with a score of 8, and C at level seven with a score of 7. If the first login behavior information is A and the second is C, the distance score between them is 3. When the distance score is less than or equal to a preset distance threshold, the preset splicing strategy may be random splicing; when the distance score is greater than the preset distance threshold, the preset splicing strategy may be to splice the pieces of login behavior information according to their levels. The preset distance threshold can be user-defined, for example 3 or 5.

Step S503: Combine the multiple pieces of login behavior information to be spliced based on the preset splicing strategy to obtain a log behavior event.

In a specific implementation, the audit module also combines the multiple pieces of login behavior information to be spliced according to the preset splicing strategy to obtain the log behavior event and sends it to the person in charge, who can then analyze the system login based on the event, for example to obtain the chain of processes it started and the files it operated on.

Suppose the pieces of login behavior information to be spliced are "account: 964", "device: D", "time: 12 o'clock" and "location: intersection C", and the preset splicing strategy is random splicing. The log behavior event may then be device: D, time: 12 o'clock, location: intersection C, account: 964.

In this embodiment, the target login behavior information is first split to obtain multiple pieces of login behavior information to be spliced, a preset splicing strategy is determined according to those pieces, and the pieces are then combined based on the preset splicing strategy to obtain the log behavior event. Whereas the prior art generates the log behavior event directly from the login behavior information, this embodiment determines multiple pieces of login behavior information to be spliced from the login behavior information and combines them based on a preset splicing strategy, so that the log behavior event is obtained precisely.

Referring to FIG. 5, FIG. 5 is a structural block diagram of a first embodiment of the log behavior event generation apparatus of the present invention.

As shown in FIG. 5, the log behavior event generation apparatus proposed by the embodiment of the present invention comprises:

an acquisition module 5001, configured to acquire login behavior information according to a system login operation instruction when the system login operation instruction is detected.

It can be understood that the system login operation instruction may be understood as the login operation or browsing operation performed by a user on entering the terminal security response system; a corresponding system login operation instruction or system browsing operation instruction can then be generated from the login operation or the browsing operation, respectively.

It should also be noted that the system login operation instruction includes the user's login behavior information, which includes the login account, login device, login password, login time, login location and so on; the system browsing operation instruction includes the user's browsing behavior information within the terminal security response system, such as the web pages browsed, the files browsed, the browsing time, the browsing device, the browsing location and so on.

In this embodiment, when a system login operation instruction is detected, the user's login behavior information can be obtained through Pluggable Authentication Modules (PAM) and sent to the user auditing part of the audit module (audit).

an extraction module 5002, configured to perform feature extraction on the login behavior information to obtain multiple pieces of login feature information.

It should be understood that the login feature information may be feature information present in the login behavior information, such as account feature information, device feature information, time feature information, location feature information and the like.

In a specific implementation, feature extraction on the login behavior information to obtain multiple pieces of login feature information may be performed by obtaining the behavior type corresponding to the login behavior information, determining the corresponding preset extraction strategy according to the behavior type, and performing feature extraction on the login behavior information on the basis of the preset extraction strategy to obtain the multiple pieces of login feature information. The behavior type may be a login type, a browsing type, or the like. The preset extraction strategy may be user-defined, for example extracting all features or extracting only some of the features.

Further, determining the corresponding preset extraction strategy according to the behavior type may be performed by determining the behavior field corresponding to the login behavior information according to the behavior type, and then determining the corresponding preset extraction strategy according to the behavior field.

It should be noted that a behavior field may be understood as the information on one topic contained in the login behavior information; each field contains information on a particular topic. For example, in a "contacts" database, "name" and "telephone number" are attributes shared by all rows of the table, and these columns may be called the "name" field and the "telephone number" field.

In order to determine the preset extraction strategy more accurately, determining the corresponding preset extraction strategy according to the behavior field may be performed by generating a login behavior code from the behavior field, matching the corresponding sample extraction strategy from a preset strategy mapping table according to the login behavior code, and taking the sample extraction strategy as the preset extraction strategy corresponding to the login behavior information. The preset strategy mapping table holds multiple login behavior codes and multiple sample extraction strategies, with a one-to-one correspondence between login behavior codes and sample extraction strategies. The login behavior code may be numeric, a character string, or the like.

Suppose the behavior fields are a name field and an account field, and the login behavior code corresponding to the name field and the account field is XZ; the corresponding sample extraction strategy can then be matched in the preset strategy mapping table according to the login behavior code XZ, and if that sample extraction strategy is to extract all features, it is taken as the preset extraction strategy corresponding to the login behavior information.

In a specific implementation, performing feature extraction on the login behavior information on the basis of the preset extraction strategy to obtain multiple pieces of login feature information may be performed by extracting features from the login behavior information according to the preset extraction strategy to obtain multiple pieces of login feature information to be determined, determining the number of features corresponding to those pieces, judging whether the number of features is greater than or equal to a preset feature threshold, and, when it is, taking the pieces of login feature information to be determined as the multiple pieces of login feature information corresponding to the login behavior information. The preset feature threshold may be a threshold set by the user according to the behavior type corresponding to the login behavior information, for example 5 or 7.

Suppose the user's login behavior information is obtained through the PAM module and sent to the audit module, where the audit log analysis engine analyzes it. For example, if the behavior type corresponding to the login behavior information is determined to be the login type, the preset feature threshold corresponding to the login type is 3, and the pieces of login feature information to be determined in the login behavior information are device feature information, account feature information, password feature information and location feature information, then the number of features is 4, which is greater than the preset feature threshold, and the pieces of login feature information to be determined can be taken as the multiple pieces of login feature information corresponding to the login behavior information.

Suppose instead that the preset feature threshold corresponding to the login type is 3 and the pieces of login feature information to be determined are only device feature information and account feature information; the number of features is then 2, which is less than the preset feature threshold, and the user's login behavior information needs to be re-acquired through the pluggable authentication module.
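As an added example that is not the patent's own code, the following Python models the extraction module described above: the behavior fields present in a record yield a login behavior code, the code is looked up in a preset strategy mapping table, features are extracted accordingly and the feature count is compared with the preset feature threshold (3 for the login type, as in the text). The letter-per-field coding scheme, the table entries and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Letter assigned to each behavior field; the login behavior code is the
# behavior type initial plus the sorted letters of the fields present
# (assumed coding scheme, not the patent's).
FIELD_CODE = {"account": "A", "device": "D", "password": "P", "time": "T",
              "location": "L", "page": "G", "file": "F"}

# Preset strategy mapping table: login behavior code -> sample extraction
# strategy, one-to-one as the text requires.  Constructed entries.
STRATEGY_TABLE: Dict[str, List[str]] = {
    "L:ADLPT": ["account", "device", "password", "time", "location"],  # extract all
    "L:ADLP": ["account", "device", "password", "location"],
    "L:ADLT": ["account", "device", "time", "location"],
    "L:AD": ["account", "device"],
    "B:DFGLT": ["page", "file", "time", "device", "location"],
}

# Preset feature threshold per behavior type (3 for login, as in the text).
FEATURE_THRESHOLD = {"login": 3, "browse": 3}


@dataclass
class BehaviorRecord:
    behavior_type: str                             # "login" or "browse"
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class ExtractionResult:
    code: str                    # login behavior code that was looked up
    features: Dict[str, str]     # login feature information extracted
    accepted: bool               # feature count >= preset feature threshold
    reason: str


def behavior_fields(record: BehaviorRecord) -> List[str]:
    """Behavior fields: the known fields actually present in the record."""
    return [name for name in FIELD_CODE if name in record.fields]


def behavior_code(record: BehaviorRecord) -> str:
    """Generate the login behavior code from the behavior fields."""
    letters = "".join(sorted(FIELD_CODE[name] for name in behavior_fields(record)))
    return f"{record.behavior_type[0].upper()}:{letters}"


def extract_features(record: BehaviorRecord) -> ExtractionResult:
    """Match the sample extraction strategy, extract, then apply the threshold."""
    code = behavior_code(record)
    strategy = STRATEGY_TABLE.get(code)
    if strategy is None:
        return ExtractionResult(code, {}, False, "no sample extraction strategy for code")
    pending: Dict[str, str] = {}
    for name in strategy:
        if name not in record.fields:
            continue
        # The password is a secret: the audit record notes that the feature is
        # present but never copies its value.
        pending[name] = "<present>" if name == "password" else record.fields[name]
    threshold = FEATURE_THRESHOLD[record.behavior_type]
    if len(pending) >= threshold:
        return ExtractionResult(code, pending, True,
                                f"{len(pending)} features >= threshold {threshold}")
    return ExtractionResult(code, pending, False,
                            f"{len(pending)} features < threshold {threshold}; re-acquire via PAM")


if __name__ == "__main__":
    # Constructed sample records mirroring the two cases in the text.
    full = BehaviorRecord("login", {"account": "5226461", "device": "AS",
                                    "password": "secret", "time": "11:00",
                                    "location": "B intersection"})
    short = BehaviorRecord("login", {"account": "5226461", "device": "AS"})
    print(extract_features(full))
    print(extract_features(short))
```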

a determination module 5003, configured to determine log feature information from the multiple pieces of login feature information according to a preset audit policy.

It should be noted that the preset audit policy may be user-defined: the user can select the log feature information of interest from the multiple pieces of login feature information, or take all of the login feature information as log feature information.

In a specific implementation, the audit log analysis engine in the audit module determines the log feature information from the multiple pieces of login feature information according to the feature information of interest preset by the user.

the extraction module 5002 is further configured to extract target login behavior information from the login behavior information according to the log feature information.

In order to avoid obtaining incomplete target login behavior information, before the step of extracting target login behavior information from the login behavior information according to the log feature information, the storage size corresponding to the target login behavior information is determined and it is judged whether the storage size satisfies a preset storage condition. When the storage size satisfies the preset storage condition, the log behavior event is generated from the target login behavior information; when it does not, the user's login behavior information needs to be re-acquired through the pluggable authentication module. The preset storage condition may be user-defined, for example that the storage size is greater than a preset storage threshold, which may be 7KB, 1M, or the like.

Suppose the log feature information is device feature information, location feature information, account feature information and time feature information, and the login behavior information is that account 5226461 logged in using device AS at eleven o'clock at intersection B; the target login behavior information is then account: 5226461, device: AS, time: eleven o'clock, location: intersection B.

In this embodiment, when the storage size does not satisfy the preset storage condition, the missing login information is determined from the target login behavior information, the login time information corresponding to the missing login information is obtained, the pending login behavior information corresponding to the missing login information is obtained according to the login time information, the login behavior information to be confirmed is then determined from the target login behavior information and the pending login behavior information, and the behavior type corresponding to the login behavior information to be confirmed is obtained.

Suppose the login behavior information is account 2546 and its storage size is 1KB, which does not satisfy the preset storage condition. The target login behavior information is then account 2546, and the log feature information corresponding to it is account feature information. Since the user needs device feature information, location feature information, account feature information and time feature information, the missing login behavior information is determined according to the login time information corresponding to the login behavior information; the missing login behavior information comprises device information, location information and time information. The re-acquired device information, location information, time information and account information are taken as the login behavior information to be confirmed and sent to the audit module for analysis.

a generation module 5004, configured to generate a log behavior event according to the target login behavior information.

In order to help the user clearly understand the relationships between the pieces of target login behavior information, generating a log behavior event from the target login behavior information may be performed by splitting the target login behavior information to obtain multiple pieces of login behavior information to be spliced, determining a preset splicing strategy from those pieces, and combining them on the basis of the preset splicing strategy to obtain the log behavior event. The preset splicing strategy may be user-defined: the pieces may be spliced according to the level corresponding to each piece of login behavior information to be spliced, or spliced randomly.

Further, before the step of splitting the target login behavior information to obtain multiple pieces of login behavior information to be spliced, the login format information corresponding to the target login behavior information is obtained and it is judged whether the login format information satisfies a preset format condition; when it does, the target login behavior information is split to obtain the multiple pieces of login behavior information to be spliced. The preset format condition is, for example, that the login format information corresponding to the target login behavior information contains no garbled characters.

Suppose the target login behavior information is account: 5226461, device: AS, time: eleven o'clock, location: intersection B; its login format information then satisfies the preset format condition, and the target login behavior information can be split into account: 5226461; device: AS; time: eleven o'clock; location: intersection B, each of which is a piece of login behavior information to be spliced.

In a specific implementation, determining the preset splicing strategy from the multiple pieces of login behavior information to be spliced may be performed by determining the behavior level corresponding to each piece, sorting the pieces according to behavior level to obtain a corresponding login sorting result, and determining the preset splicing strategy according to the login sorting result.

Suppose the pieces of login behavior information to be spliced are A, B and C, with A at level ten, B at level eight and C at level seven; since level ten is higher than level eight and level eight is higher than level seven, the login sorting result is A, then B, then C.

In this embodiment, determining the preset splicing strategy according to the login sorting result may be performed by determining first login behavior information and second login behavior information from the pieces of login behavior information to be spliced according to the login sorting result, determining a distance score between the first login behavior information and the second login behavior information, and determining the preset splicing strategy according to the distance score.

Suppose the login sorting result is A, then B, then C; A is at level ten, which corresponds to a score of 10, B is at level eight, which corresponds to a score of 8, and C is at level seven, which corresponds to a score of 7. The first login behavior information is then A and the second login behavior information is C, so the distance score between them is 3. If the distance score is less than or equal to the preset distance threshold, the preset splicing strategy may be random splicing; if it is greater than the preset distance threshold, the preset splicing strategy may be to splice the pieces of login behavior information according to their levels. The preset distance threshold may be user-defined, for example 3 or 5.

In a specific implementation, the audit module further needs to combine the multiple pieces of login behavior information to be spliced according to the preset splicing strategy to obtain a log behavior event, and to send the log behavior event to the person in charge, who can then perform system login analysis on the basis of the log behavior event, for example obtaining the process chain started by the login and information on the files it operated on.
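As an added example that is not the patent's own code, the following Python carries the determination and generation modules described above through one run: the preset audit policy selects the log feature information, the target login behavior information is checked against the storage condition (with the missing login information worked out on failure) and the format condition (no garbled characters), then split into pieces, ranked by behavior level, and the distance score between the highest- and lowest-ranked pieces selects random or by-level splicing. The audit policy, the level of each piece, the byte threshold, the distance threshold and the sample records are assumptions constructed for illustration.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Preset audit policy: the log feature information of interest (the four
# features named in the text).  Assumed values throughout this example.
AUDIT_POLICY = ["account", "device", "time", "location"]
# Behavior level of each piece to be spliced; the level number is also its score.
BEHAVIOR_LEVEL = {"account": 10, "device": 8, "time": 7, "location": 5}
STORAGE_THRESHOLD = 24    # bytes; the text mentions 7KB or 1M as user-set values
DISTANCE_THRESHOLD = 3    # the text mentions 3 or 5 as user-set values


@dataclass
class Outcome:
    event: Optional[str]            # the log behavior event, or None if a check failed
    strategy: Optional[str]         # "random" or "by_level"
    missing: List[str] = field(default_factory=list)   # missing login information
    reason: str = ""


def select_log_features(features: Dict[str, str]) -> Dict[str, str]:
    """Determination module: keep only the features the audit policy asks for.
    Anything outside the policy (e.g. a password feature) never reaches the event."""
    return {name: features[name] for name in AUDIT_POLICY if name in features}


def storage_size(target: Dict[str, str]) -> int:
    """Storage size of the target login behavior information in UTF-8 bytes."""
    return sum(len(k.encode("utf-8")) + len(v.encode("utf-8")) for k, v in target.items())


def format_ok(target: Dict[str, str]) -> bool:
    """Preset format condition: no garbled text, i.e. no non-printable characters
    and no U+FFFD replacement characters left over from a bad decode."""
    return all(v.isprintable() and "\ufffd" not in v for v in target.values())


def split_pieces(target: Dict[str, str]) -> List[str]:
    """Split the target login behavior information into pieces to be spliced."""
    return [f"{name}:{value}" for name, value in target.items()]


def level_of(piece: str) -> int:
    return BEHAVIOR_LEVEL.get(piece.split(":", 1)[0], 0)


def rank_pieces(pieces: List[str]) -> List[str]:
    """Login sorting result: highest behavior level first (stable sort)."""
    return sorted(pieces, key=level_of, reverse=True)


def distance_score(ranked: List[str]) -> int:
    """Distance score between the first (highest) and second (lowest) piece."""
    return level_of(ranked[0]) - level_of(ranked[-1])


def choose_strategy(score: int) -> str:
    return "random" if score <= DISTANCE_THRESHOLD else "by_level"


def generate_event(features: Dict[str, str], seed: Optional[int] = None) -> Outcome:
    """Generation module: storage check, format check, split, rank, splice."""
    target = select_log_features(features)
    if storage_size(target) <= STORAGE_THRESHOLD:
        # Storage condition not met: name the login information that is missing
        # so it can be re-acquired through PAM and confirmed by the audit module.
        missing = [name for name in AUDIT_POLICY if name not in target]
        return Outcome(None, None, missing, "storage condition not met")
    if not format_ok(target):
        return Outcome(None, None, [], "format condition not met")
    pieces = split_pieces(target)
    ranked = rank_pieces(pieces)
    strategy = choose_strategy(distance_score(ranked))
    if strategy == "random":
        ranked = list(pieces)
        random.Random(seed).shuffle(ranked)    # seed only for reproducible runs
    return Outcome(", ".join(ranked), strategy, [], "ok")


if __name__ == "__main__":
    # Constructed samples mirroring the text: a complete login and an account-only one.
    full = {"account": "5226461", "device": "AS", "password": "secret",
            "time": "11:00", "location": "B intersection"}
    print(generate_event(full))
    print(generate_event({"account": "2546"}))
```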

In this embodiment, when a system login operation instruction is detected, login behavior information is first acquired according to the system login operation instruction; feature extraction is then performed on the login behavior information to obtain multiple pieces of login feature information; log feature information is then determined from the multiple pieces of login feature information according to the preset audit policy; finally, target login behavior information is extracted from the login behavior information according to the log feature information, and a log behavior event is generated from the target login behavior information. In the prior art, user login information in the terminal security response system has to be compiled manually, whereas this embodiment determines the target login behavior information from the login behavior information on the basis of the preset audit policy and then generates the log behavior event from it, so that log behavior events are acquired accurately, the efficiency of log behavior event generation is improved, and the user experience is improved in turn.

For other embodiments or specific implementations of the log behavior event generation apparatus of the present invention, reference may be made to the method embodiments described above, which are not repeated here.

It should be noted that, as used herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent in such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or system comprising that element.

The serial numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.

From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. On the basis of this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (such as read-only memory/random access memory, magnetic disk or optical disc) and comprising several instructions for causing a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to execute the methods described in the various embodiments of the present invention.

The above are only preferred embodiments of the present invention and do not thereby limit its patent scope; any equivalent structural or equivalent process transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

The present invention further discloses A1, a log behavior event generation method, comprising the following steps:

when a system login operation instruction is detected, acquiring login behavior information according to the system login operation instruction;

performing feature extraction on the login behavior information to obtain multiple pieces of login feature information;

determining log feature information from the multiple pieces of login feature information according to a preset audit policy;

extracting target login behavior information from the login behavior information according to the log feature information;

generating a log behavior event according to the target login behavior information.

A2. The method of A1, wherein the step of performing feature extraction on the login behavior information to obtain multiple pieces of login feature information comprises:

acquiring the behavior type corresponding to the login behavior information;

determining the corresponding preset extraction strategy according to the behavior type;

performing feature extraction on the login behavior information on the basis of the preset extraction strategy to obtain the multiple pieces of login feature information.

A3. The method of A2, wherein the step of determining the corresponding preset extraction strategy according to the behavior type comprises:

determining the behavior field corresponding to the login behavior information according to the behavior type;

determining the corresponding preset extraction strategy according to the behavior field.

A4. The method of A3, wherein the step of determining the corresponding preset extraction strategy according to the behavior field comprises:

generating a login behavior code according to the behavior field;

matching the corresponding sample extraction strategy from a preset strategy mapping table according to the login behavior code, the preset strategy mapping table holding multiple login behavior codes and multiple sample extraction strategies;

taking the sample extraction strategy as the preset extraction strategy corresponding to the login behavior information.

A5. The method of A2, wherein the step of performing feature extraction on the login behavior information on the basis of the preset extraction strategy to obtain multiple pieces of login feature information comprises:

performing feature extraction on the login behavior information on the basis of the preset extraction strategy to obtain multiple pieces of login feature information to be determined;

determining the number of features corresponding to the multiple pieces of login feature information to be determined;

judging whether the number of features is greater than or equal to a preset feature threshold;

when the number of features is greater than or equal to the preset feature threshold, taking the multiple pieces of login feature information to be determined as the multiple pieces of login feature information corresponding to the login behavior information.

A6. The method of any one of A1 to A5, further comprising, before the step of generating a log behavior event according to the target login behavior information:

determining the storage size corresponding to the target login behavior information;

judging whether the storage size satisfies a preset storage condition;

when the storage size satisfies the preset storage condition, executing the step of generating a log behavior event according to the target login behavior information.

A7. The method of A6, further comprising, after the step of judging whether the storage size satisfies the preset storage condition:

when the storage size does not satisfy the preset storage condition, determining missing login information according to the target login behavior information;

acquiring the login time information corresponding to the missing login information;

acquiring the pending login behavior information corresponding to the missing login information according to the login time information;

determining the login behavior information to be confirmed according to the target login behavior information and the pending login behavior information;

acquiring the behavior type corresponding to the login behavior information to be confirmed.

A8. The method of any one of A1 to A5, wherein the step of generating a log behavior event according to the target login behavior information comprises:

splitting the target login behavior information to obtain multiple pieces of login behavior information to be spliced;

determining a preset splicing strategy according to the multiple pieces of login behavior information to be spliced;

combining the multiple pieces of login behavior information to be spliced on the basis of the preset splicing strategy to obtain the log behavior event.

A9. The method of A8, further comprising, before the step of splitting the target login behavior information to obtain multiple pieces of login behavior information to be spliced:

acquiring the login format information corresponding to the target login behavior information;

judging whether the login format information satisfies a preset format condition;

when the login format information satisfies the preset format condition, executing the step of splitting the target login behavior information to obtain multiple pieces of login behavior information to be spliced.

A10. The method of A9, wherein the step of determining a preset splicing strategy according to the multiple pieces of login behavior information to be spliced comprises:

determining the behavior level corresponding to each piece of login behavior information to be spliced;

sorting the multiple pieces of login behavior information to be spliced according to the behavior level to obtain a corresponding login sorting result;

determining the preset splicing strategy according to the login sorting result.

A11. The method of A10, wherein the step of determining the preset splicing strategy according to the login sorting result comprises:

determining first login behavior information and second login behavior information from the multiple pieces of login behavior information to be spliced according to the login sorting result;

determining a distance score between the first login behavior information and the second login behavior information;

determining the preset splicing strategy according to the distance score.

本发明还公开了B12、一种日志行为事件生成装置,所述日志行为事件生成装置包括:The present invention also discloses B12, a log behavior event generation device, and the log behavior event generation device includes:

获取模块,用于在检测到系统登录操作指令时,根据所述系统登录操作指令获取登录行为信息;An acquisition module, configured to acquire login behavior information according to the system login operation instruction when a system login operation instruction is detected;

提取模块,用于对所述登录行为信息进行特征提取,以获得多个登录特征信息;An extraction module, configured to perform feature extraction on the login behavior information to obtain multiple login feature information;

确定模块,用于按照预设审计策略从多个所述登录特征信息中确定日志特征信息;A determining module, configured to determine log feature information from a plurality of log feature information according to a preset audit policy;

所述提取模块,还用于根据所述日志特征信息从所述登录行为信息中提取目标登录行为信息;The extraction module is further configured to extract target login behavior information from the login behavior information according to the log feature information;

生成模块,用于根据所述目标登录行为信息生成日志行为事件。A generating module, configured to generate a log behavior event according to the target login behavior information.

B13、如B12所述的装置,所述提取模块,还用于获取所述登录行为信息对应的行为类型;B13. The device as described in B12, the extracting module is further configured to obtain the behavior type corresponding to the login behavior information;

所述提取模块,还用于根据所述行为类型确定对应的预设提取策略;The extraction module is further configured to determine a corresponding preset extraction strategy according to the behavior type;

所述提取模块,还用于基于所述预设提取策略对所述登录行为信息进行特征提取,以获得多个登录特征信息。The extraction module is further configured to perform feature extraction on the login behavior information based on the preset extraction strategy, so as to obtain a plurality of login feature information.

B14、如B13所述的装置,所述提取模块,还用于根据所述行为类型确定所述登录行为信息对应的行为字段;B14. The device as described in B13, the extracting module is further configured to determine the behavior field corresponding to the login behavior information according to the behavior type;

所述提取模块,还用于根据所述行为字段确定对应的预设提取策略。The extraction module is further configured to determine a corresponding preset extraction strategy according to the behavior field.

B15、如B14所述的装置,所述提取模块,还用于根据所述行为字段生成登录行为编码;B15, the device as described in B14, the extraction module is also used to generate login behavior codes according to the behavior field;

所述提取模块,还用于根据所述登录行为编码从预设策略映射关系表中匹配对应的样本提取策略,所述预设策略映射关系表中存在多个登录行为编码和多个样本提取策略;The extraction module is further configured to match a corresponding sample extraction strategy from a preset policy mapping relationship table according to the login behavior code, and there are multiple login behavior codes and multiple sample extraction strategies in the preset policy mapping relationship table ;

所述提取模块,还用于将所述样本提取策略作为所述登录行为信息对应的预设提取策略。The extraction module is further configured to use the sample extraction policy as a preset extraction policy corresponding to the login behavior information.

B16、如B13所述的装置,所述提取模块,还用于基于所述预设提取策略对所述登录行为信息进行特征提取,获得多个待确定登录特征信息;B16. The device as described in B13, the extraction module is further configured to perform feature extraction on the login behavior information based on the preset extraction strategy, and obtain a plurality of login feature information to be determined;

所述提取模块,还用于确定多个所述待确定登录特征信息对应的特征数量;The extraction module is also used to determine the number of features corresponding to the plurality of login feature information to be determined;

所述提取模块,还用于判断所述特征数量是否大于或等于预设特征阈值;The extraction module is also used to judge whether the number of features is greater than or equal to a preset feature threshold;

所述提取模块,还用于在所述特征数量大于或等于所述预设特征阈值时,将多个所述待确定登录特征信息作为所述登录行为信息对应的多个登录特征信息。The extraction module is further configured to use the plurality of login characteristic information to be determined as the plurality of login characteristic information corresponding to the login behavior information when the characteristic number is greater than or equal to the preset characteristic threshold.

B17、如B12-B16任一项所述的装置,所述生成模块,还用于对所述目标登录行为信息进行拆分处理,获得多个待拼接登录行为信息;B17. The device according to any one of B12-B16, the generating module is also used to split and process the target login behavior information to obtain multiple login behavior information to be spliced;

所述生成模块,还用于根据多个所述待拼接登录行为信息确定预设拼接策略;The generating module is further configured to determine a preset splicing strategy according to a plurality of login behavior information to be spliced;

所述生成模块,还用于基于所述预设拼接策略对多个所述待拼接登录行为信息进行组合,获得日志行为事件。The generating module is further configured to combine a plurality of login behavior information to be spliced based on the preset splicing strategy to obtain log behavior events.

B18、如B17所述的装置,所述生成模块,还用于获取所述目标登录行为信息对应的登录格式信息;B18. The device as described in B17, the generating module is further configured to obtain login format information corresponding to the target login behavior information;

所述生成模块,还用于判断所述登录格式信息是否满足预设格式条件;The generating module is also used to judge whether the login format information satisfies a preset format condition;

所述生成模块,还用于在所述登录格式信息满足所述预设格式条件时,执行所述对所述目标登录行为信息进行拆分处理,获得多个待拼接登录行为信息的操作。The generating module is further configured to perform the operation of splitting the target login behavior information to obtain multiple login behavior information to be spliced when the login format information satisfies the preset format condition.

本发明还公开了C19、一种日志行为事件生成设备,所述日志行为事件生成设备包括:存储器、处理器及存储在所述存储器上并可在所述处理器上运行的日志行为事件生成程序,所述日志行为事件生成程序配置有实现如上文所述的日志行为事件生成方法的步骤。The present invention also discloses C19, a log behavior event generation device, the log behavior event generation device includes: a memory, a processor, and a log behavior event generation program stored on the memory and operable on the processor , the log behavior event generation program is configured with the steps of realizing the log behavior event generation method as described above.

本发明还公开了D20、一种存储介质,所述存储介质上存储有日志行为事件生成程序,所述日志行为事件生成程序被处理器执行时实现如上文所述的日志行为事件生成方法的步骤。The present invention also discloses D20, a storage medium, on which a log behavior event generation program is stored, and when the log behavior event generation program is executed by a processor, the steps of the log behavior event generation method as described above are realized .

Claims (10)

1. A log behavior event generation method, characterized in that the log behavior event generation method comprises the following steps:

when a system login operation instruction is detected, obtaining login behavior information according to the system login operation instruction;

performing feature extraction on the login behavior information to obtain a plurality of pieces of login feature information;

determining log feature information from the plurality of pieces of login feature information according to a preset audit policy;

extracting target login behavior information from the login behavior information according to the log feature information;

generating a log behavior event according to the target login behavior information.

2. The method according to claim 1, characterized in that the step of performing feature extraction on the login behavior information to obtain a plurality of pieces of login feature information comprises:

obtaining the behavior type corresponding to the login behavior information;

determining a corresponding preset extraction strategy according to the behavior type;

performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of pieces of login feature information.

3. The method according to claim 2, characterized in that the step of determining a corresponding preset extraction strategy according to the behavior type comprises:

determining the behavior field corresponding to the login behavior information according to the behavior type;

determining the corresponding preset extraction strategy according to the behavior field.

4. The method according to claim 3, characterized in that the step of determining the corresponding preset extraction strategy according to the behavior field comprises:

generating a login behavior code according to the behavior field;

matching a corresponding sample extraction strategy from a preset policy mapping table according to the login behavior code, the preset policy mapping table containing a plurality of login behavior codes and a plurality of sample extraction strategies;

using the sample extraction strategy as the preset extraction strategy corresponding to the login behavior information.

5. The method according to claim 2, characterized in that the step of performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of pieces of login feature information comprises:

performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of pieces of login feature information to be determined;

determining the feature count corresponding to the plurality of pieces of login feature information to be determined;

judging whether the feature count is greater than or equal to a preset feature threshold;

when the feature count is greater than or equal to the preset feature threshold, using the plurality of pieces of login feature information to be determined as the plurality of pieces of login feature information corresponding to the login behavior information.

6. The method according to any one of claims 1-5, characterized in that the step of generating a log behavior event according to the target login behavior information comprises:

splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced;

determining a preset splicing strategy according to the plurality of pieces of login behavior information to be spliced;

combining the plurality of pieces of login behavior information to be spliced based on the preset splicing strategy to obtain a log behavior event.

7. The method according to claim 6, characterized in that, before the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced, the method further comprises:

obtaining login format information corresponding to the target login behavior information;

judging whether the login format information satisfies a preset format condition;

when the login format information satisfies the preset format condition, performing the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced.

8. A log behavior event generation device, characterized in that the log behavior event generation device comprises:

an acquisition module, configured to obtain login behavior information according to a system login operation instruction when the system login operation instruction is detected;

an extraction module, configured to perform feature extraction on the login behavior information to obtain a plurality of pieces of login feature information;

a determining module, configured to determine log feature information from the plurality of pieces of login feature information according to a preset audit policy;

the extraction module being further configured to extract target login behavior information from the login behavior information according to the log feature information;

a generating module, configured to generate a log behavior event according to the target login behavior information.

9. A log behavior event generation apparatus, characterized in that the log behavior event generation apparatus comprises: a memory, a processor, and a log behavior event generation program stored on the memory and executable on the processor, the log behavior event generation program being configured to implement the steps of the log behavior event generation method according to any one of claims 1 to 7.

10. A storage medium, characterized in that a log behavior event generation program is stored on the storage medium, and the log behavior event generation program, when executed by a processor, implements the steps of the log behavior event generation method according to any one of claims 1 to 7.
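The pipeline of claims 1-7 (and the A8-A11 splicing steps: split, rank by behavior level, score the distance between the top two pieces, choose a splicing strategy), worked through as an added example that is not the patent's own code. Every concrete value here is an assumption: the login record layout, the behavior-type-to-field extraction strategies, the audit policy, the feature threshold, the behavior levels and the distance-to-strategy rule are constructed for illustration.

```python
# Added illustration of the claimed pipeline (not the patent's own code).
# Assumptions (not from the patent): login records are dicts with a "type" key;
# extraction strategies, audit policy, behavior levels, the feature threshold
# and the distance-to-strategy rule are all constructed sample values.

# Behavior type -> fields the preset extraction strategy pulls (claims 2-4)
EXTRACTION_STRATEGIES = {
    "ssh_login": ["user", "src_ip", "timestamp", "result", "auth_method"],
    "console_login": ["user", "timestamp", "result"],
}
FEATURE_THRESHOLD = 3                                      # claim 5 / B16
AUDIT_POLICY = {"user", "src_ip", "timestamp", "result"}  # claim 1: log features
BEHAVIOR_LEVEL = {"result": 3, "user": 2, "src_ip": 1, "timestamp": 0}  # A10

SAMPLE_LOGIN = {  # constructed sample record, not from the patent
    "type": "ssh_login", "user": "alice", "src_ip": "203.0.113.7",
    "timestamp": "2021-12-27T08:00:00Z", "result": "success",
    "auth_method": "publickey",
}


def extract_features(record):
    """Claims 2-5: pick the strategy by behavior type, extract, enforce threshold."""
    strategy = EXTRACTION_STRATEGIES.get(record.get("type"))
    if strategy is None:
        return None                      # no mapping for this behavior type
    features = {f: record[f] for f in strategy if f in record}
    if len(features) < FEATURE_THRESHOLD:
        return None                      # too few features: reject (claim 5)
    return features


def select_log_features(features):
    """Claim 1: keep only the features the audit policy wants logged."""
    return {k: v for k, v in features.items() if k in AUDIT_POLICY}


def splice(target):
    """Claims 6-7 and A10-A11: format check, split, rank by level, pick strategy."""
    if not isinstance(target, dict) or len(target) < 2 or "timestamp" not in target:
        return None                      # preset format condition not met (claim 7)
    pieces = sorted(target.items(),
                    key=lambda kv: BEHAVIOR_LEVEL.get(kv[0], 0), reverse=True)
    first, second = pieces[0], pieces[1]
    distance = BEHAVIOR_LEVEL.get(first[0], 0) - BEHAVIOR_LEVEL.get(second[0], 0)
    # Assumed rule: a level gap above 1 puts the top field as a headline, else flat
    strategy = "headline" if distance > 1 else "flat"
    rest = ", ".join(f"{k}={v}" for k, v in pieces[1:])
    if strategy == "headline":
        event = f"{first[0]}={first[1]} | {rest}"
    else:
        event = f"{first[0]}={first[1]}, {rest}"
    return {"strategy": strategy, "event": event}


def generate_log_event(record):
    """Full pipeline: returns None when any stage rejects the record."""
    features = extract_features(record)
    if features is None:
        return None
    return splice(select_log_features(features))


if __name__ == "__main__":
    print(generate_log_event(SAMPLE_LOGIN))
```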

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111618228.3A CN116414664A (en) 2021-12-27 2021-12-27 Log behavior event generation method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116414664A true CN116414664A (en) 2023-07-11

Family

ID=87056414

Country Status (1)

Country Link
CN (1) CN116414664A (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination