CN116414664A - Log behavior event generation method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116414664A
Authority
CN
China
Prior art keywords
login
information
behavior
behavior information
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111618228.3A
Other languages
Chinese (zh)
Inventor
邢超
袁立迪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Digital Security Technology Group Co Ltd
Original Assignee
360 Digital Security Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00: Error detection; error correction; monitoring
    • G06F 11/30: Monitoring
    • G06F 11/34: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F 11/3438: Recording or statistical evaluation of computer activity or user activity; monitoring of user actions
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the technical field of data processing and discloses a method, a device, equipment and a storage medium for generating log behavior events. The method comprises the following steps: when a system login operation instruction is detected, obtaining login behavior information according to the instruction; extracting features from the login behavior information to obtain a plurality of login feature information; determining log feature information from the plurality of login feature information according to a preset audit strategy; extracting target login behavior information from the login behavior information according to the log feature information; and generating a log behavior event according to the target login behavior information. In the prior art, user login information in a terminal security response system has to be counted manually. The method and device instead determine the target login behavior information from the login behavior information based on the preset audit strategy and then generate the log behavior event from it, so that log behavior events are acquired accurately and generated more efficiently.

Description

Log behavior event generation method, device, equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for generating a log behavior event.
Background
At present, events such as user logins in a terminal security response system are important reporting events: engineers analyze problems that arise in the system by examining them. In the prior art, the user login information in the terminal security response system is collected manually at specific times and the individual login records are combined by hand. Log behavior events produced this way are inaccurate, and their generation is slow.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a log behavior event generation method, device, equipment and storage medium, which aim to solve the technical problem of acquiring log behavior events accurately while improving the efficiency with which they are generated.
In order to achieve the above object, the present invention provides a log behavior event generation method, which includes the steps of:
when a system login operation instruction is detected, acquiring login behavior information according to the system login operation instruction;
extracting features of the login behavior information to obtain a plurality of login feature information;
determining log characteristic information from a plurality of login characteristic information according to a preset audit strategy;
extracting target login behavior information from the login behavior information according to the log characteristic information;
and generating a log behavior event according to the target login behavior information.
Optionally, the step of extracting features of the login behavior information to obtain a plurality of login feature information includes:
acquiring a behavior type corresponding to the login behavior information;
determining a corresponding preset extraction strategy according to the behavior type;
and carrying out feature extraction on the login behavior information based on the preset extraction strategy so as to obtain a plurality of login feature information.
Optionally, the step of determining the corresponding preset extraction policy according to the behavior type includes:
determining a behavior field corresponding to the login behavior information according to the behavior type;
and determining a corresponding preset extraction strategy according to the behavior field.
Optionally, the step of determining a corresponding preset extraction policy according to the behavior field includes:
generating a login behavior code according to the behavior field;
matching corresponding sample extraction strategies from a preset strategy mapping relation table according to the login behavior codes, wherein a plurality of login behavior codes and a plurality of sample extraction strategies exist in the preset strategy mapping relation table;
and taking the sample extraction strategy as a preset extraction strategy corresponding to the login behavior information.
Optionally, the step of extracting features of the login behavior information based on the preset extraction policy to obtain a plurality of login feature information includes:
performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of login feature information to be determined;
determining the feature quantity corresponding to a plurality of login feature information to be determined;
judging whether the feature quantity is larger than or equal to a preset feature threshold value;
and when the feature quantity is larger than or equal to the preset feature threshold value, taking a plurality of login feature information to be determined as a plurality of login feature information corresponding to the login behavior information.
Optionally, before the step of generating the log behavior event according to the target login behavior information, the method further includes:
determining the storage amount corresponding to the target login behavior information;
judging whether the storage quantity meets a preset storage condition or not;
and executing the step of generating a log behavior event according to the target login behavior information when the storage amount meets the preset storage condition.
Optionally, after the step of determining whether the storage amount meets the preset storage condition, the method further includes:
when the storage quantity does not meet the preset storage condition, determining missing login information according to the target login behavior information;
acquiring login time information corresponding to the missing login information;
acquiring to-be-processed login behavior information corresponding to the missing login information according to the login time information;
determining login behavior information to be confirmed according to the target login behavior information and the login behavior information to be processed;
and obtaining the behavior type corresponding to the login behavior information to be confirmed.
Optionally, the step of generating a log behavior event according to the target login behavior information includes:
splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced;
determining a preset splicing strategy according to the login behavior information to be spliced;
and combining the login behavior information to be spliced based on the preset splicing strategy to obtain log behavior events.
Optionally, before the step of splitting the target login behavior information to obtain the login behavior information to be spliced, the method further includes:
obtaining login format information corresponding to the target login behavior information;
judging whether the login format information meets a preset format condition or not;
and executing the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced when the login format information meets the preset format condition.
Optionally, the step of determining a preset splicing policy according to the login behavior information to be spliced includes:
respectively determining the behavior grade corresponding to each piece of login behavior information to be spliced;
sorting the login behavior information to be spliced according to the behavior grade to obtain a corresponding login sorting result;
and determining a preset splicing strategy according to the login sequencing result.
Optionally, the step of determining a preset splicing policy according to the login sequencing result includes:
determining first login behavior information and second login behavior information from a plurality of pieces of login behavior information to be spliced according to the login sequencing result;
determining a distance score between the first login behavior information and the second login behavior information;
and determining a preset splicing strategy according to the distance score.
In addition, to achieve the above object, the present invention also proposes a log behavior event generating apparatus, including:
the acquisition module is used for acquiring login behavior information according to the system login operation instruction when the system login operation instruction is detected;
the extraction module is used for extracting the characteristics of the login behavior information so as to obtain a plurality of login characteristic information;
the determining module is used for determining log characteristic information from a plurality of login characteristic information according to a preset audit strategy;
the extraction module is further used for extracting target login behavior information from the login behavior information according to the log characteristic information;
and the generation module is used for generating log behavior events according to the target login behavior information.
Optionally, the extracting module is further configured to obtain a behavior type corresponding to the login behavior information;
the extraction module is further used for determining a corresponding preset extraction strategy according to the behavior type;
the extraction module is further configured to perform feature extraction on the login behavior information based on the preset extraction policy, so as to obtain a plurality of login feature information.
Optionally, the extracting module is further configured to determine a behavior field corresponding to the login behavior information according to the behavior type;
the extraction module is further configured to determine a corresponding preset extraction policy according to the behavior field.
Optionally, the extracting module is further configured to generate a login behavior code according to the behavior field;
the extraction module is further configured to match corresponding sample extraction policies from a preset policy mapping relationship table according to the login behavior codes, where a plurality of login behavior codes and a plurality of sample extraction policies exist in the preset policy mapping relationship table;
the extraction module is further configured to use the sample extraction policy as a preset extraction policy corresponding to the login behavior information.
Optionally, the extracting module is further configured to perform feature extraction on the login behavior information based on the preset extracting policy, so as to obtain a plurality of login feature information to be determined;
the extraction module is further used for determining the feature quantity corresponding to the login feature information to be determined;
the extraction module is further used for judging whether the feature quantity is larger than or equal to a preset feature threshold value;
the extraction module is further configured to use the login feature information to be determined as a plurality of login feature information corresponding to the login behavior information when the feature quantity is greater than or equal to the preset feature threshold.
Optionally, the generating module is further configured to split the target login behavior information to obtain a plurality of login behavior information to be spliced;
the generation module is further used for determining a preset splicing strategy according to the login behavior information to be spliced;
the generating module is further configured to combine the login behavior information to be spliced based on the preset splicing policy, so as to obtain a log behavior event.
Optionally, the generating module is further configured to obtain login format information corresponding to the target login behavior information;
the generating module is further configured to determine whether the login format information meets a preset format condition;
the generating module is further configured to perform the splitting of the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced when the login format information meets the preset format condition.
In addition, to achieve the above object, the present invention also proposes a log behavior event generating apparatus, the apparatus comprising: a memory, a processor and a log behavior event generation program stored on the memory and executable on the processor, the log behavior event generation program configured to implement the steps of the log behavior event generation method as described above.
In addition, in order to achieve the above object, the present invention also proposes a storage medium having stored thereon a log behavior event generation program which, when executed by a processor, implements the steps of the log behavior event generation method as described above.
When a system login operation instruction is detected, login behavior information is first obtained according to the instruction; features are then extracted from the login behavior information to obtain a plurality of login feature information; log feature information is determined from that plurality according to a preset audit strategy; finally, target login behavior information is extracted from the login behavior information according to the log feature information, and a log behavior event is generated from the target login behavior information. Whereas in the prior art user login information in a terminal security response system has to be counted manually, here the target login behavior information is determined from the login behavior information based on the preset audit strategy and the log behavior event is generated from it, so that log behavior events are acquired accurately, their generation efficiency is improved and the user experience is improved in turn.
Drawings
FIG. 1 is a schematic diagram of a log behavior event generating device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of the log behavior event generation method according to the present invention;
FIG. 3 is a flowchart of a second embodiment of the log behavior event generation method according to the present invention;
FIG. 4 is a flowchart of a third embodiment of the log behavior event generation method according to the present invention;
FIG. 5 is a block diagram of a first embodiment of the log behavior event generating apparatus according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of a log behavior event generating device in a hardware operating environment according to an embodiment of the present invention.
As shown in FIG. 1, the log behavior event generating apparatus may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM) such as a disk, and may optionally be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the structure shown in fig. 1 does not constitute a limitation of the log behavior event generating apparatus, and may include more or fewer components than shown, or may combine certain components, or may be a different arrangement of components.
As shown in fig. 1, an operating system, a data storage module, a network communication module, a user interface module, and a log behavior event generation program may be included in the memory 1005 as one type of storage medium.
In the log behavior event generating device shown in FIG. 1, the network interface 1004 is mainly used for data communication with a network server and the user interface 1003 for data interaction with a user; the processor 1001 and the memory 1005 of the device invoke the log behavior event generation program stored in the memory 1005 and execute the log behavior event generation method provided by the embodiment of the present invention.
An embodiment of the present invention provides a log behavior event generating method, and referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the log behavior event generating method of the present invention.
In this embodiment, the log behavior event generating method includes the following steps:
step S10: and when the system login operation instruction is detected, acquiring login behavior information according to the system login operation instruction.
It is to be understood that the execution body of the present embodiment may be a log behavior event generating device with functions of data processing, network communication, program running, etc., or may be other computer devices with similar functions, and the present embodiment is not limited thereto.
The system login operation instruction can be understood as follows: a user performs a login operation or a browsing operation in the terminal security response system, and a corresponding system login operation instruction or system browsing operation instruction is generated from that operation.
The system login operation instruction carries the user's login behavior information, which includes the login account, login device, login password, login time, login location and the like; the system browsing operation instruction carries the user's browsing behavior information in the terminal security response system, such as the web page browsed, the file browsed, the browsing time, the browsing device and the browsing location. Note that the login password is a credential rather than an audit attribute: an audit strategy that selects log feature information should record the authentication result, never the password value itself, because a log behavior event is stored and read far more widely than the authentication path that consumed the password.
In this embodiment, when a system login operation instruction is detected, the user's login behavior information may be obtained through a Pluggable Authentication Module (PAM) and forwarded to the user audit of the audit module.
Step S20: and extracting the characteristics of the login behavior information to obtain a plurality of login characteristic information.
It should be understood that the login feature information may be feature information existing in the login behavior information, such as account feature information, device feature information, time feature information, location feature information, and the like.
In a specific implementation, features may be extracted from the login behavior information as follows: obtain the behavior type corresponding to the login behavior information, determine the corresponding preset extraction policy according to the behavior type, and perform feature extraction on the login behavior information based on that policy to obtain a plurality of login feature information. The behavior type may be a login type, a browsing type and so on. The preset extraction policy may be user-defined, for example extracting all features or only part of them.
Further, the processing manner of determining the corresponding preset extraction policy according to the behavior type may be determining a behavior field corresponding to the login behavior information according to the behavior type, and then determining the corresponding preset extraction policy according to the behavior field.
It should be noted that a behavior field can be understood as the information on one topic contained in the login behavior information; each field holds information on a particular topic. For example, in an "address book" database, "name" and "contact" are attributes common to all rows of the table, and these columns may be referred to as the "name" field and the "contact" field.
In order to determine the preset extraction strategy more accurately, the corresponding preset extraction strategy may be determined from the behavior field as follows: generate a login behavior code from the behavior field, match the corresponding sample extraction strategy from a preset strategy mapping relation table according to that code, and use the matched sample extraction strategy as the preset extraction strategy for the login behavior information. The preset strategy mapping relation table contains a plurality of login behavior codes and a plurality of sample extraction strategies in one-to-one correspondence. A login behavior code may take the form of numbers, characters and so on.
Assume the behavior fields are a name field and an account number field whose login behavior codes are X and Z respectively, giving the combined login behavior code XZ. The corresponding sample extraction policy can then be matched in the preset policy mapping relation table by the code XZ; if that sample extraction policy is "extract all features", it is used as the preset extraction policy for the login behavior information.
In a specific implementation, feature extraction based on the preset extraction policy may proceed as follows: extract features from the login behavior information according to the policy to obtain a plurality of login feature information to be determined; determine the feature quantity of that information; judge whether the feature quantity is greater than or equal to a preset feature threshold; and, when it is, take the login feature information to be determined as the plurality of login feature information corresponding to the login behavior information. The preset feature threshold may be set by the user per behavior type of the login behavior information, for example 5 or 7.
Assume the user's login behavior information is obtained through the PAM module, sent to the audit module and parsed there by the audit log analysis engine. For example, if the behavior type of the login behavior information is determined to be the login type, the preset feature threshold for the login type is 3, and the login feature information to be determined consists of device, account, password and location feature information, then the feature quantity is 4, which exceeds the threshold, and the login feature information to be determined is taken as the plurality of login feature information corresponding to the login behavior information.
If instead the preset feature threshold for the login type is 3 and the login feature information to be determined consists only of device and account feature information, the feature quantity is 2, which is below the threshold, and the user's login behavior information has to be acquired again through the pluggable authentication module.
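As an added example (this is the editor's illustration, not code from the patent or its assignee), the following Python script walks records through steps S10 and S20: it parses constructed key=value records written in the style of Linux audit messages, determines the behavior type, derives the login behavior code from the behavior fields of that type, looks the code up in a preset policy mapping table, extracts the features the matched policy names, and rejects a record when fewer than the preset feature threshold are present. The record formats, the hypothetical WEB_BROWSE type, the field codes, the policy table, the threshold values and the extra "secret" field are all assumptions of the example. It also shows why the extraction policy should be a whitelist: a credential that rides along in the raw record never reaches the feature set.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (this example's own data, not from the patent), written
# in the style of Linux audit key=value records. Field names and values are made up;
# "secret" is included only to show that the extraction policy drops it, and
# WEB_BROWSE is a hypothetical record type standing in for a browsing operation.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1700000000.123:456): pid=4242 uid=0 auid=1000 ses=7 "
    "msg='op=login acct=\"alice\" secret=\"hunter2\" exe=\"/usr/sbin/sshd\" "
    "hostname=host1 addr=10.0.0.5 terminal=ssh res=success'",
    # Incomplete record: no device, address or terminal -> too few features.
    "type=USER_LOGIN msg=audit(1700000001.500:457): pid=4243 uid=0 auid=1001 ses=8 "
    "msg='op=login acct=\"bob\" res=failed'",
    "type=WEB_BROWSE msg=audit(1700000002.000:458): pid=4250 auid=1000 ses=7 "
    "msg='op=browse acct=\"alice\" url=\"/reports/q3\" hostname=host1 addr=10.0.0.5'",
]

# Behavior type -> behavior fields (the source fields that matter for that type).
BEHAVIOR_FIELDS: Dict[str, List[str]] = {
    "login": ["acct", "hostname", "addr", "terminal", "time", "res"],
    "browse": ["acct", "url", "hostname", "addr", "time"],
}
# Behavior field -> one-letter code; the login behavior code is their concatenation.
FIELD_CODES = {"acct": "A", "hostname": "D", "addr": "L", "terminal": "M",
               "time": "T", "res": "R", "url": "U"}
# Preset policy mapping table: login behavior code -> sample extraction policy.
# A policy maps each feature to emit onto the source field it is read from and
# carries the preset feature threshold below which the record is rejected.
POLICY_TABLE = {
    "ADLMTR": {"features": {"account": "acct", "device": "hostname",
                            "location": "addr", "terminal": "terminal",
                            "time": "time", "result": "res"},
               "threshold": 4},
    "AUDLT": {"features": {"account": "acct", "page": "url", "device": "hostname",
                           "location": "addr", "time": "time"},
              "threshold": 3},
}
TYPE_MAP = {"USER_LOGIN": "login", "WEB_BROWSE": "browse"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Flatten an audit-style record into key/value pairs (quotes stripped).
    The nested msg='...' block is spliced inline so its keys appear at top level,
    and the epoch seconds inside audit(...) become the "time" field."""
    flat = line.replace("msg='", "").rstrip("'")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(flat)}
    m = re.search(r"audit\((\d+)\.\d+:\d+\)", line)
    if m:
        fields["time"] = m.group(1)
    return fields


def behavior_code(behavior_type: str) -> str:
    """Derive the login behavior code from the behavior fields of the type."""
    return "".join(FIELD_CODES[f] for f in BEHAVIOR_FIELDS[behavior_type])


def extract_features(line: str) -> Optional[Dict[str, str]]:
    """Steps S10/S20: parse the login behavior information, pick the preset
    extraction policy via behavior type -> behavior code -> mapping table, extract
    the features and apply the feature threshold. Returns None when too few
    features are present, i.e. the caller must acquire the information again."""
    info = parse_record(line)
    behavior_type = TYPE_MAP.get(info.get("type", ""))
    if behavior_type is None:
        raise ValueError(f"unsupported record type: {info.get('type')!r}")
    policy = POLICY_TABLE[behavior_code(behavior_type)]
    # Whitelist extraction: only fields named by the policy are copied, so a
    # credential in the raw record (here "secret") never reaches the feature set.
    pending = {feat: info[src] for feat, src in policy["features"].items() if src in info}
    if len(pending) < policy["threshold"]:
        return None
    pending["behavior_type"] = behavior_type
    return pending


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(extract_features(rec))
```

The second constructed record exercises the re-acquisition path: it carries only account, result and time, which is below the login threshold of 4, so the function returns None instead of emitting a thin feature set.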
Step S30: and determining log characteristic information from the login characteristic information according to a preset audit strategy.
It should be noted that the preset audit policy may be user-defined: the user may select the log feature information of interest from the plurality of login feature information, or may take all of the plurality of login feature information as the log feature information.
In a specific implementation, the audit log analysis engine in the audit module determines the log feature information from the plurality of login feature information according to the feature information the user has set in advance.
Step S40: and extracting target login behavior information from the login behavior information according to the log characteristic information.
In order to avoid incomplete acquired target login behavior information, determining storage capacity corresponding to the target login behavior information before the step of extracting the target login behavior information from the plurality of login behavior information according to log feature information, judging whether the storage capacity meets preset storage conditions, and generating a log behavior event according to the target login behavior information when the storage capacity meets the preset storage conditions; when the storage volume does not meet the preset storage condition, login behavior information and the like of the user need to be acquired again through the pluggable authentication module. The preset storage condition may be set by user, for example, the storage amount is greater than a preset storage threshold, and the preset storage threshold may be 7KB, 1M, or the like.
Assuming that the log feature information is equipment feature information, location feature information, account feature information and time feature information, the login behavior information is account 5226461, and the target login behavior information is account when the log feature information is logged in the intersection B by using the tenth noon of the equipment AS: 5226461, apparatus: AS, time: ten point, location: and (3) crossing B.
In this embodiment, when the storage volume does not meet the preset storage condition, determining missing login information according to the target login behavior information, then obtaining login time information corresponding to the missing login information, obtaining to-be-processed login behavior information corresponding to the missing login information according to the login time information, then determining to-be-confirmed login behavior information according to the target login behavior information and the to-be-processed login behavior information, and obtaining a behavior type corresponding to the to-be-confirmed login behavior information.
Assuming that the login behavior information is account 2546 and the storage amount corresponding to it is 1KB, which does not meet the preset storage condition, the target login behavior information is account 2546. According to the log feature information corresponding to the target login behavior information, the device feature information, location feature information, account feature information and time feature information need to be acquired; the missing login behavior information is determined according to the login time information corresponding to the login behavior information and comprises the device information, location information and time information. The acquired device information, location information, time information and account information are used as the login behavior information to be confirmed, which is sent to the audit module for analysis and the like.
Step S50: and generating a log behavior event according to the target login behavior information.
In order to facilitate the clear understanding of the connection between the target login behavior information by the user, the processing manner of generating the log behavior event according to the target login behavior information may be splitting processing of the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced, determining a preset splicing policy according to the plurality of pieces of login behavior information to be spliced, and combining the plurality of pieces of login behavior information to be spliced based on the preset splicing policy to obtain the log behavior event. The preset splicing strategy can be set by user definition, can be spliced according to the grade corresponding to the login behavior information to be spliced, and can also be random splicing and the like.
Further, before the step of splitting the target login behavior information to obtain the login behavior information to be spliced, the login format information corresponding to the target login behavior information is acquired, whether the login format information meets a preset format condition is judged, and the target login behavior information is split to obtain the login behavior information to be spliced when the login format information meets the preset format condition. The preset format condition is, for example, that the login format information corresponding to the target login behavior information contains no garbled characters.
Assuming that the target login behavior information is account: 5226461, device: AS, time: ten o'clock, location: intersection B, and the login format information in the target login behavior information meets the preset format condition, the target login behavior information is split into account: 5226461; device: AS; time: ten o'clock; location: intersection B, and these pieces (account: 5226461; device: AS; time: ten o'clock; location: intersection B) serve as the plurality of pieces of login behavior information to be spliced, etc.
In a specific implementation, the processing manner of determining the preset splicing policy according to the plurality of login behavior information to be spliced may be to determine a behavior class corresponding to each of the login behavior information to be spliced respectively, and then sort the plurality of login behavior information to be spliced according to the behavior class to obtain a corresponding login sorting result, and determine the preset splicing policy according to the login sorting result.
Assuming that the plurality of pieces of login behavior information to be spliced are login behavior information A, B and C to be spliced, the grade corresponding to A is ten, the grade corresponding to B is eight and the grade corresponding to C is seven, and ten is higher than eight, which is higher than seven, the login sorting result is login behavior information A to be spliced, login behavior information B to be spliced, login behavior information C to be spliced, etc.
In this embodiment, the processing manner of determining the preset splicing policy according to the login sorting result may be determining, according to the login sorting result, first login behavior information and second login behavior information from the plurality of pieces of login behavior information to be spliced, then determining a distance score between the first login behavior information and the second login behavior information, and determining the preset splicing policy according to the distance score.
Assuming that the login sorting result is login behavior information A to be spliced, login behavior information B to be spliced, login behavior information C to be spliced, where A has grade ten with score 10, B has grade eight with score 8 and C has grade seven with score 7, the first login behavior information is A and the second login behavior information is C, so the distance score between the first login behavior information and the second login behavior information is 3. When the distance score is smaller than or equal to the preset distance threshold, the preset splicing strategy may be random splicing; when the distance score is larger than the preset distance threshold, the preset splicing strategy may splice the login behavior information to be spliced according to grade. The preset distance threshold may be user-defined, such as 3 or 5.
In a specific implementation, the audit module further needs to combine the plurality of pieces of login behavior information to be spliced according to the preset splicing strategy to obtain the log behavior event, and the log behavior event is sent to the responsible person, who can perform system login analysis according to the log behavior event, for example to obtain information such as the started process chain and the operated files.
In this embodiment, when a system login operation instruction is detected, login behavior information is first obtained according to the system login operation instruction, then feature extraction is performed on the login behavior information to obtain a plurality of login feature information, then log feature information is determined from the plurality of login feature information according to a preset audit policy, finally target login behavior information is extracted from the plurality of login behavior information according to the log feature information, and a log behavior event is generated according to the target login behavior information. In the prior art, user login information in a terminal safety response system needs to be manually counted, but in the embodiment, target login behavior information is determined from the login behavior information based on a preset audit strategy, and then a log behavior event is generated according to the target login behavior information, so that the log behavior event is accurately acquired, the log behavior event generation efficiency is improved, and further user experience is improved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of a log behavior event generating method according to the present invention.
Based on the first embodiment, in this embodiment, the step S20 includes:
step S201: and obtaining the behavior type corresponding to the login behavior information.
It should be noted that the behavior type may be a login type, a browsing type, or the like. For example, if the login behavior information is that account 5226461 logs in at intersection B at ten o'clock using device AS, the behavior type corresponding to the login behavior information is the login type; if the login behavior information is that the user browses file A, the behavior type corresponding to the login behavior information is the browsing type, etc.
Step S202: and determining a corresponding preset extraction strategy according to the behavior type.
Further, the processing manner of determining the corresponding preset extraction policy according to the behavior type may be determining a behavior field corresponding to the login behavior information according to the behavior type, and then determining the corresponding preset extraction policy according to the behavior field. The preset extraction policy may be user-defined, for example, feature total extraction or feature partial extraction.
It should be noted that, the behavior field may be understood as information of a topic included in the login behavior information, and each field includes information of a certain topic. For example, in an "address book" database, "name", "contact" are attributes common to all rows in the table, and these columns may be referred to as "name" fields and "contact" fields, etc.
In order to more accurately determine the preset extraction strategy, the processing manner of determining the corresponding preset extraction strategy according to the behavior field may be to generate a login behavior code according to the behavior field, then match the corresponding sample extraction strategy from the preset strategy mapping relation table according to the login behavior code, a plurality of login behavior codes and a plurality of sample extraction strategies exist in the preset strategy mapping relation table, the login behavior codes and the sample extraction strategies have a one-to-one correspondence, and then use the sample extraction strategy as the preset extraction strategy corresponding to the login behavior information. The login behavior code can exist in the form of numbers, characters and the like.
Assuming that the behavior fields are a name field and an account field, and the login behavior code corresponding to the name field and the account field is XZ, the corresponding sample extraction strategy can be matched in the preset strategy mapping relation table according to the login behavior code XZ; if the matched sample extraction strategy is feature total extraction, that sample extraction strategy is used as the preset extraction strategy corresponding to the login behavior information.
Step S203: and carrying out feature extraction on the login behavior information based on the preset extraction strategy so as to obtain a plurality of login feature information.
It should be understood that the login feature information may be feature information existing in the login behavior information, such as account feature information, device feature information, time feature information, location feature information, and the like.
In a specific implementation, feature extraction is performed on login behavior information based on a preset extraction policy, so that a processing manner of obtaining a plurality of login feature information may be that feature extraction is performed on the login behavior information based on the preset extraction policy, a plurality of login feature information to be determined is obtained, then feature quantity corresponding to the login feature information to be determined is determined, whether the feature quantity is greater than or equal to a preset feature threshold value is judged, and when the feature quantity is greater than or equal to the preset feature threshold value, the login feature information to be determined is used as a plurality of login feature information corresponding to the login behavior information. The preset characteristic threshold value can be a threshold value which is set by a user according to the behavior type definition corresponding to the login behavior information, and can be 5, 7 and the like.
Assuming that the preset feature threshold corresponding to the login type is 3, and the login feature information to be determined in the login behavior information is device feature information and account feature information, the feature quantity corresponding to the login feature information to be determined is 2, which is smaller than the preset feature threshold, so the login behavior information of the user needs to be acquired again through the pluggable authentication module.
Assuming that the login behavior information of the user is obtained through the PAM module, it is sent to the audit module, where it is analyzed by the audit log analysis engine. For example, if the behavior type corresponding to the login behavior information is determined to be the login type, the preset feature threshold corresponding to the login type is 3, and the login feature information to be determined in the login behavior information is device feature information, account feature information, password feature information and location feature information, then the feature quantity corresponding to the login feature information to be determined is 4, which is greater than the preset feature threshold, so the login feature information to be determined can be used as the plurality of login feature information corresponding to the login behavior information.
In this embodiment, the behavior type corresponding to the login behavior information is obtained first, a corresponding preset extraction policy is then determined according to the behavior type, and feature extraction is performed on the login behavior information based on the preset extraction policy to obtain a plurality of login feature information. In the prior art the login feature information is preset and fixed, so login feature information cannot be accurately obtained from login behavior information of different types; in this embodiment the preset extraction policy is determined according to the behavior type corresponding to the login behavior information, and the plurality of login feature information is extracted from the login behavior information according to that policy, thereby improving the efficiency of processing login behavior information.
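The following is an added example, not code from the patent or its assignee, that implements the procedure of steps S201 to S203 (and the same procedure as described for the extracting module 5002 below): the behavior type selects the behavior fields, a login behavior code is generated from those fields and matched one-to-one in a preset strategy mapping table, the strategy drives extraction, and the feature quantity is compared with the preset feature threshold. The field lists, the initial-letter code convention, the mapping table contents, the threshold of 3 and the sample records are constructed for illustration; redacting the password value is a design choice of this example, since an audit record should note that a password feature was present without storing the secret itself.

```python
"""Behaviour-type-driven feature extraction (steps S201-S203), added example.
Field lists, the behaviour-code convention, the strategy mapping table and the
sample records are constructed for illustration, not taken from the patent."""

# Behaviour fields per behaviour type; the patent lists account, device,
# password, time and location for logins and page, file, time, device and
# location for browsing actions.
BEHAVIOR_FIELDS = {
    "login": ["account", "device", "password", "time", "location"],
    "browsing": ["page", "file", "time", "device", "location"],
}

# Preset feature threshold per behaviour type (user-defined; the patent's
# worked case uses 3 for the login type).
FEATURE_THRESHOLD = {"login": 3, "browsing": 3}


def behavior_code(fields):
    """Login behaviour code generated from the behaviour fields. Constructed
    convention: the upper-cased initial of each field name, in order."""
    return "".join(f[0].upper() for f in fields)


# Preset strategy mapping table: login behaviour code -> sample extraction
# strategy, one-to-one. "all" is feature total extraction; a list of field
# names is feature partial extraction. Constructed contents.
STRATEGY_TABLE = {
    "ADPTL": "all",
    "PFTDL": ["page", "file", "time"],
}


class ReacquireLogin(Exception):
    """Feature quantity below the preset threshold: the PAM module must collect
    the login behaviour information again."""


def behavior_type(record):
    """Behaviour type of a record: a record carrying an account is a login,
    one carrying a page or file is a browsing action (constructed rule)."""
    if "account" in record:
        return "login"
    if "page" in record or "file" in record:
        return "browsing"
    raise ValueError("unrecognised behaviour type")


def preset_extraction_strategy(btype):
    """Behaviour type -> behaviour fields -> login behaviour code -> strategy."""
    code = behavior_code(BEHAVIOR_FIELDS[btype])
    if code not in STRATEGY_TABLE:
        raise ValueError(f"no sample extraction strategy for code {code!r}")
    return STRATEGY_TABLE[code]


def extract_login_features(record):
    """Return the login feature information for one record, or raise
    ReacquireLogin when the feature quantity is below the preset threshold."""
    btype = behavior_type(record)
    strategy = preset_extraction_strategy(btype)
    wanted = BEHAVIOR_FIELDS[btype] if strategy == "all" else strategy
    # Login feature information "to be determined": only fields the record has.
    # The password value is never copied into audit data; only its presence
    # is recorded (design choice of this example).
    pending = {}
    for f in wanted:
        if f in record:
            pending[f] = "<present>" if f == "password" else record[f]
    if len(pending) < FEATURE_THRESHOLD[btype]:
        raise ReacquireLogin(
            f"{len(pending)} feature(s) found, threshold is {FEATURE_THRESHOLD[btype]}"
        )
    return pending


def feature_quantity_ok(record):
    """True when the record yields enough features, False when it must be
    re-acquired through PAM."""
    try:
        extract_login_features(record)
        return True
    except ReacquireLogin:
        return False


if __name__ == "__main__":
    # Constructed sample records mirroring the patent's two worked cases.
    full = {"account": "5226461", "device": "AS", "password": "hunter2",
            "location": "intersection B"}
    print(extract_login_features(full))            # 4 features >= 3
    print(feature_quantity_ok({"account": "5226461", "device": "AS"}))  # False: 2 < 3
```

The one-to-one mapping table is what makes the policy auditable: an unknown behavior code is rejected rather than silently falling back to a default, so a new behavior type cannot be logged with an unreviewed extraction policy.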
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of a log behavior event generating method according to the present invention.
Based on the first embodiment, in this embodiment, the step S50 includes:
step S501: and splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced.
Further, before the step of splitting the target login behavior information to obtain the login behavior information to be spliced, the login format information corresponding to the target login behavior information is acquired, whether the login format information meets a preset format condition is judged, and the target login behavior information is split to obtain the login behavior information to be spliced when the login format information meets the preset format condition. The preset format condition is, for example, that the login format information corresponding to the target login behavior information contains no garbled characters.
Assuming that the target login behavior information is account: 964, device: D, time: twelve o'clock, location: intersection C, the target login behavior information is split into a plurality of pieces of login behavior information to be spliced: account: 964; device: D; time: twelve o'clock; location: intersection C, etc.
Step S502: and determining a preset splicing strategy according to the login behavior information to be spliced.
In a specific implementation, the processing manner of determining the preset splicing policy according to the plurality of login behavior information to be spliced may be to determine a behavior class corresponding to each of the login behavior information to be spliced respectively, and then sort the plurality of login behavior information to be spliced according to the behavior class to obtain a corresponding login sorting result, and determine the preset splicing policy according to the login sorting result.
Assuming that the plurality of pieces of login behavior information to be spliced are login behavior information A, B and C to be spliced, the grade corresponding to A is ten, the grade corresponding to B is eight and the grade corresponding to C is seven, and ten is higher than eight, which is higher than seven, the login sorting result is login behavior information A to be spliced, login behavior information B to be spliced, login behavior information C to be spliced, etc.
In this embodiment, the processing manner of determining the preset splicing policy according to the login sorting result may be determining, according to the login sorting result, first login behavior information and second login behavior information from the plurality of pieces of login behavior information to be spliced, then determining a distance score between the first login behavior information and the second login behavior information, and determining the preset splicing policy according to the distance score.
Assuming that the login sorting result is login behavior information A to be spliced, login behavior information B to be spliced, login behavior information C to be spliced, where A has grade ten with score 10, B has grade eight with score 8 and C has grade seven with score 7, the first login behavior information is A and the second login behavior information is C, so the distance score between the first login behavior information and the second login behavior information is 3. When the distance score is smaller than or equal to the preset distance threshold, the preset splicing strategy may be random splicing; when the distance score is larger than the preset distance threshold, the preset splicing strategy may splice the login behavior information to be spliced according to grade. The preset distance threshold may be user-defined, such as 3 or 5.
Step S503: and combining the login behavior information to be spliced based on the preset splicing strategy to obtain log behavior events.
In a specific implementation, the audit module further needs to combine the plurality of pieces of login behavior information to be spliced according to the preset splicing strategy to obtain the log behavior event, and the log behavior event is sent to the responsible person, who can perform system login analysis according to the log behavior event, for example to obtain information such as the started process chain and the operated files.
Assuming that the plurality of pieces of login behavior information to be spliced are account: 964; device: D; time: twelve o'clock; location: intersection C, and the preset splicing strategy is random splicing, the log behavior event may be device: D, time: twelve o'clock, location: intersection C, account: 964.
In this embodiment, splitting processing is performed on the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced, a preset splicing strategy is then determined according to the plurality of pieces of login behavior information to be spliced, and the plurality of pieces of login behavior information to be spliced are combined based on the preset splicing strategy to obtain the log behavior event.
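The following is an added example, not code from the patent or its assignee, that carries steps S501 to S503 through end to end (the generating module 5004 described later follows the same procedure): the preset format condition is checked, the target login behavior information is split into pieces, the pieces are sorted by grade, the distance score between the first and second pieces selects random or by-grade splicing, and the pieces are combined into the log behavior event. The grade table, the distance threshold of 3, the garbled-character detector (U+FFFD or C0 control characters), the field separator convention and the sample target information are constructed for illustration; the patent leaves all of them user-defined.

```python
"""Split / sort / distance-score / splice procedure of steps S501-S503, added
example. The grade table, the distance threshold, the garble detector and the
sample target information are constructed for illustration."""
import random
import re

# Grade per piece to be spliced, keyed by its field name. User-defined in the
# patent (its worked example uses ten, eight and seven); constructed here.
DEFAULT_GRADES = {"account": 10, "device": 8, "time": 7, "location": 5}
PRESET_DISTANCE_THRESHOLD = 3

# Preset format condition: no garbled characters. Constructed detector that
# flags the Unicode replacement character and C0 control characters.
_GARBLED = re.compile(r"[\ufffd\x00-\x08\x0b\x0c\x0e-\x1f]")


def format_condition_met(target):
    return _GARBLED.search(target) is None


def split_target(target):
    """'account: 964, device: D, ...' -> [('account', '964'), ('device', 'D'), ...]
    Raises ValueError when the preset format condition fails or a piece has
    no field name, so malformed input never reaches the event."""
    if not format_condition_met(target):
        raise ValueError("target login behavior information fails the preset format condition")
    pieces = []
    for part in target.split(","):
        key, sep, value = part.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"piece without a field name: {part!r}")
        pieces.append((key.strip(), value.strip()))
    return pieces


def sort_by_grade(pieces, grades):
    """Login sorting result: highest grade first."""
    return sorted(pieces, key=lambda p: grades[p[0]], reverse=True)


def distance_score(sorted_pieces, grades):
    """Distance between the first (highest-grade) and second (lowest-grade)
    login behavior information, as in the patent's A/C example."""
    first, second = sorted_pieces[0], sorted_pieces[-1]
    return grades[first[0]] - grades[second[0]]


def choose_strategy(sorted_pieces, grades, threshold=PRESET_DISTANCE_THRESHOLD):
    """<= threshold: random splicing; > threshold: splice by grade."""
    return "random" if distance_score(sorted_pieces, grades) <= threshold else "by_grade"


def splice(sorted_pieces, strategy, seed=None):
    """Combine the pieces into one log behavior event string."""
    order = list(sorted_pieces)
    if strategy == "random":
        random.Random(seed).shuffle(order)
    return "; ".join(f"{k}: {v}" for k, v in order)


def generate_log_behavior_event(target, grades=DEFAULT_GRADES, seed=None):
    """Return (strategy, event) for one target login behavior information string."""
    ordered = sort_by_grade(split_target(target), grades)
    strategy = choose_strategy(ordered, grades)
    return strategy, splice(ordered, strategy, seed)


if __name__ == "__main__":
    # Constructed sample matching the patent's account 964 / device D case.
    sample = "account: 964, device: D, time: twelve o'clock, location: intersection C"
    print(generate_log_behavior_event(sample))          # distance 5 > 3: by grade
    print(generate_log_behavior_event(sample, {"account": 10, "device": 8,
                                               "time": 7, "location": 7}, seed=1))
```

With the four default grades the distance between account (10) and location (5) is 5, so the event is spliced by grade; with the patent's 10/8/7 grades the distance is 3, which is within the threshold, so the pieces are shuffled.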
Referring to fig. 5, fig. 5 is a block diagram showing the structure of a first embodiment of the log behavioral event generating apparatus according to the present invention.
As shown in fig. 5, the log behavior event generating device provided by the embodiment of the present invention includes:
the obtaining module 5001 is configured to obtain login behavior information according to a system login operation instruction when the system login operation instruction is detected.
It can be understood that the system login operation instruction may be understood as a login operation or a browsing operation performed by the user in the access terminal security response system, and then a corresponding system login operation instruction or a system browsing operation instruction may be generated according to the login operation or the browsing operation, respectively.
The system login operation instruction includes the login behavior information of the user, which includes the login account, login device, login password, login time, login location and the like; the system browsing operation instruction includes the browsing behavior information of the user in the terminal security response system, such as the browsed web page, browsed file, browsing time, browsing device, browsing location and the like.
In this embodiment, when a system login operation instruction is detected, the login behavior information of the user may be obtained through a pluggable authentication module (Pluggable Authentication Modules, PAM), and the login behavior information is sent to the user audit of the audit module.
The extracting module 5002 is configured to perform feature extraction on the login behavior information to obtain a plurality of login feature information.
It should be understood that the login feature information may be feature information existing in the login behavior information, such as account feature information, device feature information, time feature information, location feature information, and the like.
In a specific implementation, the processing manner of extracting features of the login behavior information to obtain a plurality of login feature information may be to obtain a behavior type corresponding to the login behavior information, determine a corresponding preset extraction policy according to the behavior type, and perform feature extraction on the login behavior information based on the preset extraction policy to obtain a plurality of login feature information. The behavior type may be a login type, a browsing type, or the like. The preset extraction policy may be user-defined, for example, feature total extraction or feature partial extraction.
Further, the processing manner of determining the corresponding preset extraction policy according to the behavior type may be determining a behavior field corresponding to the login behavior information according to the behavior type, and then determining the corresponding preset extraction policy according to the behavior field.
It should be noted that, the behavior field may be understood as information of a topic included in the login behavior information, and each field includes information of a certain topic. For example, in an "address book" database, "name", "contact" are attributes common to all rows in the table, and these columns may be referred to as "name" fields and "contact" fields, etc.
In order to more accurately determine the preset extraction strategy, the processing manner of determining the corresponding preset extraction strategy according to the behavior field may be to generate a login behavior code according to the behavior field, then match the corresponding sample extraction strategy from the preset strategy mapping relation table according to the login behavior code, a plurality of login behavior codes and a plurality of sample extraction strategies exist in the preset strategy mapping relation table, the login behavior codes and the sample extraction strategies have a one-to-one correspondence, and then use the sample extraction strategy as the preset extraction strategy corresponding to the login behavior information. The login behavior code can exist in the form of numbers, characters and the like.
Assuming that the behavior fields are a name field and an account field, and the login behavior code corresponding to the name field and the account field is XZ, the corresponding sample extraction strategy can be matched in the preset strategy mapping relation table according to the login behavior code XZ; if the matched sample extraction strategy is feature total extraction, that sample extraction strategy is used as the preset extraction strategy corresponding to the login behavior information.
In a specific implementation, feature extraction is performed on login behavior information based on a preset extraction policy, so that a processing manner of obtaining a plurality of login feature information may be that feature extraction is performed on the login behavior information based on the preset extraction policy, a plurality of login feature information to be determined is obtained, then feature quantity corresponding to the login feature information to be determined is determined, whether the feature quantity is greater than or equal to a preset feature threshold value is judged, and when the feature quantity is greater than or equal to the preset feature threshold value, the login feature information to be determined is used as a plurality of login feature information corresponding to the login behavior information. The preset characteristic threshold value can be a threshold value which is set by a user according to the behavior type definition corresponding to the login behavior information, and can be 5, 7 and the like.
Assuming that the login behavior information of the user is obtained through the PAM module, it is sent to the audit module, where it is analyzed by the audit log analysis engine. For example, if the behavior type corresponding to the login behavior information is determined to be the login type, the preset feature threshold corresponding to the login type is 3, and the login feature information to be determined in the login behavior information is device feature information, account feature information, password feature information and location feature information, then the feature quantity corresponding to the login feature information to be determined is 4, which is greater than the preset feature threshold, so the login feature information to be determined can be used as the plurality of login feature information corresponding to the login behavior information.
Assuming that the preset feature threshold corresponding to the login type is 3, and the login feature information to be determined in the login behavior information is device feature information and account feature information, the feature quantity corresponding to the login feature information to be determined is 2, which is smaller than the preset feature threshold, so the login behavior information of the user needs to be acquired again through the pluggable authentication module.
And a determining module 5003, configured to determine log feature information from a plurality of login feature information according to a preset audit policy.
It should be noted that the preset audit policy may be user-defined: the user may select the login feature information of interest from the plurality of login feature information, or may use all of the plurality of login feature information as log feature information.
In a specific implementation, the audit log analysis engine in the audit module needs to determine log feature information and the like from a plurality of login feature information according to feature information which is set in advance by a user.
The extracting module 5002 is further configured to extract target login behavior information from the login behavior information according to the log feature information.
In order to avoid incomplete acquired target login behavior information, determining storage capacity corresponding to the target login behavior information before the step of extracting the target login behavior information from the plurality of login behavior information according to log feature information, judging whether the storage capacity meets preset storage conditions, and generating a log behavior event according to the target login behavior information when the storage capacity meets the preset storage conditions; when the storage volume does not meet the preset storage condition, login behavior information and the like of the user need to be acquired again through the pluggable authentication module. The preset storage condition may be set by user, for example, the storage amount is greater than a preset storage threshold, and the preset storage threshold may be 7KB, 1M, or the like.
Assuming that the log feature information is device feature information, location feature information, account feature information and time feature information, and the login behavior information is that account 5226461 logs in at intersection B at ten o'clock using device AS, the target login behavior information is account: 5226461, device: AS, time: ten o'clock, location: intersection B.
In this embodiment, when the storage volume does not meet the preset storage condition, determining missing login information according to the target login behavior information, then obtaining login time information corresponding to the missing login information, obtaining to-be-processed login behavior information corresponding to the missing login information according to the login time information, then determining to-be-confirmed login behavior information according to the target login behavior information and the to-be-processed login behavior information, and obtaining a behavior type corresponding to the to-be-confirmed login behavior information.
Assuming that the login behavior information is account 2546 and the storage amount corresponding to it is 1KB, which does not meet the preset storage condition, the target login behavior information is account 2546. According to the log feature information corresponding to the target login behavior information, the device feature information, location feature information, account feature information and time feature information need to be acquired; the missing login behavior information is determined according to the login time information corresponding to the login behavior information and comprises the device information, location information and time information. The acquired device information, location information, time information and account information are used as the login behavior information to be confirmed, which is sent to the audit module for analysis and the like.
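The following is an added example, not code from the patent or its assignee, that implements the storage-condition check and the completion of incomplete target login behavior information described in the four paragraphs above (and in the same paragraphs under step S40 of the first embodiment): the storage amount of the target record is compared with the preset storage threshold, the missing login information is computed against the configured log feature information, the login time is used to fetch the to-be-processed record, and the merge yields the login behavior information to be confirmed together with its behavior type. The byte-count measure, the threshold of 32 bytes (the patent's examples are 7KB and 1M), the account-to-login-time session table, the time-keyed pending table and all sample records are constructed assumptions; the patent does not say how the login time information is obtained.

```python
"""Storage-condition check and completion of incomplete target login behavior
information, added example. Threshold, lookup tables and sample records are
constructed; the session-time lookup is an assumption of this example."""
import json

# Preset storage threshold in bytes. Deliberately tiny so that the constructed
# samples below exercise both branches.
PRESET_STORAGE_THRESHOLD = 32


def storage_amount(info):
    """Storage amount of one target login behavior information record: the
    byte length of its canonical JSON serialisation (constructed measure)."""
    return len(json.dumps(info, sort_keys=True, ensure_ascii=False).encode("utf-8"))


def storage_condition_met(info, threshold=PRESET_STORAGE_THRESHOLD):
    """Preset storage condition: storage amount greater than the threshold."""
    return storage_amount(info) > threshold


def missing_login_information(log_features, target):
    """Log feature fields the target record lacks, in the configured order."""
    return [f for f in log_features if f not in target]


def behavior_type(info):
    """Constructed rule: a record with an account is a login, else browsing."""
    return "login" if "account" in info else "browsing"


def check_and_complete(log_features, target, session_times, pending_by_time,
                       threshold=PRESET_STORAGE_THRESHOLD):
    """Return ('ok', target, type, []) when the storage condition holds.
    Otherwise return ('to_confirm', info, type, still_missing), where info
    merges the target with the to-be-processed record found via the login
    time and still_missing lists fields that could not be recovered, so the
    caller knows PAM must re-acquire them rather than treating the event as
    complete."""
    if storage_condition_met(target, threshold):
        return ("ok", target, behavior_type(target), [])
    missing = missing_login_information(log_features, target)
    # Login time information for the missing data: taken from the record if
    # present, else looked up by account in the PAM session table (assumption).
    login_time = target.get("time") or session_times.get(target.get("account"))
    pending = pending_by_time.get(login_time, {})
    to_confirm = dict(target)
    if login_time is not None and "time" in missing:
        to_confirm["time"] = login_time
    for f in missing:
        if f in pending:
            to_confirm[f] = pending[f]
    still_missing = missing_login_information(log_features, to_confirm)
    return ("to_confirm", to_confirm, behavior_type(to_confirm), still_missing)


if __name__ == "__main__":
    # Constructed tables and records mirroring the patent's account 2546 case.
    log_features = ["device", "location", "account", "time"]
    session_times = {"2546": "ten o'clock"}
    pending_by_time = {"ten o'clock": {"device": "AS", "location": "intersection B"}}
    print(check_and_complete(log_features, {"account": "2546"},
                             session_times, pending_by_time))
    print(check_and_complete(log_features, {"account": "999"},
                             session_times, pending_by_time))
```

Returning the list of fields that are still missing is the practical safeguard here: an audit record that was padded from a lookup table must not be indistinguishable from one that PAM captured in full, or the audit trail will overstate what was actually observed.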
The generating module 5004 is configured to generate a log behavior event according to the target login behavior information.
In order to make the relationship among the parts of the target login behavior information clear to the user, the processing manner of generating the log behavior event according to the target login behavior information may be: splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced, determining a preset splicing strategy according to the plurality of pieces of login behavior information to be spliced, and combining the plurality of pieces of login behavior information to be spliced based on the preset splicing strategy to obtain the log behavior event. The preset splicing strategy can be user-defined; it may splice according to the grade corresponding to each piece of login behavior information to be spliced, or it may be random splicing, and so on.
Further, before the step of splitting the target login behavior information to obtain the login behavior information to be spliced, login format information corresponding to the target login behavior information is acquired, whether the login format information meets a preset format condition is judged, and the target login behavior information is split to obtain the login behavior information to be spliced only when the login format information meets the preset format condition. The preset format condition is, for example, that the login format information corresponding to the target login behavior information contains no messy codes (garbled characters).
Assuming that the target login behavior information is account: 5226461, device: AS, time: ten o'clock, location: intersection B, and the login format information in the target login behavior information meets the preset format condition, the target login behavior information is split into account: 5226461; device: AS; time: ten o'clock; location: intersection B, and these four pieces (account: 5226461; device: AS; time: ten o'clock; location: intersection B) are the plurality of pieces of login behavior information to be spliced.
In a specific implementation, the processing manner of determining the preset splicing policy according to the plurality of login behavior information to be spliced may be to determine a behavior class corresponding to each of the login behavior information to be spliced respectively, and then sort the plurality of login behavior information to be spliced according to the behavior class to obtain a corresponding login sorting result, and determine the preset splicing policy according to the login sorting result.
Assuming that the plurality of pieces of login behavior information to be spliced are login behavior information A to be spliced, login behavior information B to be spliced and login behavior information C to be spliced, that the grade corresponding to A is ten, the grade corresponding to B is eight and the grade corresponding to C is seven, and that ten is higher than eight and eight is higher than seven, the login sorting result is: login behavior information A to be spliced, login behavior information B to be spliced, login behavior information C to be spliced.
In this embodiment, the processing manner of determining the preset splicing policy according to the login sequencing result may be determining, according to the login sequencing result, first login behavior information and second login behavior information from a plurality of pieces of login behavior information to be spliced, then determining a distance score between the first login behavior information and the second login behavior information, and determining the preset splicing policy according to the distance score.
Assuming that the login sorting result is login behavior information A to be spliced, login behavior information B to be spliced, login behavior information C to be spliced, where A has grade ten (score 10), B has grade eight (score 8) and C has grade seven (score 7), the first login behavior information is login behavior information A to be spliced and the second login behavior information is login behavior information C to be spliced, so the distance score between the first login behavior information and the second login behavior information is 3. When the distance score is smaller than or equal to a preset distance threshold, the preset splicing strategy may be random splicing; when the distance score is larger than the preset distance threshold, the preset splicing strategy may be to splice the login behavior information to be spliced according to grade. The preset distance threshold may be user-defined, for example 3 or 5.
In a specific implementation, the audit module further combines the plurality of pieces of login behavior information to be spliced according to the preset splicing strategy to obtain the log behavior event, and the log behavior event is sent to the responsible person, who can perform system login analysis according to the log behavior event, for example obtaining information such as the started process chain and the files that were operated on.
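The format check, split, grade sorting, distance score and splicing steps of the generating module described above, together with the storage-condition branch that fills in missing login information, as an added Python example (not code from the patent or its applicant). Grades ten/eight/seven and the distance threshold 3 follow the embodiment; which field carries which grade, the fallback grade 0 for an unlisted field, the storage threshold, the behavior type labels and the constructed `ip` field in the second case are assumptions made here.

```python
import random
from typing import Dict, List, Optional, Tuple

# Grades and the distance threshold follow the embodiment (ten / eight / seven,
# threshold 3). The field-to-grade mapping, the fallback grade 0 for an unlisted
# field and the storage threshold are assumptions for this example.
FIELD_GRADES: Dict[str, int] = {"account": 10, "device": 8, "time": 7, "location": 7}
DISTANCE_THRESHOLD = 3
MIN_STORAGE_BYTES = 48   # assumed "preset storage condition"


def login_format_ok(target: str) -> bool:
    """Preset format condition: every comma-separated piece is 'key: value' and
    carries no messy codes (U+FFFD is what mis-decoded input leaves behind)."""
    pieces = [p.strip() for p in target.split(",")]
    return all(":" in p and "\ufffd" not in p for p in pieces)


def split_target(target: str) -> List[Tuple[str, str]]:
    """Split the target login behavior information into pieces to be spliced."""
    if not login_format_ok(target):
        raise ValueError("login format information fails the preset format condition")
    pieces = []
    for piece in target.split(","):
        key, value = piece.split(":", 1)
        pieces.append((key.strip().lower(), value.strip()))
    return pieces


def sort_by_grade(pieces: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Login sorting result: highest behavior grade first (stable for ties)."""
    return sorted(pieces, key=lambda kv: FIELD_GRADES.get(kv[0], 0), reverse=True)


def choose_strategy(ordered: List[Tuple[str, str]]) -> Tuple[int, str]:
    """First = highest-graded piece, second = lowest-graded piece; the distance
    score is their grade gap. Gap <= threshold: random splicing, else by grade."""
    first, second = ordered[0], ordered[-1]
    distance = FIELD_GRADES.get(first[0], 0) - FIELD_GRADES.get(second[0], 0)
    return distance, ("random" if distance <= DISTANCE_THRESHOLD else "by_grade")


def generate_log_behavior_event(target: str, rng: Optional[random.Random] = None) -> Dict:
    """Format check -> split -> sort -> distance score -> splice into one event."""
    ordered = sort_by_grade(split_target(target))
    distance, strategy = choose_strategy(ordered)
    if strategy == "random":
        ordered = list(ordered)
        (rng or random.Random()).shuffle(ordered)
    return {
        "event": "; ".join(f"{k}: {v}" for k, v in ordered),
        "strategy": strategy,
        "distance": distance,
        "fields": dict(ordered),
    }


def fill_missing_login_info(target: Dict[str, str], login_time: str,
                            login_records: List[Dict[str, str]]) -> Optional[Dict]:
    """Storage-condition branch: when the stored record is too small, determine
    the missing fields, fetch the login behavior information recorded for the
    same account at the given login time, and build the to-be-confirmed record
    for the audit module. Returns None when the storage condition is met."""
    serialized = ", ".join(f"{k}: {v}" for k, v in target.items())
    if len(serialized.encode("utf-8")) >= MIN_STORAGE_BYTES:
        return None
    missing = [f for f in FIELD_GRADES if f not in target]
    to_process = [r for r in login_records
                  if r.get("account") == target.get("account") and r.get("time") == login_time]
    confirmed = dict(target)
    for record in to_process:
        for field in missing:
            if field in record and field not in confirmed:
                confirmed[field] = record[field]
    still_missing = [f for f in missing if f not in confirmed]
    # Behavior type labels are assumed for this example.
    behavior_type = "login" if not still_missing else "incomplete_login"
    return {"to_be_confirmed": confirmed, "behavior_type": behavior_type,
            "missing": missing}


if __name__ == "__main__":
    # Constructed sample input mirroring the embodiment's account/device/time/location record.
    demo = generate_log_behavior_event(
        "account: 5226461, device: AS, time: ten o'clock, location: intersection B",
        rng=random.Random(7))
    print(demo["strategy"], demo["distance"], demo["event"])
```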
In this embodiment, when a system login operation instruction is detected, login behavior information is first obtained according to the system login operation instruction, then feature extraction is performed on the login behavior information to obtain a plurality of login feature information, then log feature information is determined from the plurality of login feature information according to a preset audit policy, finally target login behavior information is extracted from the plurality of login behavior information according to the log feature information, and a log behavior event is generated according to the target login behavior information. In the prior art, user login information in a terminal safety response system needs to be manually counted, but in the embodiment, target login behavior information is determined from the login behavior information based on a preset audit strategy, and then a log behavior event is generated according to the target login behavior information, so that the log behavior event is accurately acquired, the log behavior event generation efficiency is improved, and further user experience is improved.
Other embodiments or specific implementation manners of the log behavior event generating device of the present invention may refer to the above method embodiments, and are not described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. read-only memory/random-access memory, magnetic disk, optical disk), comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.
The invention also discloses A1, a log behavior event generation method, which comprises the following steps:
when a system login operation instruction is detected, acquiring login behavior information according to the system login operation instruction;
extracting features of the login behavior information to obtain a plurality of login feature information;
determining log characteristic information from a plurality of login characteristic information according to a preset audit strategy;
extracting target login behavior information from the login behavior information according to the log characteristic information;
and generating a log behavior event according to the target login behavior information.
A2, the method of A1, the step of extracting the characteristic of the login behavior information to obtain a plurality of login characteristic information, includes:
acquiring a behavior type corresponding to the login behavior information;
determining a corresponding preset extraction strategy according to the behavior type;
and carrying out feature extraction on the login behavior information based on the preset extraction strategy so as to obtain a plurality of login feature information.
A3, the method of A2, the step of determining a corresponding preset extraction strategy according to the behavior type, includes:
determining a behavior field corresponding to the login behavior information according to the behavior type;
and determining a corresponding preset extraction strategy according to the behavior field.
A4, the method of A3, the step of determining a corresponding preset extraction strategy according to the behavior field, includes:
generating a login behavior code according to the behavior field;
matching corresponding sample extraction strategies from a preset strategy mapping relation table according to the login behavior codes, wherein a plurality of login behavior codes and a plurality of sample extraction strategies exist in the preset strategy mapping relation table;
and taking the sample extraction strategy as a preset extraction strategy corresponding to the login behavior information.
A5, the method of A2, the step of extracting the characteristics of the login behavior information based on the preset extraction policy to obtain a plurality of login characteristic information, includes:
performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of login feature information to be determined;
determining the feature quantity corresponding to a plurality of login feature information to be determined;
judging whether the feature quantity is larger than or equal to a preset feature threshold value;
and when the feature quantity is larger than or equal to the preset feature threshold value, taking a plurality of login feature information to be determined as a plurality of login feature information corresponding to the login behavior information.
A6, the method of any one of A1-A5, before the step of generating the log behavior event according to the target login behavior information, further comprises:
determining the storage amount corresponding to the target login behavior information;
judging whether the storage quantity meets a preset storage condition or not;
and executing the step of generating a log behavior event according to the target login behavior information when the storage amount meets the preset storage condition.
A7, after the step of determining whether the storage amount meets the preset storage condition, the method of A6 further includes:
when the storage quantity does not meet the preset storage condition, determining missing login information according to the target login behavior information;
acquiring login time information corresponding to the missing login information;
acquiring to-be-processed login behavior information corresponding to the missing login information according to the login time information;
determining login behavior information to be confirmed according to the target login behavior information and the login behavior information to be processed;
and obtaining the behavior type corresponding to the login behavior information to be confirmed.
A8, the method of any one of A1-A5, the step of generating a log behavior event according to the target login behavior information, comprises the following steps:
splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced;
determining a preset splicing strategy according to the login behavior information to be spliced;
and combining the login behavior information to be spliced based on the preset splicing strategy to obtain log behavior events.
A9, the method of A8, before the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced, further comprises:
obtaining login format information corresponding to the target login behavior information;
judging whether the login format information meets a preset format condition or not;
and executing the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced when the login format information meets the preset format condition.
A10, the method of A9, the step of determining a preset splicing strategy according to the plurality of pieces of login behavior information to be spliced, includes:
respectively determining the behavior grade corresponding to each piece of login behavior information to be spliced;
sorting the login behavior information to be spliced according to the behavior grade to obtain a corresponding login sorting result;
and determining a preset splicing strategy according to the login sequencing result.
A11, the method of A10, the step of determining a preset splicing strategy according to the login sequencing result, includes:
determining first login behavior information and second login behavior information from a plurality of pieces of login behavior information to be spliced according to the login sequencing result;
determining a distance score between the first login behavior information and the second login behavior information;
and determining a preset splicing strategy according to the distance score.
The invention also discloses B12, a log behavior event generating device, wherein the log behavior event generating device comprises:
the acquisition module is used for acquiring login behavior information according to the system login operation instruction when the system login operation instruction is detected;
the extraction module is used for extracting the characteristics of the login behavior information so as to obtain a plurality of login characteristic information;
the determining module is used for determining log characteristic information from a plurality of login characteristic information according to a preset audit strategy;
the extraction module is further used for extracting target login behavior information from the login behavior information according to the log characteristic information;
and the generation module is used for generating log behavior events according to the target login behavior information.
B13, the device as described in B12, the extraction module is further configured to obtain a behavior type corresponding to the login behavior information;
the extraction module is further used for determining a corresponding preset extraction strategy according to the behavior type;
the extraction module is further configured to perform feature extraction on the login behavior information based on the preset extraction policy, so as to obtain a plurality of login feature information.
B14, the device of B13, the extraction module is further configured to determine a behavior field corresponding to the login behavior information according to the behavior type;
the extraction module is further configured to determine a corresponding preset extraction policy according to the behavior field.
B15, the device of B14, the extraction module is further configured to generate a login behavior code according to the behavior field;
the extraction module is further configured to match corresponding sample extraction policies from a preset policy mapping relationship table according to the login behavior codes, where a plurality of login behavior codes and a plurality of sample extraction policies exist in the preset policy mapping relationship table;
the extraction module is further configured to use the sample extraction policy as a preset extraction policy corresponding to the login behavior information.
B16, the device of B13, the extraction module is further configured to perform feature extraction on the login behavior information based on the preset extraction policy, to obtain a plurality of login feature information to be determined;
the extraction module is further used for determining the feature quantity corresponding to the login feature information to be determined;
the extraction module is further used for judging whether the feature quantity is larger than or equal to a preset feature threshold value;
the extraction module is further configured to use the login feature information to be determined as a plurality of login feature information corresponding to the login behavior information when the feature quantity is greater than or equal to the preset feature threshold.
B17, the device as set forth in any one of B12-B16, the generating module is further configured to split the target login behavior information to obtain a plurality of login behavior information to be spliced;
the generation module is further used for determining a preset splicing strategy according to the login behavior information to be spliced;
the generating module is further configured to combine the login behavior information to be spliced based on the preset splicing policy, so as to obtain a log behavior event.
B18, the device of B17, the generating module is further configured to obtain login format information corresponding to the target login behavior information;
the generating module is further configured to determine whether the login format information meets a preset format condition;
the generating module is further configured to execute the operation of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced when the login format information meets the preset format condition.
The invention also discloses C19, a log behavior event generating device, which comprises: a memory, a processor and a log behavior event generation program stored on the memory and executable on the processor, the log behavior event generation program being configured with steps to implement the log behavior event generation method as described above.
The invention also discloses D20, a storage medium, wherein the storage medium stores a log behavior event generation program, and the log behavior event generation program realizes the steps of the log behavior event generation method when being executed by a processor.

Claims (10)

1. A log behavioral event generation method, characterized in that the log behavioral event generation method comprises the steps of:
when a system login operation instruction is detected, acquiring login behavior information according to the system login operation instruction;
extracting features of the login behavior information to obtain a plurality of login feature information;
determining log characteristic information from a plurality of login characteristic information according to a preset audit strategy;
extracting target login behavior information from the login behavior information according to the log characteristic information;
and generating a log behavior event according to the target login behavior information.
2. The method of claim 1, wherein the step of performing feature extraction on the login behavior information to obtain a plurality of login feature information comprises:
acquiring a behavior type corresponding to the login behavior information;
determining a corresponding preset extraction strategy according to the behavior type;
and carrying out feature extraction on the login behavior information based on the preset extraction strategy so as to obtain a plurality of login feature information.
3. The method of claim 2, wherein the step of determining the corresponding preset extraction policy based on the behavior type comprises:
determining a behavior field corresponding to the login behavior information according to the behavior type;
and determining a corresponding preset extraction strategy according to the behavior field.
4. The method of claim 3, wherein the step of determining the corresponding preset extraction policy from the behavior field comprises:
generating a login behavior code according to the behavior field;
matching corresponding sample extraction strategies from a preset strategy mapping relation table according to the login behavior codes, wherein a plurality of login behavior codes and a plurality of sample extraction strategies exist in the preset strategy mapping relation table;
and taking the sample extraction strategy as a preset extraction strategy corresponding to the login behavior information.
5. The method of claim 2, wherein the step of extracting features of the login behavior information based on the preset extraction policy to obtain a plurality of login feature information comprises:
performing feature extraction on the login behavior information based on the preset extraction strategy to obtain a plurality of login feature information to be determined;
determining the feature quantity corresponding to a plurality of login feature information to be determined;
judging whether the feature quantity is larger than or equal to a preset feature threshold value;
and when the feature quantity is larger than or equal to the preset feature threshold value, taking a plurality of login feature information to be determined as a plurality of login feature information corresponding to the login behavior information.
6. The method of any one of claims 1-5, wherein the step of generating a log behavior event from the target login behavior information comprises:
splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced;
determining a preset splicing strategy according to the login behavior information to be spliced;
and combining the login behavior information to be spliced based on the preset splicing strategy to obtain log behavior events.
7. The method of claim 6, wherein before the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced, the method further comprises:
obtaining login format information corresponding to the target login behavior information;
judging whether the login format information meets a preset format condition or not;
and executing the step of splitting the target login behavior information to obtain a plurality of pieces of login behavior information to be spliced when the login format information meets the preset format condition.
8. A log behavioral event generation device, characterized in that the log behavioral event generation device includes:
the acquisition module is used for acquiring login behavior information according to the system login operation instruction when the system login operation instruction is detected;
the extraction module is used for extracting the characteristics of the login behavior information so as to obtain a plurality of login characteristic information;
the determining module is used for determining log characteristic information from a plurality of login characteristic information according to a preset audit strategy;
the extraction module is further used for extracting target login behavior information from the login behavior information according to the log characteristic information;
and the generation module is used for generating log behavior events according to the target login behavior information.
9. A log behavioral event generation device, characterized in that the log behavioral event generation device comprises: a memory, a processor, and a log behavior event generation program stored on the memory and executable on the processor, the log behavior event generation program being configured with steps to implement the log behavior event generation method of any one of claims 1 to 7.
10. A storage medium having stored thereon a log behavior event generation program which, when executed by a processor, implements the steps of the log behavior event generation method of any one of claims 1 to 7.
CN202111618228.3A 2021-12-27 2021-12-27 Log behavior event generation method, device, equipment and storage medium Pending CN116414664A (en)


Publications (1)

Publication Number Publication Date
CN116414664A true CN116414664A (en) 2023-07-11

Family

ID=87056414



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination