CN117614750A - Network security log query method and system - Google Patents


Info

Publication number: CN117614750A
Authority: CN (China)
Prior art keywords: log, network security, query, security log, storage
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202410096465.5A
Other languages: Chinese (zh)
Other versions: CN117614750B (en)
Inventor: 朱诗翔
Current assignee: Beijing Act Technology Development Co ltd
Original assignee: Beijing Act Technology Development Co ltd

Events:
Application filed by Beijing Act Technology Development Co ltd
Priority to CN202410096465.5A
Publication of CN117614750A
Application granted
Publication of CN117614750B
Legal status: Active

Classifications (CPC)

    • H04L63/126 Applying verification of the received information: the source of the received data
    • G06F16/319 Information retrieval; Database structures therefor; File system structures therefor: indexing structures, inverted lists
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/1425 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic: traffic logging, e.g. anomaly detection
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures
    • H04L9/40 Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Abstract

The invention belongs to the technical field of log query and discloses a network security log query method and system. The method comprises the following steps: constructing a blockchain network based on a cloud data center; collecting a network security log at an enterprise terminal acting as the log storer; reaching consensus on the log storage request in the blockchain network at the cloud data center; storing the decrypted network security log on-chain in the blockchain network; collecting query data at an enterprise terminal acting as the log querier; reaching consensus on the log query request in the blockchain network at the cloud data center; searching and matching according to the decrypted query data in the blockchain network; and obtaining and visualizing the decrypted target network security log at the enterprise terminal acting as the log querier. The invention solves the problems of low data security, low reliability, high labor cost, high workload, low query accuracy and poor effect in the prior art.

Description

Network security log query method and system
Technical Field
The invention belongs to the technical field of log query, and particularly relates to a network security log query method and system.
Background
With the continuing development of network technology, the role of network applications in maintaining and guaranteeing network security is becoming more and more prominent, and the rapid growth of network data at the current stage places higher demands on network security protection work. On an enterprise server, in order to ensure the security of enterprise data, various defense means such as a firewall or a security defense program are typically deployed to intercept and protect against network attacks, and these generate corresponding network security logs. The network security log is important for tracing, studying and recording network attacks, so a network security log storage and query platform needs to be constructed to manage and analyze network security logs in a unified way.
The existing network security log storage and query platform mainly stores logs in a local database on the enterprise terminal, so the data security and reliability of the network security log are low, and logs are easily lost or damaged when the local hard disk fails; the network security logs are queried by manual searching and matching, so labor cost and workload are high, query accuracy is low and the effect is poor.
Disclosure of Invention
The invention aims to solve the problems of low data security, low reliability, high labor cost, high workload, low query accuracy and poor effect in the prior art, and provides a network security log query method and a network security log query system.
The technical scheme adopted by the invention is as follows:
A network security log query method comprises the following steps:
based on a cloud data center, constructing a legal user database and a blockchain network, calling a trusted authority, performing entity registration and key initialization for all enterprise terminals connected to the cloud data center to obtain the registration information and public/private key pair of each enterprise terminal, returning the registration information and the private key of the key pair to the corresponding enterprise terminal, and publishing the public key of the key pair to the blockchain network;
based on an enterprise terminal acting as the log storer, calling the legal user database to perform login verification of the storing user, collecting the network security log after login verification passes, generating a log storage request, encrypting and signing the network security log according to the corresponding private key and registration information to obtain an encrypted network security log and first signature data, and uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center;
based on the cloud data center, reaching consensus on the log storage request in the blockchain network, calling the trusted authority after consensus succeeds to perform signature verification on the first signature data, and after signature verification passes, decrypting the encrypted network security log according to the corresponding public key to obtain the decrypted network security log;
based on the blockchain network, constructing an inverted index of the decrypted network security log, storing the decrypted network security log on-chain in the blockchain network, and adding the storage address and the corresponding inverted index to a preset inverted index table;
based on an enterprise terminal acting as the log querier, calling the legal user database to perform login verification of the querying user, collecting query data after login verification passes, generating a log query request, encrypting and signing the query data according to the corresponding private key and registration information to obtain encrypted query data and second signature data, and uploading the log query request, the encrypted query data and the second signature data to the cloud data center;
based on the cloud data center, reaching consensus on the log query request in the blockchain network, calling the trusted authority after consensus succeeds to perform signature verification on the second signature data, and after signature verification passes, decrypting the encrypted query data according to the public key of the log querier to obtain the decrypted query data;
based on the blockchain network, searching and matching the decrypted query data in the inverted index table, extracting the corresponding target network security log according to the target storage address of the successfully matched target inverted index, generating a query return request, reaching consensus on the query return request, and after consensus succeeds, encrypting the target network security log with the public key of the log querier to obtain the encrypted target network security log and returning it to the corresponding enterprise terminal;
and based on the enterprise terminal acting as the log querier, decrypting the encrypted target network security log with its private key to obtain and visualize the decrypted target network security log.
Further, the network security log includes core information and monitoring information.
Further, the core information includes network security monitoring records, network attack records, network defense execution records, network defense upgrade records and malicious attacker registration information.
Further, the monitoring information includes the network attack capture time, the malicious attack source IP, the malicious attack source port, the enterprise terminal source IP, the enterprise terminal source port, the city where the malicious attack is located and the city where the enterprise terminal is located.
Further, the step of constructing the legal user database and the blockchain network based on the cloud data center, calling the trusted authority, performing entity registration and key initialization for all enterprise terminals connected to the cloud data center to obtain the registration information and public/private key pair of each enterprise terminal, returning the registration information and private key to the corresponding enterprise terminal, and publishing the public key to the blockchain network comprises the following steps:
based on the cloud data center, collecting user data of legal users, setting the query permission and allowed query space of each legal user, and constructing the legal user database from the user data, query permission and allowed query space of all legal users;
connecting a plurality of data servers preset by the cloud data center in a distributed manner as data nodes, setting smart contracts and the inverted index table, and constructing the blockchain network;
collecting the terminal attribute information and terminal entity ID of all enterprise terminals connected to the cloud data center, and sending the terminal attribute information and terminal entity ID to the trusted authority;
based on the trusted authority, performing key initialization according to the terminal attribute information and terminal entity ID to obtain the public/private key pair of each enterprise terminal;
performing entity registration according to the terminal entity ID and the corresponding public/private key pair to obtain the registration information of each enterprise terminal;
and returning the registration information and the private key of the key pair to the corresponding enterprise terminal, and publishing the public key of the key pair to the blockchain network.
Further, the step of calling the legal user database based on the enterprise terminal acting as the log storer to perform login verification of the storing user, collecting the network security log after login verification passes, generating a log storage request, encrypting and signing the network security log according to the registration information and private key to obtain the encrypted network security log and first signature data, and uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center comprises the following steps:
if an enterprise terminal receives a log storage instruction, that enterprise terminal acts as the log storer;
based on the enterprise terminal acting as the log storer, collecting the user data of the storing user and sending it to the cloud data center;
based on the cloud data center, calling the legal user database through a smart contract, searching and matching the storing user's data against the legal user database, and, if matching legal user data exists, returning a login-verification-passed instruction to the enterprise terminal acting as the log storer;
if the enterprise terminal acting as the log storer receives the login-verification-passed instruction, login verification passes; the network security log stored locally on that enterprise terminal is collected and a log storage request is generated;
encrypting the network security log with an asymmetric encryption algorithm according to the private key of the enterprise terminal acting as the log storer to obtain the encrypted network security log;
signing the encrypted network security log according to the registration information of the enterprise terminal acting as the log storer to obtain the first signature data for the encrypted network security log;
and uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center.
Further, the step of reaching consensus on the log storage request in the blockchain network based on the cloud data center, calling the trusted authority after consensus succeeds to verify the first signature data, decrypting the encrypted network security log with the public key of the log storer after signature verification passes to obtain the decrypted network security log, constructing the inverted index of the decrypted network security log, storing the decrypted network security log on-chain in the blockchain network, and adding the storage address and corresponding inverted index to the preset inverted index table comprises the following steps:
based on the cloud data center, reaching consensus on the log storage request in the blockchain network;
after consensus succeeds, sending the first signature data to the trusted authority, which verifies the first signature data according to the registration information of the enterprise terminal acting as the log storer;
after signature verification passes, decrypting the encrypted network security log according to the public key of the enterprise terminal acting as the log storer to obtain the decrypted network security log;
extracting a plurality of first keywords from the core information of the decrypted network security log using the TF-IDF-CI algorithm, and extracting first subject words from the plurality of first keywords using the BTM algorithm;
constructing the inverted index of the decrypted network security log from the first keywords and the first subject words;
converting the decrypted network security log into a block using the blockchain network, storing the block on-chain, extracting the corresponding storage address and storage time, and setting the access permission of the block;
and calling a smart contract to add the access permission, storage time, storage address and corresponding inverted index to the preset inverted index table.
Further, the step of reaching consensus on the log storage request in the blockchain network based on the cloud data center comprises the following steps:
clustering the plurality of data nodes of the blockchain network using the DIANA algorithm to obtain a plurality of clusters;
selecting the master node of each cluster according to a credibility reward-and-punishment mechanism to obtain a plurality of master nodes;
based on the first master node, performing a correctness check on the received log storage request;
if the correctness check passes, generating a pre-prepare message, broadcasting the pre-prepare message to all first data nodes of the cluster corresponding to the first master node, and performing a first PBFT consensus;
if the first PBFT consensus succeeds, broadcasting the pre-prepare message to all other (second) master nodes; otherwise, returning a consensus failure instruction to the cloud data center;
if a second master node receives the pre-prepare message, broadcasting its digital signature to the other second master nodes, collecting the digital signatures from the other second master nodes, and performing a second PBFT consensus;
if the second PBFT consensus succeeds, all second master nodes generate packaging information from all collected digital signatures and broadcast the packaging information to the first master node;
and based on the first master node, counting the digital signatures in the packaging information; if the first master node has received the digital signatures of all other second master nodes, returning a consensus success instruction to the cloud data center, otherwise returning a consensus failure instruction to the cloud data center.
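The following simulation of the two-level consensus sequence above is an added example and not the patent's or the applicant's code. It assumes a fixed three-cluster layout in place of DIANA clustering, a static reputation score in place of the credibility reward-and-punishment mechanism, and HMAC-SHA256 tags over the request digest in place of the nodes' digital signatures (so the counting node recomputes the tag instead of verifying a public-key signature against the key published on-chain).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Node:
    node_id: str
    secret: bytes        # constructed per-node key standing in for a signing key
    reputation: int      # static stand-in for the credibility reward/punishment score
    honest: bool = True  # a faulty node neither accepts nor signs

    def sign(self, digest):
        # Stand-in for the node's digital signature (assumption: HMAC tag).
        return hmac.new(self.secret, digest, hashlib.sha256).hexdigest()


def request_digest(request):
    return hashlib.sha256(json.dumps(request, sort_keys=True).encode()).digest()


def correctness_check(request):
    """The first master's correctness check: the request must be a well-formed
    log storage request naming its sender and the hash of the encrypted log."""
    return (request.get("type") == "log_storage"
            and bool(request.get("sender")) and bool(request.get("log_hash")))


def pbft_quorum(votes, n):
    """PBFT tolerates f = (n-1)//3 faulty nodes and needs 2f+1 agreeing votes."""
    return votes >= 2 * ((n - 1) // 3) + 1


def select_masters(clusters):
    """One master per cluster: the node with the highest reputation."""
    return [max(cluster, key=lambda nd: nd.reputation) for cluster in clusters]


def run_consensus(clusters, request):
    """Returns 'consensus success' or 'consensus failure', following the step
    order of the method: correctness check, first PBFT inside the first
    master's cluster, second PBFT among the other masters, signature count."""
    masters = select_masters(clusters)
    first_master, first_cluster = masters[0], clusters[0]  # cluster 0 received the request
    if not first_master.honest or not correctness_check(request):
        return "consensus failure"
    digest = request_digest(request)
    # First PBFT: pre-prepare broadcast to the first master's own data nodes.
    accepts = sum(1 for nd in first_cluster if nd.honest)
    if not pbft_quorum(accepts, len(first_cluster)):
        return "consensus failure"
    # Second PBFT: each honest second master signs and exchanges its signature.
    second_masters = masters[1:]
    collected = {m.node_id: m.sign(digest) for m in second_masters if m.honest}
    if not pbft_quorum(len(collected), len(second_masters)):
        return "consensus failure"
    # Packaging information reaches the first master, which checks every tag
    # and requires one from each of the other master nodes.
    for m in second_masters:
        tag = collected.get(m.node_id)
        if tag is None or not hmac.compare_digest(tag, m.sign(digest)):
            return "consensus failure"
    return "consensus success"


def demo_clusters(faulty=()):
    """Constructed fixture: three clusters of four nodes; node 'nX0' has the
    highest reputation in cluster X and therefore becomes its master."""
    clusters = []
    for c in range(3):
        clusters.append([Node(f"n{c}{i}", f"secret-n{c}{i}".encode(), 10 - i,
                              f"n{c}{i}" not in faulty) for i in range(4)])
    return clusters


SAMPLE_REQUEST = {  # constructed log storage request
    "type": "log_storage",
    "sender": "terminal-A",
    "log_hash": hashlib.sha256(b"constructed encrypted log").hexdigest(),
}
```

The last step accepts only when every other master's signature has arrived, so one silent master node fails the whole round even though the first PBFT tolerated a faulty data node.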
Further, the step of searching and matching the decrypted query data in the inverted index table based on the blockchain network, extracting the corresponding target network security log according to the target storage address of the successfully matched target inverted index, generating a query return request, reaching consensus on the query return request, encrypting the target network security log with the public key of the log querier after consensus succeeds to obtain the encrypted target network security log, and returning it to the corresponding enterprise terminal comprises the following steps:
based on the blockchain network, calling a smart contract to extract the query permission and allowed query space of the querying user, and the query time and query address of the decrypted query data;
if the query address falls outside the allowed query space of the querying user, returning a query failure instruction to the enterprise terminal acting as the log querier;
extracting a plurality of second keywords from the decrypted query data using the TF-IDF-CI algorithm, and extracting second subject words from the plurality of second keywords using the BTM algorithm;
screening the inverted index table by the second subject words to obtain a plurality of first candidate inverted indexes;
searching and matching the query time against the storage times of the plurality of first candidate inverted indexes to obtain a plurality of second candidate inverted indexes;
searching and matching the second keywords among the second candidate inverted indexes to obtain the successfully matched target inverted index together with its access permission, storage time and storage address;
if the access permission of the target inverted index is higher than the query permission of the querying user, returning a query failure instruction to the enterprise terminal acting as the log querier; otherwise, returning the target storage address corresponding to the successfully matched target inverted index to the enterprise terminal acting as the log querier;
extracting the corresponding target block according to the target storage address, converting the target block into the target network security log, generating a query return request, and reaching consensus on the query return request in the blockchain network;
and after consensus succeeds, encrypting the target network security log with the public key of the log querier to obtain the encrypted target network security log.
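To make the on-chain storage steps and the three-stage query matching concrete, here is an added Python model that is not part of the patent and not the applicant's code. It assumes: TF-IDF-CI and BTM are replaced by simple term-frequency keywords and a caller-supplied topic label; the allowed query space is modelled as the set of topics a user may query; and the blockchain is a hash-linked block list whose block hash serves as the storage address.

```python
import hashlib
import json
import re
from collections import Counter
from dataclasses import dataclass

# Minimal stop-word list for the constructed sample logs (assumption).
STOPWORDS = {"the", "a", "an", "from", "to", "on", "of", "by", "and", "at", "in", "was"}


def extract_keywords(text, k=10):
    """Stand-in for TF-IDF-CI keyword extraction: the k most frequent
    non-stop-word terms of the text (assumption, not the patent's algorithm)."""
    terms = [t for t in re.findall(r"[a-z0-9.]+", text.lower()) if t not in STOPWORDS]
    return {t for t, _ in Counter(terms).most_common(k)}


@dataclass
class Block:
    height: int
    prev_hash: str
    timestamp: int
    payload: str
    hash: str = ""


def block_hash(b):
    body = json.dumps([b.height, b.prev_hash, b.timestamp, b.payload])
    return hashlib.sha256(body.encode()).hexdigest()


class Chain:
    """Hash-linked block list; a block's hash doubles as its storage address."""

    def __init__(self):
        self.blocks = []

    def append(self, payload, timestamp):
        prev = self.blocks[-1].hash if self.blocks else "0" * 64
        b = Block(len(self.blocks), prev, timestamp, payload)
        b.hash = block_hash(b)
        self.blocks.append(b)
        return b.hash

    def get(self, address):
        return next((b for b in self.blocks if b.hash == address), None)

    def verify(self):
        # Every block must reference its predecessor and still hash to its address.
        prev = "0" * 64
        for b in self.blocks:
            if b.prev_hash != prev or block_hash(b) != b.hash:
                return False
            prev = b.hash
        return True


@dataclass
class IndexEntry:
    access_level: int   # access permission set on the block
    storage_time: int
    address: str
    topic: str          # stand-in for the BTM subject word
    keywords: set


class LogStore:
    def __init__(self):
        self.chain = Chain()
        self.index_table = []   # the preset inverted index table

    def store(self, log_text, topic, access_level, timestamp):
        # Build the inverted index, write the block on-chain, record the entry.
        address = self.chain.append(log_text, timestamp)
        self.index_table.append(IndexEntry(access_level, timestamp, address,
                                           topic, extract_keywords(log_text)))
        return address

    def query(self, user, query_text, topic, time_range):
        """user = {"level": query permission, "space": topics the user may query}.
        Returns ("ok", log_text) or ("fail", reason)."""
        if topic not in user["space"]:
            return ("fail", "query address outside allowed query space")
        qk = extract_keywords(query_text)
        first = [e for e in self.index_table if e.topic == topic]       # subject-word screen
        t0, t1 = time_range
        second = [e for e in first if t0 <= e.storage_time <= t1]       # storage-time screen
        scored = [(len(qk & e.keywords), e) for e in second if qk & e.keywords]
        if not scored:
            return ("fail", "no matching inverted index")
        target = max(scored, key=lambda s: s[0])[1]                     # keyword match
        if target.access_level > user["level"]:
            return ("fail", "access permission higher than query permission")
        return ("ok", self.chain.get(target.address).payload)


def build_demo_store():
    """Constructed sample logs (not real data)."""
    s = LogStore()
    s.store("firewall blocked tcp syn flood from 203.0.113.7 port 4444 to 10.0.0.5 port 443",
            "attack", access_level=1, timestamp=100)
    s.store("ids signature update applied, defense upgrade to version 2.3",
            "defense", access_level=2, timestamp=200)
    s.store("firewall blocked port scan from 198.51.100.9 port 5555 to 10.0.0.8 port 22",
            "attack", access_level=3, timestamp=300)
    return s
```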
A network security log query system comprises a cloud data center, a trusted authority and a plurality of enterprise terminals, wherein the cloud data center is provided with the legal user database and the blockchain network, the cloud data center is in communication connection with the trusted authority and with each enterprise terminal, the trusted authority is in communication connection with each enterprise terminal, and the enterprise terminals comprise enterprise terminals acting as log storers and enterprise terminals acting as log queriers;
the cloud data center is used for constructing the legal user database and the blockchain network and calling the trusted authority; for reaching consensus on the log storage request in the blockchain network, calling the trusted authority after consensus succeeds to verify the first signature data, and after signature verification passes, decrypting the encrypted network security log according to the corresponding public key to obtain the decrypted network security log; and for reaching consensus on the log query request in the blockchain network, calling the trusted authority after consensus succeeds to verify the second signature data, and after signature verification passes, decrypting the encrypted query data according to the public key of the log querier to obtain the decrypted query data;
the blockchain network is used for constructing the inverted index of the decrypted network security log, storing the decrypted network security log on-chain in the blockchain network, and adding the storage address and corresponding inverted index to the preset inverted index table; and for searching and matching the decrypted query data in the inverted index table, extracting the corresponding target network security log according to the target storage address of the successfully matched target inverted index, generating a query return request, reaching consensus on the query return request, encrypting the target network security log with the public key of the log querier after consensus succeeds to obtain the encrypted target network security log, and returning it to the corresponding enterprise terminal;
the trusted authority is used for performing entity registration and key initialization for all enterprise terminals connected to the cloud data center to obtain the registration information and public/private key pair of each enterprise terminal, returning the registration information and private key to the corresponding enterprise terminal, and publishing the public key to the blockchain network; and for performing signature verification on the first and second signature data;
an enterprise terminal acting as the log storer is used for calling the legal user database to perform login verification of the storing user, collecting the network security log after login verification passes, generating a log storage request, encrypting and signing the network security log according to the corresponding private key and registration information to obtain the encrypted network security log and first signature data, and uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center;
an enterprise terminal acting as the log querier is used for calling the legal user database to perform login verification of the querying user, collecting query data after login verification passes, generating a log query request, encrypting and signing the query data according to the corresponding private key and registration information to obtain the encrypted query data and second signature data, and uploading the log query request, the encrypted query data and the second signature data to the cloud data center; and for decrypting the encrypted target network security log with its private key to obtain and visualize the decrypted target network security log.
The beneficial effects of the invention are as follows:
the invention discloses a network security log query method and system which manage network security logs in a unified way through a cloud data center, improving management efficiency and practicality; the network security logs are stored in a distributed manner based on the blockchain network, which improves storage reliability and reduces the hardware investment of the enterprise terminal; data communication and transmission during the log query process are protected with an asymmetric encryption algorithm and digital identity technology, improving the data security of the network security log; the inverted index table serves as the retrieval basis for queries, improving retrieval efficiency and query accuracy in the blockchain network, avoiding manual searching and matching, and reducing labor cost and workload; and log storage and log query are endorsed and agreed by consensus on the blockchain network, so that every storage and query operation can be tracked, improving the traceability of network security log storage and query.
Other advantageous effects of the present invention will be further described in the detailed description.
Drawings
FIG. 1 is a flow chart of a network security log query method in the present invention.
FIG. 2 is a block diagram of the network security log query system according to the present invention.
Detailed Description
The invention is further illustrated by the following description of specific embodiments in conjunction with the accompanying drawings.
Example 1:
As shown in FIG. 1, this embodiment provides a network security log query method comprising the following steps:
S1: based on the cloud data center, constructing the legal user database and the blockchain network, calling the trusted authority, performing entity registration and key initialization for all enterprise terminals connected to the cloud data center to obtain the registration information and public/private key pair of each enterprise terminal, returning the registration information and private key to the corresponding enterprise terminal, and publishing the public key to the blockchain network, which comprises the following steps:
S1-1: based on the cloud data center, collecting user data of legal users, setting the query permission and allowed query space of each legal user, and constructing the legal user database from the user data, query permission and allowed query space of all legal users;
the legal user database stores the basic information and corresponding permissions of all legal users and partitions the permissions of legal users, so that hierarchical management of network security log queries is achieved, the security and reliability of the query are improved, leakage of network security logs is avoided and the security of the logs is improved;
S1-2: connecting a plurality of data servers preset by the cloud data center in a distributed manner as data nodes, setting smart contracts and the inverted index table, and constructing the blockchain network;
the inverted index table is also commonly called an inverted index, a postings file or an inverted file, and stores the mapping from a word to its storage position in a document or a set of documents for full-text search; in this embodiment, the inverted index table stores the access permission, storage time, storage address and corresponding inverted index of each network security log, which improves the efficiency and accuracy of network security log queries and avoids query confusion;
s1-3: collecting terminal attribute information of all enterprise terminals connected to cloud data centerAnd terminal entity IDTransmitting the terminal attribute information and the terminal entity ID to a trusted institution;
s1-4: based on the trusted mechanism, according to the terminal attribute informationAnd terminal entity ID->Initializing a key to obtain a public and private key pair of each enterprise terminal, wherein the formula is as follows:
in the method, in the process of the invention,public parameters generated for initialization; />Are all circulation groups; />Is->Is a generator of (1); />Is a bilinear map; />Are all generation element parameters; />Are one-way mapping hash functions; / >Generating a meta-random number; />Is a random number; />A master key generated for initialization; />To generate meta-coefficients; />Is prime order; />Is a prime field base point;
in the method, in the process of the invention,are all generation element parameters; />Generating a meta-random number; />Is an encryption parameter;
in the method, in the process of the invention,for enterprise terminal->A private key in the corresponding public-private key pair; />For enterprise terminal->Terminal entity ID of (c); />For enterprise terminal->Terminal attribute information of (a); />For enterprise terminal->A public key of the corresponding public-private key pair; />Is a public key random number; />Indicating the quantity for the enterprise terminal;
s1-5: according to the terminal entity ID and the corresponding public and private key pair, entity registration is carried out to obtain registration information of each enterprise terminal, and the formula is as follows:
in the method, in the process of the invention,is a random number; />For data node->Is a registered information of (a); />For data node->Is a registered parameter of (a); />For data node->Is registered with (a)ID;/>For data node->Terminal entity ID of (c); />Is prime order; />Is a prime field base point; />Is a one-way mapped hash function; />For data node->Is a private key of (a);
s1-6: returning the registration information and the private key in the public-private key pair to the corresponding enterprise terminal, and publishing the public key in the public-private key pair to the blockchain network;
s2: based on an enterprise terminal serving as a log storage person, invoking a legal user database, carrying out login verification on a storage user, collecting a network security log after the login verification is passed, generating a log storage request, encrypting and signing the network security log according to a corresponding private key and registration information to obtain an encrypted network security log and first signature data, and uploading the log storage request, the encrypted network security log and the first signature data to a cloud data center;
the network security log comprises core information and monitoring information;
the core information comprises network security monitoring record information, network attack record information, network defense execution record information, network defense upgrade record information and malicious attacker registration information;
the monitoring information comprises the network attack capture time, malicious attack source IP, malicious attack source port, enterprise terminal source IP, enterprise terminal source port, city of the malicious attack and city of the enterprise terminal;
step S2 includes the following sub-steps:
S2-1: if an enterprise terminal receives a log storage instruction, that enterprise terminal serves as the log storer;
S2-2: based on the enterprise terminal serving as the log storer, collecting the storage user data of the storage user and sending the storage user data to the cloud data center;
S2-3: based on the cloud data center, calling the legal user database via a smart contract, searching and matching the storage user data against the legal user database, and returning a login-verification-passed instruction to the enterprise terminal serving as the log storer if matching legal user data exists;
S2-4: if the enterprise terminal serving as the log storer receives the login-verification-passed instruction, the login verification passes; the network security log stored locally on the enterprise terminal serving as the log storer is collected and a log storage request is generated;
S2-5: according to the private key of the enterprise terminal serving as the log storer, encrypting the network security log with an asymmetric encryption algorithm to obtain the encrypted network security log, wherein the formula is as follows:
where: the encrypted network security log of the enterprise terminal; the asymmetric encryption function; the network security log of the enterprise terminal; the enterprise terminal index; the private key of the destination enterprise terminal;
S2-6: signing the encrypted network security log according to the registration information of the enterprise terminal serving as the log storer to obtain the first signature data of the encrypted network security log, wherein the formula is as follows:
where: the first signature data of the encrypted network security log of the enterprise terminal; the signature parameters; a random number; the prime order; the prime-field base point; the one-way hash function; the registration information of the enterprise terminal; the registration parameter of the enterprise terminal; the registration ID of the enterprise terminal; the terminal entity ID of the enterprise terminal; the encrypted network security log of the enterprise terminal;
S2-7: uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center;
S3: based on a cloud data center, a log storage request is subjected to consensus in a blockchain network, after the consensus is successful, a trusted authority is called to perform signature verification on first signature data, after the signature verification is passed, the encrypted network security log is decrypted according to a corresponding public key to obtain a decrypted network security log, and the method comprises the following steps:
s3-1: based on the cloud data center, the log storage request is commonly recognized in the blockchain network, and the method comprises the following steps of:
s3-1-1: clustering a plurality of data nodes of a blockchain network using a classification clustering (DIANA, divisive Analysis) algorithm to obtain a plurality of clusters, comprising the steps of:
s3-1-1-1: based on a DIANA algorithm, acquiring Euclidean distance of any two nodes in the cluster, taking the Euclidean distance as the dissimilarity of the two data nodes, and traversing the cluster to obtain the dissimilarity of the cluster;
the formula of the dissimilarity is:
s3-1-1-2: in the method, in the process of the invention,for data node->And->Euclidean distance, i.e. dissimilarity; />Data nodes->And->Is the first of (2)jDimensional coordinate parameters;ikAll are node indication quantities;jis a dimension indicating quantity;
s3-1-1-3: dividing the cluster with the largest dissimilarity into a plurality of sub-clusters, and acquiring the dissimilarity between each sub-cluster and other clusters;
S3-1-1-4: repeating cluster division according to the dissimilarity between clusters to obtain a plurality of clusters with a preset quantity threshold or a preset dissimilarity threshold;
S3-1-2: selecting the master node of each cluster according to a reputation reward and punishment mechanism to obtain a plurality of master nodes, wherein the formulas are as follows:
the reputation reward and punishment mechanism comprises a reward mechanism and a punishment mechanism;
the formula of the reward mechanism is:
where: the reputation value, at the current moment under the reward mechanism, of the data node in the cluster; the reputation value of that data node at the previous moment; the reward value, a fixed amount awarded to a consensus node that acts as a trusted node; the cluster index; the data node index;
the formula of the punishment mechanism is:
where: the reputation value, at the current moment under the punishment mechanism, of the data node in the cluster; the penalty values, fixed amounts deducted from a consensus node that acts as a Byzantine node;
introducing the reputation reward and punishment mechanism selects nodes with high reputation as master nodes, which makes the blockchain safer and avoids the resource waste of random selection; the reputation of a node is graded according to its behaviour as a consensus node during the consensus process, the node state is evaluated against the defined reputation threshold intervals, and since nodes at different levels of the reward and punishment mechanism are in different states, their behaviour is evaluated and fed back accordingly;
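As an added example (not code from the patent), the following Python implements S3-1-1 and S3-1-2 on constructed node coordinates: DIANA divisive clustering by Euclidean dissimilarity, then master-node selection by reputation. Because the page does not reproduce the formulas, the cluster dissimilarity (taken as the cluster diameter), the classic splinter-group split, the reward and penalty amounts and the eligibility threshold are assumptions.

```python
import math
from typing import Dict, List, Tuple

Point = Tuple[float, ...]

# Reward/penalty amounts and the eligibility threshold are constructed assumptions.
REWARD = 1.0          # fixed amount awarded to a node that acted as a trusted consensus node
PENALTY = 3.0         # fixed amount deducted from a node that acted as a Byzantine consensus node
MIN_REPUTATION = 3.0  # nodes below this reputation interval are not eligible as master


def euclidean(a: Point, b: Point) -> float:
    """Dissimilarity of two data nodes: Euclidean distance over their coordinates (S3-1-1-1)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cluster_dissimilarity(cluster: List[str], coords: Dict[str, Point]) -> float:
    """Dissimilarity of a whole cluster, taken here as its diameter (largest pairwise distance)."""
    pairs = [(i, k) for i in cluster for k in cluster if i < k]
    return max((euclidean(coords[i], coords[k]) for i, k in pairs), default=0.0)


def split_cluster(cluster: List[str], coords: Dict[str, Point]) -> Tuple[List[str], List[str]]:
    """One DIANA split: seed a splinter group with the node farthest (on average) from the
    rest, then move over every node that is closer to the splinter than to the remainder."""

    def avg_dist(node: str, group: List[str]) -> float:
        others = [g for g in group if g != node]
        return sum(euclidean(coords[node], coords[g]) for g in others) / len(others) if others else 0.0

    remaining = sorted(cluster)
    seed = max(remaining, key=lambda n: avg_dist(n, remaining))
    splinter = [seed]
    remaining.remove(seed)
    while len(remaining) > 1:
        # gain > 0 means the node is nearer the splinter group than the nodes it would leave
        gains = {n: avg_dist(n, remaining) - avg_dist(n, splinter) for n in remaining}
        best = max(gains, key=gains.get)
        if gains[best] <= 0:
            break
        remaining.remove(best)
        splinter.append(best)
    return sorted(splinter), sorted(remaining)


def diana(nodes: List[str], coords: Dict[str, Point], max_clusters: int,
          max_dissimilarity: float = 0.0) -> List[List[str]]:
    """Divisive clustering (S3-1-1-3, S3-1-1-4): keep splitting the most dissimilar cluster
    until the preset number of clusters or the preset dissimilarity threshold is reached."""
    clusters = [sorted(nodes)]
    while len(clusters) < max_clusters:
        worst = max(clusters, key=lambda c: cluster_dissimilarity(c, coords))
        if len(worst) < 2 or cluster_dissimilarity(worst, coords) <= max_dissimilarity:
            break
        clusters.remove(worst)
        clusters.extend(split_cluster(worst, coords))
    return sorted(clusters)


def update_reputation(reputation: Dict[str, float], behaviour: Dict[str, str]) -> Dict[str, float]:
    """Reward/punishment mechanism (S3-1-2): behaviour maps node -> 'trusted' or 'byzantine'
    as observed in the last consensus round; reputation never drops below zero."""
    updated = {}
    for node, value in reputation.items():
        if behaviour.get(node, "trusted") == "byzantine":
            updated[node] = max(0.0, value - PENALTY)
        else:
            updated[node] = value + REWARD
    return updated


def select_master_nodes(clusters: List[List[str]], reputation: Dict[str, float]) -> Dict[str, str]:
    """Pick, per cluster, the eligible node with the highest reputation (ties broken by name);
    if no node of a cluster is eligible, the highest-reputation node is still chosen."""
    masters = {}
    for cluster in clusters:
        eligible = [n for n in cluster if reputation[n] >= MIN_REPUTATION] or list(cluster)
        masters[",".join(cluster)] = sorted(eligible, key=lambda n: (-reputation[n], n))[0]
    return masters


# Constructed sample: six data nodes with two coordinate dimensions (e.g. latency, load).
NODE_COORDS: Dict[str, Point] = {
    "n1": (0.0, 0.0), "n2": (1.0, 0.0), "n3": (0.0, 1.0),
    "n4": (10.0, 10.0), "n5": (11.0, 10.0), "n6": (10.0, 11.0),
}

if __name__ == "__main__":
    clusters = diana(list(NODE_COORDS), NODE_COORDS, max_clusters=2)
    rep = update_reputation({n: 5.0 for n in NODE_COORDS}, {"n2": "byzantine", "n5": "byzantine"})
    print(clusters, select_master_nodes(clusters, rep))
```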
S3-1-3: based on the first master node, performing a correctness check on the received log storage request;
S3-1-4: if the correctness check passes, generating a pre-prepare message, broadcasting the pre-prepare message to all first data nodes of the cluster corresponding to the first master node, and performing a first Practical Byzantine Fault Tolerance (PBFT) consensus;
S3-1-5: if the first PBFT consensus succeeds, broadcasting the pre-prepare message to all other (second) master nodes; otherwise, returning a consensus failure instruction to the cloud data center;
S3-1-6: if a second master node receives the pre-prepare message, broadcasting its digital signature to the other second master nodes, collecting the digital signatures from the other second master nodes, and performing a second PBFT consensus;
S3-1-7: if the second PBFT consensus succeeds, all second master nodes generate a packaging message from all collected digital signatures and broadcast the packaging message to the first master node;
S3-1-8: based on the first master node, tallying the digital signatures in the packaging message; if the first master node has received the digital signatures of all other second master nodes, returning a consensus success instruction to the cloud data center, otherwise returning a consensus failure instruction to the cloud data center;
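An added example, not the patent's code, that simulates the two-level consensus of S3-1-3 to S3-1-8 with constructed nodes. HMAC-SHA256 under a per-node secret stands in for each node's digital signature (an assumption; the real scheme would use the key pairs from S1), and the 2f+1 agreement threshold is standard PBFT, not something the page states.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DataNode:
    node_id: str
    secret: bytes        # constructed stand-in for the node's signing key
    honest: bool = True  # False simulates a Byzantine node that signs a tampered message

    def sign(self, message: bytes) -> bytes:
        # HMAC-SHA256 stands in for the digital signature; a real deployment would use the
        # node's asymmetric key pair so that verification needs no shared secret.
        return hmac.new(self.secret, message, hashlib.sha256).digest()


def verify(node: DataNode, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(node.sign(message), signature)


def check_request(request: Dict[str, str]) -> bool:
    """Correctness check by the first master node (S3-1-3): required fields must be present."""
    return all(request.get(field) for field in ("request_id", "storer", "log_digest"))


def pre_prepare_message(request: Dict[str, str]) -> bytes:
    """Canonical encoding of the pre-prepare message so every node signs identical bytes."""
    return "|".join(f"{k}={request[k]}" for k in sorted(request)).encode()


def collect_signatures(nodes: List[DataNode], message: bytes) -> Dict[str, bytes]:
    """Each node broadcasts its signature; Byzantine nodes sign a tampered copy instead."""
    return {n.node_id: n.sign(message if n.honest else message + b"|tampered") for n in nodes}


def pbft_consensus(nodes: List[DataNode], message: bytes) -> bool:
    """One PBFT agreement among `nodes`: with n = 3f + 1 nodes it tolerates f faulty ones,
    so the message is agreed when at least 2f + 1 valid signatures are collected."""
    f = (len(nodes) - 1) // 3
    signatures = collect_signatures(nodes, message)
    valid = sum(1 for n in nodes if verify(n, message, signatures[n.node_id]))
    return valid >= 2 * f + 1


def two_level_consensus(first_cluster: List[DataNode], second_masters: List[DataNode],
                        request: Dict[str, str]) -> str:
    """S3-1-3 to S3-1-8: intra-cluster PBFT, then PBFT among the other master nodes, then
    the first master requires a valid signature from every second master."""
    if not check_request(request):
        return "consensus_failure"
    message = pre_prepare_message(request)
    # S3-1-4/S3-1-5: first PBFT consensus inside the first master's cluster
    if not pbft_consensus(first_cluster, message):
        return "consensus_failure"
    # S3-1-6: second PBFT consensus among the second master nodes
    if not pbft_consensus(second_masters, message):
        return "consensus_failure"
    # S3-1-7: packaging message = all signatures the second masters collected
    packaging = collect_signatures(second_masters, message)
    # S3-1-8: the first master tallies them; as the method states, it needs the signature of
    # every second master, which is stricter than the 2f + 1 rule used inside each PBFT round
    missing = [m.node_id for m in second_masters
               if not verify(m, message, packaging.get(m.node_id, b""))]
    return "consensus_success" if not missing else "consensus_failure"


def make_nodes(prefix: str, count: int, byzantine: int = 0) -> List[DataNode]:
    """Constructed nodes; the last `byzantine` of them misbehave."""
    return [DataNode(f"{prefix}{i}", f"secret-{prefix}{i}".encode(), honest=i < count - byzantine)
            for i in range(count)]


SAMPLE_REQUEST = {"request_id": "req-0001", "storer": "terminal-A",
                  "log_digest": hashlib.sha256(b"constructed log").hexdigest()}

if __name__ == "__main__":
    print(two_level_consensus(make_nodes("c", 4, 1), make_nodes("m", 4, 0), SAMPLE_REQUEST))
    print(two_level_consensus(make_nodes("c", 4, 1), make_nodes("m", 4, 1), SAMPLE_REQUEST))
```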
S3-2: after the consensus succeeds, sending the first signature data to the trusted authority, and based on the trusted authority, performing signature verification on the first signature data according to the registration information of the enterprise terminal serving as the log storer, wherein the formula is as follows:
where: the signature verification parameter; the enterprise terminal index; the one-way hash functions; the prime-field base point; the terminal entity ID of the enterprise terminal; the registration parameter of the enterprise terminal; the signature parameters; the encrypted network security log of the enterprise terminal; the first signature data of the encrypted network security log of the enterprise terminal; the public key of the enterprise terminal;
S3-3: after the signature verification passes, decrypting the encrypted network security log according to the public key of the enterprise terminal serving as the log storer to obtain the decrypted network security log, wherein the formula is as follows:
where: the encrypted network security log of the enterprise terminal; the asymmetric decryption function; the decrypted network security log of the enterprise terminal; the public key of the enterprise terminal;
S3-4: extracting a plurality of first keywords from the core information of the decrypted network security log using the TF-IDF-CI (Term Frequency-Inverse Document Frequency-Class Information) algorithm, and extracting the first subject words of the plurality of first keywords using the Biterm Topic Model (BTM) algorithm, which includes the following sub-steps:
S3-4-1: using the discrete factor extraction module of the keyword extraction model to extract the inter-class discrete factor and the intra-class discrete factor of the preprocessed financial data, wherein the formula is as follows:
where: the inter-class discrete factor; the standard deviation of the feature word; the category of the feature word; the total number of categories; the frequency of occurrence of the feature word in the category; the frequency of occurrence in each category; the feature word index; the category index;
where: the intra-class discrete factor; the number of occurrences of the feature word in the category; the number of documents of the category containing the feature word; the total number of documents in the category;
S3-4-2: extracting the term frequency and the inverse document frequency of the current preprocessed financial data using the term frequency-inverse document frequency extraction module;
S3-4-3: according to the inter-class discrete factor, the intra-class discrete factor, the term frequency and the inverse document frequency, extracting the weight of each feature word using the weight extraction module, wherein the formula is as follows:
where: the weight of the feature word; the term frequency; the inverse document frequency; the discrete factor;
S3-4-4: sorting the feature words by weight and selecting the top-ranked feature words as the first keywords of the core information of the decrypted network security log;
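As an added example that is not the patent's code, the following Python carries S3-4-1 to S3-4-4 through on a constructed corpus of log core-information snippets, each labelled with a category. The page does not reproduce the weighting formula, so the combination tf * idf * (1 + inter-class factor) * intra-class factor, the smoothed idf and the tokenizer are assumptions; the BTM step (S3-4-5) is not included.

```python
import math
from collections import Counter
from typing import Dict, List


def tokenize(text: str) -> List[str]:
    """Minimal tokenizer for the core-information text of a log (constructed simplification)."""
    return [t.strip(".,;:()") for t in text.lower().split() if t.strip(".,;:()")]


def tf_idf_ci_weights(docs: List[List[str]], labels: List[str], target: int) -> Dict[str, float]:
    """Weight of every feature word of docs[target] (S3-4-1 to S3-4-3).

    Assumed combination, as the page does not reproduce the formula:
      weight = tf * idf * (1 + inter_class) * intra_class
    inter_class: standard deviation of the word's relative frequency across categories;
    intra_class: share of the documents of the target's category that contain the word.
    """
    classes = sorted(set(labels))
    doc_freq = Counter(w for d in docs for w in set(d))
    term_count = {c: Counter() for c in classes}   # occurrences of each word per category
    doc_count = {c: Counter() for c in classes}    # documents per category containing the word
    class_size = Counter(labels)
    for d, c in zip(docs, labels):
        term_count[c].update(d)
        doc_count[c].update(set(d))
    class_tokens = {c: sum(term_count[c].values()) for c in classes}

    target_doc, target_class = docs[target], labels[target]
    weights: Dict[str, float] = {}
    for word, count in Counter(target_doc).items():
        tf = count / len(target_doc)
        idf = math.log((1 + len(docs)) / (1 + doc_freq[word])) + 1   # smoothed idf
        freqs = [term_count[c][word] / class_tokens[c] if class_tokens[c] else 0.0
                 for c in classes]
        mean = sum(freqs) / len(freqs)
        inter_class = math.sqrt(sum((x - mean) ** 2 for x in freqs) / len(freqs))
        intra_class = doc_count[target_class][word] / class_size[target_class]
        weights[word] = tf * idf * (1 + inter_class) * intra_class
    return weights


def top_keywords(weights: Dict[str, float], k: int) -> List[str]:
    """S3-4-4: sort feature words by weight (ties by name) and keep the top k as keywords."""
    return [w for w, _ in sorted(weights.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


# Constructed corpus: core-information snippets of five logs with a category label each.
SAMPLE_LOGS = [
    ("attack", "brute force login attempt from source ip blocked"),
    ("attack", "sql injection attempt detected on web port"),
    ("defense", "firewall rule updated to block source ip"),
    ("defense", "ids signature pack upgraded"),
    ("monitor", "routine health check source ip reachable"),
]
DOCS = [tokenize(text) for _, text in SAMPLE_LOGS]
LABELS = [label for label, _ in SAMPLE_LOGS]

if __name__ == "__main__":
    w = tf_idf_ci_weights(DOCS, LABELS, target=0)
    print(top_keywords(w, 3))
```

The intra-class factor is what lifts "attempt" (present in both attack logs) above words unique to the target log, and the shared words "source" and "ip" rank lowest.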
S3-4-5: extracting the first subject words of the first keywords using the Biterm Topic Model (BTM) algorithm;
S3-5: constructing the inverted index of the decrypted network security log from the first keywords and the first subject words;
S3-6: converting the decrypted network security log into a block using the blockchain network, storing the block on the chain, extracting the corresponding storage address and storage time, and setting the access right of the block;
S3-7: calling the smart contract, and adding the access right, storage time, storage address and corresponding inverted index to the preset inverted index table;
S4: based on the blockchain network, constructing the inverted index of the decrypted network security log, storing the decrypted network security log on the chain in the blockchain network, and adding the storage address and the corresponding inverted index to the preset inverted index table;
S5: based on an enterprise terminal serving as the log querier, calling the legal user database, performing login verification on the query user, collecting the query data after the login verification passes, generating a log query request, encrypting and signing the query data according to the corresponding private key and registration information to obtain encrypted query data and second signature data, and uploading the log query request, the encrypted query data and the second signature data to the cloud data center;
S6: based on the cloud data center, performing consensus on the log query request in the blockchain network; after the consensus succeeds, calling the trusted authority to perform signature verification on the second signature data; after the signature verification passes, decrypting the encrypted query data according to the public key of the log querier to obtain the decrypted query data;
based on the cloud data center, performing consensus on the log query request in the blockchain network includes the following sub-steps:
S3-1-3: based on a third master node, performing a correctness check on the received log query request;
S3-1-4: if the correctness check passes, generating a pre-prepare message, broadcasting the pre-prepare message to all third data nodes of the cluster corresponding to the third master node, and performing a first PBFT consensus;
S3-1-5: if the first PBFT consensus succeeds, broadcasting the pre-prepare message to all other (fourth) master nodes; otherwise, returning a consensus failure instruction to the cloud data center;
S3-1-6: if a fourth master node receives the pre-prepare message, broadcasting its digital signature to the other fourth master nodes, collecting the digital signatures from the other fourth master nodes, and performing a second PBFT consensus;
S3-1-7: if the second PBFT consensus succeeds, all fourth master nodes generate a packaging message from all collected digital signatures and broadcast the packaging message to the third master node;
S3-1-8: based on the third master node, tallying the digital signatures in the packaging message; if the third master node has received the digital signatures of all other fourth master nodes, returning a consensus success instruction to the cloud data center, otherwise returning a consensus failure instruction to the cloud data center;
s7: searching and matching the decrypted query data in an inverted index table based on a blockchain network, extracting a corresponding target network security log according to a target storage address corresponding to a target inverted index which is successfully matched, generating a query return request, carrying out consensus on the query return request, encrypting the target network security log according to a public key of a log inquirer after the consensus is successful, obtaining an encrypted target network security log, and returning the encrypted target network security log to a corresponding enterprise terminal, wherein the method comprises the following steps:
s7-1: based on the block chain network, calling intelligent contracts, extracting the query authority and the allowed query space of a query user, and the query time and the query address of the decrypted query data;
s7-2: if the query address exceeds the allowable query space of the query user, returning a query failure instruction to the enterprise terminal serving as the log querier;
S7-3: extracting a plurality of second keywords of the decrypted query data by using a TF-IDF-CI algorithm, and extracting second keywords of the plurality of second keywords by using a BTM algorithm;
s7-4: screening in an inverted index table according to the second subject term to obtain a plurality of first alternative inverted indexes;
s7-5: according to the query time, searching and matching are carried out in the storage time of the plurality of first alternative inverted indexes, so as to obtain a plurality of second alternative inverted indexes;
s7-6: according to the second keywords, searching and matching are carried out in the second alternative inverted indexes, so that a target inverted index successfully matched with the corresponding access right, storage time and storage address are obtained;
s7-7: if the access right of the target inverted index is higher than the query right of the query user, returning a query failure instruction to the enterprise terminal serving as the log querier, otherwise, returning a target storage address corresponding to the target inverted index successfully matched to the enterprise terminal serving as the log querier;
s7-8: extracting a corresponding target block according to the target storage address, converting the target block into a target network security log, generating a query return request, and carrying out consensus on the query return request in a blockchain network;
S7-9: after the consensus is successful, encrypting the target network security log according to the public key of the log inquirer to obtain an encrypted target network security log;
according to the query address, the second subject term, the query time, the second keyword and the query authority, performing refined search matching step by step, under the corresponding authority management, improving the data security of the network security log, and the accuracy and reliability of the query, and avoiding the condition that the returned target network security log is too much or exceeds the authority of the user to perform log query;
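As an added example, not code from the patent, the following Python models the inverted index table rows of S3-7 and the staged search of S7-1 to S7-7 on constructed entries and users, failing closed at each permission gate. The address-prefix form of the allowed query space and the rule that a target must contain every query keyword are assumptions; subject words and keywords are given pre-extracted rather than computed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class IndexEntry:
    """One row of the inverted index table (S3-7): access right, storage time, storage address
    and the subject words / keywords that make up the log's inverted index."""
    access_right: int              # higher value = more restricted log
    storage_time: datetime
    storage_address: str           # constructed placeholder for the block address
    subject_words: FrozenSet[str]
    keywords: FrozenSet[str]


@dataclass(frozen=True)
class QueryUser:
    user_id: str
    query_right: int               # permission level from the legal user database (S1-1)
    allowed_space: FrozenSet[str]  # address prefixes the user is allowed to query (assumed form)


@dataclass(frozen=True)
class Query:
    query_address: str
    query_window: Tuple[datetime, datetime]
    subject_words: FrozenSet[str]  # second subject words (S7-3)
    keywords: FrozenSet[str]       # second keywords (S7-3)


QueryResult = Tuple[str, Union[List[str], str]]


def staged_query(table: List[IndexEntry], user: QueryUser, query: Query) -> QueryResult:
    """S7-1 to S7-7: refine candidates step by step and fail closed on any permission breach.
    Returns ('query_success', [storage addresses]) or ('query_failure', reason)."""
    # S7-2: the query address must lie inside the user's allowed query space
    if not any(query.query_address.startswith(prefix) for prefix in user.allowed_space):
        return ("query_failure", "query address outside allowed query space")
    # S7-4: first candidates share at least one subject word with the query
    first = [e for e in table if e.subject_words & query.subject_words]
    # S7-5: second candidates were stored inside the query time window
    start, end = query.query_window
    second = [e for e in first if start <= e.storage_time <= end]
    # S7-6: targets contain every query keyword (assumed matching rule)
    targets = [e for e in second if query.keywords <= e.keywords]
    if not targets:
        return ("query_failure", "no matching inverted index")
    # S7-7: a target whose access right exceeds the user's query right fails the query
    if any(e.access_right > user.query_right for e in targets):
        return ("query_failure", "access right of target exceeds query right")
    return ("query_success", sorted(e.storage_address for e in targets))


# Constructed inverted index table and users.
TABLE = [
    IndexEntry(1, datetime(2024, 1, 10), "chain/block/0001",
               frozenset({"attack"}), frozenset({"injection", "web"})),
    IndexEntry(3, datetime(2024, 1, 12), "chain/block/0002",
               frozenset({"attack"}), frozenset({"brute", "login"})),
    IndexEntry(1, datetime(2023, 12, 1), "chain/block/0003",
               frozenset({"attack"}), frozenset({"injection", "web"})),
    IndexEntry(1, datetime(2024, 1, 15), "chain/block/0004",
               frozenset({"defense"}), frozenset({"firewall"})),
]
ANALYST = QueryUser("analyst", query_right=2, allowed_space=frozenset({"chain/block/"}))
OUTSIDER = QueryUser("outsider", query_right=2, allowed_space=frozenset({"chain/other/"}))
JAN_2024 = (datetime(2024, 1, 1), datetime(2024, 1, 31))

if __name__ == "__main__":
    q = Query("chain/block/", JAN_2024, frozenset({"attack"}), frozenset({"injection"}))
    print(staged_query(TABLE, ANALYST, q))
```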
S8: based on the enterprise terminal serving as the log querier, decrypting the encrypted target network security log according to the private key to obtain the decrypted target network security log, and visualizing the target network security monitoring record information, target network attack record information, target network defense execution record information, target network defense upgrade record information, target malicious attacker registration information, target network attack capture time, target malicious attack source IP, target malicious attack source port, target enterprise terminal source IP, target enterprise terminal source port, city of the target malicious attack and city of the target enterprise terminal corresponding to the decrypted target network security log.
Example 2:
As shown in Fig. 2, the present embodiment provides a network security log query system for implementing the network security log query method; the system comprises a cloud data center, a trusted authority and a plurality of enterprise terminals, the cloud data center is provided with a legal user database and a blockchain network, the cloud data center is in communication connection with the trusted authority and with each of the plurality of enterprise terminals, the trusted authority is in communication connection with each of the plurality of enterprise terminals, and the enterprise terminals include an enterprise terminal serving as the log storer and an enterprise terminal serving as the log querier;
the cloud data center is used for constructing the legal user database and the blockchain network and calling the trusted authority; for performing consensus on the log storage request in the blockchain network, calling the trusted authority after the consensus succeeds to perform signature verification on the first signature data, and decrypting the encrypted network security log according to the corresponding public key after the signature verification passes to obtain the decrypted network security log; and for performing consensus on the log query request in the blockchain network, calling the trusted authority after the consensus succeeds to perform signature verification on the second signature data, and decrypting the encrypted query data according to the public key of the log querier after the signature verification passes to obtain the decrypted query data;
the blockchain network is used for constructing the inverted index of the decrypted network security log, storing the decrypted network security log on the chain in the blockchain network, and adding the storage address and the corresponding inverted index to the preset inverted index table; and for searching and matching the decrypted query data in the inverted index table, extracting the corresponding target network security log according to the target storage address of the successfully matched target inverted index, generating a query return request, performing consensus on the query return request, encrypting the target network security log according to the public key of the log querier after the consensus succeeds to obtain the encrypted target network security log, and returning the encrypted target network security log to the corresponding enterprise terminal;
the trusted authority is used for performing entity registration and key initialization on all enterprise terminals connected to the cloud data center to obtain the registration information and public-private key pair of each enterprise terminal, returning the registration information and the private key of the public-private key pair to the corresponding enterprise terminal, and publishing the public key of the public-private key pair to the blockchain network; and for performing signature verification on the first and second signature data;
the enterprise terminal serving as the log storer is used for calling the legal user database, performing login verification on the storage user, collecting the network security log after the login verification passes, generating a log storage request, encrypting and signing the network security log according to the corresponding private key and registration information to obtain the encrypted network security log and first signature data, and uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center;
the enterprise terminal serving as the log querier is used for calling the legal user database, performing login verification on the query user, collecting the query data after the login verification passes, generating a log query request, encrypting and signing the query data according to the corresponding private key and registration information to obtain the encrypted query data and second signature data, and uploading the log query request, the encrypted query data and the second signature data to the cloud data center; and for decrypting the encrypted target network security log according to the private key to obtain and visualize the decrypted target network security log.
The invention is not limited to the alternative embodiments described above; anyone may derive other forms of products in light of the present invention. The above detailed description should not be construed as limiting the scope of the invention, which is defined in the claims; the description may be used to interpret the claims.

Claims (10)

1. A network security log query method is characterized in that: the method comprises the following steps:
based on a cloud data center, constructing a legal user database and a blockchain network, calling a trusted authority, performing entity registration and key initialization on all enterprise terminals connected to the cloud data center to obtain registration information and public and private key pairs of each enterprise terminal, returning private keys in the registration information and public and private key pairs to corresponding enterprise terminals, and publishing public keys in the public and private key pairs to the blockchain network;
based on the enterprise terminal acting as log storer, invoking the legitimate user database to perform login verification on the storing user; after login verification passes, collecting the network security log and generating a log storage request; encrypting and signing the network security log according to the corresponding private key and registration information to obtain an encrypted network security log and first signature data; and uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center;
based on the cloud data center, reaching consensus on the log storage request in the blockchain network; after consensus succeeds, invoking the trusted authority to verify the first signature data; after signature verification passes, decrypting the encrypted network security log according to the corresponding public key to obtain a decrypted network security log;
based on the blockchain network, constructing an inverted index of the decrypted network security log, storing the decrypted network security log on-chain in the blockchain network, and adding the storage address and the corresponding inverted index to a preset inverted index table;
based on the enterprise terminal acting as log querier, invoking the legitimate user database to perform login verification on the querying user; after login verification passes, collecting the query data and generating a log query request; encrypting and signing the query data according to the corresponding private key and registration information to obtain encrypted query data and second signature data; and uploading the log query request, the encrypted query data and the second signature data to the cloud data center;
based on the cloud data center, reaching consensus on the log query request in the blockchain network; after consensus succeeds, invoking the trusted authority to verify the second signature data; after signature verification passes, decrypting the encrypted query data according to the public key of the log querier to obtain decrypted query data;
based on the blockchain network, searching the inverted index table for a match with the decrypted query data; extracting the corresponding target network security log according to the target storage address of the successfully matched target inverted index; generating a query return request and reaching consensus on it; after consensus succeeds, encrypting the target network security log according to the public key of the log querier to obtain an encrypted target network security log, and returning the encrypted target network security log to the corresponding enterprise terminal;
and, based on the enterprise terminal acting as log querier, decrypting the encrypted target network security log according to its private key to obtain the decrypted target network security log and visualizing it.
2. The network security log query method of claim 1, wherein: the network security log comprises core information and monitoring information.
3. The network security log query method of claim 2, wherein: the core information comprises network security monitoring record information, network attack record information, network defense execution record information, network defense upgrading record information and malicious attacker registration information.
4. The network security log query method of claim 2, wherein: the monitoring information comprises the capture time of the network attack, the malicious attack source IP, the malicious attack source port, the enterprise terminal source IP, the enterprise terminal source port, the city of the malicious attack source and the city of the enterprise terminal.
5. The network security log query method of claim 2, wherein: constructing, based on the cloud data center, a legitimate user database and a blockchain network, invoking a trusted authority to perform entity registration and key initialization for all enterprise terminals connected to the cloud data center, obtaining the registration information and the public/private key pair of each enterprise terminal, returning the registration information and the private key of the key pair to the corresponding enterprise terminal, and publishing the public key of the key pair to the blockchain network comprises the following steps:
based on the cloud data center, collecting the user data of legitimate users, setting the query permission and the permitted query space of each legitimate user, and constructing the legitimate user database from the user data, query permissions and permitted query spaces of all legitimate users;
connecting a plurality of data servers preset by the cloud data center in a distributed manner as data nodes, deploying smart contracts and the inverted index table, and thereby constructing the blockchain network;
collecting the terminal attribute information and terminal entity ID of every enterprise terminal connected to the cloud data center, and sending them to the trusted authority;
based on the trusted authority, performing key initialization according to the terminal attribute information and terminal entity ID to obtain the public/private key pair of each enterprise terminal;
performing entity registration according to the terminal entity ID and the corresponding public/private key pair to obtain the registration information of each enterprise terminal;
and returning the registration information and the private key of the key pair to the corresponding enterprise terminal, and publishing the public key of the key pair to the blockchain network.
6. The network security log query method of claim 5, wherein: based on the enterprise terminal acting as log storer, invoking the legitimate user database to perform login verification on the storing user, collecting the network security log after login verification passes, generating the log storage request, encrypting and signing the network security log according to the registration information and private key to obtain the encrypted network security log and first signature data, and uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center comprises the following steps:
if an enterprise terminal receives a log storage instruction, that enterprise terminal acts as the log storer;
based on the enterprise terminal acting as log storer, collecting the user data of the storing user and sending it to the cloud data center;
based on the cloud data center, invoking the legitimate user database through a smart contract, matching the storing user's data against the legitimate user database, and, if matching legitimate user data exists, returning a login-verification-passed instruction to the enterprise terminal acting as log storer;
if the enterprise terminal acting as log storer receives the login-verification-passed instruction, login verification has passed; the network security log stored locally on that enterprise terminal is collected and a log storage request is generated;
encrypting the network security log with an asymmetric encryption algorithm according to the private key of the enterprise terminal acting as log storer, to obtain the encrypted network security log;
signing the encrypted network security log according to the registration information of the enterprise terminal acting as log storer, to obtain the first signature data of the encrypted network security log;
and uploading the log storage request, the encrypted network security log and the first signature data to the cloud data center.
7. The network security log query method of claim 5, wherein: based on the cloud data center, reaching consensus on the log storage request in the blockchain network, invoking the trusted authority after consensus succeeds to verify the first signature data, decrypting the encrypted network security log according to the public key of the log storer after signature verification passes to obtain the decrypted network security log, constructing the inverted index of the decrypted network security log, storing the decrypted network security log on-chain in the blockchain network, and adding the storage address and the corresponding inverted index to the preset inverted index table comprises the following steps:
based on the cloud data center, reaching consensus on the log storage request in the blockchain network;
after consensus succeeds, sending the first signature data to the trusted authority, which verifies the first signature data according to the registration information of the enterprise terminal acting as log storer;
after signature verification passes, decrypting the encrypted network security log according to the public key of the enterprise terminal acting as log storer, to obtain the decrypted network security log;
extracting a plurality of first keywords from the core information of the decrypted network security log with the TF-IDF-CI algorithm, and extracting the first subject word of those first keywords with the BTM algorithm;
constructing the inverted index of the decrypted network security log from the first keywords and the first subject word;
converting the decrypted network security log into a block in the blockchain network, storing the block on-chain, extracting the corresponding storage address and storage time, and setting the access level of the block;
and invoking a smart contract to add the access level, storage time, storage address and corresponding inverted index to the preset inverted index table.
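The storage path of claims 1, 6 and 7 and the return direction of claim 9, as an added Python example that is not the patent's code and not from the assignee: a toy textbook RSA stands in for the unspecified asymmetric algorithm and for the trusted authority's key initialization, and the registration string, message layout and sample log line are assumptions. It makes the key directions of the claims observable. The first signature data is verified with the storer's published public key and a one-bit change to the ciphertext is rejected; the cloud data center recovers the log with the storer's public key exactly as claim 7 states; and, since claim 5 publishes that public key to the blockchain network, any other holder of it recovers the log the same way, so the private-key "encryption" of claim 6 authenticates the log but does not keep it confidential. Only the return direction of claim 9, encryption under the querier's public key, is confidential.

```python
import hashlib
import math
import secrets

E = 65537
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a toy key pair, not for production key generation."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Toy RSA key pair, standing in for the trusted authority's key initialization (claim 5)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return {"n": p * q, "e": E}, {"n": p * q, "d": pow(E, -1, phi)}


def rsa_private(priv, m): return pow(m, priv["d"], priv["n"])   # raw, unpadded textbook RSA
def rsa_public(pub, m): return pow(m, pub["e"], pub["n"])
def int_of(b): return int.from_bytes(b, "big")
def bytes_of(i): return i.to_bytes((i.bit_length() + 7) // 8, "big")


def max_block_len(n):
    """Largest log (in bytes) that fits one textbook-RSA block under modulus n."""
    return (n.bit_length() - 1) // 8 - 1


def store_message(priv, registration, log):
    """Log storer (claim 6): 'encrypt' with its own private key, then sign registration info + ciphertext."""
    if len(log) > max_block_len(priv["n"]):
        raise ValueError("log does not fit one textbook-RSA block")
    ciphertext = rsa_private(priv, int_of(log))
    tag = hashlib.sha256(registration.encode() + bytes_of(ciphertext)).digest()
    return {"registration": registration, "ciphertext": ciphertext, "signature": rsa_private(priv, int_of(tag))}


def verify_signature(pub, msg):
    """Trusted authority (claim 7): check the first signature data with the storer's published public key."""
    tag = hashlib.sha256(msg["registration"].encode() + bytes_of(msg["ciphertext"])).digest()
    return rsa_public(pub, msg["signature"]) == int_of(tag)


def recover_log(pub, msg):
    """Claim 7's decryption step applies the storer's PUBLIC key; any holder of that key can do the same."""
    return bytes_of(rsa_public(pub, msg["ciphertext"]))


def return_to_querier(querier_pub, log):
    """Claim 9: the target log is encrypted under the querier's public key."""
    return rsa_public(querier_pub, int_of(log))


def querier_decrypt(querier_priv, ciphertext):
    """Last step of claim 1: the querier decrypts with its own private key."""
    return bytes_of(rsa_private(querier_priv, ciphertext))


def run_exchange(log=b"2024-01-24T09:00:00Z src=203.0.113.7:4444 dst=10.0.0.5:22"):
    """Whole exchange on a constructed sample log line; returns the checks a reviewer would make."""
    storer_pub, storer_priv = keygen()
    querier_pub, querier_priv = keygen()
    msg = store_message(storer_priv, "reg-term-01", log)        # registration string is an assumption
    tampered = dict(msg, ciphertext=msg["ciphertext"] ^ 1)        # one bit flipped in transit
    stored = recover_log(storer_pub, msg)                         # cloud data center side (claim 7)
    eavesdropper_view = recover_log(storer_pub, msg)              # needs only the on-chain public key
    returned = return_to_querier(querier_pub, stored)
    return {
        "signature_ok": verify_signature(storer_pub, msg),
        "tampered_rejected": not verify_signature(storer_pub, tampered),
        "cloud_recovers_log": stored == log,
        "eavesdropper_recovers_log": eavesdropper_view == log,
        "querier_recovers_log": querier_decrypt(querier_priv, returned) == log,
    }
```

Every check in `run_exchange()` comes back True, including `eavesdropper_recovers_log`: that is the property to weigh when the logs carry the attack and defense records of claim 3. If the upload is meant to be confidential from the blockchain's other participants, the storer would encrypt under a key only the cloud data center holds and keep the private-key operation for the signature alone.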
8. The network security log query method of claim 7, wherein reaching consensus on the log storage request in the blockchain network based on the cloud data center comprises the following steps:
clustering the data nodes of the blockchain network with the DIANA algorithm to obtain a plurality of clusters;
electing a master node for each cluster according to a credibility reward-and-punishment mechanism, to obtain a plurality of master nodes;
based on the first master node, checking the correctness of the received log storage request;
if the correctness check passes, generating a pre-prepare message, broadcasting it to all first data nodes of the cluster of the first master node, and performing a first PBFT consensus;
if the first PBFT consensus succeeds, broadcasting the pre-prepare message to all other, second master nodes; otherwise returning a consensus failure instruction to the cloud data center;
if a second master node receives the pre-prepare message, broadcasting its digital signature to the other second master nodes, collecting the digital signatures of the other second master nodes, and performing a second PBFT consensus;
if the second PBFT consensus succeeds, generating, by all second master nodes, packaging information from all collected digital signatures, and broadcasting the packaging information to the first master node;
and, based on the first master node, tallying the digital signatures in the packaging information: if the first master node has received the digital signatures of all other second master nodes, returning a consensus success instruction to the cloud data center, otherwise returning a consensus failure instruction to the cloud data center.
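The two-tier consensus of claim 8 as an added Python simulation, not the patent's implementation: cluster membership is taken as given instead of computed with DIANA, master election is a highest-credibility rule standing in for the reward-and-punishment mechanism, each PBFT round is reduced to its outcome (at least 2f+1 of 3f+1 members voting for the same request digest), and the digital signature is a hash stand-in. Node counts, node IDs and credibility scores are constructed. The point it makes visible is the final tally of the claim: a cluster tolerates f faulty members, but because the first master requires the signatures of all other master nodes, a single faulty master blocks the request even after the second PBFT quorum was reached.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class DataNode:
    node_id: str
    cluster: int
    credibility: int = 10   # score maintained by the reward-and-punishment mechanism
    faulty: bool = False    # a faulty node neither votes nor signs


def build_nodes(clusters=4, size=4):
    """Constructed topology: cluster assignment is taken as given (the patent computes it with DIANA)."""
    return [DataNode(f"n{c}-{i}", c, credibility=10 + i) for c in range(clusters) for i in range(size)]


def elect_masters(nodes):
    """One master per cluster: highest credibility, ties broken by node_id (stand-in for the patent's election)."""
    masters = {}
    for node in sorted(nodes, key=lambda n: (-n.credibility, n.node_id)):
        masters.setdefault(node.cluster, node)
    return masters


def pbft_quorum(members):
    """A PBFT round collapsed to its outcome: at least 2f+1 members vote for the digest, f = (n-1)//3."""
    f = (len(members) - 1) // 3
    votes = sum(1 for m in members if not m.faulty)
    return votes >= 2 * f + 1


def node_signature(node, digest):
    """Hash stand-in for a digital signature; a real node signs with its private key."""
    return hashlib.sha256(f"{node.node_id}:{digest}".encode()).hexdigest()


def two_tier_consensus(nodes, request, receiving_cluster):
    """Claim 8's flow for one log storage request. Returns (success, reason)."""
    if not request.strip():                       # correctness check of the received request (assumed: non-empty)
        return False, "request failed correctness check"
    digest = hashlib.sha256(request.encode()).hexdigest()
    masters = elect_masters(nodes)
    first_master = masters[receiving_cluster]
    if first_master.faulty:
        return False, "first master node is unavailable"
    # first PBFT consensus: the pre-prepare message goes to the first master's own cluster
    cluster_members = [n for n in nodes if n.cluster == receiving_cluster]
    if not pbft_quorum(cluster_members):
        return False, "first PBFT consensus failed"
    # second PBFT consensus: the other (second) master nodes exchange digital signatures
    second_masters = [m for c, m in masters.items() if c != receiving_cluster]
    if not pbft_quorum(second_masters):
        return False, "second PBFT consensus failed"
    packaged = {m.node_id: node_signature(m, digest) for m in second_masters if not m.faulty}
    # the first master tallies the packaged signatures; the claim requires every other master to have signed
    missing = sorted({m.node_id for m in second_masters} - set(packaged))
    if missing:
        return False, f"second PBFT quorum reached but signatures missing from {missing}"
    return True, "consensus success"


def settle_round(nodes, reward=1, penalty=3):
    """Reward-and-punishment update after a round: voters gain, faulty nodes lose credibility."""
    for n in nodes:
        n.credibility += -penalty if n.faulty else reward
    return nodes
```

With four clusters of four nodes, one faulty follower in the receiving cluster is tolerated (three of four votes is 2f+1 for f=1), two are not, and one faulty master in another cluster fails the round at the signature tally. `settle_round` shows the mechanism the claim relies on to recover: after one penalised round the faulty node loses the master role to the next-highest-credibility node in its cluster and the following request goes through.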
9. The network security log query method of claim 7, wherein: searching the inverted index table for a match with the decrypted query data based on the blockchain network, extracting the corresponding target network security log according to the target storage address of the successfully matched target inverted index, generating the query return request, reaching consensus on the query return request, encrypting the target network security log according to the public key of the log querier after consensus succeeds to obtain the encrypted target network security log, and returning the encrypted target network security log to the corresponding enterprise terminal comprises the following steps:
based on the blockchain network, invoking a smart contract to extract the query permission and permitted query space of the querying user, and the query time and query address of the decrypted query data;
if the query address lies outside the permitted query space of the querying user, returning a query failure instruction to the enterprise terminal acting as log querier;
extracting a plurality of second keywords from the decrypted query data with the TF-IDF-CI algorithm, and extracting the second subject word of those second keywords with the BTM algorithm;
screening the inverted index table by the second subject word to obtain a plurality of first candidate inverted indexes;
matching the query time against the storage times of the first candidate inverted indexes to obtain a plurality of second candidate inverted indexes;
matching the second keywords against the second candidate inverted indexes to obtain the successfully matched target inverted index together with its access level, storage time and storage address;
if the access level of the target inverted index is higher than the query permission of the querying user, returning a query failure instruction to the enterprise terminal acting as log querier; otherwise returning the target storage address of the successfully matched target inverted index to the enterprise terminal acting as log querier;
extracting the corresponding target block according to the target storage address, converting the target block into the target network security log, generating the query return request, and reaching consensus on the query return request in the blockchain network;
and after consensus succeeds, encrypting the target network security log according to the public key of the log querier to obtain the encrypted target network security log.
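The inverted index table of claim 7 and the query pipeline of claim 9 as an added Python example, not the patent's code: plain TF-IDF replaces TF-IDF-CI, a fixed term-to-topic lexicon replaces the BTM subject word, the query time is modelled as a window, the query address as a named storage space, storage times are ISO-8601 strings so they compare as text, and the sample logs, spaces, access levels and users are all constructed. It walks the claim's order: permitted query space, subject word screening, storage time, keyword match, then the block's access level against the querying user's permission, and returns the failure reason at whichever step stops the query.

```python
import math
import re
from collections import Counter, defaultdict

STOPWORDS = {"a", "an", "the", "by", "from", "to", "as", "of", "and", "in", "on", "at"}

# Stand-in for the BTM topic model: a fixed lexicon from terms to a topic label (the "subject word").
TOPIC_LEXICON = {
    "ssh": "credential-attack", "brute": "credential-attack", "login": "credential-attack",
    "password": "credential-attack",
    "malware": "malware", "beacon": "malware", "outbound": "malware",
}

# Constructed sample records, not patent data. `space` models the storage space a query addresses,
# `access` the access level set on the block (claim 7), `text` the core information field.
SAMPLE_LOGS = [
    {"address": "blk-0001", "space": "tenant-a", "access": 1, "storage_time": "2024-01-24T09:00:00",
     "text": "ssh brute force login attempts from 203.0.113.7 blocked by firewall"},
    {"address": "blk-0002", "space": "tenant-a", "access": 3, "storage_time": "2024-01-24T10:30:00",
     "text": "malware beacon detected outbound to 198.51.100.9 defense rule upgraded"},
    {"address": "blk-0003", "space": "tenant-b", "access": 1, "storage_time": "2024-01-25T08:15:00",
     "text": "ssh brute force attack from 203.0.113.7 registered as malicious attacker"},
]


def tokenize(text):
    return [t for t in re.findall(r"[a-z0-9.]+", text.lower()) if t not in STOPWORDS]


def subject_word(tokens):
    hits = Counter(TOPIC_LEXICON[t] for t in tokens if t in TOPIC_LEXICON)
    return hits.most_common(1)[0][0] if hits else "other"


class InvertedIndexTable:
    """Claim 7's table: term -> {storage address: TF-IDF weight}, plus per-block subject, time, access, space."""

    def __init__(self, logs):
        tokens = {log["address"]: tokenize(log["text"]) for log in logs}
        df = Counter(t for toks in tokens.values() for t in set(toks))
        self.idf = {t: math.log((len(logs) + 1) / (c + 1)) + 1 for t, c in df.items()}   # smoothed idf
        self.postings = defaultdict(dict)
        self.blocks = {}
        for log in logs:
            toks = tokens[log["address"]]
            for term, count in Counter(toks).items():
                self.postings[term][log["address"]] = count / len(toks) * self.idf[term]
            self.blocks[log["address"]] = {"subject": subject_word(toks), "space": log["space"],
                                           "access": log["access"], "storage_time": log["storage_time"]}

    def query(self, user, query_text, query_space, time_from, time_to):
        """Claim 9's steps in order; returns ok=True with the target address, or ok=False with the reason."""
        if query_space not in user["allowed_spaces"]:
            return {"ok": False, "reason": "query address outside permitted query space"}
        q_tokens = tokenize(query_text)
        q_subject = subject_word(q_tokens)
        # first candidates: screened by subject word (and restricted to the addressed space)
        first = [a for a, b in self.blocks.items() if b["subject"] == q_subject and b["space"] == query_space]
        # second candidates: storage time inside the query time window
        second = [a for a in first if time_from <= self.blocks[a]["storage_time"] <= time_to]
        # keyword match: sum of TF-IDF weights of the query terms present in each candidate
        scores = {a: sum(self.postings.get(t, {}).get(a, 0.0) for t in set(q_tokens)) for a in second}
        scores = {a: s for a, s in scores.items() if s > 0}
        if not scores:
            return {"ok": False, "reason": "no matching inverted index"}
        target = max(scores, key=lambda a: (scores[a], a))          # deterministic tie-break
        if self.blocks[target]["access"] > user["query_permission"]:
            return {"ok": False, "reason": "access level of target block exceeds query permission"}
        return {"ok": True, "address": target, "storage_time": self.blocks[target]["storage_time"]}


TABLE = InvertedIndexTable(SAMPLE_LOGS)
```

Note the order the claim fixes and the example keeps: the permission check runs after the best match has been selected, so a user with insufficient permission still learns that a matching block exists (the failure reason differs from "no matching inverted index"). Filtering candidates by access level before matching would avoid that leak.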
10. A network security log query system for implementing the network security log query method of any one of claims 1 to 9, wherein: the system comprises a cloud data center, a trusted authority and a plurality of enterprise terminals; the cloud data center hosts a legitimate user database and a blockchain network and is communicatively connected to the trusted authority and to each enterprise terminal; the trusted authority is communicatively connected to each enterprise terminal; and the enterprise terminals include enterprise terminals acting as log storers and enterprise terminals acting as log queriers;
the cloud data center is configured to construct the legitimate user database and the blockchain network and to invoke the trusted authority; to reach consensus on the log storage request in the blockchain network, invoke the trusted authority after consensus succeeds to verify the first signature data, and, after signature verification passes, decrypt the encrypted network security log according to the corresponding public key to obtain the decrypted network security log; and to reach consensus on the log query request in the blockchain network, invoke the trusted authority after consensus succeeds to verify the second signature data, and, after signature verification passes, decrypt the encrypted query data according to the public key of the log querier to obtain the decrypted query data;
the blockchain network is configured to construct the inverted index of the decrypted network security log, store the decrypted network security log on-chain, and add the storage address and the corresponding inverted index to the preset inverted index table; and to search the inverted index table for a match with the decrypted query data, extract the corresponding target network security log according to the target storage address of the successfully matched target inverted index, generate the query return request, reach consensus on it, encrypt the target network security log according to the public key of the log querier after consensus succeeds to obtain the encrypted target network security log, and return the encrypted target network security log to the corresponding enterprise terminal;
the trusted authority is configured to perform entity registration and key initialization for all enterprise terminals connected to the cloud data center, obtain the registration information and public/private key pair of each enterprise terminal, return the registration information and the private key of the key pair to the corresponding enterprise terminal, and publish the public key of the key pair to the blockchain network; and to verify the first and second signature data;
an enterprise terminal acting as log storer is configured to invoke the legitimate user database to perform login verification on the storing user, collect the network security log after login verification passes, generate the log storage request, encrypt and sign the network security log according to the corresponding private key and registration information to obtain the encrypted network security log and first signature data, and upload the log storage request, the encrypted network security log and the first signature data to the cloud data center;
an enterprise terminal acting as log querier is configured to invoke the legitimate user database to perform login verification on the querying user, collect the query data after login verification passes, generate the log query request, encrypt and sign the query data according to the corresponding private key and registration information to obtain the encrypted query data and second signature data, and upload the log query request, the encrypted query data and the second signature data to the cloud data center; and to decrypt the encrypted target network security log according to its private key to obtain and visualize the decrypted target network security log.
CN202410096465.5A, priority date 2024-01-24, filing date 2024-01-24: Network security log query method and system (Active; granted as CN117614750B)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202410096465.5A (CN117614750B) | 2024-01-24 | 2024-01-24 | Network security log query method and system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202410096465.5A (CN117614750B) | 2024-01-24 | 2024-01-24 | Network security log query method and system

Publications (2)

Publication Number | Publication Date
CN117614750A (application publication) | 2024-02-27
CN117614750B (granted patent) | 2024-05-24

Family

ID=89956534

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202410096465.5A (CN117614750B, Active) | Network security log query method and system | 2024-01-24 | 2024-01-24

Country Status (1)

Country | Link
CN | CN117614750B (en)
Citations (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN110086790A * | 2019-04-17 | 2019-08-02 | 江苏全链通信息科技有限公司 | Log storing method and system based on data center
CN110572281A * | 2019-08-23 | 2019-12-13 | 华南理工大学 | Credible log recording method and system based on block chain
US20210081396A1 * | 2019-09-12 | 2021-03-18 | Advanced New Technologies Co., Ltd. | Log-structured storage systems
CN117235810A * | 2023-10-07 | 2023-12-15 | 昆明理工大学 | Log safe storage and efficient query method based on blockchain

Also Published As

Publication number Publication date
CN117614750B (en) 2024-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant