Safe log analyzing method and system

A security log analysis method and system, applied in the field of information security, addresses the large number of alarms, the many irrelevant alarms, and the difficulty of reaching the expected results when mining such logs, so as to avoid interference from invalid logs and reduce the administrator's workload.

Status: Inactive
Publication Date: 2009-04-01
Applicant: BEIJING VENUS INFORMATION TECH

AI Technical Summary

Problems solved by technology

1. Due to the large number of alarms and the many irrelevant alarms, most of the energy of security management personnel is spent processing useless information, and it is difficult to understand the security threat status of the system.
[0004] 2. Most existing security products detect on the basis of a single data packet, which shows in how their output is expressed: each alarm from a security product is an isolated intrusion event.
Directly performing data mining on the collected logs does not help: if the log information contains a large number of invalid logs and false-positive logs, the association rules mined will be meaningless and it is difficult to achieve the expected results.



Examples


Embodiment 1

[0031] This embodiment is the workflow of the log analysis system, as shown in figure 1, and includes the following steps:

[0032] 1. The IDS detectors distributed in each protected network report the observed intrusion events to the unified log server, which aggregates the logs and preprocesses them according to the configured clustering threshold and attribute divisions.

[0033] 2. The AOI hierarchical clustering module performs clustering analysis on the aggregated logs according to the attribute divisions specified by the administrator and derives the clustering rules. The generated clustering rules fall into three categories: descriptions of large-scale network security events (such as DDoS), for which the administrator can take corresponding measures; descriptions of invalid or false-positive logs, which the administrator sets as filtering rules; and event descriptions the administrator considers to need further processing, which may be left unprocessed at this stage.

[0034] 3. According to the clas...

Embodiment 2

[0038] This embodiment is the processing flow of the AOI hierarchical clustering module, as shown in figure 2, and includes the following steps:

[0039] Step 201: Set clustering threshold and attribute division. The clustering threshold refers to the conditions under which the number of logs contained in a cluster can be processed as a whole, and the attribute division refers to the hierarchical relationship on the log attributes participating in the clustering.

[0040] Step 202: Determine whether the number of unclustered logs is lower than the clustering threshold, if yes, end the clustering process, otherwise go to step 203.

[0041] Step 203: Select the attributes to be summarized from the attributes participating in the clustering.

[0042] Step 204: For the selected attribute, replace each log's value on that attribute in the log database with the value one level up in the attribute division.

[0043] Step 205: Classify the logs with the same...

Embodiment 3

[0046] This embodiment is a specific processing flow of the log analysis system.

[0047] In this embodiment, the logs generated by a network intrusion detection system running continuously for one month in a real network environment are used, with a total of 82,383 entries. Processing includes the following steps:

[0048] 1. Set the clustering threshold to 5% of the total log volume, that is, when the number of logs contained in a cluster obtained by clustering exceeds 5% of the total log volume, further induction of the cluster will be stopped.

[0049] Set the division of each attribute: the divisions of the source address and the destination address are the same, both being divided by IP address. Divide the IP address space into two parts, the internal network and the external network: the internal network is the 192.168.2.0 network segment, and the external network is every other address. Divide events into different types b...
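The AOI clustering of steps 201 to 205 together with the threshold and address division of Embodiment 3, as an added Python example that is not part of the patent or the applicant's product. The concept hierarchies, the round-robin attribute order, the event signature names and the 40 sample records are constructed assumptions; only the 5% threshold and the 192.168.2.0 internal segment come from the text.

```python
from collections import Counter
import ipaddress

# Constructed concept hierarchies (the attribute divisions of step 201).  Addresses:
# concrete IP -> internal/external (internal = 192.168.2.0/24, as in Embodiment 3) -> any.
# Event types: signature -> category -> any; the signature names are illustrative only.
INTERNAL = ipaddress.ip_network("192.168.2.0/24")
EVENT_PARENT = {"ICMP PING": "recon", "PORTSCAN": "recon",
                "WEB-IIS cmd.exe": "web-attack", "WEB-PHP include": "web-attack"}
ATTRS = ("dst", "src", "event")   # order in which step 203 picks attributes (assumed)

def parent(attr, value):
    """One step up the attribute's hierarchy; 'any' is the root of every attribute."""
    if attr not in ("src", "dst"):
        return EVENT_PARENT.get(value, "any")
    if value in ("internal", "external", "any"):
        return "any"
    return "internal" if ipaddress.ip_address(value) in INTERNAL else "external"

def aoi_cluster(logs, threshold_ratio=0.05):
    """Steps 202-205: generalize one attribute per round, group identical records and
    freeze each group reaching the threshold as a cluster (no further induction on it).
    Returns ({class description tuple: log count}, number of logs left unclustered)."""
    threshold = max(1, int(len(logs) * threshold_ratio))
    work, clusters, rnd = [dict(l) for l in logs], {}, 0
    while len(work) >= threshold:                                    # step 202
        attr, rnd = ATTRS[rnd % len(ATTRS)], rnd + 1                 # step 203
        for rec in work:                                             # step 204
            rec[attr] = parent(attr, rec[attr])
        groups = Counter(tuple(r[a] for a in ATTRS) for r in work)  # step 205
        done = {k for k, n in groups.items() if n >= threshold}
        clusters.update({k: groups[k] for k in done})  # levels rise each round, so keys never repeat
        work = [r for r in work if tuple(r[a] for a in ATTRS) not in done]
    return clusters, len(work)

def covers(attr, general, concrete):
    """True if the concrete log value generalizes (in zero or more steps) to `general`."""
    while concrete != general:
        if concrete == "any":
            return False
        concrete = parent(attr, concrete)
    return True

def apply_filter(logs, rule):
    """Drop the records matched by a class description the administrator set as a filtering rule."""
    return [l for l in logs if not all(covers(a, g, l[a]) for a, g in zip(ATTRS, rule))]

# Constructed sample: 30 pings from outside, 6 web attacks from one host, 4 internal scans.
SAMPLE_LOGS = (
    [{"src": f"203.0.113.{i}", "dst": f"192.168.2.{10 + i % 3}", "event": "ICMP PING"} for i in range(30)]
    + [{"src": "10.0.0.5", "dst": "192.168.2.80", "event": "WEB-IIS cmd.exe"} for _ in range(6)]
    + [{"src": "192.168.2.7", "dst": f"192.168.2.{20 + i}", "event": "PORTSCAN"} for i in range(4)]
)
```

With a threshold of 2 records (5% of 40), `aoi_cluster(SAMPLE_LOGS)` yields three class descriptions (30 external-to-internal ICMP PING, 6 WEB-IIS cmd.exe from 10.0.0.5, 4 PORTSCAN from 192.168.2.7), and setting the first as a filtering rule leaves 10 logs for sequential pattern mining.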


Abstract

The invention discloses a method for analyzing a security log and a system thereof, which realizes filtration of invalid logs and misreported logs in mass logs, and discovers large-scale network security events and common attack sequences. The method comprises the following steps: the mass logs are subject to cluster analysis by the attribute-oriented inductive algorithm so as to generate class description of each class of log after clustering; an administrator sets filtration regulations according to the clustered class description, unrelated and misreported logs are removed from the current log base so as to simplify the mass logs; Internet Worms, distributed denial of service attacks and other large-scale network security events characteristics are extracted; the simplified log is subject to sequential pattern mining to find attack behavior sequence description commonly used by attackers to be finally submitted to the administrator. The system comprises a clustering analysis module, a filtration module and a sequential pattern mining module. The method and the system can be applied to information processing of the mass logs of security products.

Description

Technical field

[0001] The invention relates to the field of information security, in particular to a security log analysis method and system.

Background technique

[0002] The rapid development of the Internet has brought great convenience to the dissemination and utilization of information, but at the same time human society faces a huge information security challenge. In order to alleviate the increasingly serious security problems, security products such as firewalls, intrusion detection systems, and security audit systems have been deployed more and more widely. However, the introduction of a large number of security devices has also brought new problems, which are mainly reflected in the following two aspects:

[0003] 1. Continuously running security devices generate a large amount of logs. In addition to the defects of the security products themselves, a considerable part of the alarms are false alarms, while the truly valuable alarm information is subm...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L9/00, H04L29/06
Inventors: 周涛, 叶润国, 骆拥政, 王征
Owner: BEIJING VENUS INFORMATION TECH