Variance-based firewall abnormal log detection method

A firewall log detection method in the information technology field. It addresses two gaps in existing firewall log management tools: they have no abnormal-log analysis function, and so they cannot mine abnormal behaviour from a large volume of logs.

Inactive Publication Date: 2013-11-20
CHINA TOBACCO ZHEJIANG IND

AI Technical Summary

Problems solved by technology

[0003] Tools for managing firewall logs exist, but they usually manage the logs of one specific firewall only. The Tianrongxin log management system, for example, handles log collection, storage, display and query, but it has no abnormal-log analysis function, so abnormal behaviour cannot be mined from a large volume of logs.


Embodiment Construction

[0023] The specific implementation of the technical solution proposed by the present invention is described below using firewall logs.

[0024] As shown in figure 1, the method of the present invention first defines the analysis parameters (step S1). For example, the following parameters are set:

[0025] ● Analysis target: destination IP address

[0026] ● Time range: last thirty days

[0027] ● Variance threshold: 90

[0028] The log records of the last thirty days are extracted from the firewall log (step S2). For example, the log contains 10,000 records.

[0029] All distinct destination IP addresses in the 10,000 extracted records are listed to form the destination IP address set (step S3). For example, the firewall logs of the last thirty days contain one hundred distinct destination IP addresses, giving the set {a1, a2, a3 … a100}.

[0030] Count t...


Abstract

The invention relates to a variance-based firewall abnormal log detection method comprising the following steps: (1) according to a time range n, extracting from the firewall log the log set of all records whose time value falls within n; (2) according to an analysis target A, classifying all distinct values of A in the log set of step (1) to generate the set {a1, a2, a3 … am}, where A is one of four parameters: source IP address, source port, destination IP address and destination port; (3) taking one element from the set {a1, a2, a3 … am} and counting, per day, how often it occurs in the log set of step (1), giving its daily frequency of occurrence x1, x2, x3 … xn; (4) computing the variance of x1, x2, x3 … xn and raising an alarm if the variance exceeds the variance threshold; (5) repeating steps (3) and (4) until every element of the set {a1, a2, a3 … am} has been processed. The method provides useful technical support for security management systems and network monitoring and analysis systems.
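The five steps above, together with the worked embodiment in the Embodiment Construction section (steps S1 to S3 with destination IP address as the analysis target, a thirty-day window and a variance threshold of 90), as an added Python example. This is not the patent's own code. It assumes a constructed five-tuple log format of one connection per line, `<ISO timestamp> <src_ip> <src_port> <dst_ip> <dst_port>`, takes the variance in its population form (dividing by n, which the patent does not specify), and generates its own thirty days of sample traffic rather than reading a real firewall log.

```python
"""Variance-based detection of abnormal firewall log entries.

Added worked example, not code from the patent. Assumed (constructed) log
format: one connection per line,
    <ISO timestamp> <src_ip> <src_port> <dst_ip> <dst_port>
i.e. the five-tuple named in the description.
"""
from datetime import date, datetime, timedelta

FIELDS = ("time", "src_ip", "src_port", "dst_ip", "dst_port")
TARGETS = ("src_ip", "src_port", "dst_ip", "dst_port")   # the four allowed analysis targets


def parse_log(text):
    """Parse five-tuple lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append(dict(zip(FIELDS, (ts, *parts[1:]))))
    return records


def population_variance(xs):
    """Variance of the n daily counts. The patent does not say whether it divides
    by n or n-1; this assumes the population form (divide by n)."""
    mean = sum(xs) / len(xs)
    return sum((x - mean) ** 2 for x in xs) / len(xs)


def daily_counts(window, target, value, start_day, n_days):
    """Step (3): occurrences of `value` on each day of the window, zero-filled so
    a day with no traffic contributes x_i = 0 instead of being dropped."""
    counts = [0] * n_days
    for r in window:
        if r[target] == value:
            counts[(r["time"].date() - start_day).days] += 1
    return counts


def detect(records, target="dst_ip", n_days=30, threshold=90.0, end_day=None):
    """Steps (1)-(5). Returns ({value: variance}, [values whose variance exceeds
    the threshold]). `end_day` defaults to the newest day present in the log."""
    if target not in TARGETS:
        raise ValueError(f"analysis target must be one of {TARGETS}")
    if not records:
        return {}, []
    end_day = end_day or max(r["time"].date() for r in records)
    start_day = end_day - timedelta(days=n_days - 1)
    # step (1): the log set inside the time range n
    window = [r for r in records if start_day <= r["time"].date() <= end_day]
    # step (2): the set {a1, a2, ... am} of distinct values of the analysis target
    values = sorted({r[target] for r in window})
    # steps (3)-(5): daily frequencies, variance and alarm decision for each value
    variances = {v: population_variance(daily_counts(window, target, v, start_day, n_days))
                 for v in values}
    alarms = [v for v in values if variances[v] > threshold]
    return variances, alarms


def make_sample_log(start_day=date(2013, 10, 1), n_days=30):
    """Constructed thirty-day log, not real traffic: an HTTPS server with a flat
    3 connections/day, a web server alternating between 5 and 1 per day, and an
    SSH host that is silent except for a burst of 60 connections on day 20."""
    lines = []
    for i in range(n_days):
        day = start_day + timedelta(days=i)
        per_dst = {"203.0.113.10 443": 3,
                   "192.0.2.44 80": 5 if i % 2 == 0 else 1,
                   "198.51.100.7 22": 60 if i == 19 else 0}
        for dst, hits in per_dst.items():
            for k in range(hits):
                lines.append(f"{day}T08:00:{k:02d} 10.0.0.{k + 1} {40000 + k} {dst}")
    return "\n".join(lines)


if __name__ == "__main__":
    variances, alarms = detect(parse_log(make_sample_log()), target="dst_ip")
    for v, var in variances.items():
        print(f"{v:>14}  variance={var:6.1f}  {'ALARM' if v in alarms else 'ok'}")
```

With the sample traffic, the steady HTTPS server has a variance of 0, the alternating web server a variance of 4, and the SSH host a variance of 116 (mean 2 over thirty days, one day at 60), so only the SSH host crosses the threshold of 90. Two points the patent leaves implicit matter in practice: days with no hits must be zero-filled, otherwise a host seen on a single day has one sample, a variance of zero, and is never flagged; and a raw variance threshold is scale dependent, since a busy server whose daily count merely swings between 280 and 320 has a variance of 400 and would alarm although nothing unusual happened, so the threshold is normally set per target or replaced by a normalised measure such as the coefficient of variation.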

Description

Technical field

[0001] The invention relates to the field of information technology, in particular to an analysis method for firewall logs.

Background art

[0002] Firewalls are currently in wide use in computer network security. Every firewall has a logging function that records all access between the internal and external networks passing through the firewall. A log entry mainly contains the time, source IP address, source port, destination IP address and destination port, collectively called the five-tuple of a network access. Collecting, managing and analysing firewall logs to discover abnormal network access is common practice in network security management. Firewall logs contain a great deal of useful information, but that information is only useful after in-depth analysis. Most firewall manufacturers provide firewall log management systems, but these concentrate on unified collection, storage, query and statistics of the logs. Th...


Application Information

IPC(8): H04L12/24, H04L29/06
Inventors: 姜学峰, 李威, 李健俊, 王正敏
Owner CHINA TOBACCO ZHEJIANG IND