Hierarchical clustering-based log audition method and device

Abstract

The invention relates to a hierarchical clustering-based log audition method and device. The method comprises the following steps of: dividing a log into a first part and a second part; respectively determining vectors of the first part and the second part; and clustering the log by utilizing the vectors of the first part and the second part of the log so as to obtain a clustering result of the log, wherein the first part comprises attributes expressed by uniform structures in the log and the second part comprises attributes expressed by non-uniform structures in the log. According to the method and device provided by the invention, log audition is carried out by utilizing a hierarchical clustering method so as to carry out clustering on logs, so that abnormal log information in logs of people is mined.

Description

technical field [0001] The invention relates to the field of network security, in particular to a log audit method and device based on hierarchical clustering. Background technique [0002] With the development of informatization, network security issues have become more and more prominent. As a means of security recording, logs can still play an important role in the current security needs. However, in the face of massive log information, traditional log audit methods are stretched. Taking intrusion detection detection as an example, according to Julisch's investigation, as early as 2000, when the network was not inflated, the system generally triggered at least 3 alarm logs per minute. Now Logs have long belonged to the category of big data. Massive data will bring great difficulties to decision-making analysis, and manual analysis is not only labor-intensive but also error-prone. Nowadays, using the clustering method in data mining to mine network data has become the ma...

AI Technical Summary

Problems solved by technology

Although there are many mature hierarchical clustering algorithms, there are very few algorithms that apply them to log auditing. On the one hand, because of the limitations of the clustering method itself, partition-based clustering algorithms such as k-means can only process numerical values. type data, and the anti-interference ability is poor; the density-based clustering algorithm needs to determine the corresponding threshold; the difficulty of the grid-based clustering algorithm is to select the appropriate cell size and number, and to summarize and quantify the information of the objects in each cell Determination of scale; model-based clustering algorithms are not suitable for clustering data in large databases

On the other hand, due to the singleness of the log content, the diversity of the format, and the pertinence of the application, although there are association algorithms such as the association rule algorithm to discover the association rules in the log, it is still not possible to analyze the massive Filter the logs to find out the abnormal log information, which is not enough to fully display the information in the massive logs

Images