Log ciphertext retrieval method based on alarm association

Abstract

The invention discloses a log ciphertext retrieval method based on alarm association. A distributed storage structure based on a block chain is constructed, so that the security of the alarm log is ensured; a function for calculating the threat degree of the source address is defined; clustering and index construction are carried out on the alarm logs according to the calculated threat degree; theindex construction method based on alarm association is designed, the alarm logs belonging to the same attack process are extracted by performing correlation analysis on the alarm logs, the securityindex is constructed, effective retrieval is performed, the alarm logs with attack intention are acquired, and the analysis efficiency of the alarm logs can be improved. The designed method comprisesa log owner module, a distributed log storage module and a log searcher module, and has the advantages of being high in storage safety, high in log search efficiency and the like.

Description

technical field [0001] The invention is applied to the retrieval field of alarm logs, and is a log ciphertext retrieval method capable of ensuring log security and improving follow-up analysis efficiency. Background technique [0002] With the rapid development of information technology, there are more and more attack methods of network intrusion, and the role of network protection system is also more obvious. The intrusion detection system (IDS, intrusion detection system) is responsible for real-time monitoring of the overall operating status of the network and system. By discovering and recording various attack behaviors, it can ensure the normal operation of the network system and increase the security and integrity of the network protection system. sex. By using the IDS alarm log to record the detected attack behavior, the security loopholes in the network environment can be found out in time through log analysis, and the protection system in the network device can be ...

AI Technical Summary

Problems solved by technology

However, there are two very serious problems in the management and use of the alarm log. First, the alarm log records the attack events in the network and can analyze the attack intention of the intruder. It is different from ordinary data files. It is more It is vulnerable to tampering or theft. If the same storage method as ordinary data files is used, the alarm log is very likely to be attacked, which makes it difficult to guarantee the integrity and security of the log

Second, due to the large number of alarm logs, if you want to know the security problems in the network, the log administrator needs to conduct security analysis on the massive alarm logs, which contain a large number of false alarms and irrelevant alarms. These low-level alarms are not practical. attack behavior, and it is not helpful to the results of log analysis, which interferes with the correct analysis of the intruder's attack intention and makes the analysis inefficient

Images