Web log abnormal behavior identification method based on knowledge graph

Abstract

In order to improve the capability of analyzing the logs of the network DNS server, the invention innovatively proposes the construction of the domain name resolution system-oriented knowledge graph by integrating multiple technologies. The method comprises the following steps: firstly, designing an automatic crawler model based on the combination of aiohttp and dig technologies by applying the principles of domain name resolution, an authoritative domain name server, alias resolution, an autonomous system and the like, and constructing a corresponding domain knowledge base; secondly, on the basis of the knowledge base, designing a domain name resolution system-oriented knowledge graph prototype and completing the construction of the knowledge graph, wherein the node scale of the knowledge graph prototype reaches nearly 5 million; and finally, completing construction of a web log abnormal behavior recognition model based on assistance of the knowledge graph. Through experiment and practical application feedback, the knowledge graph plays a key role in the process of detecting and analyzing the abnormal behavior of the web server log, and the recognition rate of the abnormal behavior model of the web log is improved.

Description

technical field [0001] The invention relates to a knowledge graph-based webi log abnormal behavior recognition method, which belongs to the technical field of knowledge graph information utilization. Background technique [0002] Generally speaking, source governance is the best method. How to detect abnormal online behavior can start from the source of domain name resolution. Domain name resolution is the process of converting a domain name into an IP through a dedicated domain name resolution server (DNS). Each resolution will generate four types of log data, including DNS, URL, IP, and SSL logs. The logs may be filled with a large number of machine behaviors such as crawlers, port scans, brute force domain name cracking, and connectivity tests, that is, abnormal behaviors. [0003] The applicant's research found that most of the work of identifying abnormal behaviors in the prior art is done by researchers using log analysis tools with single functions and limited beh...

AI Technical Summary

Problems solved by technology

It can be found that the use of knowledge graphs makes work tasks easier, but in log analysis, a subfield of network information security, there is currently no complete and effective knowledge graph to support researchers to complete the work of log analysis

Although the document Yan Zhihao et al. constructed a domain name system knowledge graph based on Alexa's top 100w domain names in "CDN Domain Name Identification Technology Based on Domain Name System Knowledge Graph", the function of the domain name system knowledge graph constructed by it is limited to the identification of CDN domain names. The log analysis of the

Images