CN110262949A - Intelligent device log processing system and method
- Publication number: CN110262949A (application number CN201910354819.0A)
- Authority: CN (China)
- Prior art keywords
- log
- rule
- analysis
- structuring
- smart machine
- Prior art date
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3476—Data logging
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- G06F18/231—Hierarchical techniques, i.e. dividing or merging pattern sets so as to obtain a dendrogram
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N5/00—Computing arrangements using knowledge-based models
- G06N5/02—Knowledge representation; Symbolic representation
- G06N5/022—Knowledge engineering; Knowledge acquisition
- G06N5/025—Extracting rules from data
Abstract
The invention discloses a smart device log processing system and method, relating to log processing for Internet of Things smart devices. The system comprises: a log acquirer, for obtaining the raw logs of a smart device according to the device's parameters; a log parser, for receiving the raw logs, parsing the unstructured or semi-structured raw logs into structured logs, and generating log sequences; a security rule base, containing log analysis rules; a log analysis engine, for receiving the structured logs and log sequences, performing rule matching on the structured logs according to the log analysis rules of the security rule base, and performing hierarchical clustering on the log sequences; a log analysis reporter, for generating a report from the analysis results according to the results of the log analysis engine and the security rule base; and a user interface module, for interacting with the user, receiving the smart device parameters, and outputting the report to the user. Log acquisition in the invention is efficient, simple and accurate.
Description
Technical field
The invention relates to the technical field of log processing systems for Internet of Things smart devices, and in particular to a smart device log processing system and its processing method.
Background
There are currently many methods of log auditing, including methods based on rule bases, data mining, immune systems and neural networks. Rule-base auditing has high detection accuracy but does not cope with changing network attack behaviour. Data-mining auditing can handle large-scale data files, but its accuracy needs tuning. Auditing based on evolutionary algorithms can optimise the audit effectively along several dimensions, but cannot detect attacks that occur simultaneously. Immune-system auditing can detect attacks and pathogens for which it holds a memory, but cannot identify race-condition or identity-masquerading attacks. Of these, the commonly used methods with established results are rule-base auditing and the data-mining algorithms that have drawn attention with the rise of big data. The biologically inspired neural network, genetic and evolutionary algorithms still await further research. In data mining, log analysis is divided mainly into supervised and unsupervised learning, depending chiefly on whether the logs are labelled. Supervised learning mainly uses classification algorithms, while unsupervised learning mainly uses clustering algorithms: cluster analysis divides the collected raw logs into two classes, normal and suspicious, and association rules are then mined separately from each class to obtain rules for normal operation and rules for abnormal operation.
Mainstream log analysis tools are now fairly mature, but they are limited in that collecting logs requires deploying collection software or adding a log collection tool on the monitored object, and for smart devices such software deployment is complex and difficult. Some smart devices also do not support the protocols commonly used for log collection, which makes obtaining their logs harder still.
When auditing the logs obtained, the mainstream approach is still rule-based matching. This is efficient, simple and intuitive, but as attack methods multiply, auditing performs poorly against attack methods that are not in the security rule base, and for large volumes of log data it cannot extract information beyond what the rules describe.
Summary of the invention
In view of this, the purpose of the present invention is to propose a smart device log processing system and processing method that solve the problems identified in the background: the difficulty of obtaining smart device logs and the poor effect of log auditing. The system is characterised by simple log acquisition and an excellent audit effect.
The present invention provides a smart device log processing system, comprising:
Log acquirer: for obtaining the raw logs of a smart device according to the smart device's parameters;
Log parser: for receiving the raw logs, parsing the unstructured or semi-structured raw logs into structured logs, and generating log sequences;
Security rule base: containing log analysis rules;
Log analysis engine: for receiving the structured logs and log sequences, performing rule matching on the structured logs according to the log analysis rules of the security rule base, and performing hierarchical clustering on the log sequences;
Log analysis reporter: for generating a report from the analysis results according to the results of the log analysis engine and the security rule base;
User interface module: for interacting with the user, receiving the smart device parameters, and outputting the report to the user.
Optionally, the log acquirer identifies the brand and model of the smart device through an interface the device provides, determines the protocol and communication method the device uses, sends a request to the device's IP address according to that protocol and interaction method, and obtains the raw logs generated while the device runs by parsing the response the device returns.
Optionally, the log parser includes:
Log cleaner: for removing redundant information from the raw logs and parsing the raw logs into the structured logs;
Event extractor: for extracting the operation events recorded in the parsed structured logs;
Log combiner: for combining single structured logs by context, according to the time at which each structured log occurred and its operation event, to generate the corresponding log sequences.
Optionally, the log analysis engine includes:
Rule matcher: for matching the corresponding log records out of the structured logs according to the user-configured rules and the log analysis rules in the security rule base, and for summarising and collating the matched records;
Cluster analyzer: for performing hierarchical clustering on the log sequences generated by the log parser, identifying large clusters and isolated points from the clustering result, deriving the device's operating patterns from the large clusters and abnormal behaviour from the isolated points, and thereby obtaining the information in the structured logs that lies outside the rules;
Log analysis interface: for interacting with the log analysis reporter on the basis of the results of the rule matcher and the cluster analyzer.
Based on the same inventive concept, the present invention also provides a smart device log processing method, comprising:
obtaining the unstructured or semi-structured raw logs of a smart device according to the received smart device parameters;
parsing the unstructured or semi-structured raw logs into structured logs and generating log sequences;
performing rule matching on the structured logs according to the log analysis rules of the security rule base;
performing hierarchical clustering on the log sequences;
generating a report according to the rule matching result and the hierarchical clustering result of the log sequences; and outputting the report.
Optionally, parsing the raw logs includes:
removing redundant information from the raw logs and parsing the raw logs into the structured logs;
extracting the operation events recorded in the parsed structured logs;
combining single structured logs by context, according to the time at which each structured log occurred and its operation event, to generate the corresponding log sequences.
Optionally, the rule matching and hierarchical clustering include:
matching the corresponding log records out of the structured logs according to the user-configured rules and the log analysis rules in the security rule base;
performing hierarchical clustering on the log sequences, identifying large clusters and isolated points from the clustering result, deriving the device's operating patterns from the large clusters and abnormal behaviour from the isolated points, and obtaining the information in the structured logs that lies outside the rules;
interacting with the log analysis reporter on the basis of the results of the rule matcher and the cluster analyzer.
Optionally, matching the corresponding log records out of the structured logs includes: matching the structured logs, via the rule matcher, against the user-defined rules and the rules in the security rule base, counting the number of hits, and recording the logs that hit.
Optionally, performing hierarchical clustering on the log sequences includes:
preprocessing the log sequences and converting them into vector data;
generating a distance matrix from the vector data using an improved cosine similarity algorithm, feeding it into a hierarchical clustering algorithm, and generating a cluster tree;
computing the relevant evaluation index for different numbers of clusters, and selecting the number of clusters corresponding to the best index value as the cluster count;
traversing the logs within each cluster, and counting the number and types of logs in each cluster.
Inductive analysis and association analysis are performed on the results of the rule matching and hierarchical clustering, and new security rules are generated and added back into the security rule base.
Based on the same inventive concept, the present invention also provides a confidentiality and security inspection method for a smart device log processing system, comprising:
submitting the parameters of the smart device under test;
entering the log processing system of the smart device under test and obtaining the retained log audit reports;
examining the log audit reports;
based on the examination results, tracing non-compliant operations to their source through risk localisation, risk investigation and source tracing.
From the above, the present invention has the following advantages:
The system connects the log acquirer to the interface provided by the smart device. It first identifies the device's brand and model and generates a corresponding instance, then sends requests to the specified IP address according to each device's protocol and interaction method, and obtains the device's operating logs automatically by parsing the responses. There is no need to recover the smart device's storage medium or to install a log collection device on it, so log acquisition is efficient, simple and accurate.
Besides using the security rule base for log processing, the system introduces a clustering method that can mine content outside the rules, such as the smart device's operating patterns, users' usage habits, and the abnormal events corresponding to isolated points, and can dynamically feed the abnormal events back into the security rule base, improving the audit effect of the logs.
Description of the drawings
Fig. 1 is a structural block diagram of the smart device log processing system according to an embodiment of the present invention;
Fig. 2 is a flow chart of the smart device log processing method according to an embodiment of the present invention;
Fig. 3 is a flow chart of the log analysis engine's processing according to an embodiment of the present invention;
Fig. 4 is a flow chart of the method by which the smart device log processing system performs a confidentiality and security inspection according to an embodiment of the present invention.
Detailed description
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
The main objective of the present invention is to develop a log security processing system for Internet of Things smart devices. The system automatically obtains a device's operating logs according to the smart device model entered by the user, searches the logs for events of interest to the user according to the security rules the user has configured, and at the same time analyses the logs by clustering to reflect the device's operating patterns, locates anomalies via isolated points, and reports them to the user. As a first step, the smart devices considered for support are the mainstream digital copier brands on the market and their sub-models.
The smart device log processing system according to an embodiment of the present invention comprises:
Log acquirer: for obtaining the raw logs of a smart device according to the smart device's parameters;
Log parser: for receiving the raw logs, parsing the unstructured or semi-structured raw logs into structured logs, and generating log sequences;
Security rule base: containing log analysis rules;
Log analysis engine: for receiving the log sequences, performing rule matching on the structured logs according to the log analysis rules of the security rule base, and performing hierarchical clustering on the log sequences;
Log analysis reporter: for generating a report from the analysis results according to the results of the log analysis engine and the security rule base;
User interface module: for interacting with the user, receiving the smart device parameters, and outputting the report to the user.
The system connects the log acquirer to the interface provided by the smart device. It first identifies the device's brand and model and generates a corresponding instance, then sends requests to the specified IP address according to each device's protocol and interaction method, and obtains the device's operating logs automatically by parsing the responses. There is no need to recover the smart device's storage medium or to install a log collection device on it, so log acquisition is efficient, simple and accurate.
Besides using the security rule base for log auditing, the system introduces a clustering method that can mine content outside the rules, such as the smart device's operating patterns, users' usage habits, and the abnormal events corresponding to isolated points, and can dynamically feed the abnormal events back into the security rule base, improving the audit effect of the logs.
As shown in Fig. 1, in some embodiments the smart device log processing system comprises:
Log acquirer: for obtaining the raw logs of the smart device according to the smart device parameters.
In an embodiment of the present invention, the smart device parameters may include the smart device model, the device IP address and user-defined rules.
In an embodiment of the present invention, the log acquirer may identify the brand and model of the smart device through an interface the device provides and determine the protocol and communication method the device uses, thereby generating an instance corresponding to the device; it then sends a request to the device's IP address according to that protocol and interaction method, and automatically obtains the raw logs generated while the device runs by parsing the response the device returns.
Log parser: for receiving the raw logs and processing and parsing them, thereby parsing the unstructured or semi-structured raw logs into structured logs and generating log sequences.
Log analysis engine: for analysing the content generated by the log parser, specifically by performing rule matching on the structured logs according to the log analysis rules in the security rule base, and hierarchical clustering on the log sequences.
Security rule base: for providing log analysis rules to the log analysis engine.
In an embodiment of the present invention, the security rule base may further provide corresponding security risk support for the log analysis engine. Specifically, the security rule base holds two kinds of content: first, rules configured by the user; for a unit handling classified information, for example, USB drive operations on classified equipment are sensitive operations and should be pre-configured in the security rule base; second, log operation behaviour that auditors have judged abnormal or insecure after it has been processed by the system, which should be added to the security rule base in the form of rules.
In an embodiment of the present invention, the security rule base may also be used to provide a risk improvement strategy report. Specifically, each rule carries a field recording its security level, such as high-risk, medium or normal; this field is set by the user or auditor, and when a report is generated the security level of the sensitive events is reflected in the report so that the risk can be assessed.
Log analysis reporter: for generating a report from the analysis results according to the results of the log analysis engine and the security rule base.
In an embodiment of the present invention, the analysis results may include the rules of interest to the user, the device's operating patterns, and the security risks discovered.
User interface module: for interacting with the user, on the one hand receiving the smart device parameters and on the other outputting the report to the user.
The system connects the log acquirer to the interface provided by the smart device. It first identifies the device's brand and model and generates a corresponding instance, then sends requests to the specified IP address according to each device's protocol and interaction method, and obtains the device's operating logs automatically by parsing the responses. There is no need to recover the smart device's storage medium or to install a log collection device on it, so log acquisition is efficient, simple and accurate.
Besides using user-defined rules and the security rule base for log auditing, the system introduces a clustering method that can mine content outside the rules, such as the smart device's operating patterns, users' usage habits, and the abnormal events corresponding to isolated points, and can dynamically feed the abnormal events back into the security rule base.
In some embodiments, the log parser may include:
Log cleaner: for removing redundant information from the raw logs and parsing the raw logs into the structured logs;
Event extractor: for extracting the operation events recorded in the parsed structured logs. Specifically, on some smart devices a single user action is broken down into a series of operation events; for example, when a user makes a copy on a digital copier, the copying action corresponds to three operation events in the copier: login, copy and logout;
Log combiner: for combining single structured logs by context, according to the time at which each structured log occurred and its operation event, to generate the corresponding log sequences.
In some embodiments, the log analysis engine includes:
Rule matcher: for matching the corresponding log records out of the structured logs according to the user-configured rules and the log analysis rules in the security rule base, and for summarising and collating the matched records, specifically by recording the number of hits and highlighting the content that hit;
Cluster analyzer: for performing hierarchical clustering on the log sequences generated by the log parser, identifying large clusters and isolated points from the clustering result, deriving the device's operating patterns from the large clusters and abnormal behaviour from the isolated points, and thereby obtaining the information in the structured logs that lies outside the rules;
Log analysis interface: for interacting with the log analysis reporter on the basis of the results of the rule matcher and the cluster analyzer.
Based on the same inventive concept, the present invention also provides a processing method for smart device logs. As shown in Fig. 2, the method includes the following steps:
S11: obtain the unstructured or semi-structured raw logs of the smart device according to the received smart device parameters;
S12: parse the unstructured or semi-structured raw logs into structured logs and generate log sequences;
S13: perform rule matching on the structured logs according to the log analysis rules of the security rule base;
S14: perform hierarchical clustering on the log sequences;
S15: generate a report according to the rule matching result and the hierarchical clustering result of the log sequences, and output the report.
In some embodiments, obtaining the unstructured or semi-structured raw logs of the smart device may specifically include: identifying the brand and model of the smart device; determining the protocol and communication method the device uses; sending a request to the device's IP address according to that protocol and interaction method; and obtaining the raw logs generated while the device runs by parsing the response the device returns.
In some embodiments, parsing the raw logs may also include the following steps:
S21: remove redundant information from the raw logs and parse the raw logs into the structured logs;
S22: extract the operation events recorded in the parsed structured logs;
S23: combine single structured logs by context, according to the time at which each structured log occurred and its operation event, to generate the corresponding log sequences.
Besides generating structured logs, the log parser analyses them by context to form log combinations, which ensures that the objects clustered are log combinations rather than single logs and so improves the clustering effect.
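As an added illustration (not code from the patent), the three parser stages (cleaner, event extractor, combiner) and the rule matcher described above, in Python, over a constructed copier-style job log. The log layout, field and event names, the session id as the grouping context, and the rule format are assumptions; the page does not specify a log format.

```python
import re
from collections import defaultdict

# Constructed raw lines in the style of a networked copier's job log (not from any real device).
RAW_LOG = """\
2019-04-28 09:12:03 MFP-01 [INFO] sess=17 user=alice event=LOGIN src=10.0.0.5 fw=3.2.1 uptime=884213
2019-04-28 09:12:20 MFP-01 [INFO] sess=17 user=alice event=COPY pages=4 fw=3.2.1 uptime=884230
2019-04-28 09:12:41 MFP-01 [INFO] sess=17 user=alice event=LOGOUT fw=3.2.1 uptime=884251
2019-04-28 09:30:02 MFP-01 [INFO] sess=18 user=bob event=LOGIN src=10.0.0.9 fw=3.2.1 uptime=885292
2019-04-28 09:30:15 MFP-01 [WARN] sess=18 user=bob event=USB_MOUNT dev=sda1 fw=3.2.1 uptime=885305
2019-04-28 09:30:40 MFP-01 [INFO] sess=18 user=bob event=SCAN_TO_USB pages=37 fw=3.2.1 uptime=885330
2019-04-28 09:31:02 MFP-01 [INFO] sess=18 user=bob event=LOGOUT fw=3.2.1 uptime=885352
garbage line that does not match the expected layout
"""

# Fields carrying no audit value; the log cleaner stage drops them (assumed list).
REDUNDANT_FIELDS = {"fw", "uptime"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) \[(\w+)\] (.*)$")


def clean_and_parse(raw):
    """Log cleaner: turn each semi-structured line into a dict and drop redundant fields.
    Lines that do not fit the layout are skipped instead of aborting the whole batch."""
    records = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, device, level, rest = m.groups()
        rec = {"time": ts, "device": device, "level": level}
        for kv in rest.split():
            key, _, value = kv.partition("=")
            if key not in REDUNDANT_FIELDS:
                rec[key] = value
        records.append(rec)
    return records


def extract_event(rec):
    """Event extractor: the operation event carried by one structured record."""
    return rec.get("event", "UNKNOWN")


def combine_sequences(records):
    """Log combiner: group single records into context sequences.
    The context here is the session id, so one sequence runs LOGIN ... LOGOUT,
    matching the copier example in the text (login, copy, logout)."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec.get("sess", "none")].append(rec)
    sequences = [sorted(recs, key=lambda r: r["time"]) for recs in by_session.values()]
    return sorted(sequences, key=lambda seq: seq[0]["time"])


# Security rule base and user-configured rules: a field pattern plus the security-level
# field the text describes (high / medium / normal). Rule contents are constructed.
SECURITY_RULES = [
    {"name": "usb-on-classified-device", "match": {"event": "USB_MOUNT"}, "severity": "high"},
    {"name": "scan-to-removable-media", "match": {"event": "SCAN_TO_USB"}, "severity": "high"},
]
USER_RULES = [
    {"name": "login-audit", "match": {"event": "LOGIN"}, "severity": "normal"},
]


def match_rules(records, rules):
    """Rule matcher: for each rule, count hits and keep the records that hit,
    carrying the rule's security level through to the report."""
    report = {r["name"]: {"severity": r["severity"], "count": 0, "records": []} for r in rules}
    for rec in records:
        for rule in rules:
            if all(rec.get(k) == v for k, v in rule["match"].items()):
                entry = report[rule["name"]]
                entry["count"] += 1
                entry["records"].append(rec)
    return report


if __name__ == "__main__":
    recs = clean_and_parse(RAW_LOG)
    for seq in combine_sequences(recs):
        print(seq[0].get("user"), "->", [extract_event(r) for r in seq])
    for name, entry in match_rules(recs, SECURITY_RULES + USER_RULES).items():
        print(f"{name}: {entry['count']} hit(s), severity={entry['severity']}")
```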
具体地,所述规则匹配和层次聚类可以包括:Specifically, the rule matching and hierarchical clustering may include:
根据用户配置的规则和所述安全规则库中的日志分析规则,从所述结构化日志中匹配出相应日志记录;matching the corresponding log records from the structured logs according to the rules configured by the user and the log analysis rules in the security rule base;
对所述日志解析器生成的所述日志序列进行层次聚类,根据聚类结果发现大聚簇和孤立点,由大聚簇分析设备运行规律,由孤立点发现异常行为,获得结构化日志中规则外蕴含的信息;Perform hierarchical clustering on the log sequence generated by the log parser, find large clusters and isolated points according to the clustering results, analyze the operating rules of the equipment from the large clusters, find abnormal behaviors from the isolated points, and obtain the structured logs. Information implied outside the rules;
根据所述规则匹配器和所述聚类分析器的结果与所述日志分析报告器进行交互。Interacting with the log analysis reporter based on the results of the rule matcher and the cluster analyzer.
As shown in FIG. 3, in some embodiments, the rule matching of structured logs and the hierarchical clustering analysis of log sequences described above may specifically include the following steps:
a) Determine whether the log to be analysed is a structured log or a log sequence. If it is a structured log, the rule matcher matches it against the user-defined rules and the rules in the security rule base, counts the number of hits and records the matching logs, then proceed to step f; if it is a log sequence, proceed to step b;
b) preprocess the log sequence and convert it into vector data;
c) generate a distance matrix from the vector data and feed it to the hierarchical clustering algorithm to produce a cluster tree. The distance between logs is not computed with the Hamming distance commonly used in log clustering; instead, an improved cosine similarity is computed over the vectorised log data to produce the distance matrix;
d) compute the relevant evaluation index for different numbers of clusters, and select the number of clusters corresponding to the best value as the cluster count;
e) traverse the logs within each cluster and count the number and types of logs in each cluster;
f) perform inductive analysis and correlation analysis on the results of steps a and e, generate new security rules and feed them back into the security rule base.
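The procedure in steps a) to f), together with the context combination of S23, as an added example in Python. This is illustration code written for this page, not the patent's implementation. The log tuple format, the substring rules, the 30-second context window, plain cosine distance (the page does not say how its cosine similarity is improved) and the silhouette score as the evaluation index in step d are all assumptions; the sample logs and rule bases are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed structured logs: (timestamp in seconds, device, operation event, detail)
LOGS = [
    (0, "cam-01", "login", "user=admin"), (5, "cam-01", "view", "stream=1"), (9, "cam-01", "logout", "user=admin"),
    (100, "cam-01", "login", "user=admin"), (104, "cam-01", "view", "stream=1"), (110, "cam-01", "logout", "user=admin"),
    (200, "cam-02", "login", "user=ops"), (203, "cam-02", "view", "stream=2"), (207, "cam-02", "logout", "user=ops"),
    (300, "cam-02", "login", "user=ops"), (302, "cam-02", "view", "stream=2"), (305, "cam-02", "logout", "user=ops"),
    (400, "cam-03", "login", "user=guest"), (401, "cam-03", "config", "key=ntp"),
    (402, "cam-03", "firmware", "action=upload"), (403, "cam-03", "factory_reset", ""),
]
# Constructed rule bases (assumed format): rule name -> substring whose presence in a log is a hit
SECURITY_RULES = {"firmware-upload": "firmware", "factory-reset": "factory_reset"}
USER_RULES = {"guest-login": "user=guest"}

def build_sequences(logs, gap=30):
    """S23: combine single logs into context sequences (same device, at most `gap` seconds apart; assumed rule)."""
    seqs, cur = [], []
    for e in sorted(logs):
        if cur and (e[1] != cur[-1][1] or e[0] - cur[-1][0] > gap):
            seqs.append(cur)
            cur = []
        cur.append(e)
    return seqs + [cur] if cur else seqs

def match_rules(logs, rules):
    """Step a: match every structured log against the rules; record the hits per rule."""
    hits = defaultdict(list)
    for e in logs:
        for name, pattern in rules.items():
            if pattern in f"{e[2]} {e[3]}":
                hits[name].append(e)
    return hits

def cosine_distance(a, b):
    """Step c: 1 - cosine similarity over event-count vectors. The patent's 'improved'
    variant is not specified on the page, so plain cosine distance stands in for it (assumption)."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na, nb = (math.sqrt(sum(v * v for v in x.values())) for x in (a, b))
    return 1.0 - dot / (na * nb) if na and nb else 1.0

def hierarchical_clusters(dist):
    """Step c: agglomerative clustering with average linkage; returns {k: partition} for every tree level."""
    clusters = [[i] for i in range(len(dist))]
    levels = {len(clusters): [c[:] for c in clusters]}
    while len(clusters) > 1:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = sum(dist[p][q] for p in clusters[i] for q in clusters[j]) / (len(clusters[i]) * len(clusters[j]))
                if best is None or d < best[0]:
                    best = (d, i, j)
        _, i, j = best
        clusters[i] += clusters.pop(j)  # j > i, so index i is unaffected by the pop
        levels[len(clusters)] = [c[:] for c in clusters]
    return levels

def silhouette(partition, dist):
    """Mean silhouette of a partition from the precomputed distance matrix (singletons score 0)."""
    label = {p: ci for ci, c in enumerate(partition) for p in c}
    scores = []
    for p, ci in label.items():
        own = [q for q in partition[ci] if q != p]
        if not own:
            scores.append(0.0)
            continue
        a = sum(dist[p][q] for q in own) / len(own)
        b = min(sum(dist[p][q] for q in c) / len(c) for cj, c in enumerate(partition) if cj != ci)
        scores.append((b - a) / max(a, b) if max(a, b) > 0 else 0.0)
    return sum(scores) / len(scores)

def choose_k(levels, dist):
    """Step d: evaluate each candidate cluster count (silhouette assumed as the index) and keep the best."""
    return max((k for k in levels if 2 <= k <= len(dist) - 1), key=lambda k: silhouette(levels[k], dist), default=1)

def summarize(seqs, partition):
    """Step e: log count and event types per cluster; a singleton cluster is treated as an isolated point."""
    return [{"logs": sum(len(seqs[i]) for i in c), "events": Counter(e[2] for i in c for e in seqs[i]),
             "isolated": len(c) == 1} for c in partition]

def derive_rules(summary, rule_base):
    """Step f: events seen only in isolated points (never in a large cluster) become candidate rules
    and are fed back into the rule base; existing rules are not duplicated."""
    common = set().union(*(s["events"] for s in summary if not s["isolated"]))
    new = {f"auto-{ev}": ev for s in summary if s["isolated"] for ev in s["events"]
           if ev not in common and ev not in rule_base.values()}
    rule_base.update(new)
    return new

def run_pipeline(logs, security_rules, user_rules):
    """Single logs go to the rule matcher (step a); sequences go through steps b to e; f closes the loop."""
    hits = match_rules(logs, {**user_rules, **security_rules})
    seqs = build_sequences(logs)
    vecs = [Counter(e[2] for e in s) for s in seqs]  # step b: bag-of-events vector per sequence
    dist = [[cosine_distance(a, b) for b in vecs] for a in vecs]
    levels = hierarchical_clusters(dist)
    k = choose_k(levels, dist)
    summary = summarize(seqs, levels[k])
    rule_base = dict(security_rules)
    new_rules = derive_rules(summary, rule_base)
    return {"hits": {n: len(v) for n, v in hits.items()}, "k": k, "clusters": levels[k],
            "summary": summary, "new_rules": new_rules, "rule_base": rule_base}
```

On the constructed input, `run_pipeline(LOGS, SECURITY_RULES, USER_RULES)` reports one hit each for the guest login, firmware upload and factory reset rules, chooses two clusters, places the four routine login/view/logout sequences in one large cluster and the cam-03 sequence as an isolated point, and feeds back `config`, the only event of that isolated point not already covered by a rule, as a candidate rule. Using average linkage and a silhouette index is a design choice for the example; whichever evaluation index the rule base owner settles on, the isolated points should be reviewed before their auto-generated rules are trusted, since a genuinely rare but benign operation would otherwise become a permanent alert.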
In addition to auditing logs with user-defined rules and the security rule base, the system introduces a clustering method that can mine content the rules do not cover, such as the operating regularities of the smart device, user habits and the abnormal events corresponding to isolated points, and it can dynamically feed those abnormal events back into the security rule base, which improves the auditing result.
Based on the same inventive concept, the present invention also provides a confidentiality security inspection method for the smart device log processing system, as shown in FIG. 4, comprising the following steps:
S41: submit the parameters of the smart device under test;
S42: enter the log processing system of the smart device under test and obtain the retained log audit report;
S43: inspect the log audit report;
S44: based on the inspection result, trace the source of non-compliant operations through risk localisation, risk investigation and tracing.
When a confidentiality unit carries out a security inspection of its classified smart devices, it can use the system to obtain and inspect the logs retained on the devices, search for risky operations and trace the source of non-compliant operations, which improves the system's practicality.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the present disclosure (including the claims) is limited to these examples; within the idea of the present invention, technical features of the above embodiments or of different embodiments may also be combined, the steps may be carried out in any order, and there are many other variations of the different aspects of the invention as described above, which are not presented in detail for the sake of brevity.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910354819.0A CN110262949A (en) | 2019-04-29 | 2019-04-29 | Intelligent device log processing system and method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110262949A true CN110262949A (en) | 2019-09-20 |
Family
ID=67914109
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910354819.0A Pending CN110262949A (en) | 2019-04-29 | 2019-04-29 | Intelligent device log processing system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110262949A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104076725A (en) * | 2014-07-07 | 2014-10-01 | 浙江维融电子科技股份有限公司 | Cash-counting machine operating state monitoring method, device and system |
| CN106446076A (en) * | 2016-09-07 | 2017-02-22 | 南京理工大学 | Hierarchical clustering-based log audit method |
| CN107368516A (en) * | 2017-05-25 | 2017-11-21 | 全球能源互联网研究院 | A kind of log audit method and device based on hierarchical clustering |
| CN109271272A (en) * | 2018-10-15 | 2019-01-25 | 江苏物联网研究发展中心 | Big data component faults based on unstructured log assist repair system |
| US20190095233A1 (en) * | 2017-09-22 | 2019-03-28 | Fujitsu Limited | Apparatus and method to predict a time interval taken for a live migration of a virtual machine |
Events
- 2019-04-29: CN application CN201910354819.0A filed (published as CN110262949A), status Pending
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110825873A (en) * | 2019-10-11 | 2020-02-21 | 支付宝(杭州)信息技术有限公司 | Method and device for expanding log exception classification rules |
| CN111353892A (en) * | 2020-03-31 | 2020-06-30 | 中国建设银行股份有限公司 | Transaction risk monitoring method and device |
| CN112468472A (en) * | 2020-11-18 | 2021-03-09 | 中通服咨询设计研究院有限公司 | Security policy self-feedback method based on security log association analysis |
| CN112468472B (en) * | 2020-11-18 | 2022-09-06 | 中通服咨询设计研究院有限公司 | Security policy self-feedback method based on security log association analysis |
| CN114546793A (en) * | 2020-11-24 | 2022-05-27 | 腾讯科技(深圳)有限公司 | A log generation method, apparatus and computer-readable storage medium |
| CN112667572A (en) * | 2020-12-23 | 2021-04-16 | 国网宁夏电力有限公司信息通信公司 | Log calibration method and device |
| CN112751876A (en) * | 2020-12-30 | 2021-05-04 | 北京天融信网络安全技术有限公司 | Control method and device of message acquisition system, electronic equipment and storage medium |
| CN112751876B (en) * | 2020-12-30 | 2022-11-15 | 北京天融信网络安全技术有限公司 | Control method and device of message acquisition system, electronic equipment and storage medium |
| CN113657443A (en) * | 2021-07-10 | 2021-11-16 | 东南大学 | An online IoT device identification method based on SOINN network |
| CN113657443B (en) * | 2021-07-10 | 2024-03-19 | 东南大学 | An online IoT device identification method based on SOINN network |
| CN115033463A (en) * | 2022-08-12 | 2022-09-09 | 北京优特捷信息技术有限公司 | Method, device, equipment and storage medium for determining system exception type |
| CN115033463B (en) * | 2022-08-12 | 2022-11-22 | 北京优特捷信息技术有限公司 | System exception type determining method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | Application publication date: 20190920 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |