可视化日志分析系统的研究与实现
|
摘要
从信息安全风险管理角度来看,针对各类系统的运行日志和用户网络访问行为的审计系统是信息安全保障体系中不可或缺的一部分,因此,日志分析作为网络安全防御系统的组成部分,在网络安全中起着重要的作用。一个良好的日志分析系统能够通过全面的日志及行为分析弥补现有各类技术产品在威胁分析发现方面的不足,并能够为安全事故的责任追查、故障定位提供有力的技术手段。
本文在分析了同类产品优缺点的基础上,根据企业用户的实际需求,结合数据挖掘技术的发展,设计和实现了新的可视化日志分析系统。
本文首先介绍了日志分析系统的基本概念,简要阐述了日志分析系统的重要性,并对国内外一些类似产品作了对比,分析了日志分析系统的发展趋势和目前的日志分析系统存在的问题。然后,结合部分企业对日志分析系统的实际需求,提出了新的日志分析系统所必须满足的基本功能。
在此基础上,本文详细描述了该系统的整体架构、数据库结构、采集分析模块的流程、用户管理界面的结构以及告警引擎接口。重点说明了数据库的设计原则,讨论了海量日志的存储方法,提出以设备或以时间为基本数据表的存储方式,在提高查询效率的同时也极大增加了系统的可维护性;优化了数据采集的方式,提出了增加数据缓存区结合多线程并行处理的方式,极大的提高了系统的吞吐量;提出了日志处理的多层模型,将处理过程分为接收、过滤、合并、分析告警、保存等几个处理层次,分别阐述了各个处理层次的流程以及关键的处理方法,并结合分析过程给出了部分重要的数据结构;描述了日志分析系统中管理程序的设计原则,详细分析了安全模块的设计方法,列举了主要的功能菜单;结合重点属性的关联分析,说明了关联分析在本研究中的具体应用;给出了告警规则的实际设计,并阐明了告警规则中的详细条目以及在系统中具体的应用方法。最后,给出了该系统在实际网络中的测试情况,验证了可视化日志分析系统的设计功能能够满足企业用户的实际需求。
From the perspective of information security risk management, the auditing system aiming at running logs of the system for all types and logs of network access is an integral part of information security system. Therefore, Log Analysis, as component of security defense system, plays an important role in network security. An effective Log Analysis System, by the overall analysis to log activities, analyses and complements drawbacks in intimidation detection and analysis made by current various types of products. What's more, it is able to provide effective technological approaches for trace of responsibility and location of breakdown.
Based on researching merits and faults existed in the similar sort of products, this paper, in accordance with practical demand and integrating the development of data digging technology, designs and makes the Visual Log Analysis System.
Firstly, this paper introduces the basic concept about Log Analysis System and describes in brief the importance of the System. By comparison with some products resembled at home and abroad, this paper describes the trends of the Log Analysis System and discusses the current problems in the log analysis system. And then, by integrating the practical demand proposed by partial enterprises, the basic function to a new type of the Log Analysis System is effectively displayed.
On the base of the above-mentioned, this paper designed the Visual Log Analysis System which meets the new demand from clients and described in details the framework of the system, structure of database, the flowchart of the modules for collection and analysis, the structure of the interface for client management and alarming engine interface. It illustrates designing principle of database, discusses the approach of storage for bulk of logs, and puts forward the storing modes based on equipment or time as the basic data diagram. It promotes the system maintainability with increase of consulting efficiency, optimizes the way of collection of data and proposes the mode of integrity of increasing data cache and multithreading perform, extremely broadens the capability of system. What's more, it puts forward the multi-layer model of the log dealing, which divides the process into receiving, filtering, connecting, analyzing-alarming and storage, and separately describes the flowchart of each layer and crucial dealing ways. The design contrives data structure of partial section by linking analyzing process. It illustrates the designing principle of management program under the log analyzing system and the analyzing in details the designing way of safety module, and lists main function menu. Besides, it states the specific application in the research of linking analysis in connection with key attribution. Moreover, practical design of alarming principle is shown, which displays specific items in the alarming principle as well as detailed usage in the system. It eventually shows the details in real test environment and verifies the function designed of Visual Log Analysis System which is able to attain the practical need of clients.
本文在分析了同类产品优缺点的基础上,根据企业用户的实际需求,结合数据挖掘技术的发展,设计和实现了新的可视化日志分析系统。
本文首先介绍了日志分析系统的基本概念,简要阐述了日志分析系统的重要性,并对国内外一些类似产品作了对比,分析了日志分析系统的发展趋势和目前的日志分析系统存在的问题。然后,结合部分企业对日志分析系统的实际需求,提出了新的日志分析系统所必须满足的基本功能。
在此基础上,本文详细描述了该系统的整体架构、数据库结构、采集分析模块的流程、用户管理界面的结构以及告警引擎接口。重点说明了数据库的设计原则,讨论了海量日志的存储方法,提出以设备或以时间为基本数据表的存储方式,在提高查询效率的同时也极大增加了系统的可维护性;优化了数据采集的方式,提出了增加数据缓存区结合多线程并行处理的方式,极大的提高了系统的吞吐量;提出了日志处理的多层模型,将处理过程分为接收、过滤、合并、分析告警、保存等几个处理层次,分别阐述了各个处理层次的流程以及关键的处理方法,并结合分析过程给出了部分重要的数据结构;描述了日志分析系统中管理程序的设计原则,详细分析了安全模块的设计方法,列举了主要的功能菜单;结合重点属性的关联分析,说明了关联分析在本研究中的具体应用;给出了告警规则的实际设计,并阐明了告警规则中的详细条目以及在系统中具体的应用方法。最后,给出了该系统在实际网络中的测试情况,验证了可视化日志分析系统的设计功能能够满足企业用户的实际需求。
From the perspective of information security risk management, the auditing system aiming at running logs of the system for all types and logs of network access is an integral part of information security system. Therefore, Log Analysis, as component of security defense system, plays an important role in network security. An effective Log Analysis System, by the overall analysis to log activities, analyses and complements drawbacks in intimidation detection and analysis made by current various types of products. What's more, it is able to provide effective technological approaches for trace of responsibility and location of breakdown.
Based on researching merits and faults existed in the similar sort of products, this paper, in accordance with practical demand and integrating the development of data digging technology, designs and makes the Visual Log Analysis System.
Firstly, this paper introduces the basic concept about Log Analysis System and describes in brief the importance of the System. By comparison with some products resembled at home and abroad, this paper describes the trends of the Log Analysis System and discusses the current problems in the log analysis system. And then, by integrating the practical demand proposed by partial enterprises, the basic function to a new type of the Log Analysis System is effectively displayed.
On the base of the above-mentioned, this paper designed the Visual Log Analysis System which meets the new demand from clients and described in details the framework of the system, structure of database, the flowchart of the modules for collection and analysis, the structure of the interface for client management and alarming engine interface. It illustrates designing principle of database, discusses the approach of storage for bulk of logs, and puts forward the storing modes based on equipment or time as the basic data diagram. It promotes the system maintainability with increase of consulting efficiency, optimizes the way of collection of data and proposes the mode of integrity of increasing data cache and multithreading perform, extremely broadens the capability of system. What's more, it puts forward the multi-layer model of the log dealing, which divides the process into receiving, filtering, connecting, analyzing-alarming and storage, and separately describes the flowchart of each layer and crucial dealing ways. The design contrives data structure of partial section by linking analyzing process. It illustrates the designing principle of management program under the log analyzing system and the analyzing in details the designing way of safety module, and lists main function menu. Besides, it states the specific application in the research of linking analysis in connection with key attribution. Moreover, practical design of alarming principle is shown, which displays specific items in the alarming principle as well as detailed usage in the system. It eventually shows the details in real test environment and verifies the function designed of Visual Log Analysis System which is able to attain the practical need of clients.
引文
[1]李承,王伟钊,程立,汪为农,李家滨.基于防火墙日志的网络安全审计系统研究与实现[J].计算机工程,2002,(06);
[2]王新昌,杨艳,刘育楠.一种基于局域网监控日志的安全审计系统[J].计算机应用,2007,(02);
[3]黄艺海,胡君.日志审计系统设计与实现[J].计算机工程,2006,32(22):67-68;
[4]崔蔚,赵强,姜建国,黄钧.基于主机的安全审计系统研究[J].计算机应用,2004,(04);
[5]潘军,王桂森,李祥和.Windows平台下安全审计技术的探讨与实现[J].微计算机应用,2005,(03);
[6]杨仁华,刘培玉.基于日志的安全审计系统研究与实现[J].网络与信息安全,2009,(04);
[7]陈江.计算机安全审计技术研究[D].广东工业大学,2005;
[8]姜传菊.网络日志分析在网络安全中的作用[J].现代图书情报技术,2004,(12);
[9]周子庭,李建华.系统日志分析及在主机入侵检测中的应用[J].信息安全与通信保密,2004,(09);
[10]文娟,薛永生,段江娇,等.基于关联规则的日志分析系统的设计与实现[J].厦门大学学报:自然科学版,2003,44:258-261.
[11]徐菁.基于数据挖掘技术的入侵监测模型[D].北京:中国科学院高能物理研究所,2001:70-71.
[12]Lee W, Stolfo S J, Mok K. Algorithms for Mining System Audit Data[C]//Lin T Y, Yao Y Y, Zadeh L A, et al. Data Mining, Rough Sets, and Granular Computing. Heidelberg:Physica-Verlag,2002:166-189.
[13]黄文,文春生,欧红星.基于日志分析策略的分布式网络入侵预警系统模型[J].湘潭大学自然科学学报,2004,(04);
[14]刘凯,邓兰,黄明和.在局域网中防止ARP欺骗的一种方法及其实现[J].江西师范大学学报(自然科学版),2005,(02);
[15]赵小敏,侯强,陈庆章.系统日志的安全管理方案与分析处理策略[J].计算机工程与科学,2003,(03);
[16]余亚玲,唐红武,杜海霞.基于日志的安全事件管理系统的研究与实现[J].计算机工程,2007.33(16):128-130
[17]张学宏.北京大学图书馆的主页日志分析[J].现代图书情报技术,2005,(05);
[18]王艳清,李海峰.基于XML的网络日志分析[J].北京化工大学学报(自然科学版),2004,(06);
[19]吴教育,卢宁,陈一天.日志文件的集中管理和分析[J].电脑开发与应用,2004,(05);
[20]金可仲.基于关键属性约束的关联规则挖掘在日志分析中的应用[J].温州大学学报,2008(29),56-60;
[21]高峰.监视日志文件保护网络安全[J].电脑,1998,(11);
[22]刘合富.基于syslog技术的防火墙日志数据采集方法的研究[D].华中师范大学,2006;
[23]周兵斌NIDS警报日志分析系统设计与实现[D].合肥工业大学,2004;
[24]王小奎.防火墙日志系统的分析与研究[D].电子科技大学,2007;
[25]王蕊.Linux环境下日志分析系统的设计与实现[D].北京工业大学,2006;
[26]何玉洁译.数据库设计.机械工业出版社,2010
[27]赵小敏.基于日志的计算机取证技术的研究及系统设计与实现[D].浙江工业大学,2003:
[28]李俊.基于Windows平台的网络入侵及防范技术研究[D].武汉理工大学,2003;
[29]周子庭,李建华.系统日志分析及在主机入侵检测中的应用[J].信息安全与通信保密,2004,(09);
[30]黄文,文春生,欧红星.分布式网络系统日志的安全性研究[J].零陵学院学报,2004,(05);
[31]王震宇,尤晋元GNU/Linux环境下的安全日志系统的构建[J].计算机工程,2005,(02);
[32]孙鹏程,周利华Linux环境下syslog日志管理系统研究[J].电子科技,2007,(07);
[33]王晓文Syslog在网络管理中的应用[J].网络通信-电信专辑,2005,(06);
[34]姜良华,陈超泉.Web日志统计分析系统的设计与实现[J].福建电脑,2008,(11);
[35]习慧丹,李泽平.Web日志挖掘探析[J].计算机与数字工程,2009,(07);
[36]秦文胜.Web日志挖掘中数据与处理技术的研究[J].广东轻工职业技术学院学报,2008,(09);
[37]姚德中,吴荣泉,许延武Windows NT日志分析与修复[J].计算机工程,2008,(09);
[38]黄海隆,陈赛聘.计算机日志分析与管理方法的研究[J].大众科技,2007,(07)[24]的参考文献;
[39]王伟,杨永川Windows Vista日志文件格式分析与数据恢复[J].计算机安全,2009,(04);
[40]李红丽Windows环境下日志管理和时间跟中的深入研究[D].吉林大学硕士论文:
[41]范春荣,张战勇,肖新华.充分利用Web日志分析检测黑客入侵[J].石家庄铁路职业技术学院学报,2009,(04);
[42]郭振英,赵文兵,魏育辉.电子资源日志统计系统分析与设计[J].现代图书情报技术,2008,,(09);
[43]黄家林,程暄.电子资源日志统计系统分析与设计[J].现代图书情报技术,2008,(09);
[44]郭亚和.基于SYSLOG的网络监测管理系统设计与实现[J].电信快报,2009,(04);
[45]Srikant R, Vu Q. Mining association rules with Item Constraints[C]//Heckerman D, Mannila H, Pregibon D, etal.Proceedings of the 3rd International Conference on Data Mining and Knowledge Discovery. California:AAAI Press,1997:67-73.
[46]Welch V, Siebenist F, Foster I, et al Security for Grid Services. In:Proceedings of 12th IEEE International Symposium on High Performance Distributed Computing. Seattle (WA.USA),2003. Los Alamitos (CA, USA):IEEE Computer Society,2003: 48-57;
[47]Boukari N, Aljane A. Security and Auditing of VPN. In:Proceedings of Third International Workshop on Services in Distributed and Networked Environments. Macao(China),1996. Los Alamitos (CA, USA):IEEE Computer Society, 1996.132-138;
[48]http://www.siweicn.com/siweicn_jishuzhongxin_jishu-wenzhai_anquanshenj.ht ml;
[49]Nasihin Bin,Baharin K, Md Din N, Zaini Jamaludin M, et al Third Party Security Audit Procedure for Network Environment. In:Proceedings of4thNationalConference on Telecommunication Technology. Shah Alam (Malaysia),2003.26-30;
[50]Kogan B, Jajodia S. An Audit Model for Object-oriented Data-bases. In: Proceedings of 7th Annual Computer Security Applications Conference. San Antonio (TX, USA),1991. Los Alamitos(CA, USA):IEEE Computer Society, 1991.90-99.
[2]王新昌,杨艳,刘育楠.一种基于局域网监控日志的安全审计系统[J].计算机应用,2007,(02);
[3]黄艺海,胡君.日志审计系统设计与实现[J].计算机工程,2006,32(22):67-68;
[4]崔蔚,赵强,姜建国,黄钧.基于主机的安全审计系统研究[J].计算机应用,2004,(04);
[5]潘军,王桂森,李祥和.Windows平台下安全审计技术的探讨与实现[J].微计算机应用,2005,(03);
[6]杨仁华,刘培玉.基于日志的安全审计系统研究与实现[J].网络与信息安全,2009,(04);
[7]陈江.计算机安全审计技术研究[D].广东工业大学,2005;
[8]姜传菊.网络日志分析在网络安全中的作用[J].现代图书情报技术,2004,(12);
[9]周子庭,李建华.系统日志分析及在主机入侵检测中的应用[J].信息安全与通信保密,2004,(09);
[10]文娟,薛永生,段江娇,等.基于关联规则的日志分析系统的设计与实现[J].厦门大学学报:自然科学版,2003,44:258-261.
[11]徐菁.基于数据挖掘技术的入侵监测模型[D].北京:中国科学院高能物理研究所,2001:70-71.
[12]Lee W, Stolfo S J, Mok K. Algorithms for Mining System Audit Data[C]//Lin T Y, Yao Y Y, Zadeh L A, et al. Data Mining, Rough Sets, and Granular Computing. Heidelberg:Physica-Verlag,2002:166-189.
[13]黄文,文春生,欧红星.基于日志分析策略的分布式网络入侵预警系统模型[J].湘潭大学自然科学学报,2004,(04);
[14]刘凯,邓兰,黄明和.在局域网中防止ARP欺骗的一种方法及其实现[J].江西师范大学学报(自然科学版),2005,(02);
[15]赵小敏,侯强,陈庆章.系统日志的安全管理方案与分析处理策略[J].计算机工程与科学,2003,(03);
[16]余亚玲,唐红武,杜海霞.基于日志的安全事件管理系统的研究与实现[J].计算机工程,2007.33(16):128-130
[17]张学宏.北京大学图书馆的主页日志分析[J].现代图书情报技术,2005,(05);
[18]王艳清,李海峰.基于XML的网络日志分析[J].北京化工大学学报(自然科学版),2004,(06);
[19]吴教育,卢宁,陈一天.日志文件的集中管理和分析[J].电脑开发与应用,2004,(05);
[20]金可仲.基于关键属性约束的关联规则挖掘在日志分析中的应用[J].温州大学学报,2008(29),56-60;
[21]高峰.监视日志文件保护网络安全[J].电脑,1998,(11);
[22]刘合富.基于syslog技术的防火墙日志数据采集方法的研究[D].华中师范大学,2006;
[23]周兵斌NIDS警报日志分析系统设计与实现[D].合肥工业大学,2004;
[24]王小奎.防火墙日志系统的分析与研究[D].电子科技大学,2007;
[25]王蕊.Linux环境下日志分析系统的设计与实现[D].北京工业大学,2006;
[26]何玉洁译.数据库设计.机械工业出版社,2010
[27]赵小敏.基于日志的计算机取证技术的研究及系统设计与实现[D].浙江工业大学,2003:
[28]李俊.基于Windows平台的网络入侵及防范技术研究[D].武汉理工大学,2003;
[29]周子庭,李建华.系统日志分析及在主机入侵检测中的应用[J].信息安全与通信保密,2004,(09);
[30]黄文,文春生,欧红星.分布式网络系统日志的安全性研究[J].零陵学院学报,2004,(05);
[31]王震宇,尤晋元GNU/Linux环境下的安全日志系统的构建[J].计算机工程,2005,(02);
[32]孙鹏程,周利华Linux环境下syslog日志管理系统研究[J].电子科技,2007,(07);
[33]王晓文Syslog在网络管理中的应用[J].网络通信-电信专辑,2005,(06);
[34]姜良华,陈超泉.Web日志统计分析系统的设计与实现[J].福建电脑,2008,(11);
[35]习慧丹,李泽平.Web日志挖掘探析[J].计算机与数字工程,2009,(07);
[36]秦文胜.Web日志挖掘中数据与处理技术的研究[J].广东轻工职业技术学院学报,2008,(09);
[37]姚德中,吴荣泉,许延武Windows NT日志分析与修复[J].计算机工程,2008,(09);
[38]黄海隆,陈赛聘.计算机日志分析与管理方法的研究[J].大众科技,2007,(07)[24]的参考文献;
[39]王伟,杨永川Windows Vista日志文件格式分析与数据恢复[J].计算机安全,2009,(04);
[40]李红丽Windows环境下日志管理和时间跟中的深入研究[D].吉林大学硕士论文:
[41]范春荣,张战勇,肖新华.充分利用Web日志分析检测黑客入侵[J].石家庄铁路职业技术学院学报,2009,(04);
[42]郭振英,赵文兵,魏育辉.电子资源日志统计系统分析与设计[J].现代图书情报技术,2008,,(09);
[43]黄家林,程暄.电子资源日志统计系统分析与设计[J].现代图书情报技术,2008,(09);
[44]郭亚和.基于SYSLOG的网络监测管理系统设计与实现[J].电信快报,2009,(04);
[45]Srikant R, Vu Q. Mining association rules with Item Constraints[C]//Heckerman D, Mannila H, Pregibon D, etal.Proceedings of the 3rd International Conference on Data Mining and Knowledge Discovery. California:AAAI Press,1997:67-73.
[46]Welch V, Siebenist F, Foster I, et al Security for Grid Services. In:Proceedings of 12th IEEE International Symposium on High Performance Distributed Computing. Seattle (WA.USA),2003. Los Alamitos (CA, USA):IEEE Computer Society,2003: 48-57;
[47]Boukari N, Aljane A. Security and Auditing of VPN. In:Proceedings of Third International Workshop on Services in Distributed and Networked Environments. Macao(China),1996. Los Alamitos (CA, USA):IEEE Computer Society, 1996.132-138;
[48]http://www.siweicn.com/siweicn_jishuzhongxin_jishu-wenzhai_anquanshenj.ht ml;
[49]Nasihin Bin,Baharin K, Md Din N, Zaini Jamaludin M, et al Third Party Security Audit Procedure for Network Environment. In:Proceedings of4thNationalConference on Telecommunication Technology. Shah Alam (Malaysia),2003.26-30;
[50]Kogan B, Jajodia S. An Audit Model for Object-oriented Data-bases. In: Proceedings of 7th Annual Computer Security Applications Conference. San Antonio (TX, USA),1991. Los Alamitos(CA, USA):IEEE Computer Society, 1991.90-99.