CN111274218A - Multi-source log data processing method for power information system - Google Patents
- Publication number: CN111274218A (application CN202010030016.2A)
- Authority: CN (China)
- Prior art keywords: log, data, log data, source, logs
- Legal status: Pending (the status shown is Google's assumption, not a legal conclusion)
Classifications
- G06F16/1815 Journaling file systems (G Physics; G06 Computing, calculating or counting; G06F Electric digital data processing; G06F16/00 Information retrieval, database structures therefor, file system structures therefor; G06F16/10 File systems, file servers; G06F16/18 File system types; G06F16/1805 Append-only file systems, e.g. using logs or journals to store data)
- G06F16/285 Clustering or classification (G06F16/00; G06F16/20 Information retrieval of structured data, e.g. relational data; G06F16/28 Databases characterised by their database models, e.g. relational or object models; G06F16/284 Relational databases)
- G06F18/251 Fusion techniques of input or preprocessed data (G06F18/00 Pattern recognition; G06F18/20 Analysing; G06F18/25 Fusion techniques)
- G06Q50/06 Energy or water supply (G06Q Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; G06Q50/00 ICT specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism)
Abstract
Description
Technical field
The invention relates to the technical field of power system log analysis, and in particular to a method for processing multi-source log data of a power information system.
Background
Log information records a system's operation comprehensively, including large numbers of events and attacks, and is important for analyzing the network security situation. Log analysis is also hampered, however, by properties of the logs themselves, and the main key points and difficulties in multi-source log analysis are as follows:
(1) Logs from different data sources have different formats. Analysis that combines logs from several sources has to deal with log data in different formats; logs from different sources differ not only in format but also in how they are stored. Some log information is easy to understand and some is not, so understanding every field of every log clearly during comprehensive multi-source analysis is a key problem.
(2) The volume of log data to be analyzed is large. Log records from any single source accumulate into a huge amount of information over time, and once logs from several sources are combined the volume to be analyzed becomes very large. Quickly filtering out the required information and processing it is another difficulty.
(3) Data alignment. The content of logs from different sources is produced according to each source's own parameter settings. To combine the information for analysis it has to be placed in one common parameter system, at which point attribute merging and pruning and data alignment become critical problems.
(4) Contradictory information. Because every device and application has a different function, measurements of the same network environment may contain false information caused by noise, so that the conclusions drawn from logs of different sources differ widely. How to handle this false information and fuse the correct information effectively is a key problem.
Summary of the invention
In view of the problems with the prior art described above, the present invention provides a method for processing multi-source log data of a power information system, comprising:
Step 1: collect log data. Log data is obtained from several different sources; each collected log entry is scanned and split into a sequence of fields and stored in a database. The log data sources include network device logs, security device logs and system logs.
Step 2: preprocess the data. Redundant data is removed to obtain valid data: the network device logs, security device logs and system logs are each stripped of redundant data and stored in their corresponding databases.
Step 3: correlate and fuse the multi-source log data. An association rule base is built from the log data collected in the network device log, security device log and system log databases.
As a further refinement of the above scheme, the multi-source log data preprocessing includes:
removing surplus attribute data from each log entry: for each log source, the attribute fields that are preset to be retained are extracted from each log entry by regular-expression matching and stored;
removing log entries whose attribute values are out of range: data outside the preset range of values for a given attribute is filtered out;
unifying the format of log data from different sources: all log data is converted to the same format according to the attributes that each log entry requires in the preset unified format.
As a further refinement of the above scheme, the removal of log entries with out-of-range attribute values first classifies the data, from which surplus attributes have already been removed, by a fuzzy clustering method. After classification:
host system logs are fuzzily classified by event type, and entries whose event type is error, audit failure or warning are retained;
security device logs are fuzzily classified by event severity, and events whose severity is attack or suspicious are retained;
network device logs are fuzzily classified by event severity, and events whose severity level is emergency, alert, critical, error or warning are retained.
As a further refinement of the above scheme, classification by the fuzzy clustering method is specifically:
4.1. Denote the collected log data as X = {x1, x2, x3, ..., xn}, where each xi is the vector of attribute values of the retained attributes;
4.2. From the matrix X, compute the similarity of every pair of log entries to obtain the similarity matrix R, using the cosine of the angle between the two vectors as the similarity measure;
4.3. From the similarity matrix R, obtain an equivalence matrix by the transitive-closure method: R is squared repeatedly under the max-min composition used for fuzzy relations, giving $R^2, R^4, \dots$, until $R^{2^k} = (R^{2^k})^2$; this $R^{2^k}$ is the transitive closure;
4.4. From the equivalence matrix, take λ ∈ [0, 1] and obtain the clustering of the log data at different values of λ; the λ and clustering result that best match reality are chosen according to the actual situation.
As a further refinement of the above scheme, correlating and fusing the multi-source log data is specifically:
the log data in the unified format is sorted by time of occurrence, sliding time windows of a preset interval are set, and the log data is divided among the windows; for the events occurring in each window, the preconditions of each event and the results it causes are obtained, forming an association rule entry for each event that occurs.
The multi-source log data processing method for a power information system of the present invention has the following beneficial effects:
1. In data preprocessing, in order to remove redundant data that lies outside the scope of study, the method classifies the log data with a fuzzy clustering algorithm; fuzzy clustering assigns log data to categories with a degree of uncertainty rather than crisply, which better matches reality.
2. The method fuses log data from several sources, namely network device logs, security device logs and system logs. This makes the data more complete and allows the security situation of the power information system to be analyzed comprehensively from logs of several sources.
Description of the drawings
Figure 1 is the overall flow chart of the multi-source log data processing method for a power information system of the present invention;
Figure 2 is the flow chart of the fuzzy clustering algorithm in that method.
Embodiments
A method for processing multi-source log data of a power information system according to an embodiment of the present invention is described below with reference to the drawings.
As shown in the figures, the method comprises:
Step 1: collect log data. Log data is obtained from several different sources; each collected log entry is scanned and split into a sequence of fields and stored in a database. The log data sources include network device logs, security device logs and system logs.
The collected log data comes from a Linux host log collection module, a Windows host log collection module, a security device log collection module and a network device log collection module. Linux host logs are collected by configuring the syslog service on the Linux host group, installing connection software on the Windows host that is used to collect their log information, using the functions of the syslog server to forward the logs collected on the Linux host group to that Windows host, and storing the forwarded log files as text files. Windows log information is collected with the system's eventquery script tool. Security device logs are obtained from the open-source Snort system. For network device log collection a switch is used as the network device: a syslog server is created on the Windows system and receives the switch's log messages over UDP on the configured port. The log data from each source is stored in its own database.
Step 2: preprocess the data. Redundant data is removed to obtain valid data: the network device logs, security device logs and system logs are each stripped of redundant data and stored in their corresponding databases.
Step 3: correlate and fuse the multi-source log data. An association rule base is built from the log data collected in the network device log, security device log and system log databases.
The multi-source log data preprocessing in step 2 includes:
removing surplus attribute data from each log entry: for each log source, the attribute fields that are preset to be retained are extracted from each log entry by regular-expression matching and stored;
In host system log information, the attributes to be retained are: event type, event ID, event source, computer name, user, event description and log type.
The attributes required from security device logs are: time node (the time at which the event occurred); alarm message (describing which vulnerability or attack was detected); protocol; source IP address (the point from which the attack was launched); destination IP address (the target of the attack); destination port; source MAC address; destination MAC address.
The attributes required from the switch are: time node, switch IP address, switch host name, detailed event description and severity description.
removing log entries whose attribute values are out of range: data outside the preset range of values for a given attribute is filtered out;
unifying the format of log data from different sources: all log data is converted to the same format according to the attributes that each log entry requires in the preset unified format. Log data from all sources is converted to the same format and saved, the format being {event number, event name, event start time node, event end time node, source IP address, destination IP address, source port number and destination port number, detailed event description}.
Before the log entries with out-of-range attribute values are removed, the data from which surplus attributes have already been removed is first classified by the fuzzy clustering method. After classification:
host system logs are fuzzily classified by event type, and entries whose event type is error, audit failure or warning are retained;
security device logs are fuzzily classified by event severity, and events whose severity is attack or suspicious are retained;
network device logs are fuzzily classified by event severity, and events whose severity level is emergency, alert, critical, error or warning are retained.
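The field extraction, range check, per-source retention rule and unified-format conversion of this preprocessing step, written out as an added Python example. This code is not part of the patent: the sample lines, the regular expressions, the pipe-delimited layout used for the Windows record, the mapping of Snort priorities 1 and 2 to the patent's "attack" and "suspicious" levels, and the year 2020 assumed for lines that carry none are all constructed here for illustration. The retention rules are applied directly by attribute value; the fuzzy clustering the patent runs first is a separate step.

```python
import ipaddress
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not from the patent), each line tagged with its source:
# a Snort "fast" alert, a Cisco-style switch syslog line with a <PRI> header, and a
# pipe-delimited Windows event record (timestamp|type|id|source|computer|user|
# description|log) in the spirit of eventquery output. Year 2020 is assumed where absent.
SAMPLE_LINES: List[Tuple[str, str]] = [
    ("security", "01/13-10:15:32.123456  [**] [1:2100498:7] ATTACK_RESPONSE id check returned root [**] "
                 "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.9:1025"),
    ("network", "<187>Jan 13 10:15:40 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down"),
    ("host", "2020-01-13T10:16:10|Audit Failure|4625|Microsoft-Windows-Security-Auditing|HOST-01|SYSTEM|An account failed to log on.|Security"),
    ("host", "2020-01-13T10:16:12|Information|4624|Microsoft-Windows-Security-Auditing|HOST-01|alice|An account was successfully logged on.|Security"),
    ("security", "01/13-10:16:01.000001  [**] [1:1000001:1] TEST bogus port [**] "
                 "[Classification: Misc] [Priority: 1] {TCP} 10.0.0.5:70000 -> 10.0.0.9:22"),
    ("network", "<190>Jan 13 10:17:00 sw-core-01 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.50 started"),
]

# Regular expressions that pull out only the attributes to be retained.
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
SWITCH_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)$")
WINDOWS_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<etype>[^|]+)\|(?P<eid>\d+)\|(?P<source>[^|]+)\|(?P<computer>[^|]+)\|"
    r"(?P<user>[^|]+)\|(?P<desc>[^|]*)\|(?P<logtype>[^|]+)$")

# Retention rules of the preprocessing step. Mapping Snort priority 1 and 2 to the
# patent's "attack" and "suspicious" levels is an assumption made here.
HOST_KEEP = {"Error", "Audit Failure", "Warning"}
SECURITY_KEEP = {1: "attack", 2: "suspicious"}
NETWORK_KEEP = {0, 1, 2, 3, 4}  # emergency, alert, critical, error, warning
UNIFIED_KEYS = ("event_id", "event_name", "start_time", "end_time", "src_ip",
                "dst_ip", "src_port", "dst_port", "description", "source")


def valid_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
    except ValueError:
        return False
    return True


def valid_port(p: int) -> bool:
    return 0 <= p <= 65535


def parse_security(line: str) -> Optional[Dict]:
    m = SNORT_RE.match(line)
    if not m:
        return None
    prio, sport, dport = int(m["prio"]), int(m["sport"]), int(m["dport"])
    if prio not in SECURITY_KEEP:                      # severity not retained
        return None
    if not (valid_ip(m["src"]) and valid_ip(m["dst"]) and valid_port(sport) and valid_port(dport)):
        return None                                    # attribute value out of range
    ts = datetime.strptime("2020/" + m["ts"], "%Y/%m/%d-%H:%M:%S.%f").isoformat()
    return dict(event_name=m["msg"], start_time=ts, end_time=ts, src_ip=m["src"], dst_ip=m["dst"],
                src_port=sport, dst_port=dport, description=f"{SECURITY_KEEP[prio]} {m['proto']} alert")


def parse_network(line: str) -> Optional[Dict]:
    m = SWITCH_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])                                # PRI = facility*8 + severity, at most 191
    if pri > 191 or pri % 8 not in NETWORK_KEEP:
        return None
    sev = pri % 8
    ts = datetime.strptime("2020 " + m["ts"], "%Y %b %d %H:%M:%S").isoformat()
    return dict(event_name=f"{m['fac']}-{sev}-{m['mnem']}", start_time=ts, end_time=ts,
                src_ip=None, dst_ip=None, src_port=None, dst_port=None,
                description=f"{m['host']}: {m['msg']}")


def parse_host(line: str) -> Optional[Dict]:
    m = WINDOWS_RE.match(line)
    if not m or m["etype"] not in HOST_KEEP:           # keep error, audit failure, warning
        return None
    return dict(event_name=f"EventID {m['eid']}", start_time=m["ts"], end_time=m["ts"],
                src_ip=None, dst_ip=None, src_port=None, dst_port=None,
                description=f"{m['computer']} {m['user']} {m['source']}: {m['desc']}")


PARSERS = {"security": parse_security, "network": parse_network, "host": parse_host}


def preprocess(tagged_lines: List[Tuple[str, str]]) -> List[Dict]:
    """Extract retained fields, drop filtered or out-of-range entries, and emit
    records in the unified format with a sequential event number."""
    unified: List[Dict] = []
    for source, line in tagged_lines:
        rec = PARSERS[source](line)
        if rec is None:
            continue
        rec["event_id"] = len(unified) + 1
        rec["source"] = source
        unified.append({k: rec[k] for k in UNIFIED_KEYS})
    return unified
```

Of the six constructed lines only three survive: the informational Windows event and the severity-6 switch message fail the retention rules, and the alert with destination port 70000 fails the range check. Dropping such a record is the right outcome for the correlation step: a port or address that cannot be valid usually means the line was truncated or malformed, and carrying the bogus value forward would contaminate every rule it touches.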
Classifying the log data by the fuzzy clustering method is specifically:
denote the collected log data as X = {x1, x2, x3, ..., xn}, where each xi is the vector of attribute values of the retained attributes;
from the matrix X, compute the similarity of every pair of log entries to obtain the similarity matrix R, using the cosine of the angle between the two vectors as the similarity measure;
from the similarity matrix R, obtain the equivalence matrix by the transitive-closure method: R is squared repeatedly under max-min composition, giving $R^2, R^4, \dots$, until $R^{2^k} = (R^{2^k})^2$; this $R^{2^k}$ is the transitive closure;
from the equivalence matrix, take λ ∈ [0, 1] and obtain the clustering of the log data at different values of λ; the λ and clustering result that best match reality are chosen according to the actual situation.
All the data is first represented in the following table:
The above data is represented as the corresponding matrix X = {x1, x2, ..., xn}, where each xi is the vector of attribute values of the m retained attributes;
For each entry, that is each row of the matrix X, the cosine of the angle between two rows is used as the similarity of that pair of entries. The cosine formula is:
where rij is the similarity of entries i and j, and k indexes the k-th column, that is the k-th attribute;
Having obtained the similarity matrix R, compute $R^{2^k}$ for k = 1, 2, ... (here k counts the squarings, not the columns) until $R^{2^k} = (R^{2^k})^2$; this $R^{2^k}$ is the closure needed to obtain the equivalence matrix from the similarity matrix;
After obtaining the equivalence matrix, take λ ∈ [0, 1], obtain the clustering results at different λ values, compare them, and decide the clustering result that best matches reality and the corresponding value of λ.
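The fuzzy clustering steps above (similarity matrix by cosine, transitive closure by repeated squaring, λ-cut), as an added Python example that is not part of the patent. The five three-attribute vectors are constructed for illustration and stand for log entries whose retained attributes have already been encoded numerically; the encoding is an assumption, since the patent does not specify one. The max-min composition used for the squaring is the standard composition for fuzzy relations.

```python
import math
from typing import Dict, List, Sequence

Matrix = List[List[float]]

# Constructed feature vectors (not from the patent): five log entries, each reduced
# to m = 3 numeric attribute values (for example one-hot codes of the retained
# attributes; the encoding is assumed). Entries 0 and 1 are identical; entries
# 2, 3 and 4 form a chain in which 2 and 4 are similar only through 3.
SAMPLE_X: List[List[float]] = [
    [1.0, 0.0, 0.0],
    [1.0, 0.0, 0.0],
    [0.0, 1.0, 0.0],
    [0.0, 1.0, 1.0],
    [0.0, 0.0, 1.0],
]


def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    """Cosine of the angle between two attribute vectors, clamped to [0, 1]."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return max(0.0, min(1.0, dot / (na * nb)))


def similarity_matrix(X: Sequence[Sequence[float]]) -> Matrix:
    """R[i][j] = cosine similarity of entries i and j, with the diagonal pinned to 1
    so the relation is reflexive regardless of floating-point rounding."""
    n = len(X)
    R = [[cosine(X[i], X[j]) for j in range(n)] for i in range(n)]
    for i in range(n):
        R[i][i] = 1.0
    return R


def max_min_compose(A: Matrix, B: Matrix) -> Matrix:
    """Fuzzy relation composition: (A o B)[i][j] = max over k of min(A[i][k], B[k][j])."""
    n = len(A)
    return [[max(min(A[i][k], B[k][j]) for k in range(n)) for j in range(n)]
            for i in range(n)]


def transitive_closure(R: Matrix) -> Matrix:
    """Square R repeatedly (R^2, R^4, ...) until R^(2^k) o R^(2^k) == R^(2^k).
    That fixed point is the transitive closure, i.e. the fuzzy equivalence matrix.
    Entries only ever move up to values already present in R, so the loop ends."""
    cur = R
    while True:
        nxt = max_min_compose(cur, cur)
        if nxt == cur:
            return cur
        cur = nxt


def lambda_cut(T: Matrix, lam: float) -> List[List[int]]:
    """Partition the entries: i and j share a cluster when T[i][j] >= lam. Because T
    is transitive the cut is an equivalence relation, so attaching j to the first
    earlier entry it is related to recovers the classes exactly."""
    clusters: List[List[int]] = []
    cluster_of: Dict[int, int] = {}
    for j in range(len(T)):
        for i in range(j):
            if T[i][j] >= lam:
                cluster_of[j] = cluster_of[i]
                clusters[cluster_of[i]].append(j)
                break
        else:
            cluster_of[j] = len(clusters)
            clusters.append([j])
    return clusters


def fuzzy_cluster(X: Sequence[Sequence[float]], lambdas: Sequence[float]) -> Dict[float, List[List[int]]]:
    """Whole pipeline: similarity matrix, transitive closure, and one lambda-cut per
    candidate level so the analyst can compare them and pick the realistic one."""
    T = transitive_closure(similarity_matrix(X))
    return {lam: lambda_cut(T, lam) for lam in lambdas}


if __name__ == "__main__":
    for lam, clusters in fuzzy_cluster(SAMPLE_X, (0.5, 0.7, 0.8, 1.0)).items():
        print(f"lambda={lam}: {clusters}")
```

On the constructed data the raw similarity of entries 2 and 4 is 0, but the closure raises it to 1/√2 through entry 3, so at λ = 0.7 they land in one cluster while at λ = 0.8 the chain breaks into singletons. Two details the patent leaves implicit matter in practice: the diagonal is pinned to 1 so rounding cannot make the relation non-reflexive, and the λ-cut yields a proper partition only because it is taken on the closure T; cutting the raw matrix R instead gives overlapping groups.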
Once the log data with redundant data removed has been obtained, the data from different sources is integrated. The method for correlating and fusing the multi-source log data is specifically:
the log data in the unified format is sorted by time of occurrence, sliding time windows of a preset interval are set, and the log data is divided among the windows; for the events occurring in each window, the preconditions of each event and the results it causes are obtained, forming an association rule entry for each event that occurs.
The preconditions and results of an event are obtained as follows: look for sets of event types that frequently occur together within one sliding time window. If event A and event B frequently appear in the same window, A and B are frequently co-occurring event types, from which some correlation between them is inferred, and A and B are taken to stand in a causal relationship.
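The window partition and co-occurrence counting just described, as an added Python example that is not part of the patent. The events are constructed and carry only the unified format's event name and start time. Two choices the patent leaves open are assumptions here: windows are consecutive intervals of a fixed length counted from the earliest event, and within a window the event type seen first is taken as the precondition and the later one as the result.

```python
from collections import Counter, defaultdict
from datetime import datetime
from itertools import combinations
from typing import Dict, List

# Constructed events (not from the patent) carrying the unified format's event name
# and start time as ISO-8601 text; deliberately not in time order.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_name": "port_scan",       "start_time": "2020-01-13T10:00:00"},
    {"event_name": "exploit_attempt", "start_time": "2020-01-13T10:00:20"},
    {"event_name": "exploit_attempt", "start_time": "2020-01-13T10:01:35"},
    {"event_name": "port_scan",       "start_time": "2020-01-13T10:01:10"},
    {"event_name": "link_down",       "start_time": "2020-01-13T10:02:10"},
    {"event_name": "port_scan",       "start_time": "2020-01-13T10:02:30"},
    {"event_name": "exploit_attempt", "start_time": "2020-01-13T10:02:50"},
    {"event_name": "link_down",       "start_time": "2020-01-13T10:03:20"},
    {"event_name": "audit_failure",   "start_time": "2020-01-13T10:04:10"},
]


def partition_into_windows(events: List[Dict[str, str]], window_seconds: int) -> List[List[Dict[str, str]]]:
    """Sort events by occurrence time and split them into consecutive windows of
    window_seconds counted from the earliest event (assumed; the patent only says
    windows of a preset interval). Empty windows are not returned."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["start_time"]))
    if not ordered:
        return []
    t0 = datetime.fromisoformat(ordered[0]["start_time"])
    buckets: Dict[int, List[Dict[str, str]]] = defaultdict(list)
    for e in ordered:
        offset = (datetime.fromisoformat(e["start_time"]) - t0).total_seconds()
        buckets[int(offset) // window_seconds].append(e)
    return [buckets[k] for k in sorted(buckets)]


def mine_rules(events: List[Dict[str, str]], window_seconds: int, min_support: int) -> List[Dict]:
    """For every ordered pair of event types (A, B) count the windows in which A
    occurs and B first occurs no earlier than A. Pairs seen in at least min_support
    windows become rules with A as precondition and B as result; confidence is
    support divided by the number of windows containing A."""
    pair_support: Counter = Counter()
    type_support: Counter = Counter()
    for window in partition_into_windows(events, window_seconds):
        first_seen: Dict[str, str] = {}            # insertion order = order of first occurrence,
        for e in window:                           # because the window is time-ordered
            first_seen.setdefault(e["event_name"], e["start_time"])
        for name in first_seen:
            type_support[name] += 1
        for a, b in combinations(first_seen, 2):   # a was seen before b in this window
            pair_support[(a, b)] += 1
    rules = [{"antecedent": a, "consequent": b, "support": sup, "confidence": sup / type_support[a]}
             for (a, b), sup in pair_support.items() if sup >= min_support]
    rules.sort(key=lambda r: (-r["support"], -r["confidence"], r["antecedent"], r["consequent"]))
    return rules


if __name__ == "__main__":
    for rule in mine_rules(SAMPLE_EVENTS, window_seconds=60, min_support=2):
        print(rule)
```

With 60-second windows and a support threshold of 2 the constructed data yields a single rule, port_scan as precondition of exploit_attempt, seen in three windows with confidence 1.0; the link_down pairs appear in one window only and are discarded. Co-occurrence is evidence of correlation, and the causal reading is the patent's interpretation of it; a noisy source, or one an attacker can flood with events, inflates support for every pair involving its event types, so the threshold and window length need to be set per deployment rather than fixed once.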
The invention is not limited to the specific embodiments described above; all variations that a person of ordinary skill in the art can derive from the above concept without creative effort fall within the scope of protection of the invention.
Claims (5)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010030016.2A CN111274218A (en) | 2020-01-13 | 2020-01-13 | Multi-source log data processing method for power information system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111274218A true CN111274218A (en) | 2020-06-12 |
Family ID: 71003028 (one application in the family, CN202010030016.2A, status Pending; country status: CN, CN111274218A)
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101087210A (en) * | 2007-05-22 | 2007-12-12 | 网御神州科技(北京)有限公司 | High-performance Syslog processing and storage method |
CN104539626A (en) * | 2015-01-14 | 2015-04-22 | 中国人民解放军信息工程大学 | Network attack scene generating method based on multi-source alarm logs |
CN106453417A (en) * | 2016-12-05 | 2017-02-22 | 国网浙江省电力公司电力科学研究院 | Network attack target prediction method based on neighbor similarity |
US20170169078A1 (en) * | 2015-12-14 | 2017-06-15 | Siemens Aktiengesellschaft | Log Mining with Big Data |
US20170178026A1 (en) * | 2015-12-22 | 2017-06-22 | Sap Se | Log normalization in enterprise threat detection |
CN107172058A (en) * | 2017-06-01 | 2017-09-15 | 国家电网公司 | It is a kind of that real-time online detecting system is attacked based on the Web that flow data is analyzed |
Non-Patent Citations (1)
Title |
---|
刘自强 (Liu Ziqiang): "Research on multi-source security log event correlation and fusion technology combined with fuzzy reasoning" (结合模糊推理的多源安全日志事件关联融合技术研究) * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114244539A (en) * | 2020-09-08 | 2022-03-25 | 中国电信股份有限公司 | Web application attack analysis method and device and computer readable storage medium |
CN114244539B (en) * | 2020-09-08 | 2023-11-14 | 中国电信股份有限公司 | Web application attack analysis method and device and computer readable storage medium |
CN112568183A (en) * | 2020-12-08 | 2021-03-30 | 贵州省种畜禽种质测定中心 | Poultry breeding and seed selection system and method based on Internet of things |
CN113868182A (en) * | 2021-09-28 | 2021-12-31 | 歌尔科技有限公司 | Data compression method, device, equipment and medium |
CN114598597A (en) * | 2022-02-24 | 2022-06-07 | 烽台科技(北京)有限公司 | Multi-source log analysis method and device, computer equipment and medium |
CN114598597B (en) * | 2022-02-24 | 2023-12-01 | 烽台科技(北京)有限公司 | Multisource log analysis method, multisource log analysis device, computer equipment and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111274218A (en) | Multi-source log data processing method for power information system | |
CN114143020B (en) | Rule-based network security event association analysis method and system | |
CN112114995B (en) | Terminal abnormality analysis method, device, equipment and storage medium based on process | |
CN107835087B (en) | Automatic extraction method of alarm rule of safety equipment based on frequent pattern mining | |
CN105975604B (en) | The iterative data processor abnormality detection of one kind distribution and diagnostic method | |
JP4050497B2 (en) | Log information management apparatus and log information management program | |
CN103761173A (en) | Log based computer system fault diagnosis method and device | |
CN113505048B (en) | Unified monitoring platform based on application system portrait and its implementation method | |
CN105577679A (en) | An Abnormal Traffic Detection Method Based on Feature Selection and Density Peak Clustering | |
CN112261645B (en) | Mobile application fingerprint automatic extraction method and system based on grouping and domain division | |
CN106534146A (en) | Safety monitoring system and method | |
CN113706100B (en) | Method and system for real-time detection and identification of IoT terminal equipment in distribution network | |
CN112039907A (en) | Automatic testing method and system based on Internet of things terminal evaluation platform | |
CN102521378A (en) | Real-time intrusion detection method based on data mining | |
CN118378218B (en) | Safety monitoring method for computer host | |
Zou et al. | Improving log-based fault diagnosis by log classification | |
CN114116733A (en) | Data abnormal operation detection and tracing system and method for distribution automation system | |
KR20070077517A (en) | Profile based web application intrusion detection system and method | |
CN110909380B (en) | A kind of abnormal file access behavior monitoring method and device | |
CN117614712A (en) | Security audit method and system based on user portrait and association analysis | |
US20180295145A1 (en) | Multicomputer Digital Data Processing to Provide Information Security Control | |
CN118300860A (en) | Power network anomaly detection system based on machine learning and advanced semantic mapping | |
CN112363891A (en) | Exception reason obtaining method based on fine-grained event and KPIs analysis | |
CN117973347A (en) | Automatic traceability report automatic generation method and system based on automatic template filling technology | |
CN110768955A (en) | Method of Actively Collecting and Aggregating Data Based on Multi-source Intelligence |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200612 |