CN105024987A - Web service log monitoring method and apparatus - Google Patents

Web service log monitoring method and apparatus

Publication number: CN105024987A (other version: CN105024987B)
Authority: CN (China)
Application number: CN201410183369.0A
Original language: Chinese (zh)
Legal status: granted, active
Prior art keywords: web, root, common feature, vulnerability, attack signature
Inventors: 陈涛, 杜雪涛, 常玲, 薛姗, 朱艳云
Applicant and assignee (original and current): China Mobile Group Design Institute Co Ltd
Abstract

The invention provides a web service log monitoring method and apparatus. The method comprises: obtaining web service log data and the vulnerability types to be monitored; obtaining the common feature roots corresponding to those vulnerability types, a common feature root being a root contained in at least two web vulnerability attack signature strings belonging to the vulnerability type; performing a first match of the web service log data against the common feature roots; if the first match hits, performing a second match of the web service log data against the at least two web vulnerability attack signature strings corresponding to the common feature root; and ending processing if the first match misses. The method and apparatus increase the efficiency of monitoring web service logs.

Description

Web service log monitoring method and apparatus
Technical field
The present invention relates to the technical field of network security, and in particular to a web service log monitoring method and apparatus.
Background art
At present, many Internet service systems are built on web architectures. Attackers commonly exploit vulnerabilities in the web system, in the service logic, in the host operating system or in third-party software to enter the management back end of the service system and from there gain control of the database holding customer information, stealing or modifying important data. Among the vulnerability types exposed by attack incidents, web system vulnerabilities remain the main intrusion vector; injection attacks, cross-site scripting attacks, scanning attacks, sensitive file traversal attacks and common upload vulnerabilities are the principal means of attack. The main precaution currently taken against attacks on web systems is log monitoring.
Web log monitoring means discovering attack events and service system vulnerabilities by analysing the features of web access logs. Compared with other web protection measures, web log monitoring and analysis is a powerful tool for after-the-fact analysis of attack behaviour and for finding latent vulnerabilities in the service system. The web log monitoring process mainly comprises log collection, log cleaning (denoising), loading the log into a database, log feature analysis, and presentation of the analysis results. Log feature analysis mainly builds a monitoring signature library from the features of network attacks and compares each attack signature string against the web log records one by one; if an attack signature string appears, an alert is displayed for manual review.
Main problems of the prior art:
In a real web log monitoring system, the manually compiled strings carrying attack signatures often number in the thousands and keep growing. The log volume of a normal service system is huge, and the matching computation for the attack signature strings is very time-consuming. Attack feature recognition in a web service log monitoring system therefore needs an efficient algorithm for recognising attack string features.
The main string matching algorithms at present are the single-pattern algorithms (BF, KMP, BM and RK), the multi-pattern AC algorithm and its improved variant AC-BM. A single-pattern algorithm solves the problem of quickly finding one given attack signature string in the log. A multi-pattern algorithm solves the problem of matching multiple attack signature strings in a single pass over the log. In a web log monitoring environment multi-pattern algorithms are preferred, so that as many attack signatures as possible are matched and alerted in a single pass.
Summary of the invention
The technical problem to be solved by the present invention is to provide a web service log monitoring method and apparatus that improve the efficiency of monitoring web service logs.
In one aspect, a web service log monitoring method is provided, comprising:
obtaining web service log data and the vulnerability type to be monitored;
obtaining the common feature root corresponding to the vulnerability type to be monitored, the common feature root being a root contained in all of at least two web vulnerability attack signature strings corresponding to that vulnerability type;
performing a first match of the web service log data against the common feature root;
if the first match hits, performing a second match of the web service log data against the at least two web vulnerability attack signature strings corresponding to the common feature root.
The step of performing the second match of the web service log data against the at least two web vulnerability attack signature strings corresponding to the common feature root, if the first match hits, comprises:
if the first match hits, recording the first matching feature of the common feature root in the web service log data;
obtaining the second matching feature of the common feature root relative to each of the at least two web vulnerability attack signature strings;
looking up the web vulnerability attack signature string whose second matching feature is identical to the first matching feature;
performing a full string comparison between the found web vulnerability attack signature string and the web service log data.
The step of performing the first match of the web service log data against the common feature root is specifically: using the Knuth-Morris-Pratt (KMP) algorithm, performing the first match of the web service log data against the common feature root;
and if the first match hits, the step of performing the second match of the web service log data against the at least two web vulnerability attack signature strings corresponding to the common feature root comprises:
if the first match hits, recording the first KMP match history of the common feature root in the web service log data;
obtaining the second KMP match history of the common feature root relative to each of the at least two web vulnerability attack signature strings;
looking up the web vulnerability attack signature string whose second match history is identical to the first match history;
performing a full string comparison between the found web vulnerability attack signature string and the web service log data.
The step of performing the first match of the web service log data against the common feature root comprises:
denoising the web service log data;
performing the first match of the denoised web service log data against the common feature root.
The step of denoising the web service log data comprises:
removing the file name of the access resource recorded in the s-uri-stem log entry;
removing access records of picture files in jpg, swf or gif format or of flash files; or
removing the s-uri-stem, s-uri-query and cookie fields and their lengths from the record.
In another aspect, a web service log monitoring apparatus is provided, comprising:
a first acquiring unit, which obtains web service log data and the vulnerability type to be monitored;
a second acquiring unit, which obtains the common feature root corresponding to the vulnerability type to be monitored, the common feature root being a root contained in all of at least two web vulnerability attack signature strings corresponding to that vulnerability type;
a first matching unit, which performs a first match of the web service log data against the common feature root;
a second matching unit, which, if the first match hits, performs a second match of the web service log data against the at least two web vulnerability attack signature strings corresponding to the common feature root.
The second matching unit comprises:
a recording sub-unit, which, if the first match hits, records the first matching feature of the common feature root in the web service log data;
an acquiring sub-unit, which obtains the second matching feature of the common feature root relative to each of the at least two web vulnerability attack signature strings;
a first look-up sub-unit, which looks up the web vulnerability attack signature string whose second matching feature is identical to the first matching feature;
a second look-up sub-unit, which performs a full string comparison between the found web vulnerability attack signature string and the web service log data.
The first matching unit is specifically: using the Knuth-Morris-Pratt (KMP) algorithm, performing the first match of the web service log data against the common feature root;
and the second matching unit comprises:
a recording sub-unit, which, if the first match hits, records the first KMP match history of the common feature root in the web service log data;
an acquiring sub-unit, which obtains the second KMP match history of the common feature root relative to each of the at least two web vulnerability attack signature strings;
a first look-up sub-unit, which looks up the web vulnerability attack signature string whose second match history is identical to the first match history;
a second look-up sub-unit, which performs a full string comparison between the found web vulnerability attack signature string and the web service log data.
The first matching unit comprises:
a denoising sub-unit, which denoises the web service log data;
a matching sub-unit, which performs the first match of the denoised web service log data against the common feature root.
The denoising sub-unit comprises:
a first denoising sub-unit, which removes the file name of the access resource recorded in the s-uri-stem log entry;
a second denoising sub-unit, which removes access records of picture files in jpg, swf or gif format or of flash files; or
a third denoising sub-unit, which removes the s-uri-stem, s-uri-query and cookie fields and their lengths from the record.
The beneficial effects of the above technical solution are as follows:
In the present invention, when monitoring a web service log, the common feature root, that is, the root contained in all of at least two web vulnerability attack signature strings corresponding to the vulnerability type to be monitored, is searched for in the log data first. If the common feature root is not found, the multi-pattern signature strings associated with that root are not compared any further. If it is found, a second match is performed using the web vulnerability attack signature strings corresponding to the common feature root. This exclusion process greatly reduces the number of full signature string comparisons and so achieves fast multi-pattern monitoring of web service logs.
Brief description of the drawings
Fig. 1 is a flow diagram of the web service log monitoring method of the present invention;
Fig. 2 is a flow diagram of another embodiment of the web service log monitoring method of the present invention;
Fig. 3 is a flow chart of multi-pattern fast matching web service log monitoring in an application scenario of the present invention;
Fig. 4 is a flow chart of multi-pattern attack signature string matching in an application scenario of the present invention;
Fig. 5 is a connection diagram of the web service log monitoring apparatus of the present invention;
Fig. 6 is a connection diagram of the web service log monitoring system of the present invention.
Embodiments
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, they are described in detail below with reference to the drawings and specific embodiments.
As shown in Fig. 1, the web service log monitoring method of the present invention comprises:
Step 11: obtaining web service log data and the vulnerability type to be monitored;
Step 12: obtaining the common feature root corresponding to the vulnerability type to be monitored, the common feature root being a root contained in all of at least two web vulnerability attack signature strings corresponding to that vulnerability type.
For example, for the vulnerability type "third-party vulnerable component", at least two corresponding web vulnerability attack signature strings are ewebeditor, fckeditor and cuteeditor, and the corresponding common feature root is editor. For the vulnerability type "back-end management page guessing attack", at least two corresponding web vulnerability attack signature strings are Admin_UpdateSoftNum.asp, admin_user.asp and Admin_UserSetting.asp, and the corresponding common feature root is admin; or at least two corresponding web vulnerability attack signature strings are login.asa, login.asp and login.htm, and the corresponding common feature root is login. For the vulnerability type "injection attack", at least two corresponding web vulnerability attack signature strings are %20AnD%201=1, %20AnD%201=2 or %20AnD%200=1, and the corresponding common feature root is %20AnD%20.
Step 13: performing a first match of the web service log data against the common feature root;
Step 14: if the first match hits, performing a second match of the web service log data against the at least two web vulnerability attack signature strings corresponding to the common feature root;
Step 15: if the first match misses, ending processing with the monitoring result: no vulnerability of the type to be monitored was found in the log.
Step 13 comprises:
Step 131: denoising the web service log data;
Step 132: performing the first match of the denoised web service log data against the common feature root. The denoising is specifically: removing the file name of the access resource recorded in the s-uri-stem log entry; removing access records of picture files in jpg, swf or gif format or of flash files; or removing the s-uri-stem, s-uri-query and cookie fields and their lengths from the record.
In the present invention, when monitoring a web service log, the common feature root, that is, the root contained in all of at least two web vulnerability attack signature strings corresponding to the vulnerability type to be monitored, is searched for in the log data first. If the common feature root is not found, the multi-pattern signature strings associated with that root are not compared any further. If it is found, a second match is performed using the web vulnerability attack signature strings corresponding to the common feature root. This exclusion process greatly reduces the number of full signature string comparisons and so achieves fast multi-pattern monitoring of web service logs.
As shown in Fig. 2, an embodiment of the web service log monitoring method of the present invention comprises:
Step 21: obtaining web service log data and the vulnerability type to be monitored.
For example, the following web log data to be monitored is taken from the log database:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-01-15 02:09:25 W3SVC1 192.168.228.130 GET /sqlinj/mssql/ewebeditor/test.asp - 80 - 192.168.228.1 Mozilla/4.0 404 0 64
Suppose the vulnerability types to be monitored are: back-end management page guessing attack and third-party vulnerable component.
Step 22: obtaining the common feature root corresponding to the vulnerability type to be monitored, the common feature root being a root contained in all of at least two web vulnerability attack signature strings corresponding to that vulnerability type.
For example, the common feature roots corresponding to the back-end management page guessing attack monitoring type are admin and login, and at least two corresponding web vulnerability attack signature strings are a_admin.asp, a_admin.aspx, a_admin.jsp, a_admin.php, admin/admin.asp, etc.
At least two web vulnerability attack signature strings corresponding to the third-party vulnerable component monitoring type are ewebeditor, fckeditor and cuteeditor, and the corresponding common feature root is editor.
Step 23: performing a first match of the web service log data against the common feature root; specifically, using the Knuth-Morris-Pratt (KMP) algorithm, performing the first match of the web service log data against the common feature root.
Step 24: if the first match hits, performing a second match of the web service log data against the at least two web vulnerability attack signature strings corresponding to the common feature root. For example, in this embodiment the common feature roots admin and login are not matched in the raw web log data, so no further multi-pattern string matching is carried out for them, which saves matching time. The common root editor, however, is matched in this service log record.
Step 25: if there is no hit, ending processing with the monitoring result: no vulnerability of the type to be monitored was found in the log.
Step 24 comprises:
Step 241: if the first match hits, recording the first matching feature of the common feature root in the web service log data; specifically, if the first match hits, recording the first KMP match history of the common feature root in the web service log data. In this embodiment the most recent match history of the KMP search is {1010}. The first matching feature is equivalent to the match history of the KMP algorithm.
Step 242: obtaining the second matching feature of the common feature root relative to each of the at least two web vulnerability attack signature strings; specifically, obtaining the second KMP match history of the common feature root relative to each of the at least two web vulnerability attack signature strings. For example, the KMP prefix match histories of editor against ewebeditor, fckeditor and cuteeditor are {1010}, {000} and {0001} respectively.
Step 243: looking up the web vulnerability attack signature string whose second matching feature is identical to the first matching feature; specifically, looking up the web vulnerability attack signature string whose second match history is identical to the first match history. In this embodiment the most recent match history of the KMP search, {1010}, is compared with {1010}, {000} and {0001} in turn, which determines that the string the log finally contains is ewebeditor.
Step 244: if found, performing a full string comparison between the found web vulnerability attack signature string and the web service log data. If the full comparison is an exact match, the monitoring result is: a vulnerability of the type to be monitored is present. If it is not an exact match, the monitoring result is: no vulnerability of the type to be monitored.
Step 245: if not found, aborting processing with the monitoring result: no vulnerability of the type to be monitored was found in the log.
An application scenario of the present invention is described below. This scenario describes a multi-pattern fast matching method for monitoring web service logs. It proposes a multi-pattern fast matching monitoring method suited to the regularities of web vulnerability attack signature strings, which raises the efficiency of log monitoring and quickly locates attacks on web service systems. By monitoring web service logs rapidly, it finds the injection attacks, cross-site scripting attacks, scanning attacks, sensitive file traversal attacks and the common Jboss (a J2EE application server running EJB) and FCKeditor (a web page editor) upload vulnerabilities that attackers commonly use.
The multi-pattern fast matching method of the present invention pre-processes the web vulnerability attack signature strings in advance: signature strings sharing the same root are aggregated into groups, and the matching feature of the root relative to each signature string in the group is calculated. When monitoring web logs, the multi-pattern common feature roots are matched against the web service log first, excluding as many normal service log records as possible. For the web log records that hit a common feature root, the matching features of the signature strings in the group are used for a fast second match. Only when the above feature-word multi-pattern matching cannot be applied is each independent signature string extracted and matched with an ordinary fast single-pattern algorithm. Given the empirical fact that 99% of the records in a log system are normal records, the multi-pattern matching algorithm proposed by the present invention raises the overall matching efficiency of the large number of signature strings involved in web log attack monitoring.
As shown in Fig. 3, the flow chart of multi-pattern fast matching web service log monitoring, the method comprises the following steps:
Step 1: denoising and loading the raw web service log data.
Specifically: the log database to be monitored is loaded into a raw database. To reduce the volume of data to be monitored later, data items clearly outside the monitoring range are removed at the loading stage according to rules, such as the file name of the access resource recorded in the s-uri-stem log entry; access records of picture files such as .jpg, .swf and .gif or of flash files are removed; and frequently monitored features such as the s-uri-stem, s-uri-query and cookie fields and their lengths are recorded, so that fast identification can be carried out.
Step 2: pre-processing the web service log monitoring rules and attack signature keywords.
Specifically: the monitoring rules and the attack signatures associated with them are entered in advance, so that the web service log data can be monitored for injection attacks, cross-site scripting attacks, scanning attacks, sensitive file traversal attacks, back-end management page guessing attacks and the common Jboss and FCKeditor upload vulnerabilities. Implementing multi-pattern fast matching requires the matching data of the attack signature keywords to be precomputed. The main idea is as follows:
1. In a normal web service system 99% of the log is normal, so in most cases log data that does not contain a key attack signature is a normal service log record.
2. Attack records, such as those of a back-end management page guessing attack, have similar attack signature keywords, so the large number of monitoring signature strings can be grouped by the string features they share. Examples:
A. In the third-party vulnerable component monitoring rule, the signature keywords of third-party editor components with known vulnerabilities that attackers commonly exploit are ewebeditor, fckeditor and cuteeditor, which share the common feature string editor.
B. In the back-end management page guessing attack monitoring rule, the common management back-end guessing keywords are:
../admin/default.asp
../admin/index.asp
../admin/login.asp
../admin/manage.asp
a_admin.asp
a_admin.aspx
a_admin.jsp
a_admin.php
admin/admin.asp
admin/admin_login.asp
admin/admin123.asp
admin/admin123.aspx
admin/admin123.jsp
admin/Default.asp?
admin/ewebeditor/admin_login.asp
admin/index.asp
admin/login.asp
admin/manage.asp
admin_123.asp
admin_admin.asp
admin_admin.jsp
admin_body.asa
admin_body.asp
admin_Default.asp?
admin_del.asp
admin_delete.asp
admin_edit.asp
admin_guanli/
admin_home/
admin_index.asa
admin_index.asp
admin_index.jsp
Admin_jsCreate.asp
admin_login.asa
Admin_Login.asp
admin_login.jsp
Admin_login1.asp
admin_main.asp
admin_pass.asp
admin_soft.asp
admin_soft.aspx
admin_soft.jsp
Admin_SoftCateMenu.Asp
Admin_SoftInfo.asp
Admin_SoftLink.asp
Admin_SoftList.asp
Admin_SubCate.asp
Admin_UpdateSoftNum.asp
admin_user.asp
Admin_UserSetting.asp
admin_yuzhiguo/login.asp
Or
login.asa
login.asp
login.htm
login.html
login.jsp
login/
login/admin.asp
login/Default.asp?
login/index.asp
login/login.asp
login/logout.asp
login/super.asp
login_admin.asp
login_Default.asp?
login_out.asp
login1.asp
login123.asp
login123.aspx
login123.jsp
loginadmin.asp
loginDefault.asp?
loginsuper.asp
loginsys.asp
These attack signature data share common feature strings such as admin and login.
C. In the injection attack monitoring rule, some of the monitored signature strings, %20AnD%201=1, %20AnD%201=2 and %20AnD%200=1, also share the common feature %20AnD%20.
In the present invention, at the pre-processing stage of the monitoring rules and sensitive keywords, a longest common substring method extracts the common monitoring feature of a set of keywords to form a root, and the signature strings sharing a common root are aggregated into one group. At the log monitoring stage these common roots are checked first; if the data under examination contains no common root, no further monitoring is needed. Otherwise, the further matching of the key signature strings within the group is carried out.
The pre-processing stage also calculates and stores the KMP match history function of the common root relative to each attack signature string in the group, and stores it in the system as a further matching feature value. During subsequent monitoring, if the log data to be monitored contains the common attack signature string, the most recent 5 steps of the KMP search match history are recorded and compared with the precomputed KMP match history of each attack signature string in the same group; if they do not agree, that attack signature string is discarded quickly without a string comparison, saving monitoring time. In other words, the character-by-character comparison of an attack signature string is performed only when the log record to be monitored first contains the common feature string and secondly the most recent KMP search match history is identical to the pre-processed KMP match history of that attack signature string. In this way the present invention uses the length, the common feature string and the jump history information of the KMP search to reduce full multi-pattern signature string comparisons as far as possible and so saves comparison time.
An example follows:
Suppose the web service log is to be searched for third-party editor components with known system vulnerabilities, such as ewebeditor, fckeditor and cuteeditor. First, the signature strings ewebeditor, fckeditor and cuteeditor are pre-processed and found to share the common feature root editor; then the KMP prefix match histories of the root editor against ewebeditor, fckeditor and cuteeditor are calculated and stored as {1010}, {000} and {0001} respectively. These precomputed data are used in the subsequent multi-pattern keyword matching of the web log.
Step 3: obtaining the log to be monitored and the pre-processed rule data, and performing multi-pattern fast matching.
Specifically: based on the empirical fact that 99% of service log records are normal, the multi-pattern matching of attack signature keywords is carried out with exclusion as the main means. Each time a log record to be monitored is fetched, it is matched against the attack signature strings according to the monitoring rules. This differs from most existing web log monitoring systems, whose main goal is to match the complete signature string. That is, the pre-processed common roots are searched for in the log data first; if no common feature root is found, the multi-pattern signature strings associated with that common root are not compared any further. If a common feature root is found, the most recent KMP match history is compared with the precomputed KMP match history of each attack signature string; if they are inconsistent, the complete string comparison is not performed, and only if all the above features agree is the complete comparison of the signature string carried out. This exclusion process greatly reduces the number of full signature string comparisons and so achieves fast multi-pattern monitoring of web service logs.
Figure 4 is the flow chart of multi-pattern attack signature string matching. It comprises the following steps:
First, the following web log data to be monitored is fetched from the log database:
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-01-15 02:09:25 W3SVC1 192.168.228.130 GET /sqlinj/mssql/ewebeditor/test.asp - 80 - 192.168.228.1 Mozilla/4.0 404 0 64
Then the monitoring rule for guessing attacks on the back-office management page and the monitoring rule for vulnerable third-party components are fetched from the rule base.
The common feature roots of the back-office management page guessing-attack rule are admin and login. In the common root matching, neither admin nor login is found in the raw web log record, so no further multi-pattern string matching is needed for that rule, which saves matching time.
The at least two web vulnerability attack signature strings of the third-party vulnerable component rule are ewebeditor, fckeditor and cuteeditor, and the corresponding common feature root is editor; that is, ewebeditor, fckeditor and cuteeditor share the common feature root editor. The matching features of editor relative to ewebeditor, fckeditor and cuteeditor are: editor → {ewebeditor, {1010}} → {fckeditor, {000}} → {cuteeditor, {0001}}; that is, the KMP prefix match history of editor against ewebeditor, fckeditor and cuteeditor is {1010}, {000} and {0001} respectively.
Next, the web service log record above is scanned and found to contain the common root editor;
Then the most recent match history of the KMP search, {1010}, is compared in turn with {1010}, {000} and {0001}, which determines that the string actually present in the log is ewebeditor, and a monitoring record is output. In this way three signature strings were matched with a single run of the single-pattern KMP algorithm, which speeds up the monitoring of the web service log.
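The two-stage matching of step 3 and the worked flow above, as an added example in Python; it is not code from the patent or from the applicant. It assumes that the "KMP match history" is the sequence of per-character match/mismatch bits produced by the KMP scan for the characters preceding the root, which reproduces the {1010}, {000} and {0001} values above; the signature set and the URIs are constructed, and the lower-casing of the URI is an addition the text does not mention.

```python
"""Added example (not the patent's code): two-stage signature matching on a URI.

Stage 1 searches the common feature root with KMP and records the match/mismatch
bit of every scan step.  Stage 2 compares the bits recorded just before the root
hit with the precomputed history of each signature's prefix and runs a
full-string comparison only for signatures whose history agrees.
"""

# Constructed signature group for one vulnerability class (third-party editors).
SIGNATURES = ["ewebeditor", "fckeditor", "cuteeditor"]


def common_root(signatures):
    """Longest substring contained in every signature: the 'common feature root'."""
    base = min(signatures, key=len)
    for size in range(len(base), 0, -1):
        for start in range(len(base) - size + 1):
            candidate = base[start:start + size]
            if all(candidate in s for s in signatures):
                return candidate
    return ""


def kmp_failure(pattern):
    """Standard KMP failure table (longest proper prefix that is also a suffix)."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail


def kmp_with_history(text, pattern, fail):
    """KMP search that records one bit per text character: 1 if the character
    matched pattern[k] after failure-link fallback, else 0.
    Returns (index of the first full occurrence or -1, history bits)."""
    history = []
    k = 0
    for i, ch in enumerate(text):
        while k and ch != pattern[k]:
            k = fail[k - 1]
        if ch == pattern[k]:
            k += 1
            history.append(1)
        else:
            history.append(0)
        if k == len(pattern):
            return i - len(pattern) + 1, history
    return -1, history


def precompute(signatures):
    """Preprocessing: the root, its failure table, and each signature's prefix history."""
    root = common_root(signatures)
    fail = kmp_failure(root)
    table = {}
    for sig in signatures:
        prefix = sig[:sig.index(root)]          # characters that precede the root
        _, hist = kmp_with_history(prefix, root, fail)
        table[sig] = tuple(hist)                # e.g. 'eweb' -> (1, 0, 1, 0)
    return root, fail, table


def match_uri(uri, root, fail, table):
    """Return (matched signature or None, number of full-string compares made)."""
    uri = uri.lower()                           # assumption: signatures are lower-case
    pos, hist = kmp_with_history(uri, root, fail)
    if pos < 0:
        return None, 0                          # stage 1 miss: whole group excluded
    before = hist[:pos]                         # bits of the steps preceding the hit
    compares = 0
    for sig, sig_hist in table.items():
        n = len(sig_hist)
        if n > len(before) or tuple(before[len(before) - n:]) != sig_hist:
            continue                            # history disagrees: drop, no compare
        compares += 1
        start = pos - n
        if uri[start:start + len(sig)] == sig:  # full-string comparison confirms
            return sig, compares
    return None, compares


if __name__ == "__main__":
    root, fail, table = precompute(SIGNATURES)
    for uri in ("/sqlinj/mssql/ewebeditor/test.asp", "/admin/login.asp",
                "/wp-content/editor.js"):
        print(uri, "->", match_uri(uri, root, fail, table))
```

Only a history mismatch excludes a signature; a history match yields a candidate that the full comparison must still confirm, as the /wp-content/editor.js case shows (fckeditor's {000} agrees, the full compare rejects it). The recorded bits depend on the KMP state at the moment the prefix window begins, so if the log text immediately before a signature happens to partially match the root, the bits can differ from the precomputed ones and a real signature would be excluded; comparing the literal characters preceding the root is the exact equivalent if that risk matters for a deployment.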
Step 4: display of the monitoring results.
Specifically: according to the user's monitoring requirements, statistical charts and tables of the log monitoring results are generated, such as pie charts and bar charts.
Figure 5 shows a web service log monitoring apparatus of the present invention, comprising:
a first acquiring unit 41, which acquires web service log data and the vulnerability class to be monitored;
a second acquiring unit 42, which acquires the common feature root corresponding to the vulnerability class to be monitored, the common feature root being a root contained by each of at least two web vulnerability attack signature strings corresponding to that vulnerability class;
a first matching unit 43, which performs a first match on the web service log data using the common feature root;
a second matching unit 44, which, if the first match hits, performs a second match on the web service log data using the at least two web vulnerability attack signature strings corresponding to the common feature root;
a termination unit 45, which ends processing if the first match misses.
The second matching unit 44 comprises:
a recording subunit, which, if the first match hits, records a first matching feature of the common feature root in the web service log data;
an acquiring subunit, which acquires a second matching feature of the common feature root relative to each of the at least two web vulnerability attack signature strings;
a first lookup subunit, which looks up the web vulnerability attack signature string whose second matching feature is identical to the first matching feature;
a second lookup subunit, which performs a full-string comparison between the web vulnerability attack signature string found and the web service log data.
The first matching unit specifically uses the Knuth-Morris-Pratt (KMP) algorithm to perform the first match on the web service log data with the common feature root;
the second matching unit comprises:
a recording subunit, which, if the first match hits, records a first KMP match history of the common feature root in the web service log data;
an acquiring subunit, which acquires a second KMP match history of the common feature root relative to each of the at least two web vulnerability attack signature strings;
a first lookup subunit, which looks up the web vulnerability attack signature string whose second match history is identical to the first match history;
a second lookup subunit, which performs a full-string comparison between the web vulnerability attack signature string found and the web service log data.
The first matching unit comprises:
a noise removal subunit, which removes noise from the web service log data;
a matching subunit, which performs the first match on the denoised web service log data using the common feature root.
The noise removal subunit comprises:
a first noise removal subunit, which removes the file name of the accessed resource recorded in the s-uri-stem log field (cs-uri-stem in the W3C header above);
a second noise removal subunit, which removes access records for .jpg, .swf or .gif image or Flash files; or
a third noise removal subunit, which removes the s-uri-stem, s-uri-query and cookie fields and their lengths from the record.
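The noise removal step above, applied to a W3C extended format log, as an added example in Python that is not code from the patent or from the applicant. It implements the second rule (dropping static image and Flash requests) and projects each record onto the fields the matcher inspects; the field layout of the sample log is assumed and the log lines are constructed.

```python
"""Added example (not the patent's code): noise removal for W3C extended web logs.

Parses the '#Fields:' header, drops records for static image/Flash files, and
keeps only the fields the signature matcher inspects.
"""

STATIC_SUFFIXES = (".jpg", ".gif", ".swf")
KEEP_FIELDS = ("date", "time", "c-ip", "cs-uri-stem", "cs-uri-query", "cs(Cookie)")

# Constructed sample log with an assumed field layout; the last line is deliberately truncated.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status
2013-01-15 02:09:25 192.168.228.130 GET /sqlinj/mssql/ewebeditor/test.asp - 80 - 192.168.228.1 Mozilla/4.0 - 404
2013-01-15 02:09:26 192.168.228.130 GET /images/logo.gif - 80 - 192.168.228.1 Mozilla/4.0 - 200
2013-01-15 02:09:27 192.168.228.130 GET /admin/login.asp user=x 80 - 192.168.228.1 Mozilla/4.0 sid=abc 200
2013-01-15 02:09:28 192.168.228.130 GET
"""


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the most recent '#Fields:' header."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue                      # other directives, or data before any header
        values = line.split()             # W3C values are space-separated and never contain spaces
        if len(values) != len(fields):
            continue                      # truncated or malformed record: skip, never misalign
        yield dict(zip(fields, values))


def is_noise(record):
    """Static image/Flash requests carry no attack signature worth matching."""
    stem = record.get("cs-uri-stem", "-").lower()
    return stem.endswith(STATIC_SUFFIXES)


def denoise(lines):
    """Return the records worth matching, projected onto KEEP_FIELDS."""
    return [{k: rec.get(k, "-") for k in KEEP_FIELDS}
            for rec in parse_w3c(lines) if not is_noise(rec)]


if __name__ == "__main__":
    for rec in denoise(SAMPLE_LOG.splitlines()):
        print(rec)
```

Records that do not have the field count announced by the header are skipped rather than parsed with shifted columns, since a shifted cs-uri-stem would silently feed the wrong text to the matcher. Dropping by extension is a precision trade: it is sound for plain static content, but on servers whose extension handling has known quirks a request that ends in .jpg may still reach a script handler, so the suffix list should be reviewed against the server in use.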
Figure 6 shows the multi-pattern fast-matching web service log monitoring system, which consists of a user interface, databases and log monitoring processing logic.
The user interface comprises: a web log data operation interface module, an attack signature string and rule operation interface module, a user monitoring requirement management interface module, and an analysis result presentation interface module.
The database system consists of the web log database and its tables, the attack signature and rule database and its tables, and the web log monitoring anomaly result database and its tables.
The log monitoring processing logic comprises: a web log data preprocessing module, a monitoring rule preprocessing module, a monitoring business requirement rule analysis and generation module, a web log attack signature multi-pattern matching monitoring module, and a log analysis result data collation module.
Logical connections: the web log data operation interface module, the web log data preprocessing module and the web log database and its tables are connected in sequence; the attack signature string and rule operation interface module, the monitoring rule preprocessing module and the attack signature and rule database and its tables are connected in sequence; the user monitoring requirement management interface module is connected to the monitoring business requirement rule analysis and generation module; the web log database and its tables and the monitoring business requirement rule analysis and generation module are connected to the web log attack signature multi-pattern matching monitoring module; the attack signature and rule database and its tables are connected to the monitoring business requirement rule analysis and generation module; the web log attack signature multi-pattern matching monitoring module, the web log monitoring anomaly result database and its tables, the log analysis result data collation module and the analysis result presentation interface module are connected in sequence; and the monitoring business requirement rule analysis and generation module is connected to the log analysis result data collation module.
Each processing module is described in detail as follows:
1. Web log data operation interface module: provides the raw web service log data and the log-integrity noise-removal keywords. It corresponds to the acquisition of web service log data by the first acquiring unit above.
2. Web log data preprocessing module: removes the noise data from the log data according to the log-integrity rules. It corresponds to the noise removal subunit above.
3. Web log database and tables: stores the service log data after noise removal.
4. Attack signature string and rule operation interface module: used to enter monitoring rules and the associated monitoring keyword lists. It corresponds to the second acquiring unit above.
5. Monitoring rule preprocessing module: processes the multi-pattern keywords according to the monitoring rules and attack signature keywords entered by the user, forming the multi-pattern keyword monitoring order and the exclusion rule data.
6. Attack signature and rule database and tables: stores the multi-pattern keyword monitoring order and exclusion rule data formed by the monitoring rule preprocessing module.
7. User monitoring requirement management interface module: used to enter the user's actual monitoring requirements and the expected attack monitoring items.
8. Monitoring business requirement rule analysis and generation module: dynamically generates the multi-pattern keyword monitoring order and exclusion rule data according to the user's specific monitoring items.
9. Web log attack signature multi-pattern matching monitoring module: applies the multi-pattern keyword monitoring order and exclusion rules to the web service log record by record and generates the monitoring results. It corresponds to the first and second matching units above.
10. Web log monitoring anomaly result database and tables: stores the log records suspected of being attacks together with the applicable network attack monitoring rules and signatures.
11. Log analysis result data collation module: extracts the analysis results from the web log monitoring anomaly result database and generates the monitoring result display data according to the log monitoring requirements.
12. Analysis result presentation interface module: presents the monitoring results as suitable charts and lists for the reference of monitoring staff.
In the prior art, multi-pattern matching algorithms are general multi-keyword matching algorithms; they do not study the regularities of the web vulnerability attack signature strings commonly used by attackers or optimize for them, so in existing web service log monitoring systems the performance of signature keyword matching cannot meet the requirements of monitoring massive data, and the performance of multi-pattern matching needs further improvement. The present invention targets the log monitoring requirements of web service systems under attack and designs a fast multi-pattern attack signature string monitoring method based on common features and match history information, with exclusion as its main tool. Compared with the prior art, it improves the efficiency of web service system log monitoring and achieves performance optimization of service system log monitoring.
The above is a preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and such improvements and modifications should also be regarded as within the scope of protection of the present invention.

Claims (10)

1. A method for monitoring a web service log, characterized in that it comprises:
acquiring web service log data and a vulnerability class to be monitored;
acquiring a common feature root corresponding to the vulnerability class to be monitored, the common feature root being a root contained by each of at least two web vulnerability attack signature strings corresponding to the vulnerability class to be monitored;
performing a first match on the web service log data using the common feature root;
if the first match hits, performing a second match on the web service log data using the at least two web vulnerability attack signature strings corresponding to the common feature root;
if the first match misses, ending the processing.
2. The method according to claim 1, characterized in that
the step of, if the first match hits, performing a second match on the web service log data using the at least two web vulnerability attack signature strings corresponding to the common feature root comprises:
if the first match hits, recording a first matching feature of the common feature root in the web service log data;
acquiring a second matching feature of the common feature root relative to each of the at least two web vulnerability attack signature strings;
looking up the web vulnerability attack signature string whose second matching feature is identical to the first matching feature;
performing a full-string comparison between the web vulnerability attack signature string found and the web service log data.
3. The method according to claim 2, characterized in that
the step of performing the first match on the web service log data using the common feature root is specifically: performing the first match on the web service log data with the common feature root using the Knuth-Morris-Pratt (KMP) algorithm;
the step of, if the first match hits, performing the second match on the web service log data using the at least two web vulnerability attack signature strings corresponding to the common feature root comprises:
if the first match hits, recording a first KMP match history of the common feature root in the web service log data;
acquiring a second KMP match history of the common feature root relative to each of the at least two web vulnerability attack signature strings;
looking up the web vulnerability attack signature string whose second match history is identical to the first match history;
performing a full-string comparison between the web vulnerability attack signature string found and the web service log data.
4. The method according to claim 1, characterized in that the step of performing the first match on the web service log data using the common feature root comprises:
removing noise from the web service log data;
performing the first match on the denoised web service log data using the common feature root.
5. The method according to claim 4, characterized in that the step of removing noise from the web service log data comprises:
removing the file name of the accessed resource recorded in the s-uri-stem log field;
removing access records for image files in jpg, swf or gif format or for Flash files; or
removing the s-uri-stem, s-uri-query and cookie fields and their lengths from the record.
6. An apparatus for monitoring a web service log, characterized in that it comprises:
a first acquiring unit, which acquires web service log data and a vulnerability class to be monitored;
a second acquiring unit, which acquires a common feature root corresponding to the vulnerability class to be monitored, the common feature root being a root contained by each of at least two web vulnerability attack signature strings corresponding to the vulnerability class to be monitored;
a first matching unit, which performs a first match on the web service log data using the common feature root;
a second matching unit, which, if the first match hits, performs a second match on the web service log data using the at least two web vulnerability attack signature strings corresponding to the common feature root;
a termination unit, which ends the processing if the first match misses.
7. The apparatus according to claim 6, characterized in that the second matching unit comprises:
a recording subunit, which, if the first match hits, records a first matching feature of the common feature root in the web service log data;
an acquiring subunit, which acquires a second matching feature of the common feature root relative to each of the at least two web vulnerability attack signature strings;
a first lookup subunit, which looks up the web vulnerability attack signature string whose second matching feature is identical to the first matching feature;
a second lookup subunit, which performs a full-string comparison between the web vulnerability attack signature string found and the web service log data.
8. The apparatus according to claim 7, characterized in that
the first matching unit specifically uses the Knuth-Morris-Pratt (KMP) algorithm to perform the first match on the web service log data with the common feature root;
the second matching unit comprises:
a recording subunit, which, if the first match hits, records a first KMP match history of the common feature root in the web service log data;
an acquiring subunit, which acquires a second KMP match history of the common feature root relative to each of the at least two web vulnerability attack signature strings;
a first lookup subunit, which looks up the web vulnerability attack signature string whose second match history is identical to the first match history;
a second lookup subunit, which performs a full-string comparison between the web vulnerability attack signature string found and the web service log data.
9. The apparatus according to claim 6, characterized in that the first matching unit comprises:
a noise removal subunit, which removes noise from the web service log data;
a matching subunit, which performs the first match on the denoised web service log data using the common feature root.
10. The apparatus according to claim 9, characterized in that the noise removal subunit comprises:
a first noise removal subunit, which removes the file name of the accessed resource recorded in the s-uri-stem log field;
a second noise removal subunit, which removes access records for image files in jpg, swf or gif format or for Flash files; or
a third noise removal subunit, which removes the s-uri-stem, s-uri-query and cookie fields and their lengths from the record.
CN201410183369.0A 2014-04-30 2014-04-30 A kind of monitoring method and device of web business diaries Active CN105024987B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410183369.0A CN105024987B (en) 2014-04-30 2014-04-30 A kind of monitoring method and device of web business diaries

Publications (2)

Publication Number Publication Date
CN105024987A true CN105024987A (en) 2015-11-04
CN105024987B CN105024987B (en) 2018-05-22

Family

ID=54414698

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410183369.0A Active CN105024987B (en) 2014-04-30 2014-04-30 A kind of monitoring method and device of web business diaries

Country Status (1)

Country Link
CN (1) CN105024987B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7411204B2 (en) * 2002-06-05 2008-08-12 Michael Appleby Devices, methods, and systems involving castings
CN101685502A (en) * 2008-09-24 2010-03-31 华为技术有限公司 Mode matching method and device
CN102185930A (en) * 2011-06-09 2011-09-14 北京理工大学 Method for detecting SQL (structured query language) injection vulnerability

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107623677A (en) * 2017-08-08 2018-01-23 国家电网公司 The determination method and apparatus of Information Security
CN107623677B (en) * 2017-08-08 2021-01-01 国家电网公司 Method and device for determining data security
CN110135166B (en) * 2019-05-08 2021-03-30 北京国舜科技股份有限公司 Detection method and system for service logic vulnerability attack
CN110135166A (en) * 2019-05-08 2019-08-16 北京国舜科技股份有限公司 A kind of detection method and system for the attack of service logic loophole
CN110753047A (en) * 2019-10-16 2020-02-04 杭州安恒信息技术股份有限公司 Method for reducing false alarm of vulnerability scanning
CN110753047B (en) * 2019-10-16 2022-02-11 杭州安恒信息技术股份有限公司 Method for reducing false alarm of vulnerability scanning
CN110855676A (en) * 2019-11-15 2020-02-28 腾讯科技(深圳)有限公司 Network attack processing method and device and storage medium
CN110855676B (en) * 2019-11-15 2021-08-31 腾讯科技(深圳)有限公司 Network attack processing method and device and storage medium
CN111818008A (en) * 2020-05-21 2020-10-23 云南电网有限责任公司信息中心 Network data safety exchange method based on Webservice
CN111818008B (en) * 2020-05-21 2022-11-11 云南电网有限责任公司信息中心 Network data safety exchange method based on Webservice
CN114840853A (en) * 2021-06-16 2022-08-02 杨永飞 Big data-based digital service analysis method and cloud server
CN114328408A (en) * 2021-12-10 2022-04-12 苏州浪潮智能科技有限公司 Log screening method, system, equipment and medium
CN114328408B (en) * 2021-12-10 2024-01-16 苏州浪潮智能科技有限公司 Log screening method, system, equipment and medium
CN115277230B (en) * 2022-07-30 2023-07-07 重庆长安汽车股份有限公司 Method, device, equipment and storage medium for monitoring server login abnormality

Also Published As

Publication number Publication date
CN105024987B (en) 2018-05-22

Similar Documents

Publication Publication Date Title
CN105024987A (en) Web service log monitoring method and apparatus
CN108920954B (en) Automatic malicious code detection platform and method
CN101807208B (en) Method for quickly retrieving video fingerprints
CN113656807B (en) Vulnerability management method, device, equipment and storage medium
CN110569214B (en) Index construction method and device for log file and electronic equipment
CN112114995B (en) Terminal abnormality analysis method, device, equipment and storage medium based on process
CN104699737A (en) Method and system for managing a search
CN114915479B (en) Web attack stage analysis method and system based on Web log
CN104871171B (en) Distributed mode is found
CN110019640B (en) Secret-related file checking method and device
Bjelland et al. Practical use of Approximate Hash Based Matching in digital investigations
US20140280929A1 (en) Multi-tier message correlation
CN111368867B (en) File classifying method and system and computer readable storage medium
Khan et al. Digital forensics and cyber forensics investigation: security challenges, limitations, open issues, and future direction
Khanuja et al. Role of metadata in forensic analysis of database attacks
CN109614521A (en) A kind of efficient secret protection subgraph inquiry processing method
CN113886821A (en) Malicious process identification method and device based on twin network, electronic equipment and storage medium
US10223529B2 (en) Indexing apparatus and method for search of security monitoring data
CN116471098A (en) Method, device and storage medium for reconstructing vulnerability exploitation process based on traceability graph
CN110012013A (en) A kind of virtual platform threat behavior analysis method and system based on KNN
CN107203720B (en) Risk value calculation method and device
CN112685389B (en) Data management method, data management device, electronic device, and storage medium
Sumalatha et al. Data collection and audit logs of digital forensics in cloud
CN114416806A (en) Method and device for acquiring power safety knowledge data and computer equipment
Sirisang et al. Analyzing SQL injection statements using common substructure of parse tree

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant