Abstract
In order to audit and analyze security events from massive log data and to trace the origin of those events, this paper proposes a log audit analysis model for cyberspace security classified protection driven by a knowledge graph. The model fuses security, operation and maintenance, data analysis and classified-protection evaluation data to enrich the log data. Servers, network devices and security devices are the nodes of the ontology; a business data flow is the relationship connecting two nodes, and the direction of the business data flow is the direction of the relationship. The classified protection log knowledge graph is constructed from four aspects: security management center, secure computing environment, secure area boundary and secure communication network. This realizes efficient association and deep mining analysis of network logs and improves the efficiency of audit analysis for abnormal cyberspace security events, so that the data can be analyzed and processed directly without precise modeling of the problem. The model is suited to big data analysis of network security logs and provides an effective method for solving large-scale, complex log audit analysis.
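The graph construction the abstract describes (devices as ontology nodes, directed business data flows as edges, each tagged with one of the four classified-protection aspects) and the event-tracing walk it enables are illustrated by the following added example. It is not code from the paper; the log records, device names, device classes and aspect labels are constructed for illustration, and the tracing rule (follow inbound flows no later than the observed event, most recent first) is an assumed simplification of what a production model would do.

```python
"""Constructed example: a small log knowledge graph with event tracing.

Nodes are devices (servers, network devices, security devices); a directed
edge is a business data flow evidenced by one or more log records; each
record is tagged with the classified-protection aspect it belongs to.
"""
from collections import defaultdict

# Constructed log records (not real data). 'aspect' is one of the four
# classified-protection aspects named in the abstract.
LOGS = [
    {"ts": "2020-01-10T08:00:01", "src": "border-fw", "dst": "web-srv",
     "aspect": "secure area boundary", "msg": "ALLOW 203.0.113.5 -> 10.0.1.10:443"},
    {"ts": "2020-01-10T08:00:02", "src": "web-srv", "dst": "app-srv",
     "aspect": "secure computing environment", "msg": "POST /api/order"},
    {"ts": "2020-01-10T08:00:03", "src": "app-srv", "dst": "db-srv",
     "aspect": "secure computing environment", "msg": "SELECT orders WHERE id=42"},
    {"ts": "2020-01-10T08:00:03", "src": "db-srv", "dst": "soc-siem",
     "aspect": "security management center", "msg": "audit: unusual row count 50000"},
    {"ts": "2020-01-10T08:00:04", "src": "core-switch", "dst": "soc-siem",
     "aspect": "secure communication network", "msg": "netflow export"},
]

# Constructed ontology classes for the devices above.
DEVICE_CLASS = {
    "border-fw": "security device", "core-switch": "network device",
    "web-srv": "server", "app-srv": "server", "db-srv": "server",
    "soc-siem": "security device",
}


class LogGraph:
    """Directed graph: node -> device metadata, edges carry log records."""

    def __init__(self):
        self.nodes = {}                 # name -> {"class": str, "aspects": set}
        self.out = defaultdict(list)    # src -> [(dst, record)]
        self.inc = defaultdict(list)    # dst -> [(src, record)]

    def add_record(self, rec):
        for name in (rec["src"], rec["dst"]):
            node = self.nodes.setdefault(
                name, {"class": DEVICE_CLASS.get(name, "unknown"), "aspects": set()})
            node["aspects"].add(rec["aspect"])
        # Edge direction follows the business data flow direction.
        self.out[rec["src"]].append((rec["dst"], rec))
        self.inc[rec["dst"]].append((rec["src"], rec))

    def trace_origin(self, rec):
        """Trace an observed record back through inbound flows to its entry
        device. Only flows timestamped no later than the observed record are
        followed, most recent first; returns devices from entry to observer."""
        path = [rec["dst"], rec["src"]]
        seen = set(path)
        cur, limit = rec["src"], rec["ts"]
        while True:
            preds = [(s, r) for s, r in self.inc[cur] if r["ts"] <= limit]
            preds.sort(key=lambda sr: sr[1]["ts"], reverse=True)
            nxt = next((s for s, _ in preds if s not in seen), None)
            if nxt is None:                 # no unvisited upstream flow: entry point
                return list(reversed(path))
            seen.add(nxt)
            path.append(nxt)
            cur = nxt

    def entry_points(self):
        """Devices with no inbound flow (where data enters the graph)."""
        return [n for n in self.nodes if not self.inc[n]]

    def events_for(self, aspect):
        """All records tagged with one classified-protection aspect."""
        return [r for edges in self.out.values() for _, r in edges
                if r["aspect"] == aspect]


def build_graph(records=LOGS):
    g = LogGraph()
    for r in records:
        g.add_record(r)
    return g


if __name__ == "__main__":
    g = build_graph()
    alert = LOGS[3]                     # the audit alert seen by the SOC
    print("trace:", " -> ".join(g.trace_origin(alert)))
    print("entry points:", g.entry_points())
```

Running the block traces the database audit alert back through the application and web servers to the border firewall, which is the kind of cross-device association a flat per-device log search does not give directly.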
Authors
陶源
黄涛
李末岩
胡巍
TAO Yuan; HUANG Tao; LI Moyan; HU Wei (The Third Research Institute of Ministry of Public Security, Shanghai 200031, China; Cyber Security Bureau of Ministry of Public Security, Beijing 100741, China; National Engineering Laboratory for Key Technology of Classified Information Security Protection, Beijing 100142, China)
Source
《信息网络安全》
Indexed in CSCD and Peking University Core Journals (北大核心)
2020, No. 1, pp. 46-51 (6 pages)
Netinfo Security
Funding
National Key R&D Program of China [2018YFB0803503].
Keywords
knowledge graph
cyberspace log
classified protection
audit analysis