Similar literature
 Found 20 similar documents; search took 93 ms
1.
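Construction and application of a log server   Total citations: 1; self-citations: 0; citations by others: 1
Device logs record network operation and service information promptly and accurately, and are an information source that network administrators should watch closely. A log server uses log server software to collect logs from network devices, security devices, application servers and similar sources, and stores and manages them centrally. These logs can be read manually during routine maintenance, or processed and precisely analyzed by programs, to achieve comprehensive monitoring of the network.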

2.
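Log information is an important information resource produced in the rapid development of information systems; through log analysis, anomaly detection, fault diagnosis, performance diagnosis and the like can be carried out. This work studies log-based anomaly detection techniques: it first introduces the main log-based anomaly detection frameworks in use, then describes in detail key techniques such as log parsing and log anomaly detection. Finally, it summarizes current techniques and gives suggestions for future research directions.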

3.
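张如云, 《办公自动化》 (Office Automation), 2015, (5): 53-56, 45
The security of the log system is vital to computer security. The paper analyzes the locations at which a log system is attacked and the different types of attack, and analyzes in detail the mechanisms of attacks on the log system from the three aspects of confidentiality, integrity and availability. Finally, it summarizes how a log system can guard against the various attacks. The work offers strong guidance for protecting the log systems of computer hosts in a network environment from attack.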

4.
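The security of the log system is vital to computer security. The paper analyzes the locations at which a log system is attacked and the different types of attack, and analyzes in detail the mechanisms of attacks on the log system from the three aspects of confidentiality, integrity and availability. Finally, it summarizes how a log system can guard against the various attacks. The work offers strong guidance for protecting the log systems of computer hosts in a network environment from attack.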

5.
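Sequential pattern mining of router logs   Total citations: 1; self-citations: 1; citations by others: 0
庄军, 郭平, 周杨, 周劲, 蔡日旭, 《计算机科学》 (Computer Science), 2005, 32(11): 179-181
With the development of network technology, people demand ever higher network quality; changes in the working state of routers, one of the important links in network transmission, directly affect the quality of network operation. Knowledge mined from router logs can be used both to evaluate network quality and to improve network information services. This paper analyzes some common information in router logs, mines the logs using a sequence mining method, and interprets and analyzes the mining results.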

6.
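In recent years network security log data has grown explosively, but existing visualization techniques struggle to support complete visual analysis of high-dimensional, multi-granularity Netflow logs. This paper therefore proposes a new network security visualization framework design, which uses a 3D bar chart to display the traffic time series of Netflow logs, helping users quickly identify abnormal moments in the network. An information entropy algorithm is applied to the dimension data of the parallel coordinate axes to make the multi-dimensional graphics easier to understand; matrix charts, bubble charts and traffic time-series charts are used for detailed analysis; finally, the system is used to carry out case analyses of network anomalies for DDoS attacks and port scanning attacks. The study shows that the system's rich visualizations and simple, easy-to-use collaborative interaction can well support network security personnel through the whole process, from analyzing the overall operating state of the network, to locating abnormal moments, to monitoring the details of network behavior.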

7.
Delphi is used to monitor the log space of servers on a network and to back up and clean up log files automatically.

8.
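Because the network operating state cannot be determined clearly, network data transmission suffers from a series of information loss problems; to address this, log parsing technology is used to optimize a secure automatic encryption system for network data transmission information. The information communication network, interface chip and general-purpose interface bus of the encryption system are optimized and modified; hardware devices collect log data and real-time network transmission data; the current operating state of the network is determined by parsing the logs; and the transmission of information data is simulated in that state, achieving...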

9.
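Logs record important information about a running system, and log anomaly detection can quickly and accurately find the cause of system faults. However, log sequences suffer from problems such as data instability and interdependence among data. To this end, a new semi-supervised log sequence anomaly detection method is proposed. The method uses the bidirectional encoder semantic parsing BERT model and a multi-layer convolutional network to extract log information separately, obtaining the contextual correlation between log sequences and the local correlation of log sequences, and then uses an attention-based Bi-GRU network for log sequence anomaly detection. The performance of the proposed method is verified on 3 datasets. Compared with 6 baseline methods, the proposed method has the best F1 score and also achieves the highest AUC value, 0.9813. The experimental results show that the proposed method can effectively handle the data instability of log sequences and the interdependence among data.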

10.
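胡倩, 罗军勇, 尹美娟, 曲小美, 《计算机科学》 (Computer Science), 2016, 43(Z6): 332-334, 360
The alert logs produced by network security protection devices contain a large number of duplicate alerts, which hampers real-time analysis of the network threat situation. To solve the problem of real-time, accurate deduplication of alert logs, an alert log deduplication method based on attribute hashing is proposed. The method uses attribute hashing to detect duplicate alerts quickly, and uses a hash table to solve at the same time the storage problem for the large number of non-duplicate alert logs. Experiments on alert logs built from the Darpa dataset show that the method achieves a deduplication accuracy of over 95% while keeping time complexity low.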

11.
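To make full use of the heterogeneous data sources in power information systems to uncover security threats in the power grid, this paper proposes a comprehensive feature extraction method for multi-source logs based on the Restricted Boltzmann Machine (RBM). First, an RBM neural network is used to encode the various kinds of log information in a normalized form; then the contrastive divergence fast learning method is used to optimize the network weights, and the RBM model is trained by maximizing the log-likelihood function with stochastic gradient ascent. By processing the normalized, encoded log information, the method reduces the data's dimensionality and obtains fused comprehensive features, effectively solving the problems caused by the heterogeneity of log data. A big-data threat early-warning and monitoring experimental environment was built in a power information system, and comprehensive feature extraction from security logs and algorithm validation were carried out. The experimental results show that the proposed RBM-based method can be used for security analyses of various kinds, such as cluster analysis and anomaly detection, and has high accuracy in extracting log features in power information systems, thereby improving the speed and accuracy of network security situation prediction.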

12.
The author evaluates security information management systems, or SIMS, which promise to solve a serious network security problem: log analysis. The idea behind log analysis is that if you can read the log messages in real time, you can figure out what the attacker is doing. And if you can respond fast enough, you can kick him out before he does damage.

13.
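This paper describes in detail the process by which a mobile user connects to the network, and designs a model for connecting a mobile host to the network. It gives a full account of the mobile user's login and logout process, focusing on the foreign agent's access to the mobile host, mobile host login, and the establishment of contact between the foreign agent and the mobile host, achieving a secure, fast and convenient connection between portable mobile hosts and the network.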

14.
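崔元, 张琢, 《计算机科学》 (Computer Science), 2017, 44(Z11): 448-452
To address the difficulty of extracting network events directly from large network logs, a template extraction method based on large-scale network logs is proposed. The method can proactively convert massive raw network logs into log templates, providing important groundwork for understanding the root causes of network events and preventing network failures. First, the structure of the logs is analyzed and the words in the logs are divided into two classes, template words and parameter words; then template extraction is studied from 3 different angles; finally, actual production data from an Internet company is used, with the Rand_index method, to evaluate the accuracy and effectiveness of the 3 extraction methods. The results show that, across 4 different message types collected from service clusters, log templates extracted with the label-recognition-tree model reach an average accuracy of 99.57%, higher than that of the statistics-based template extraction model and the online template extraction model.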

15.
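System log information is an important data source for analyzing the state of information security, and is also key to locating the path and cause of an information security incident after it occurs; establishing a network log system that can provide centralized log management for various network devices and hosts has therefore become increasingly important. Starting from practice, a collection method is proposed for building a network log management system on a domestically developed operating system.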

16.
We consider the problem of merging two sorted sequences on constant degree networks performing compare-exchange operations only. The classical solution to this problem is given by the networks based on Batcher's Odd-Even Merge and Bitonic Merge running in log(2n) time. Due to the obvious log n lower bound for the runtime, this is time-optimal. We present a new family of merging networks working in a completely different way than the previously known algorithms. They have a novel property of being periodic: this means that for some (small) constant k, each processing unit of the network performs the same operations at steps t and t+k (as long as t+k does not exceed the runtime). The only operations executed are compare-exchange operations, just like in the case of Batcher's networks. The architecture of the networks is very simple and easy to lay out. We show that even for period 3 there is a network in our family merging two n-element sorted sequences in time O(log n). Since each network of period 2 requires steps to merge such sequences, 3 is the smallest period for which we may achieve a fast runtime. In order to improve constants standing in front of log n we increment the period and tune the construction using additional techniques. We achieve the runtime $9 \cdot \log_3 n \approx 5.7 \cdot \log n$ for a network of period 4, and $2.25 \cdot ((k+3)/(k-1+\log 3)) \log n \approx 2.25 \cdot \log n$ for a network of period k+3, for . Due to the periodic design, our networks have small area complexity. For instance, if each processing unit requires O(1) area and a comparator uses a single wire of width O(1) connecting the processing elements, then our networks require area. This compares well with Batcher's networks that require area. Received February 1997, and in revised form September 1997, and in final form February 1998.

17.
We present efficient algorithms for computing very sparse low distortion spanners in distributed networks and prove some non-trivial lower bounds on the tradeoff between time, sparseness, and distortion. All of our algorithms assume a synchronized distributed network, where relatively short messages may be communicated in each time step. Our first result is a fast distributed algorithm for finding an $O(2^{\log^{*} n} \log n)$-spanner with size O(n). Besides being nearly optimal in time and distortion, this algorithm appears to be the first that constructs an O(n)-size skeleton without requiring unbounded length messages or time proportional to the diameter of the network. Our second result is a new class of efficiently constructible (α, β)-spanners called Fibonacci spanners whose distortion improves with the distance being approximated. At their sparsest Fibonacci spanners can have nearly linear size, namely $O(n(\log \log n)^{\phi})$, where $\phi = (1 + \sqrt{5})/2$ is the golden ratio. As the distance increases the multiplicative distortion of a Fibonacci spanner passes through four discrete stages, moving from logarithmic to log-logarithmic, then into a period where it is constant, tending to 3, followed by another period tending to 1.
On the lower bound side we prove that many recent sequential spanner constructions have no efficient counterparts in distributed networks, even if the desired distortion only needs to be achieved on the average or for a tiny fraction of the vertices. In particular, any distance preservers, purely additive spanners, or spanners with sublinear additive distortion must either be very dense, slow to construct, or have very weak guarantees on distortion.

18.
Two mobile agents having distinct identifiers and located in nodes of an unknown anonymous connected graph, have to meet at some node of the graph. We seek fast deterministic algorithms for this rendezvous problem, under two scenarios: simultaneous startup, when both agents start executing the algorithm at the same time, and arbitrary startup, when starting times of the agents are arbitrarily decided by an adversary. The measure of performance of a rendezvous algorithm is its cost: for a given initial location of agents in a graph, this is the number of steps since the startup of the later agent until rendezvous is achieved. We first show that rendezvous can be completed at cost O(n + log l) on any n-node tree, where l is the smaller of the two identifiers, even with arbitrary startup. This complexity of the cost cannot be improved for some trees, even with simultaneous startup. Efficient rendezvous in trees relies on fast network exploration and cannot be used when the graph contains cycles. We further study the simplest such network, i.e., the ring. We prove that, with simultaneous startup, optimal cost of rendezvous on any ring is Θ(D log l), where D is the initial distance between agents. We also establish bounds on rendezvous cost in rings with arbitrary startup. For arbitrary connected graphs, our main contribution is a deterministic rendezvous algorithm with cost polynomial in n, τ and log l, where τ is the difference between startup times of the agents. We also show a lower bound Ω(n²) on the cost of rendezvous in some family of graphs. If simultaneous startup is assumed, we construct a generic rendezvous algorithm, working for all connected graphs, which is optimal for the class of graphs of bounded degree, if the initial distance between agents is bounded.

19.
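The development and evaluation of an intrusion detection system (IDS) requires a simulated network environment, and network traffic simulation is one of the key technologies involved. Based on a detailed analysis of network traffic simulation techniques and related software, a log-based network background traffic simulation tool is designed and implemented, which solves the problems of attack type definition and background traffic in IDS testing. The tool is used to simulate a real network environment to test and analyze an IDS. The experimental results show that the log-based network background traffic simulation software can dynamically replay simulated network traffic data at different speeds on the basis of log information and can modify the log data, increasing the flexibility of IDS testing.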

20.
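Logs play an important role in routine system operations and maintenance, auditing, intrusion detection and so on, and remote centralized management is an effective means of log management. Because the log formats supported on different operating system platforms are not uniform, it has traditionally been hard to collect the logs of different systems in a large network remotely onto a central log server. nxlog is a powerful multi-platform log collection tool that is easy to deploy, can collect system logs on target systems continuously and stably, and supports sending logs to a remote log server in a variety of log formats and transport modes. Meanwhile Syslog, as an industry protocol, has also gained increasingly broad support. A flexible and reliable remote system log collection system can be built on nxlog together with a mature log server. Results from actual operation show that this solution can effectively solve the problem of remote system log collection in large networks.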
