
Towards Network Threat Analysis System Based On Multi-source Security Logs

Posted on: 2015-06-25
Degree: Master
Type: Thesis
Country: China
Candidate: J Ya
Full Text: PDF
GTID: 2298330431484694
Subject: Computer technology
Abstract/Summary:
With the rapid development of computer and network technology, networks are growing in scale and network security problems are becoming increasingly prominent. The many security devices deployed in a network environment produce large volumes of logs every day, recording the security incidents that occur in the network system. Because logs are a faithful record of what a computer network system actually did, log analysis is critical to maintaining system security and monitoring the state of the system; logs are among the most important data reflecting the security status of a network, and they are the main data source of current network threat analysis systems.

In recent years, network attack behaviour has shown new characteristics: attacks are increasingly complex and distributed. An attack process is composed of multiple stages, and different stages may be carried out on different network nodes. A single event log therefore gives only a partial view: it cannot reflect the whole outline of the attack, and it cannot capture planned, multi-stage attack behaviour. Network threat analysis based on multi-source logs correlates the logs of all nodes in the network and detects network threats at multiple levels and from multiple angles, in order to find threat behaviour hidden in the system.

This thesis first discusses the background and significance of network threat analysis technology based on multi-source logs and summarizes the current state of research in China and abroad. It then studies the concepts of network threats and threat models, including the concept, classification and common formats of logs and their applications, pointing out the important role of logs in network threat analysis. Next, the technologies involved in multi-source log analysis are discussed, including multi-source log collection, log processing and data storage.
Furthermore, a network threat analysis system is designed and implemented, and an experiment is deployed to verify it. Finally, the thesis summarizes the work above and points out directions for further research on network threat analysis systems.
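The two points made above, that a single node's log cannot show a multi-stage attack and that multi-source analysis first has to collect and normalise heterogeneous log formats before correlating them, are illustrated by the following added example. It is not the thesis's own system: the three log sources (a firewall, an IDS and an SSH auth log on hypothetical hosts fw01 and web01), the IP addresses, the log formats, the stage names and the 60-second scan window and 15-minute correlation window are all constructed assumptions. Each source sees one stage of the same attack; only after normalising all three into one event schema and correlating by source IP does the scan, exploit, login chain from 10.0.0.5 appear.

```python
"""Multi-source log correlation for a multi-stage attack (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs: hypothetical hosts, addresses and formats.
FIREWALL_LOG = """\
2015-06-01T10:00:01 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=22
2015-06-01T10:00:02 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=23
2015-06-01T10:00:03 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=445
2015-06-01T10:00:04 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=3306
2015-06-01T10:00:05 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=8080
2015-06-01T10:30:00 fw01 DENY src=172.16.0.9 dst=192.168.1.10 dport=25
"""
IDS_LOG = """\
06/01/2015-10:02:10 [**] WEB-ATTACK SQL injection attempt [**] 10.0.0.5 -> 192.168.1.20
06/01/2015-11:45:00 [**] WEB-ATTACK SQL injection attempt [**] 172.16.0.9 -> 192.168.1.20
"""
AUTH_LOG = """\
Jun  1 10:05:30 web01 sshd[2211]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Jun  1 14:00:00 web01 sshd[2300]: Accepted password for alice from 192.168.1.50 port 40000 ssh2
"""

@dataclass(frozen=True)
class Event:
    """Common schema every source is normalised into."""
    ts: datetime
    src: str
    dst: str
    stage: str    # "deny", "scan", "exploit" or "login"
    source: str   # originating log: "firewall", "ids" or "auth"
    detail: str

@dataclass(frozen=True)
class Alert:
    src: str
    chain: tuple  # one Event per stage, in time order

FW_RE = re.compile(r"^(\S+) (\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) \[\*\*\] (.+?) \[\*\*\] (\S+) -> (\S+)$")
AUTH_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"Accepted \w+ for (\S+) from (\S+) port \d+")

def parse_firewall(text):
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _host, src, dst, dport = m.groups()
            out.append(Event(datetime.fromisoformat(ts), src, dst, "deny", "firewall", dport))
    return out

def parse_ids(text):
    out = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, msg, src, dst = m.groups()
            out.append(Event(datetime.strptime(ts, "%m/%d/%Y-%H:%M:%S"), src, dst, "exploit", "ids", msg))
    return out

def parse_auth(text, year=2015):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2015 here)."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, user, src = m.groups()
            when = datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S").replace(year=year)
            out.append(Event(when, src, host, "login", "auth", user))
    return out

def detect_scans(denies, min_ports=5, window=timedelta(seconds=60)):
    """Collapse a burst of denied connections to distinct ports into one 'scan' event."""
    by_src = defaultdict(list)
    for d in denies:
        by_src[d.src].append(d)
    scans = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            ports = {e.detail for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                scans.append(Event(evs[start].ts, src, evs[end].dst, "scan", "firewall",
                                   f"{len(ports)} ports"))
                start = end + 1   # report one scan per burst
    return scans

STAGES = ("scan", "exploit", "login")

def correlate(events, window=timedelta(minutes=15)):
    """Chain scan -> exploit -> login from one source IP, each stage within `window`
    of the previous one. Events that are not the next expected stage are ignored;
    a gap longer than `window` resets the chain."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src in sorted(by_src):
        chain = []
        for e in sorted(by_src[src], key=lambda e: e.ts):
            if chain and e.ts - chain[-1].ts > window:
                chain = []
            if e.stage == STAGES[len(chain)]:
                chain.append(e)
            if len(chain) == len(STAGES):
                alerts.append(Alert(src, tuple(chain)))
                chain = []
    return alerts

def run_analysis(fw_text=FIREWALL_LOG, ids_text=IDS_LOG, auth_text=AUTH_LOG):
    events = detect_scans(parse_firewall(fw_text)) + parse_ids(ids_text) + parse_auth(auth_text)
    return correlate(events)

if __name__ == "__main__":
    for a in run_analysis():
        print(f"multi-stage attack from {a.src}:")
        for e in a.chain:
            print(f"  {e.ts:%H:%M:%S} {e.source:8s} {e.stage:8s} {e.detail}")
```

Run on its own, the firewall log yields only a port scan, the IDS log only an injection attempt, and the auth log only a successful root login that looks like routine administration; feeding any one of them to `correlate` returns nothing. Only the combined, normalised event stream produces the alert, which is the practical content of the "single event log is too partial" argument. Timestamp normalisation across sources (ISO 8601, the IDS's own date format, and syslog without a year) is where real deployments most often go wrong, and clock skew between nodes would argue for a correlation window wider than the tightest one that fits the sample.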
Keywords/Search Tags: Multi-source Log, Network Threat, Log Analysis, Analysis System