
Research On Log Ciphertext Retrieval Based On Alarm Correlation

Posted on: 2021-07-03
Degree: Master
Type: Thesis
Country: China
Candidate: J Huang
Full Text: PDF
GTID: 2518306470968519
Subject: Computer technology
Abstract/Summary:
With the rapid popularization of computer science, the number of alarms in IT systems is increasing geometrically, and alarms record important information about attack behavior. Through alarm analysis, the security administrator can find vulnerabilities and repair them in time, so alarms play an important role in system protection. A log retrieval model is used for the safe storage and effective retrieval of alarm logs. With the rapid accumulation of alarms, the traditional log retrieval model shows many deficiencies in storage and retrieval. First, the alarm log is a primary target of attackers, who usually tamper with it to hide the information that records their attack behavior; the traditional log retrieval model cannot guarantee the integrity of the alarm log, resulting in low accuracy of log analysis. Second, because the content of an alarm is simple while its format is complex, a retrieval operation often extracts a large number of irrelevant alarms, which makes the subsequent alarm analysis inefficient.

To address the difficulty of safely storing alarms and retrieving their ciphertext, this paper proposes a log ciphertext retrieval scheme based on alarm correlation. Through threat assessment of the attack source address, alarms with a higher threat level are extracted and a ciphertext index structure is built from them. Alarm correlation is used to analyze the relationships among the alarm logs, so that the alarm logs of the same attack scenario can be retrieved together. To improve the data security of the alarms, a distributed storage structure based on blockchain is used to save them, and the log index structure is stored in the data block to provide ciphertext retrieval of the alarms. A block index library replaces the traditional blockchain log retrieval to improve the retrieval speed. Experiments show that the scheme can ensure the storage security of alarms and that, through retrieval, the security administrator can obtain the alarms with attack intention.

The main research work is as follows. First, in order to obtain the alarm logs that require analysis, this paper defines a formula for calculating the threat degree of a source address. Source addresses with a higher threat level and their corresponding alarm logs are obtained through threat assessment, and a security index is constructed to provide retrieval of those alarm logs. Through correlation analysis of the alarms, alarms belonging to the same attack scenario are extracted to build an index structure that provides correlated retrieval of the alarms of an attack scenario. Second, a distributed storage system is used to store the alarms; metadata consisting of the hash and the filename of each alarm is stored in the blockchain to protect the important information of the alarms, and the log index is stored in the block to provide log ciphertext retrieval. Finally, to improve the retrieval efficiency of alarms, a block index library recording the storage location of each data block replaces the traditional chain query, and alarms are extracted safely by ciphertext retrieval: the target block is obtained by querying the block index library, the filenames of the alarms are obtained from the index structure of that block, and the integrity of the alarm retrieval results is verified. Experimental analysis shows that the log ciphertext retrieval scheme based on alarm correlation has high retrieval efficiency and that the time consumed in generating data blocks does not increase rapidly. It is proved that the retrieval scheme can ensure the retrieval security of alarms. The recall rate and accuracy rate of the alarm retrieval results are analyzed to prove that the retrieval scheme can be used to retrieve the alarms of attack scenarios.
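As an added illustration (not code from the thesis), the following Python sketch models the storage and retrieval flow the abstract describes: each block commits the (filename, hash) metadata of its alarms plus a keyed index, a block index library maps index tokens straight to block heights instead of walking the chain, and every retrieved alarm is checked against the hash committed in its block. Assumptions: an HMAC token stands in for the thesis's ciphertext index, a dict stands in for distributed storage, and the alarm files and source addresses are constructed sample values.

```python
import hashlib, hmac, json

INDEX_KEY = b"constructed-demo-key"  # assumption: secret held by the administrator's retrieval client

def token(keyword: str) -> str:
    # Keyed search token, so blocks never carry the plaintext keyword (stand-in for the ciphertext index)
    return hmac.new(INDEX_KEY, keyword.encode(), hashlib.sha256).hexdigest()

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(entries, index, prev):
    return digest(json.dumps({"entries": entries, "index": index, "prev": prev}, sort_keys=True).encode())

class AlarmChain:
    """Blocks hold (filename, hash) metadata and a token -> filenames index; alarm contents sit
    off-chain in self.store (dict standing in for distributed storage); self.library maps token -> heights."""
    def __init__(self):
        self.blocks, self.store, self.library = [], {}, {}

    def add_block(self, alarms):  # alarms: list of (filename, content, keyword such as a source address)
        entries, index = {}, {}
        for name, content, keyword in alarms:
            self.store[name] = content
            entries[name] = digest(content)
            index.setdefault(token(keyword), []).append(name)
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"entries": entries, "index": index, "prev": prev,
                            "hash": block_hash(entries, index, prev)})
        for t in index:  # block index library: no chain walk is needed at retrieval time
            self.library.setdefault(t, []).append(len(self.blocks) - 1)

    def retrieve(self, keyword):
        """Jump to candidate blocks via the library, read filenames from the block index,
        then verify each alarm against the hash committed in that block."""
        t, verified, tampered = token(keyword), [], []
        for height in self.library.get(t, []):
            block = self.blocks[height]
            for name in block["index"][t]:
                ok = digest(self.store.get(name, b"")) == block["entries"][name]
                (verified if ok else tampered).append(name)
        return verified, tampered

    def chain_valid(self):  # recompute every block hash and check the prev-hash links
        for i, b in enumerate(self.blocks):
            if block_hash(b["entries"], b["index"], b["prev"]) != b["hash"] or \
               (i and b["prev"] != self.blocks[i - 1]["hash"]):
                return False
        return True
```

A tampered alarm file shows up in the `tampered` list because its recomputed hash no longer matches the block, while an edit to the committed metadata itself breaks `chain_valid()`.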
Keywords/Search Tags: Blockchain, Distributed Storage, Alarm Correlation, Ciphertext Retrieval, Integrity Verification