
Design And Implementation Of The Audit And Management Center In Log-Based Audit System

Posted on: 2010-04-04
Degree: Master
Type: Thesis
Country: China
Candidate: K Qian
Full Text: PDF
GTID: 2178360275999121
Subject: Communication and Information System
Abstract/Summary:
Since most network systems generate logs that record their behavior and related network events, auditing these logs can detect violations in a timely manner and also provide evidence for further investigation. The "Log-based Audit System" is proposed against this background and aims to build a distributed log monitoring and security auditing system. It safeguards the network's security and stability by collecting, aggregating, analyzing and storing logs, and it raises warnings of hacker attacks and virus infections to meet the needs of network applications.

As the major component of the Network Security Audit System, the Audit and Management Center is mainly responsible for analysis, statistics and search over log data, and it provides the GUI for users. This paper implements the Center on J2EE and gives solutions for the three key problems of the implementation. First, the current HTTP stream is a one-way transmission mode with poor real-time behavior, so warning information cannot be delivered promptly. To solve this, the paper presents a design that combines HTTP with TCP sockets as the message transmission mechanism between client and server. Testing shows that this method raises the implementation effort to some extent, but it satisfies the demand for high-rate, real-time transmission. Second, most current log audit systems use a SQL database for log storage and search, but they cope poorly with massive volumes of log data. By analyzing and comparing the database with Lucene search technology, this paper proposes a Lucene+SQL mode based on classifying users' operations. This "space for time" approach combines the advantages of the database and Lucene, offers a practical solution for the storage and search of massive data, and points the way for further research. Third, data mining is a powerful tool for auditing logs.
After analyzing the bottlenecks of the classical association-rule algorithm, Apriori, this paper improves its performance by reducing the number of item sets and by using an index to avoid scanning the database repeatedly. The improved algorithm mines massive logs more efficiently.
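The following is an added illustration (not code from the thesis) of the two Apriori optimizations the abstract mentions: candidate pruning to keep the number of item sets small, and an inverted index built in one pass so that support counts are set intersections instead of repeated database scans. The session data and event labels are constructed for the example; how the thesis itself indexes the log table is an assumption here.

```python
from itertools import combinations

# Constructed sample (not from the thesis): each audited session is the
# set of event types it produced; the analyst wants co-occurring events.
SESSIONS = [
    {"login_fail", "login_ok", "sudo", "file_read"},
    {"login_fail", "login_ok", "sudo"},
    {"login_fail", "port_scan"},
    {"login_ok", "sudo", "file_read"},
    {"login_fail", "login_ok", "sudo", "port_scan"},
    {"login_ok", "file_read"},
]

def build_index(sessions):
    """Inverted index: event type -> ids of sessions containing it.
    One pass over the log; afterwards the session list is never rescanned."""
    index = {}
    for sid, events in enumerate(sessions):
        for ev in events:
            index.setdefault(ev, set()).add(sid)
    return index

def support(itemset, index):
    # Support of an itemset = size of the intersection of its posting lists.
    return len(set.intersection(*(index[i] for i in itemset)))

def apriori(sessions, min_support):
    """Return {frequent itemset: support}, pruning candidates whose
    k-subsets are not all frequent (Apriori property)."""
    index = build_index(sessions)
    frequent = {}
    level = [frozenset([e]) for e, t in index.items() if len(t) >= min_support]
    k = 1
    while level:
        for s in level:
            frequent[s] = support(s, index)
        cands = set()
        for a, b in combinations(level, 2):       # join step
            c = a | b
            if len(c) == k + 1 and all(
                frozenset(sub) in frequent for sub in combinations(c, k)):
                cands.add(c)                      # survives the prune step
        level = [c for c in cands if support(c, index) >= min_support]
        k += 1
    return frequent

def rules(frequent, min_conf):
    """Association rules (antecedent, consequent, confidence) from the itemsets."""
    out = []
    for s, sup in frequent.items():
        for r in range(1, len(s)):
            for ante in map(frozenset, combinations(s, r)):
                conf = sup / frequent[ante]
                if conf >= min_conf:
                    out.append((ante, s - ante, conf))
    return out
```

With min_support=3 the sessions above yield the rule {login_fail, login_ok} -> {sudo} with confidence 1.0, the kind of pattern an auditor would then inspect.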
Keywords/Search Tags: Log, Security audit, Lucene+SQL, Real-time transmission, High-speed search, Apriori algorithm