
Research And Implementation Of The Network Security Audit System Based On Log Mining

Posted on: 2011-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: X W Ning
Full Text: PDF
GTID: 2178360308465557
Subject: Communication and Information System
Abstract/Summary:
With the popularization of computer applications and the rapid development of computer technology, the number of computer crimes grows day by day. In the face of these emerging crimes, how to audit and effectively combat computer crime has become a new task. A network security audit system can prevent the loss of technical information (sensitive information, for example) and monitor staff Internet browsing so as to resist the intrusion of harmful information; it can also mine and retain logs to combat criminal activities by on-line attackers or internal staff. The results of network security auditing directly affect our ability to detect intrusions or abnormalities in a timely and accurate manner.

Traditional security audit technology is first studied and compared. The core technology currently adopted in the field of security audit is the a priori knowledge base approach. Its disadvantage is that it cannot discover the association rules that exist in the data and lacks a way to mine the hidden knowledge contained in the data, which leads to low accuracy, slow detection speed and poor adaptability. Aiming at these problems, the major research work is as follows:

1. Real-time collection of multisource logs is designed and implemented. To address the inaccurate audit analysis caused by a single data source, agents are adopted to achieve distributed data acquisition that organically combines host data sources and network data sources. The MyOnEntryWritten function and the provider model are designed and applied to audit log collection, so as to achieve comprehensive and real-time audit logs.

2. An overall audit approach is given. An overall audit approach is designed that combines mining association rules from log data, as the main method, with traditional a priori knowledge and mathematical statistics. On this basis, the system can audit host operations and network traffic behaviour to find abnormal situations and respond appropriately. Three pattern matching methods of the rule base are used to increase audit accuracy: sequential patterns, time matching and mathematical statistics.

3. The traditional association rule mining algorithm is improved. By using a new tree-based data structure in child-sibling (son-brother) representation, the disadvantage of frequently scanning the database in the traditional association rule mining algorithm is overcome, improving the algorithm's efficiency. Besides the support-confidence framework, interest degree is introduced as an evaluation threshold for pruning useless rules, avoiding the generation of interfering association rules and so optimizing the evaluation criteria for association rules. The transaction database converted from the original dataset is re-optimized for the actual situation. All of these are used to achieve automatic generation and updating of audit rules and to improve audit efficiency.

4. A hierarchical security system is designed and established. A hierarchical security system is designed from the outermost layer, user name and password protection, to the innermost layer, protection of the disk log files, by integrating the MD5 hash function, process guarding, SSL, HOOK API, etc., so that it can ensure the authenticity and reliability of audit results and the security of the audit system itself. At the same time, the system provides process and memory performance analysis and early-warning reports through real-time monitoring of the operating system, which to a certain extent guarantees the security of the operating system.

5. The network security audit system based on log mining is designed and implemented. Through detailed design and implementation of the system, experimental analysis shows that the log mining audit system installed on a LAN server has obvious advantages and strong adaptive ability, while the false positive rate also achieves the desired results, which indicates that the network security audit system based on improved log mining is feasible and can improve the efficiency and accuracy of auditing.
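To make the rule evaluation criteria of point 3 concrete, here is an added worked example; it is not code from the thesis. It mines association rules from audit transactions with an Apriori-style level-wise search, applies the support-confidence framework, and then applies an interest degree (lift, the ratio of the rule's confidence to the consequent's support) as a second threshold, so that rules whose high confidence comes only from a ubiquitous item are pruned as interfering rules. The transactions (one host-agent event joined with the network observation of the same session), the item names and the thresholds are all constructed assumptions for illustration.

```python
"""Association-rule audit over constructed multi-source log transactions.

Added example, not code from the thesis. Shows the support-confidence
framework extended with an interest-degree (lift) threshold for pruning
interfering rules. All records, item names and thresholds are constructed.
"""
from fractions import Fraction
from itertools import combinations


def support_of(transactions, itemset):
    """Exact fraction of transactions containing every item of itemset."""
    return Fraction(sum(1 for t in transactions if itemset <= t), len(transactions))


def frequent_itemsets(transactions, min_support):
    """Apriori-style level-wise search. Returns {frozenset(items): support}."""
    items = {i for t in transactions for i in t}
    level = {frozenset([i]) for i in items}
    level = {s for s in level if support_of(transactions, s) >= min_support}
    found = {s: support_of(transactions, s) for s in level}
    k = 2
    while level:
        # join step: unions of two frequent (k-1)-itemsets that form a k-itemset
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        # prune step: every (k-1)-subset of a candidate must itself be frequent
        candidates = {c for c in candidates
                      if all(frozenset(sub) in level for sub in combinations(c, k - 1))}
        level = {c for c in candidates if support_of(transactions, c) >= min_support}
        found.update({c: support_of(transactions, c) for c in level})
        k += 1
    return found


def mine_audit_rules(transactions, min_support, min_confidence, min_interest):
    """Generate rules X -> Y from frequent itemsets.

    Returns (kept, pruned): rules meeting support, confidence AND interest
    degree, and rules that met support and confidence but fell below the
    interest threshold. A rule is (antecedent, consequent, support,
    confidence, interest). Thresholds may be floats; values are Fractions.
    """
    itemsets = frequent_itemsets(transactions, min_support)
    kept, pruned = [], []
    for itemset, sup in itemsets.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                cons = itemset - ante
                confidence = sup / itemsets[ante]        # P(Y | X)
                interest = confidence / itemsets[cons]   # lift: P(Y | X) / P(Y)
                if confidence < min_confidence:
                    continue
                rule = (ante, cons, sup, confidence, interest)
                (kept if interest >= min_interest else pruned).append(rule)
    kept.sort(key=lambda rule: (-rule[4], -rule[3], sorted(rule[0])))
    return kept, pruned


# Constructed audit transactions (assumed item vocabulary): three external SSH
# sessions with failed logons form the interesting pattern; HTTP from internal
# sources is the ubiquitous background that produces confident but
# uninteresting rules.
TRANSACTIONS = [
    frozenset({"host:logon_fail", "net:ssh", "src:external"}),
    frozenset({"host:logon_fail", "net:ssh", "src:external"}),
    frozenset({"host:logon_fail", "net:ssh", "src:external"}),
    frozenset({"host:logon_ok", "net:http", "src:internal"}),
    frozenset({"host:logon_ok", "net:http", "src:internal"}),
    frozenset({"host:logon_ok", "net:http", "src:internal"}),
    frozenset({"host:logon_ok", "net:http", "src:internal"}),
    frozenset({"host:file_read", "net:http", "src:internal"}),
    frozenset({"host:file_read", "net:http", "src:internal"}),
    frozenset({"host:logon_fail", "net:http", "src:internal"}),
]

if __name__ == "__main__":
    # assumed thresholds: support 0.3, confidence 0.7, interest degree 1.5
    kept, pruned = mine_audit_rules(TRANSACTIONS, 0.3, 0.7, 1.5)
    for ante, cons, sup, conf, lift in kept:
        print(f"{sorted(ante)} -> {sorted(cons)}  sup={float(sup):.2f} "
              f"conf={float(conf):.2f} interest={float(lift):.2f}")
    print(f"rules pruned by interest degree: {len(pruned)}")
    for ante, cons, _, conf, lift in pruned:
        print(f"  {sorted(ante)} -> {sorted(cons)}  conf={float(conf):.2f} "
              f"interest={float(lift):.2f}")
```

With these constructed inputs, every rule between `host:logon_ok`, `net:http` and `src:internal` reaches confidence 1.0 yet has interest degree 10/7, because the consequent already appears in 70% of all transactions; the support-confidence framework alone would keep all of them, while the interest threshold prunes them and keeps only the rules linking failed logons, SSH and external sources, which is the behaviour point 3 describes.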
Keywords/Search Tags: Log Mining, Association Rules, Multisource Log, Interest Degree, Security Audit, Hierarchical Security System