
Design And Implementation Of Network Security Log Visual Forensics Analysis System

Posted on: 2018-07-22 | Degree: Master | Type: Thesis
Country: China | Candidate: X Y Tang | Full Text: PDF
GTID: 2348330542990821 | Subject: Engineering

Abstract/Summary:
With the development of Internet technology, the problem of network security is becoming more and more serious, and people are constantly developing new technologies to protect it. Network forensics is a comprehensive process of collecting network data, identifying intrusions, analyzing and storing data, determining the cause of the intrusion behavior, and strengthening security protection equipment. Through the extraction and analysis of the data left behind by a network crime, forensic personnel can investigate and identify it. At present, the main sources of network forensic evidence are network equipment information, network data flows and security product logs. This paper analyzes firewall logs and intrusion detection logs. However, it is very difficult to obtain useful information from a large volume of log records manually, and the analyzed data cannot reflect the problems in the network. In view of these problems, this paper is divided into three parts:

1. To solve the problem of extracting useful information, this paper uses an association rule mining algorithm to analyze the logs. Association rule mining can find the frequent association features in log data without adding much prior knowledge. It not only filters out a large amount of redundant data, but also shows the relationships between log records, which is valuable for reconstructing an event. However, the Apriori algorithm has many problems, so this paper uses a matrix-based Apriori algorithm. This algorithm solves the problems of scanning the transaction database too many times and generating a large number of candidate sets.

2. In view of the problem that forensic personnel cannot accurately locate useful information in the data, this paper uses visualization to solve it. Visualization technology presents valuable information to forensic personnel more intuitively, greatly improving the efficiency of network forensics. At present, the commonly used network security log visualization methods are parallel coordinate axes, radar maps, hash charts and so on. These methods cannot be used to analyze the relationships between multiple attributes; they only display certain kinds of event types well. To solve these problems, this paper uses a graph database to visualize the frequent itemsets.

3. Based on the above work, this paper designs and implements a visual forensic analysis system for network security logs. The system uses the improved Apriori algorithm to mine association rules from the logs, and after mining is complete, a graph database is used to display the results, which makes the further work of the staff more convenient.
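As an added illustration (not code from the thesis or its system), the matrix-based Apriori pass described above, run over constructed firewall/IDS log lines: one scan builds a boolean item-by-transaction matrix, support of every candidate is then a bitwise AND plus a popcount instead of a rescan, and the frequent pairs are emitted as weighted edges in the node/edge form a graph database would load. The log lines, field names and support threshold are assumptions.

```python
from itertools import combinations
# Constructed sample firewall/IDS log lines (illustrative, not data from the thesis).
# Each line becomes one transaction whose items are its field=value pairs.
SAMPLE_LOGS = [
    "src=10.0.0.5 dst=10.0.0.20 dport=22 action=DENY sig=ssh_bruteforce",
    "src=10.0.0.5 dst=10.0.0.20 dport=22 action=DENY sig=ssh_bruteforce",
    "src=10.0.0.5 dst=10.0.0.21 dport=22 action=DENY sig=ssh_bruteforce",
    "src=10.0.0.7 dst=10.0.0.20 dport=80 action=ALLOW sig=none",
    "src=10.0.0.5 dst=10.0.0.22 dport=445 action=DENY sig=smb_scan",
    "src=10.0.0.9 dst=10.0.0.20 dport=80 action=ALLOW sig=none",
]

def build_matrix(transactions):
    """Single scan: item -> bitmask with bit j set when transaction j has the item.
    Support of any candidate is then a bitwise AND plus a popcount (no rescans)."""
    bits = {}
    for j, tx in enumerate(transactions):
        for item in tx:
            bits[item] = bits.get(item, 0) | (1 << j)
    return bits
def support_count(itemset, bits, n_tx):
    """Number of transactions containing every item of itemset."""
    mask = (1 << n_tx) - 1
    for item in itemset:
        mask &= bits.get(item, 0)
    return bin(mask).count("1")
def matrix_apriori(transactions, min_support):
    """All itemsets with absolute support >= min_support, as {frozenset: support}.
    Size-k candidates come from frequent (k-1)-itemsets sharing a (k-2)-prefix."""
    bits, n_tx = build_matrix(transactions), len(transactions)
    sup = lambda s: support_count(s, bits, n_tx)
    frequent, level = {}, sorted((i,) for i in bits if sup((i,)) >= min_support)
    while level:
        frequent.update((frozenset(s), sup(s)) for s in level)
        prev, nxt = {frozenset(s) for s in level}, set()
        for a, b in combinations(level, 2):
            if a[:-1] == b[:-1]:                       # join: shared (k-2)-prefix
                cand = tuple(sorted(set(a) | set(b)))
                subs = combinations(cand, len(cand) - 1)  # Apriori prune: all subsets frequent
                if all(frozenset(x) in prev for x in subs) and sup(cand) >= min_support:
                    nxt.add(cand)
        level = sorted(nxt)
    return frequent
def to_graph_edges(frequent):
    """Frequent pairs -> {(item_a, item_b): support}: nodes and weighted edges for a graph DB."""
    return {tuple(sorted(s)): n for s, n in frequent.items() if len(s) == 2}
def mine_sample_logs(min_support=3):
    """Parse each constructed log line into a transaction of field=value items, then mine."""
    return matrix_apriori([frozenset(line.split()) for line in SAMPLE_LOGS], min_support)
```

With the sample above, the single frequent 4-itemset (src=10.0.0.5, dport=22, action=DENY, sig=ssh_bruteforce) is the kind of cluster the thesis displays as connected nodes, while the destination host never joins a frequent pair because it also appears in the allowed web traffic.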
Keywords/Search Tags: Network forensics, Frequent Item Mining, Data Visualization, Graph Database