
Design And Implementation Of Network Connection Retrieval Engine Aimed At Security Incidents

Posted on: 2019-05-05
Degree: Master
Type: Thesis
Country: China
Candidate: C L Feng
Full Text: PDF
GTID: 2348330545958509
Subject: Computer technology
Abstract/Summary:
Regular outbreaks of cyber-security incidents seriously jeopardize network security. Network connection logs are generated from the consecutive data messages exchanged between session hosts and can clearly describe network conditions. If outbreaks of security incidents can be identified by retrieving the connection log, this provides great convenience for network management. Because security incidents such as network scanning are diverse and distinctive, the standard SQL operators cannot completely describe their features, and because connection logs are huge, current general-purpose retrieval engines cannot meet the retrieval requirements of this paper. Based on research into the characteristics of network security incidents, the SQL description of those characteristics, and the retrieval scheme for the network connection log, this paper completes the design and implementation of a network connection retrieval engine for security incidents. The main research contents of this paper include:

1. By analyzing the characteristics of cyber-security incidents such as network scanning in the connection log, and describing these characteristics with standard SQL operators or user-defined SQL operators, we obtain a series of SQL operators devoted to describing security incidents. This paper then designs and implements a dedicated SQL syntactic analyzer for connection logs aimed at security incidents. The purpose of the dedicated SQL syntactic analyzer is to analyze SQL statements made up of these SQL operators and ultimately obtain the user's retrieval intention.

2. By analyzing the characteristics of the network connection log and the way SQL is converted into MapReduce tasks, this paper designs and implements a SQL retrieval execution engine for network connection logs based on MapReduce tasks. The SQL retrieval execution engine converts the SQL query object, which contains the security incident features to be retrieved, into a MapReduce-based retrieval program, and then retrieves the connection logs by executing that program on the Hadoop system to obtain the security incident information needed for the retrieval request.

3. This paper designs and implements a prototype system of the network connection retrieval engine for security incidents. The prototype is a working system that supports retrieval of security incidents; it combines the syntactic analyzer with the retrieval execution engine and adds the necessary user interaction module and optimization module. In addition to performing SQL retrieval, the prototype system also supports caching and concurrent use by multiple users. Finally, testing of the prototype system proves the correctness and rationality of each module implemented in it, and proves the feasibility of the retrieval scheme in this paper.
Keywords/Search Tags:connection log, security incidents, SQL syntactic analyzer, MapReduce retrieval