
Research And Implementation Of Security Information And Event Management Subsystem Of Security Intelligence System

Posted on: 2022-09-28
Degree: Master
Type: Thesis
Country: China
Candidate: H P Tang
Full Text: PDF
GTID: 2518306605489624
Subject: Master of Engineering

Abstract/Summary:
With the rapid development of modern computer science and technology, we depend ever more on networks that have a tremendous impact on our lives and production. The rapid development of the network has been accompanied by increasingly serious network security incidents. At this stage, firewalls, intrusion detection systems and other defensive methods commonly used by individuals and enterprises are emerging endlessly, but for operation and maintenance personnel without network security knowledge the cost of maintaining them is very high. The log data generated by servers and network security devices is growing explosively. Traditional network security defence methods and technologies are therefore clearly unable to fully and effectively meet current needs for practicality and convenient management. In view of the difficulty of collecting and storing the massive logs of each company's products, and of the limited capability of systems that draw on few threat-data sources, this thesis collects, analyses, stores and displays the log data generated by security devices. The main contents of the thesis are as follows:

1. Overall design of the Security Information and Event Management (SIEM) system. On the basis of an in-depth understanding of the composition of SIEM systems, the ELK distributed platform, search-engine and graphical display technologies, a B/S (browser/server) system architecture based on the ELK distributed platform, Logstash and Elasticsearch was designed, and massive log data was collected, analysed, stored and displayed.

2. Detailed design and implementation of the ELK distributed platform. The system implements the following modules: the log acquisition module, which collects the logs of all kinds of security equipment; the log processing module, which parses the log formats; the log analysis module, which analyses the logs for network security events; the log storage module, which stores original logs and analysis results; and the log display module, which retrieves original logs and classifies and displays the analysis results.

3. System testing. This system is mainly used for log collection and automatic processing, so the thesis focuses on system performance, mainly on stress tests. It quantifies the goals the system should achieve and finally gives the test results. Combined with the acquisition environment in different scenarios, a comparison test of the acquisition modes is carried out.

In conclusion, the system is divided into a data collection layer, a data storage layer, a data calculation layer and a data service layer. It mainly solves the problems of difficult security data collection and inconvenient data collection and management, and performs corresponding correlation analysis to discover security issues in time. Its characteristics include real-time and security visibility, which greatly reduces the cost of user management and maintenance and effectively analyses existing data to produce results. This thesis verifies the feasibility of the above key technologies and solutions through practice, realises a Security Information and Event Management system based on the ELK distributed platform, meets the requirements of improving the design and operation capabilities of application software technology, and achieves the expected research objectives.
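The module pipeline the abstract describes (processing, analysis, storage) reduced to a small runnable stand-in. This is an added Python example, not code from the thesis or from the ELK project: the two device log formats, the field names, the brute-force rule and its threshold are all constructed assumptions, and the output documents are plain dicts in a shape that could be indexed into Elasticsearch rather than an actual Elasticsearch call.

```python
"""Stand-in for the SIEM's log processing and log analysis modules.

Raw device logs are normalised into structured records (processing module),
records are correlated across devices to surface security issues (analysis
module), and both are returned as documents a storage module could index.
All formats, fields and thresholds below are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs in two assumed device formats: a syslog-style
# firewall drop line and key=value authentication events, plus one line
# that matches neither so the unparsed path is exercised.
SAMPLE_LOGS = [
    "2022-09-28T10:00:01Z fw01 DROP src=10.0.0.5 dst=192.168.1.10 dport=22 proto=TCP",
    "2022-09-28T10:00:02Z auth01 event=login_failed user=root src=10.0.0.5",
    "2022-09-28T10:00:03Z auth01 event=login_failed user=root src=10.0.0.5",
    "2022-09-28T10:00:04Z auth01 event=login_failed user=admin src=10.0.0.5",
    "2022-09-28T10:00:05Z auth01 event=login_ok user=alice src=10.0.0.7",
    "garbage line that matches no format",
]

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
FAILED_LOGIN_THRESHOLD = 3  # assumed rule threshold, not from the thesis


def parse_log(line):
    """Log processing module: turn one raw line into a flat dict.

    Returns None when the line matches no known format, so the caller can
    keep the raw line and count it instead of silently dropping it.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    if not fields:
        return None
    # A leading bare token before the key=value pairs (e.g. "DROP") is
    # treated as the device action.
    first = rest.split(" ", 1)[0]
    if "=" not in first:
        fields["action"] = first
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    doc = {"@timestamp": ts.isoformat(), "host": m.group("host"), "message": line}
    doc.update(fields)
    return doc


def analyze(records):
    """Log analysis module: correlate normalised records across devices.

    Emits one alert document per source that reaches the failed-login
    threshold, noting whether the same source was also dropped by the
    firewall (a cross-device correlation the display module can show).
    """
    failures = Counter()
    dropped_sources = set()
    for r in records:
        src = r.get("src")
        if src is None:
            continue
        if r.get("event") == "login_failed":
            failures[src] += 1
        if r.get("action") == "DROP":
            dropped_sources.add(src)
    alerts = []
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append({
                "rule": "brute_force_login",
                "src": src,
                "failed_logins": n,
                "also_blocked_by_firewall": src in dropped_sources,
            })
    return alerts


def run_pipeline(lines):
    """Chain the modules; return (parsed docs, unparsed raw lines, alerts)."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_log(line)
        if rec is None:
            unparsed.append(line)
        else:
            parsed.append(rec)
    return parsed, unparsed, analyze(parsed)


if __name__ == "__main__":
    docs, raw, alerts = run_pipeline(SAMPLE_LOGS)
    print(f"{len(docs)} parsed, {len(raw)} unparsed, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
```

In the system the abstract describes, Logstash filters would occupy the role of `parse_log`, and both the original documents and the alert documents would be indexed so the display module can retrieve the raw logs alongside the classified results. Unparsed lines are returned rather than discarded, because a gap in acquisition is itself something the stress and comparison tests need to make visible.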
Keywords/Search Tags: SIEM, Network security, Intelligence