Computer Engineering and Applications ›› 2020, Vol. 56 ›› Issue (10): 231-239. DOI: 10.3778/j.issn.1002-8331.1901-0200

• Engineering and Applications •

Visual Analysis of Abnormal Behavior Based on Multidimensional Time-Series Logs

ZHANG Wenqi, ZHOU Xi, ZHAO Fan, MA Bo

  1. The Xinjiang Technical Institute of Physics & Chemistry, Chinese Academy of Sciences, Urumqi 830011, China
  2. University of Chinese Academy of Sciences, Beijing 100049, China
  3. Xinjiang Laboratory of Minority Speech & Language Information Processing, Urumqi 830011, China
  • Online: 2020-05-15 Published: 2020-05-13

Visual Analysis of Abnormal Behavior Based on Multidimensional Timing Log

ZHANG Wenqi, ZHOU Xi, ZHAO Fan, MA Bo   

  1. The Xinjiang Technical Institute of Physics & Chemistry, Chinese Academy of Sciences, Urumqi 830011, China
  2. University of Chinese Academy of Sciences, Beijing 100049, China
  3. Xinjiang Laboratory of Minority Speech & Language Information Processing, Urumqi 830011, China
  • Online: 2020-05-15 Published: 2020-05-13

Abstract (translated from the Chinese):

Many companies currently face information security threats from within, and the theft of core information causes incalculable losses. Internal monitoring logs record employees' operations and access records, so analyzing these logs effectively in order to detect abnormal employee behavior in time is of great significance. However, existing log analysis methods cannot effectively combine multiple kinds of user behavior logs for analysis, detect abnormal behavior promptly, and issue early warnings. To address this problem, a novel visualization system, MLVis, is proposed based on the multidimensional and time-series nature of logs. By designing multiple visualization views, an interactive visual analysis system is implemented that can help decision makers discover abnormal behavior, locate abnormal employees, and analyze the connections between abnormal behaviors. Experiments and case analysis on the dataset of ChinaVis2018 Challenge I verify the feasibility and effectiveness of the system.

Key words: monitoring log, abnormal behavior, multiple views, visual analysis

Abstract:

Many companies currently face internal information security issues, where the theft of core information causes incalculable losses. Internal monitoring logs record employees' operational behavior and access records, so it is of great significance to discover abnormal employee behavior in time by analyzing these logs effectively. However, existing log analysis methods cannot combine a variety of user behavior logs for effective analysis, timely detection of abnormal behavior, and early warning. To solve these problems, a novel visualization system, MLVis, based on the multidimensionality and temporality of logs is proposed. By designing multiple visual views and implementing an interactive visual analysis system, it can help decision makers discover anomalous behavior, locate abnormal employees, and analyze the connections between abnormal events. Finally, the dataset of ChinaVis2018 Challenge I is used for experiments and case analysis; the results show that the system is feasible and effective.

Key words: monitoring log, abnormal behavior, multiple visual views, visual analysis