Research on System Logs Collection and Analysis Model of the Network and Information Security System by Using Multi-Agent Technology
Abstract—To achieve comprehensive information security, many enterprises have deployed a variety of network equipment and security equipment to handle all aspects of information security and protection. These devices and systems produce a large volume of security event logs during network security protection; the formats of these event logs differ, and different security devices may generate alert logs for the same event. This not only produces redundant events but also hinders the subsequent work of network security situational awareness. Therefore, this paper proposes a method that uses multi-agent technology to collect and analyze the log data generated by network devices and security devices, generate a fixed-format data structure, and build a log collection and analysis system that facilitates the later maintenance and use of the data.

Keywords: multi-agent technology; log collection agent; log collection and analysis system

I. INTRODUCTION

Information security management is complex and important work, and the monitoring of information security behavior is its basis. Network information security behavior monitoring refers to collecting a variety of network security events and network security log data from the security equipment and information security systems, performing data mining on them, establishing the security situation, and providing services for the later research on the information security and network trend.

At present, in order to achieve comprehensive information security, many enterprises have deployed a variety of network equipment and security equipment to handle all aspects of information security and protection. However, these systems are diverse, and each monitors only one aspect of information security. The security event and log data formats produced by these security devices differ, and different security devices may produce more than one alarm for the same intrusion event, which generates redundant events and hinders the later network security situational awareness work. Therefore, we need to collect the security event and log data produced by the security equipment centrally, and then generate a fixed-format data structure for the later maintenance and use of the data.

This paper proposes a method that uses multi-agent technology to collect and analyze the log data generated by network devices and security devices. By analyzing the state of the network and information security work, it builds a central data source that provides services for the later research on information security and on the network security situation assessment model; the central data source is then used for collection, collation and analysis, and for removing the redundant information.

II. OVERVIEW OF MULTI-AGENT TECHNOLOGY

The agent is an important concept in computer science and has been widely used in AI (artificial intelligence), distributed computing, CSCW (computer-supported cooperative work), human-machine interfaces and other areas of computer science.

An IA (intelligent agent) is a software entity that performs a set of autonomous operations on behalf of users or other programs, and that can acquire knowledge and express the user's goals or wishes.

An IA has autonomy, the ability to perceive and respond, initiative, the ability to communicate, persistence, and reasoning and planning capabilities.

An IA is a dynamic, distributed directory service whose functions can be used by both client and server procedures. Even when the user has made no explicit request, the IA can act in the user's place to perform a variety of complex tasks, such as information filtering, queries, management and other functions, according to the user's needs.
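The introduction describes two problems the collection agents have to solve: each device class emits logs in its own format, and several devices may raise an alarm for the same intrusion event. The following Python program is an added example, not code from the paper: one agent per device class parses its raw format into a single fixed-format record, and a coordinator merges the agents' output and collapses the duplicate reports. The three raw log formats, device names, addresses and the 60-second de-duplication window are all constructed for illustration.

```python
"""Added example (not from the paper): multi-agent log normalization and
removal of redundant alerts. All log formats and sample lines are constructed."""
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Optional
import re


@dataclass(frozen=True)
class SecurityEvent:
    """The fixed-format record that every agent produces."""
    timestamp: str        # ISO-8601 with timezone offset
    source_device: str    # which device reported it
    device_type: str      # firewall / ids / host
    event_type: str       # normalized event category
    src_ip: str
    dst_ip: str
    severity: int         # 1 (informational) .. 5 (critical)

    def dedup_key(self, bucket_seconds: int = 60) -> tuple:
        """Reports about the same traffic within one time bucket are one event."""
        bucket = int(datetime.fromisoformat(self.timestamp).timestamp()) // bucket_seconds
        return (self.event_type, self.src_ip, self.dst_ip, bucket)


class LogCollectionAgent:
    """Base agent: only the subclass knows the raw format of its device class."""
    device_type = "generic"

    def parse(self, line: str) -> Optional[SecurityEvent]:
        raise NotImplementedError

    def collect(self, lines):
        return [ev for ev in (self.parse(line) for line in lines) if ev is not None]


class FirewallAgent(LogCollectionAgent):
    """Constructed firewall format: space-separated key=value pairs."""
    device_type = "firewall"
    _kv = re.compile(r"(\w+)=(\S+)")

    def parse(self, line):
        f = dict(self._kv.findall(line))
        if f.get("action") != "drop":
            return None  # accepted traffic is not a security event
        event_type = "port_scan" if f.get("reason") == "scan" else "blocked"
        return SecurityEvent(f["time"], f["dev"], self.device_type, event_type,
                             f["src"], f["dst"], 3)


class IdsAgent(LogCollectionAgent):
    """Constructed IDS format: six pipe-separated fields."""
    device_type = "ids"

    def parse(self, line):
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 6:
            return None  # malformed line: skip it rather than stop the agent
        ts, dev, signature, src, dst, priority = parts
        return SecurityEvent(ts, dev, self.device_type,
                             signature.lower().replace(" ", "_"), src, dst, int(priority))


class HostAgent(LogCollectionAgent):
    """Constructed host format: '<time> <host> <EVENT> <src>-><dst>'."""
    device_type = "host"
    _pat = re.compile(r"^(\S+) (\S+) (\w+) (\S+)->(\S+)$")

    def parse(self, line):
        m = self._pat.match(line)
        if not m:
            return None
        ts, host, event, src, dst = m.groups()
        return SecurityEvent(ts, host, self.device_type, event.lower(), src, dst, 2)


def merge_and_deduplicate(agents_and_lines, bucket_seconds=60):
    """Coordinator: keep the highest-severity report per key and remember
    every device that reported it, so nothing about the event is lost."""
    merged, reporters = {}, {}
    for agent, lines in agents_and_lines:
        for ev in agent.collect(lines):
            key = ev.dedup_key(bucket_seconds)
            reporters.setdefault(key, set()).add(ev.source_device)
            if key not in merged or ev.severity > merged[key].severity:
                merged[key] = ev
    return [dict(asdict(ev), reported_by=sorted(reporters[k]))
            for k, ev in sorted(merged.items(), key=lambda kv: kv[1].timestamp)]


# Constructed sample logs: the firewall and the IDS both report the same scan.
FW_LINES = [
    "time=2024-03-01T10:00:05+00:00 dev=fw1 action=drop reason=scan src=203.0.113.7 dst=192.0.2.10",
    "time=2024-03-01T10:00:09+00:00 dev=fw1 action=accept src=198.51.100.4 dst=192.0.2.10",
]
IDS_LINES = [
    "2024-03-01T10:00:07+00:00 | ids1 | Port Scan | 203.0.113.7 | 192.0.2.10 | 4",
    "bad line without enough fields",
]
HOST_LINES = ["2024-03-01T10:05:00+00:00 srv10 LOGIN_FAILED 203.0.113.7->192.0.2.10"]


def run_demo():
    return merge_and_deduplicate([(FirewallAgent(), FW_LINES),
                                  (IdsAgent(), IDS_LINES),
                                  (HostAgent(), HOST_LINES)])


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

Running it yields two records instead of three: the firewall's and the IDS's reports of the scan from 203.0.113.7 collapse into one `port_scan` record carrying `reported_by=['fw1', 'ids1']`, while the later host login failure stays separate. The merge keeps the highest-severity report rather than the first one seen, so the order in which agents deliver their logs does not change the result.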
Authorized licensed use limited to: Consortium - Algeria (CERIST). Downloaded on November 29,2023 at 09:13:37 UTC from IEEE Xplore. Restrictions apply.
network device interfaces via SNMP. Therefore, the network device must have the SNMP service enabled. Routing devices must support MIB II (RFC 1213), and switching equipment must support MIB II (RFC 1213) and the Bridge MIB (RFC 1493). (An RFC, Request for Comments, is one of a series of numbered documents; the basic Internet communication protocols are specified in RFC documents. A MIB, management information base, specifies the variables maintained by network elements that the management process queries and sets; it provides the data structure of all possible managed objects.)

(2) Security devices

a) Firewall system
The firewall system of the log collection and analysis system must support the network device SNMP MIB, MIB II (RFC 1213), and have the SNMP service enabled.

b) Intrusion detection system
The intrusion detection system of the log collection and analysis system must support the network device SNMP MIB, MIB II (RFC 1213), and have the SNMP service enabled.

(3) Application systems
The application systems must provide a log interface through which the log information, running information and business information can be obtained.
(4) Host systems
The log collection and analysis system obtains information from the monitored host via the SNMP service, including system information, network connections, TCP connections, running programs, installed software, CPU load, storage devices, system configuration, Windows network services, Windows user account information, and so on. The host SNMP service that provides all of the above information must support MIB II (RFC 1213) and the Host Resources MIB (RFC 1514).

The log collection and analysis system mainly consists of log collection agents and a log storage system. The log storage system consists of the log central storage and the original log database. First, the log collection agents collect the log information of all the network devices, security devices, application systems and host systems, then format this log data according to the pre-defined log format and store it in the log central storage. For the later network security situation assessment work, we can extract the data directly from the log storage system instead of from the network devices, security devices, application systems and host systems. This centralized way of storing logs improves security and facilitates the management of the logs. In order to preserve the original information as completely as possible and to guarantee that the log information can be extracted accurately, the logs in their original format are stored in the original log database.

The model of the log collection and analysis system is shown in Figure 2.

Figure 2. The log collection and analysis system

The log collection and analysis system consists of several log collection agents and a log storage system. The log collection agents are the network device log collection agent, the security device log collection agent, the application system log collection agent and the host system log collection agent. The log storage system consists of the central storage and the original log database. To make the later use and analysis of the data more convenient, the log collection and analysis system also provides data interfaces for communicating with other systems, such as the security management system, the network security situation awareness system and so on.

The log central storage and the original log database are the core of the log data collection and analysis behavior and are the means by which the log collection and analysis system collects logs. This log collection method ensures that the transactions of data collection complete independently: the log collection and analysis system collects the raw logs without being affected by the downstream analysis programs or by database reading and writing, and at the same time the downstream analysis programs are not affected by the log collection and analysis system, so no slowdown occurs. On the one hand, this ensures that none of the log data from the security devices is lost and that data security is fully guaranteed; on the other hand, it shortens the time needed to collect data from security management and also makes real-time log information available.

V. CONCLUSION

The main content of this paper is the construction of the log collection and analysis system. First, intelligent agent technology is used to realize the log collection agents, and then the log collection agents and the log storage structures are used to realize the structure of the log collection and analysis system.
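The storage design described above has three parts that are easy to get wrong in practice: the original log database must keep every raw line even when the agent cannot parse it, the central storage must hold only fixed-format records that trace back to a raw line, and downstream systems must read through a data interface rather than from the devices. The following Python program is an added example, not the paper's code; it models that design with SQLite in memory. The schema, the agent name, the key=value log format and the sample lines are constructed.

```python
"""Added example (not from the paper): the two-tier log storage system with
an original log database, a central storage and a data interface. Uses
SQLite in memory; schema, log format and sample lines are constructed."""
import json
import sqlite3
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE original_log (          -- raw logs, kept exactly as received
    id INTEGER PRIMARY KEY,
    agent TEXT NOT NULL,
    received_at TEXT NOT NULL,
    raw TEXT NOT NULL);
CREATE TABLE central_log (           -- fixed-format records, one per parsed raw line
    id INTEGER PRIMARY KEY,
    original_id INTEGER NOT NULL UNIQUE REFERENCES original_log(id),
    event_time TEXT NOT NULL,
    device TEXT NOT NULL,
    event_type TEXT NOT NULL,
    src_ip TEXT,
    dst_ip TEXT,
    severity INTEGER NOT NULL,
    extra TEXT NOT NULL);            -- JSON with any remaining normalized attributes
CREATE INDEX central_log_time ON central_log(event_time);
"""
CORE_FIELDS = ("time", "dev", "type", "sev", "src", "dst")


def open_storage() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # central records must point at a raw line
    conn.executescript(SCHEMA)
    return conn


def normalize(raw: str) -> dict:
    """Map a constructed 'key=value' line to the fixed format; reject incomplete lines."""
    fields = dict(tok.split("=", 1) for tok in raw.split() if "=" in tok)
    for required in ("time", "dev", "type", "sev"):
        if required not in fields:
            raise ValueError(f"missing field {required!r}")
    extra = {k: v for k, v in fields.items() if k not in CORE_FIELDS}
    return {"event_time": fields["time"], "device": fields["dev"], "event_type": fields["type"],
            "src_ip": fields.get("src"), "dst_ip": fields.get("dst"),
            "severity": int(fields["sev"]), "extra": json.dumps(extra, sort_keys=True)}


def ingest(conn: sqlite3.Connection, agent: str, raw: str) -> Tuple[int, Optional[int]]:
    """Store the raw line first and commit it, so it survives even if normalization
    fails; then store the fixed-format record. Returns (original_id, central_id)."""
    with conn:  # commits on success, rolls back on an exception
        cur = conn.execute("INSERT INTO original_log(agent, received_at, raw) VALUES (?, ?, ?)",
                           (agent, datetime.now(timezone.utc).isoformat(), raw))
        original_id = cur.lastrowid
    try:
        rec = normalize(raw)
    except ValueError:
        return original_id, None  # raw line kept for later re-parsing
    with conn:
        cur = conn.execute(
            "INSERT INTO central_log(original_id, event_time, device, event_type, src_ip, dst_ip,"
            " severity, extra) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            (original_id, rec["event_time"], rec["device"], rec["event_type"],
             rec["src_ip"], rec["dst_ip"], rec["severity"], rec["extra"]))
    return original_id, cur.lastrowid


def query_events(conn: sqlite3.Connection, since: str, event_type: Optional[str] = None) -> List[dict]:
    """Data interface for other systems (e.g. situation awareness): fixed-format
    records joined with the raw line they came from."""
    sql = ("SELECT c.event_time, c.device, c.event_type, c.src_ip, c.dst_ip, c.severity, o.raw"
           " FROM central_log c JOIN original_log o ON o.id = c.original_id WHERE c.event_time >= ?")
    args: list = [since]
    if event_type is not None:
        sql += " AND c.event_type = ?"
        args.append(event_type)
    cols = ("event_time", "device", "event_type", "src_ip", "dst_ip", "severity", "raw")
    return [dict(zip(cols, row)) for row in conn.execute(sql + " ORDER BY c.event_time", args)]


def unparsed_originals(conn: sqlite3.Connection) -> List[str]:
    """Raw lines with no central record: the backlog an operator must review."""
    return [row[0] for row in conn.execute(
        "SELECT raw FROM original_log o WHERE NOT EXISTS"
        " (SELECT 1 FROM central_log c WHERE c.original_id = o.id) ORDER BY o.id")]


# Constructed sample lines; the third one is a device that changed its format.
SAMPLE_LINES = [
    "time=2024-03-01T10:00:05+00:00 dev=fw1 type=blocked src=203.0.113.7 dst=192.0.2.10 sev=3 proto=tcp",
    "time=2024-03-01T10:00:07+00:00 dev=ids1 type=port_scan src=203.0.113.7 dst=192.0.2.10 sev=4",
    "<13>fw1: garbled line in an unexpected format",
]


def run_demo() -> sqlite3.Connection:
    conn = open_storage()
    for line in SAMPLE_LINES:
        ingest(conn, "security-device-agent", line)
    return conn


if __name__ == "__main__":
    db = run_demo()
    print(query_events(db, "2024-03-01T00:00:00+00:00"))
    print("unparsed:", unparsed_originals(db))
```

The raw line is committed before normalization is attempted, so a device that changes its log format still leaves a complete trail in the original log database, and `unparsed_originals` exposes exactly the lines whose parser needs fixing; once the parser is updated those lines can be normalized from the stored raw copy without asking the device again, which is the point of keeping the original format at all.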
Through the establishment of the log collection and analysis system, the log data from the various network devices, security devices, application systems and host systems is collected, analyzed and integrated into a data structure with a unified data format, which provides data support for the later computation of the network security situation assessment and the network security situation prediction.