Venue: IEEE Conference on Communications and Network Security

Behavior Rhythm: An Effective Model for Massive Logs Characterizing and Security Monitoring in Cloud



Abstract

System logs are one of the most important data sources for cloud security monitoring, but using them is difficult because of their varied formats. In this paper we propose a model named Behavior Rhythm to characterize massive logs and to achieve granular user behavior management and security monitoring. First, we use the logging IP address and logging time to construct the Behavior Rhythm, in which each point corresponds to one logging behavior. Because of users' habits, the logging behaviors of the same user at different times are similar, so their points cluster together in the Behavior Rhythm, and abnormal behaviors can be detected from the distribution of behavior points. Second, we propose the concept of Operation and Maintenance Frequency (OMF) to capture the behavior characteristics of normal users; it profiles behavior efficiently by combining logging time, logging IP address and the number of input commands. Finally, we use PrefixSpan to mine the frequent command sequences used by abnormal users, from which we can reconstruct the attack steps and then design suitable defense policies based on a detailed investigation of the attack characteristics. Experimental results on massive log data collected from the campus network center of Xi'an Jiaotong University verify that the proposed methods are efficient in extracting detailed behavior characteristics and in security monitoring: they not only obtain the behavior profiles of normal users but also extract the detailed commands used by specific attacks. These analysis results lay a solid foundation for cloud security management.
