CN-119624411-B - Operation and maintenance command management method and system based on log feedback
Abstract
The invention discloses an operation and maintenance command management method and system based on log feedback. The method integrates real-time log feedback information into the auditing process of operation and maintenance commands, combines the role identification information of operation and maintenance personnel with event logs, and performs command auditing by a method based on high-risk rule chain matching. This allows a deeper analysis of the current risk situation and provides a higher safety coefficient; combining role identification information with event logs detects abnormal conditions more effectively and greatly improves the accuracy of risk coefficient analysis; and the log feedback information is used effectively, so that more historical information is contained in the time dimension, giving a more comprehensive risk assessment capability and a higher risk identification capability.
Inventors
- YU SIYANG
- HUANG SIJIE
- LI KENLI
- CAI YUHUI
- YANG ZHIBANG
- DUAN MINGXING
- YANG SHENGHONG
- TANG WEI
- LV TING
Assignees
- 湖南匡安网络技术有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20241101
Claims (10)
- 1. The operation and maintenance command management method based on log feedback is characterized by comprising the following steps: S1, a management module configures a high-risk rule chain library and a corresponding high-risk processing strategy, distributes roles of operation and maintenance personnel, and performs operation and maintenance approval; S2, the command receiving module completes identity authentication of operation and maintenance personnel, recognizes and receives operation and maintenance commands, and sends the operation and maintenance commands to the command auditing module for processing; S3, the command auditing module matches high-risk rule chains, and if any high-risk rule chain is matched, executes the corresponding risk processing strategy; S4, the command execution module executes the operation and maintenance command that passes the risk audit; S5, the log extraction module monitors server information in real time, generates event logs according to the change content of the server, and sends the event logs to the log analysis module for analysis; S6, the log analysis module analyzes the logs within the specified time, extracts the event IDs, evaluates the current operation and maintenance risk coefficient, and feeds the current operation and maintenance risk coefficient back to the command auditing module in real time.
- 2. The operation and maintenance command management method based on log feedback according to claim 1, wherein the high-risk rule chain comprises at least two rule judging nodes, the sequence of the rule judging nodes comprises 1 role judging node roleNode, 1 risk coefficient node riskNode, n event judging nodes eventNode and m command judging nodes commandNode, n and m are non-negative integers, and the policy content of the risk processing policy corresponding to the high-risk rule chain comprises at least one of high-risk command alarming, high-risk command blocking, high-risk command reporting approval and operation and maintenance personnel authority blocking.
- 3. The log feedback based operation and maintenance command management method according to claim 2, wherein the judging logic of the rule judging nodes is as follows: the role judging node judges whether the current operation and maintenance personnel role is a specified role; the risk coefficient node judges whether the current risk coefficient is larger than or equal to a specified threshold value; the event judging node judges whether an event log matching a specified event ID exists within a certain time; and the command judging node judges whether the specified command was executed within a certain time or whether the current command is the specified command.
- 4. The operation and maintenance command management method based on log feedback according to claim 1, wherein the identity authentication process in step S2 is as follows: S21, read the key value in the configuration file and check whether the operation and maintenance program is legitimate; if the reading or the check fails, issue an alarm prompt and end the operation and maintenance program; S22, read the authentication file and send the authentication file together with the local key value to the proxy server for verification; if the reading or the verification fails, issue an alarm prompt and end the operation and maintenance program; S23, if the verification passes, the operation and maintenance personnel enter an operation and maintenance account number to log in, and if the login fails, a warning is issued and the account number must be entered again.
- 5. The operation and maintenance command management method based on log feedback according to claim 1, wherein the high-risk rule chain matching process in step S3 is as follows: S31, acquire all high-risk rule chains in the database that match the current operation and maintenance role into a local library; S32, if a new operation and maintenance command exists, match the local high-risk rule chains one by one according to the current risk coefficient, the recently occurring events and the operation and maintenance command; S33, judge in sequence whether all rules on the current high-risk rule chain are met, and if so, execute the high-risk processing strategy corresponding to that high-risk rule chain and end the matching; and S34, if the current high-risk rule chain is not matched, continue with the next high-risk rule chain until the last high-risk rule chain has been matched.
- 6. The method for managing operation and maintenance commands based on log feedback according to claim 1, wherein the process of generating the event log in step S5 includes monitoring the change events of each functional module under test in real time by means of a probe program and generating a log in JSON format, wherein the functional modules under test include hardware, system, file, driver, service, software, process, network, user and session, and each functional module under test includes a series of predefined events uniquely identified by event IDs; the process of sending the logs to the log analysis module for analysis comprises filtering out event logs produced by other operation and maintenance personnel, eliminating duplicate event logs, and sending the remaining event logs to the log analysis module.
- 7. The operation and maintenance command management method based on log feedback according to claim 1, wherein the method for evaluating the current operation and maintenance risk coefficient in step S6 comprises the following steps: S61, receive the event logs from the log extraction module within a certain time; S62, preprocess the event logs, and perform feature fusion on the role identification information of the operation and maintenance personnel and the preprocessed event log information to obtain fusion features; and S63, perform risk coefficient evaluation on the obtained fusion features using a risk evaluation model.
- 8. The method according to claim 7, wherein the risk assessment model in step S63 is one of a Convolutional Neural Network, a Generative Adversarial Network, or a Long Short-Term Memory Network.
- 9. A system based on the log feedback-based operation and maintenance command management method according to any of claims 1 to 8, comprising a management module, a command receiving module, a command auditing module, a command executing module, a log extracting module and a log analyzing module, wherein the management module is used for configuring the high-risk rule chain library and the corresponding risk processing strategy and for distributing roles; the command receiving module is used for login verification and for receiving operation and maintenance commands; the command auditing module is used for matching the high-risk rule chains and processing high-risk conditions; the command execution module is used for executing operation and maintenance commands that pass the risk audit; the log extraction module is used for acquiring, in real time, the event logs produced by operation and maintenance personnel; and the log analysis module is used for acquiring the recently occurring events, evaluating the risk, and feeding both back to the command auditing module for judgment.
- 10. A computer readable storage medium having stored thereon program instructions of a log feedback based operation and maintenance command management method, the program instructions being executable by one or more processors to implement the steps of the log feedback based operation and maintenance command management method according to one of claims 1 to 8.
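The rule chain structure of claims 2 and 3 and the matching procedure S31 to S34 of claim 5, as an added illustration that is not code from the patent: each chain is evaluated node by node (roleNode, riskNode, eventNodes, commandNodes), the first fully matched chain decides the policy, and an unmatched command passes to execution (S4). The rule library, event IDs, time window and risk values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleChain:
    """One high-risk rule chain: roleNode, riskNode, n eventNodes, m commandNodes, plus policy."""
    role: str                # roleNode: role the chain applies to
    risk_threshold: float    # riskNode: matches when current risk coefficient >= threshold
    event_ids: tuple = ()    # eventNodes: event IDs that must occur inside the time window
    commands: tuple = ()     # commandNodes: commands that must have run, or be the current one
    policy: str = "alarm"    # alarm | block | approval | revoke (claim 2 policy contents)


def chain_matches(chain, role, risk, events, cmd_history, command, now, window):
    """S33: evaluate every node in sequence; the chain matches only when all nodes hold."""
    if role != chain.role or risk < chain.risk_threshold:
        return False
    # eventNode: an event log with the specified ID exists within the window (claim 3)
    recent_events = {eid for ts, eid in events if now - window <= ts <= now}
    if not all(eid in recent_events for eid in chain.event_ids):
        return False
    # commandNode: the specified command ran within the window, or is the current command
    recent_cmds = {c for ts, c in cmd_history if now - window <= ts <= now}
    return all(c == command or c in recent_cmds for c in chain.commands)


def audit(command, role, risk, events, cmd_history, now, window, library):
    """S31-S34: load the chains for this role, try them in order, act on the first match."""
    local_library = [c for c in library if c.role == role]          # S31
    for chain in local_library:                                      # S32/S34
        if chain_matches(chain, role, risk, events, cmd_history, command, now, window):
            return chain.policy                                      # S33
    return "execute"                                                 # S4: passes the audit


# Constructed sample library and logs (assumed values, not from the patent).
LIBRARY = [
    RuleChain("dba", 0.7, ("SERVICE_STOP",), ("rm -rf /data",), "block"),
    RuleChain("dba", 0.5, (), ("useradd bob",), "approval"),
    RuleChain("netops", 0.9, ("USER_ADD", "SESSION_LOGIN"), (), "revoke"),
]
EVENTS = [(100, "SERVICE_STOP"), (130, "FILE_MODIFY")]   # (timestamp, event ID)
CMDS = [(120, "systemctl stop postgresql")]              # (timestamp, command)

if __name__ == "__main__":
    print(audit("rm -rf /data", "dba", 0.8, EVENTS, CMDS, 150, 60, LIBRARY))  # block
    print(audit("rm -rf /data", "dba", 0.8, EVENTS, CMDS, 200, 60, LIBRARY))  # execute
```

The second call shows the time dimension: with the window moved past the SERVICE_STOP event, the same command and risk value no longer satisfy the event node, so the chain does not match.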
Description
Operation and maintenance command management method and system based on log feedback
Technical Field
The invention relates to the field of industrial control safety, in particular to an operation and maintenance command management method and system based on log feedback.
Background
In an industrial control safety system, the server is a core component and plays a key role in data processing and control instructions. However, threats from inside pose significant risks to the operational maintenance of the server. As the digital transformation of enterprises accelerates, ensuring the security and legitimacy of operation and maintenance operations becomes more important. This requires reasonable management of operation and maintenance commands and the establishment of a comprehensive risk assessment mechanism to identify and block potentially dangerous commands, so as to ensure safe and stable operation of the system.
Disclosure of Invention
(I) Solving the technical problems
In order to solve the technical problems, the invention provides an operation and maintenance command management method and system based on log feedback. Real-time log feedback information is integrated into the auditing process of operation and maintenance commands, so the current risk situation can be analyzed further. The role identification information of the operation and maintenance personnel is combined with the event log, so abnormal situations can be detected more effectively: in actual operation and maintenance, each operation and maintenance role has a specific range of responsibility, and if the behavior of an operation and maintenance person exceeds the range expected for the role, this indicates possible misoperation or malicious behavior.
The command auditing is carried out by a method based on high-risk rule chain matching, so the information fed back by the logs can be used effectively, more historical information is contained in the time dimension, and the risk assessment capability is more comprehensive. Based on this technology, the invention can accurately identify high-risk conditions in the operation and maintenance process, carry out risk assessment efficiently and comprehensively during actual operation and maintenance, and block the execution of high-risk commands in time to ensure the stable operation of the system.
(II) Technical scheme
In order to solve the technical problems and achieve the aim of the invention, the invention is realized by the following technical scheme: the operation and maintenance command management method based on log feedback is characterized by comprising the following steps: S1, a management module configures a high-risk rule chain library and a corresponding high-risk processing strategy, distributes roles of operation and maintenance personnel, and performs operation and maintenance approval; S2, the command receiving module completes identity authentication of operation and maintenance personnel, recognizes and receives operation and maintenance commands, and sends the operation and maintenance commands to the command auditing module for processing; S3, the command auditing module matches high-risk rule chains, and if any high-risk rule chain is matched, executes the corresponding risk processing strategy; S4, the command execution module executes the operation and maintenance command that passes the risk audit; S5, the log extraction module monitors server information in real time, generates event logs according to the change content of the server, and sends the event logs to the log analysis module for analysis; S6, the log analysis module analyzes the logs within the specified time, extracts the event IDs, evaluates the current operation and maintenance risk coefficient, and feeds the current operation and maintenance risk coefficient back to the command auditing module in real time.
Further, the high-risk rule chain comprises at least two rule judging nodes; the sequence of rule judging nodes comprises 1 role judging node roleNode, 1 risk coefficient node riskNode, n event judging nodes eventNode and m command judging nodes commandNode, where n and m are non-negative integers; and the policy content of the risk processing policy corresponding to the high-risk rule chain comprises at least one of high-risk command alarming, high-risk command blocking, high-risk command reporting for approval, and blocking of the operation and maintenance personnel's authority.
Further, the judging logic of the rule judging nodes is as follows: the role judging node judges whether the current operation and maintenance personnel role is a specified role; the risk coefficient node judges whether the current risk coefficient is larger than or equal to a specified threshold value; the event judging node judges whether an event log matching a specified event ID exists within a certain time; and judging whether the node e