基于SQL-on-Hadoop的网络日志分析

doi:10.3969/j.issn.1000-436x.2014.z1.004

摘要/Abstract

摘要：

摘要：当今网络带宽、设备和应用数量急剧扩张，日志管理面临数据量爆炸式增长的挑战。基于SQL-on-Hadoop构建网络日志分析平台，实现千亿级日志存储和高效、灵活查询。利用真实TB 级数据集对多种 Hadoop 列存储格式及压缩算法进行性能测试，并对比Hive和Impala引擎日志扫描及统计查询效率，选用Gzip压缩的Parquet格式可将日志体积压缩80%，且将Impala查询性能提升至5倍。基于该平台已开发6种安全事件响应、攻击检测和预警应用并发挥良好效果。

关键词: 日志分析, 大数据, Hadoop, SQL, 网络安全

Abstract:

With the rapid expansion of network bandwidth,devices and applications,log management is facing the challenge of exploding data volumes.Log analysis platform built on SQL-on-Hadoop is capable of storing and querying hundreds of billions of log entries effectively.Columnar and compressed data formats for Hadoop are benchmarked with real-world multi-TB dataset.Conditional and statistical querying efficiency of Hive and Impala is tested.With gzipped parquet format,log data can be compressed by 80%,and querying with impala is 5 times faster.On this platform,six security incident analysis and detection applications are already deployed.

Key words: og analysis, big data, Hadoop, SQL, network security

章思宇,姜开达,韦建文,罗萱,王海洋. 基于SQL-on-Hadoop的网络日志分析[J]. 通信学报, 2014, 35(Z1): 14-19.

Si-yu ZHANG,Kai-da JIANG,Jian-wen WEI,Xuan LUO,Hai-yang WANG. Network log analysis with SQL-on-Hadoop[J]. Journal on Communications, 2014, 35(Z1): 14-19.

图/表 8

表1

表2

表3

图1

图2

图3

表4

表5

参考文献 11

[1]	OLINER A , GANAPATHI A , XU W . Advances and challenges in log analysis[J]. Communications of the ACM, 2012,55(2): 55-61.
[2]	WEI J , ZHAO Y , JIANG K ,et al. Analysis farm:a cloud-based scalable aggregation and query platform for network log analysis[A]. 2011 International Conference on Cloud and Service Computing[C]. Hong Kong,China, 2011. 354-359.
[3]	RABKIN A , KATZ R H . Chukwa:a system for reliable large-scale log collection[A]. 24th International Conference on Large Installation System Administration[C]. San Jose,CA,USA, 2010. 163-177.
[4]	The apache software foundation.Apache flume[EB/OL]. .
[5]	The apache software foundation.Apache sqoop[EB/OL]. .
[6]	THUSOO A , SARMA J S , JAIN N ,et al. Hive-a petabyte scale data warehouse using hadoop[A]. 26th IEEE International Conference on Data Engineering Long Beach[C]. CA,USA, 2010. 996-1005.
[7]	Cloudera. Impala[EB/OL]. .
[8]	FLORATOU A , MINHAS U F , OZCAN F . SQL-on-Hadoop:full circle back to shared-nothing database architectures[J]. Proceedings of the VLDB Endowment, 2014,7(12): 1295-1306.
[9]	HE Y , LEE R , HUAI Y ,et al. RCFile:a fast and space-efficient data placement structure in MapReduce-based warehouse systems[A]. 27th IEEE International Conference on Data Engineering[C]. Hannover,Germany, 2011. 1199-1208.
[10]	Parquet. Parquet[EB/OL]. .
[11]	姜开达, 李霄, 孙强 . 基于搜索引擎关键词的校园网安全分析[A]. 中国教育和科研计算机网 CERNET 第十九届学术年会[C]. 太原,中国, 2012. 83-87. JIANG K , LEE X , SUN Q . Campus network security analysis with search engine keywords[A]. 19th CERNET Annual Conference[C]. Taiyuan,China, 2012. 83-87.

文件格式	Hive		Impala
文件格式	查询	插入/导入	查询	插入/导入
Text	√	√	√	√
RCFile	√	√	√
ORC	√	√
Parquet	√	√	√	√

格式/压缩	体积/TB	Hive查询/s	Impala查询/s
Text	9.35	1 146.1	662.6
Parquet	6.78	1 106.2	489.7
Parquet / Snappy	3.10	713.9	231.2
Parquet / Gzip	1.73	726.2	134.6
RCFile	9.21	1 044.7	672.3
RCFile / Snappy	3.58	461.2	302.4
ORC	2.42	505.8	—
ORC / Snappy	1.15	357.9	—
ORC / Zlib	0.87	359.4	—

格式/压缩	Hive		Impala
格式/压缩	CPU	磁盘读取/(GB·s^?1)	CPU	磁盘读取/(GB·s^?1)
Text	99.9%	9.8	19.5%	16.9
Parquet	99.9%	8.4	26.0%	17.1
Parquet / Snappy	99.5%	5.5	56.3%	17.3
Parquet / Gzip	98.7%	3.0	99.9%	14.3
RCFile	99.2%	10.6	22.0%	16.8
RCFile / Snappy	99.2%	9.8	44.3%	17.2
ORC	99.3%	5.9	—	—
ORC / Snappy	98.7%	4.0	—	—
ORC / Zlib	98.8%	3.3	—	—

类型	源地址	请求数
SQL注入	1 034	611 136
文件包含/下载	276	42 237
WebShell尝试	297	197 183
路径探测	14 933	1 023 730
扫描器	799	1 037 806

时间	网址	User-Agent	内容尺寸
3/8 11:15	61.160.221.*:88/fuck	Wget/1.10.2(RedHatmodified)	6 772
3/8 11:16	61.160.221.*:88/xz32	Wget/1.10.2(RedHatmodified)	1 351 181
3/9 2:54	61.160.221.*:88/fuck3.sh	Wget/1.10.2(RedHatmodified)	404
3/9 2:54	61.160.221.*:88/fuck	Wget/1.10.2(RedHatmodified)	6 772
3/9 2:55	61.160.221.*:88/sshd8	Wget/1.10.2(RedHatmodified)	1 513 570
3/9 2:57	61.160.221.*:88/ssh.py	Wget/1.10.2(RedHatmodified)	1 324
3/9 2:57	61.160.221.*:88/mafix.tar.gz	Wget/1.10.2(RedHatmodified)	446 713