Log analysis system and log analysis method for security system
Disclosed are a security system and a log analysis method for it. A log analysis unit determines whether log information containing attack content exists in the log information stored in a log database and, when it does, collects that log information according to attack commands. The log analysis unit then determines whether the attack content data of the collected log information are based on a request from the web and, if so, performs HTTP-indicator-based text normalization. Finally, the log analysis unit performs rule-pattern-based text normalization. Thus, according to one embodiment of the present invention, an operator or log analyst can recognize a hacking attack in a timely manner when it occurs, which increases both the amount and the accuracy of analysis, and the results provide a quantitative basis for improving the accuracy of future rules.
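As an added illustration of the pipeline the abstract describes (not the patent's own code), the following Python sketch assumes its own rule set, constructed log records, and its own definitions of the two normalization steps, none of which the abstract specifies:

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample records standing in for the log database (not from the patent).
LOG_DB = [
    {"source": "web",  "text": "GET /search?q=%27%20OR%201%3D1--&id=42 HTTP/1.1"},
    {"source": "web",  "text": "GET /index.html HTTP/1.1"},
    {"source": "host", "text": "sshd: Failed password for root from 10.0.0.5 port 51234"},
    {"source": "host", "text": "sshd: Failed password for root from 10.0.0.7 port 40211"},
    {"source": "host", "text": "cron: job finished"},
]

# Assumed attack rules (the "attack commands" of the abstract); illustrative only.
ATTACK_RULES = {
    "sqli_or_1eq1": re.compile(r"(?i)(?:'|%27)(?:\s|%20)*or(?:\s|%20)+1(?:=|%3D)1"),
    "ssh_failed_login": re.compile(r"Failed password for"),
}

def collect_attack_logs(log_db):
    """Steps 1-2: keep only the records in which some rule finds attack content."""
    hits = []
    for rec in log_db:
        for name, rx in ATTACK_RULES.items():
            if rx.search(rec["text"]):
                hits.append((name, rec))
    return hits

def http_normalize(text):
    """Assumed HTTP-indicator-based normalization: percent-decode, lower-case,
    and collapse whitespace so encoded and plain variants compare equal."""
    return re.sub(r"\s+", " ", unquote_plus(text)).lower().strip()

def rule_normalize(text):
    """Assumed rule-pattern-based normalization: replace volatile values
    (IP addresses first, then remaining numbers) with placeholders."""
    text = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", text)
    return re.sub(r"\d+", "<num>", text)

def analyze(log_db):
    """Steps 3-4: web records get HTTP normalization first; every hit then gets
    rule normalization. Returns per-(rule, normalized text) counts, the kind of
    quantitative summary an analyst can use to tune future rules."""
    counts = Counter()
    for name, rec in collect_attack_logs(log_db):
        text = rec["text"]
        if rec["source"] == "web":
            text = http_normalize(text)
        counts[(name, rule_normalize(text))] += 1
    return counts

if __name__ == "__main__":
    for (name, text), n in analyze(LOG_DB).items():
        print(f"{n:3d}  {name:18s} {text}")
```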