Author:

Qin, Tao | He, Chao | Jiang, Hezhi | Chen, Ruoya

Indexed by:

CPCI-S

Abstract:

System logs are one of the most important data sources for cloud security monitoring, but they are difficult to utilize because of their varied formats. In this paper, we propose a model named Behavior Rhythm to characterize massive logs and achieve the goal of granular user behavior management and security monitoring. Firstly, we employ the logging IP address and time to construct the Behavior Rhythm, with one point in the Behavior Rhythm corresponding to one logging behavior. Logging behaviors of the same user at different times are similar due to the user's habits, so the points cluster together in the Behavior Rhythm; thus abnormal behaviors can be detected based on the behavior point distribution. Secondly, we propose the concept of Operation and Maintenance Frequency (OMF) to capture the behavior characteristics of normal users, which is efficient in behavior profiling by combining logging time, logging IP address and number of input commands. Finally, we employ PrefixSpan to mine the frequent command sequences used by abnormal users. In turn, we can reconstruct the attack steps and then design suitable defense policies based on detailed investigation of the attack characteristics. Experimental results based on massive log data collected from the campus network center of Xi'an Jiaotong University verify that the methods proposed in this paper are efficient in detailed behavior characteristics extraction and security monitoring: they can not only obtain the behavior profiles of normal users, but also extract the detailed commands used by specific attacks. The analysis results lay a solid foundation for cloud security management.

Author Community:

  • [ 1 ] [Qin, Tao; He, Chao; Jiang, Hezhi; Chen, Ruoya] Xi An Jiao Tong Univ, Xian 710049, Peoples R China

Reprint Author's Address:

  • Xi An Jiao Tong Univ, Xian 710049, Peoples R China.

Source :

2018 IEEE CONFERENCE ON COMMUNICATIONS AND NETWORK SECURITY (CNS)

ISSN: 2474-025X

Year: 2018

Language: English

Cited Count:

WoS CC Cited Count: 0

ESI Highly Cited Papers on the List: 0
