CN111131166A - User behavior prejudging method and related equipment - Google Patents

User behavior prejudging method and related equipment

Info

Publication number
CN111131166A
Authority
CN
China
Prior art keywords
risk
user
target
risk value
behavior
Legal status
Granted
Application number
CN201911195955.6A
Other languages
Chinese (zh)
Other versions
CN111131166B (en)
Inventor
张登超
Current Assignee
Simplecredit Micro-Lending Co ltd
Original Assignee
Simplecredit Micro-Lending Co ltd
Application filed by Simplecredit Micro-Lending Co ltd
Priority to CN201911195955.6A
Publication of CN111131166A
Application granted
Publication of CN111131166B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the invention discloses a user behavior prediction method and related equipment, applied in the field of computer technology. The method comprises the following steps: when a server detects that a user accesses a designated platform, it detects the user's operation behavior on that platform, determines an operation risk value for the user based on that behavior, determines a target risk value from the operation risk value, determines the user's risk level from the target risk value, and adds a risk flag matching that risk level to the user. With the embodiment of the invention, user behavior can be predicted efficiently.

Description

User behavior prejudging method and related equipment
Technical Field
The invention relates to the field of computer technology, and in particular to a user behavior prediction method and related equipment.
Background
Against the background of the internet, the security of Web applications faces new challenges, and attack methods keep multiplying. Once a Web application is attacked, the service it provides, or the server behind it, is affected; attack detection for Web applications is therefore significant.
At present, attack detection for Web applications mainly examines user behavior once the user has already started to access or attack the Web application. It cannot predict user behavior, and so cannot protect the application in advance and proactively. How to predict user behavior has therefore become a problem in urgent need of a solution.
Disclosure of Invention
The embodiment of the invention provides a user behavior prediction method and related equipment, which can efficiently predict user behavior.
In a first aspect, an embodiment of the present invention provides a method for predicting user behavior, the method comprising:
when it is detected that a user accesses a designated platform, detecting the operation behavior of the user on the designated platform;
determining an operation risk value for the user based on the operation behavior;
determining a target risk value for the user according to the operation risk value, and determining a risk level for the user based on the target risk value;
adding a risk flag matching the risk level to the user.
In one embodiment, determining the operation risk value of the user based on the operation behavior is implemented as follows: the operation behavior is analyzed to obtain operation behavior information; a target risk detection rule corresponding to the type of the designated platform is determined according to the operation behavior information; it is judged whether the operation behavior information contains the preset key information of the target risk detection rule, where the preset key information is associated with a target application; and if so, the risk value corresponding to the target risk detection rule is determined to be the operation risk value of the user.
In one embodiment, determining the target risk value of the user according to the operation risk value is implemented as follows: it is detected whether a historical risk value of the user is stored in a database; if so, the sum of the operation risk value and the historical risk value is determined to be the target risk value of the user; if not, the operation risk value of the user is determined to be the target risk value of the user.
In one embodiment, after the risk flag matching the risk level has been added to the user, user information of the user may further be obtained, and the user information, the risk flag and the target risk value are stored in the database in association with one another.
In one embodiment, after the user information, the risk flag and the target risk value have been stored in association in the database, an access request of the user for the target application may further be received, the access request carrying the user information of the user; the risk flag matching the user information is obtained from the database; the risk level indicated by the risk flag is determined; and an access control policy matching that risk level is executed for the user.
In one embodiment, the risk level indicated by the risk flag is a first risk level, whose corresponding risk value is greater than or equal to a first risk threshold, and executing the access control policy matching the risk level for the user is implemented as follows: the access request is routed to a honeypot host corresponding to the target application; after it is detected that the access request has reached the honeypot host, the attack behavior of the user is acquired; and the target application is repaired based on that attack behavior.
In one embodiment, the risk level indicated by the risk flag is a second risk level, whose corresponding risk value is greater than or equal to a second risk threshold and less than the first risk threshold, and executing the access control policy matching the risk level for the user is implemented as follows: the access request is routed to the target application, and the user's access scope on the target application is limited according to a first preset limiting policy; the operation behavior of the user on the designated platform is monitored for a first preset duration; and if an operation behavior of the second risk level is detected within the first preset duration, the risk level of the user is adjusted from the second risk level to the first risk level.
In a second aspect, an embodiment of the present invention provides a user behavior prediction apparatus, which includes modules configured to execute the method of the first aspect.
In a third aspect, an embodiment of the present invention provides a server comprising a processor, a communication interface and a memory, connected to one another. The communication interface is controlled by the processor to send and receive messages; the memory stores a computer program that supports the server in executing the above method, the computer program comprising program instructions; and the processor is configured to call those program instructions to execute the method of the first aspect.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program, the computer program comprising program instructions that, when executed by a processor, cause the processor to perform the method of the first aspect.
In the embodiment of the invention, when the server detects that a user accesses a designated platform, it can detect the user's operation behavior on the designated platform, determine an operation risk value for the user based on that behavior, determine a target risk value from the operation risk value, determine the user's risk level from the target risk value, and add a risk flag matching the risk level to the user. In this way, user behavior can be predicted efficiently and the user is given a risk flag.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a user behavior prediction system according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a user behavior prediction method according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of another user behavior prediction method according to an embodiment of the present invention;
Fig. 4 is a schematic block diagram of a user behavior prediction apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic block diagram of a server according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a user behavior prediction method which, before a user has accessed a target application, determines the user's risk level from the user's operation behavior on a designated platform, thereby predicting the user's behavior, and adds a risk flag matching that risk level to the user. When the user later accesses the target application, the risk level indicated by the flag added in advance can be read, and an access control policy matching that level is executed for the user. In this way, before the user even reaches the target application, users of different risk levels are subjected to different access control policies and given different access resources, so the target application is protected in advance and proactively. The target application may be a Web application, that is, an application accessed over the Web; its greatest advantage is that users can reach it easily, needing only a browser and no other installed software.
In order to better understand the user behavior prediction method disclosed in the embodiment of the present invention, a user behavior prediction system applicable to the embodiment of the present invention is first described below.
Referring to Fig. 1, Fig. 1 is a schematic diagram of the architecture of a user behavior prediction system according to an embodiment of the present invention. As shown in Fig. 1, the system includes at least one designated platform 100, a risk processing platform 101 and a target application 102. The risk processing platform 101 sits in front of the target application 102 and performs risk filtering for it, protecting the target application 102. The designated platform 100 may include one or more of: a search engine management platform, a Domain Name System (DNS) management platform, a domain name and Whois (registration lookup) management platform, a code hosting platform, a Hypertext Transfer Protocol Secure (HTTPS) certificate management platform, a device information management platform, a social information management platform, a historical archive information management platform, an Internet Protocol (IP) management platform, and a port management platform; the embodiment of the present invention does not limit this specifically.
In one embodiment, when the risk processing platform 101 detects that a user accesses any of the designated platforms 100, it may detect the user's operation behavior on that designated platform 100, determine an operation risk value for the user based on that behavior, determine a target risk value from the operation risk value, determine the user's risk level from the target risk value, and add a risk flag matching the risk level to the user. Further, after the risk processing platform 101 receives an access request from the user for the target application 102, it may check whether a risk flag was added to the user in advance; if so, the user's risk level is determined from the flag, and an access control policy matching that risk level is executed for the user.
It should be understood that the user behavior prediction system described in the embodiment of the present invention is given to illustrate the technical solution more clearly and does not limit it; as a person of ordinary skill in the art knows, the technical solution provided in the embodiment of the present invention remains applicable to similar technical problems as system architectures evolve and new service scenarios appear.
Referring to Fig. 2, Fig. 2 is a schematic flow chart of a user behavior prediction method according to an embodiment of the present invention. This embodiment may be executed by a server, for example the server corresponding to the risk processing platform 101 in Fig. 1. As shown in the figure, the method may include:
S201: when it is detected that a user accesses a designated platform, detect the operation behavior of the user on the designated platform.
S202: determine an operation risk value for the user based on the operation behavior.
The designated platforms are preset by the developers according to experimentally measured and calculated data. Different risk detection rules may be set for designated platforms of different types; at least one risk detection rule may be set for each type of designated platform, and each risk detection rule corresponds to one risk value. In one embodiment, when the server detects that the user accesses a designated platform, it may detect the user's operation behavior on that platform, analyze the behavior to obtain operation behavior information, determine from the at least one risk detection rule corresponding to the type of the designated platform a target risk detection rule matching the operation behavior information, and take the risk value corresponding to that target rule as the user's operation risk value.
S203: and determining a target risk value of the user according to the operation risk value, and determining the risk level of the user based on the target risk value.
In one embodiment, the server may detect whether a historical risk value of the user is stored in the database, determine, if yes, a sum of the operation risk value and the historical risk value as a target risk value of the user, and if not, determine the operation risk value of the user as the target risk value of the user.
In one embodiment, the server may previously classify different risk levels based on different risk value ranges, for example, as shown in table 1, a first risk level in table 1 may be understood as a high risk level, and its corresponding risk value is the highest; the second risk level may be understood as a medium risk level, which corresponds to the next highest risk value; the third risk level may be understood as a low risk level, which corresponds to the lowest risk value. In this case, after determining the target risk value of the user according to the operation risk value, the server may determine a risk value range to which the target risk value belongs, and further determine a risk level corresponding to the risk value range as the risk level of the user.
TABLE 1
Risk rating Value of risk r
First risk class r≥1
Second risk level 0.4≤r<1
Third Risk level 0<r<0.4
S204: a risk label matching the risk rating is added to the user.
In one embodiment, different risk markers may be added for different risk levels, and a subsequent server may determine the corresponding risk level by parsing the risk markers.
In one embodiment, after the server adds the risk label matching the risk level to the user, the server may further obtain user information of the user, and store the user information, the risk label, and the target risk value in association with each other in the database. In this way, the subsequent server may obtain the risk label of the user and the target risk value from the database based on the user information of the user, where the target risk value may be used as the historical risk value of the next risk analysis.
In one embodiment, after the server stores the user information, the risk flag and the target risk value association in the database, an access request of the user for the target application may be received, and the user information of the user is included in the access request. Further, the server may obtain a risk label matching the user information from the database, determine a risk level indicated by the risk label, and execute an access control policy matching the risk level for the user. In this way, before the user contacts the target application, different access control policies can be executed for users with different risk levels, different access resources are provided, and the target application can be protected in advance and in a prospective manner.
Or, in another embodiment, after receiving an access request of a user for a target application, the server may detect whether user information of the user exists in the database, and if not, determine the user as a normal visitor, and access the access request to the target application, so that the user normally accesses the target application.
In one embodiment, assume the risk level indicated by the risk flag is the first risk level, whose risk value is greater than or equal to a first risk threshold (for example "1" in Table 1). The server executes the access control policy matching that level as follows: the access request is routed to a honeypot host corresponding to the target application; after the request is detected to have reached the honeypot host, the user's attack behavior is acquired; and the target application is repaired based on that attack behavior. The honeypot host has the same interfaces and functions as the target application but holds no real user data, and the attack behavior may include the attack method, attack path and so on. In this way a user of the first risk level is kept away from the real target application before ever reaching it, improving the security of the target application; in addition, the user's attack behavior against the honeypot host can be collected and the target application repaired accordingly, improving its security further.
In one embodiment, assume the risk level indicated by the risk flag is the second risk level, whose risk value is greater than or equal to a second risk threshold (for example "0.4" in Table 1) and less than the first risk threshold (for example "1" in Table 1). The server executes the access control policy matching that level as follows: the access request is routed to the target application and the user's access scope on the target application is limited according to a first preset limiting policy; the user's operation behavior on the designated platform is monitored for a first preset duration; and if an operation behavior of the second risk level is detected within the first preset duration, the user's risk level is adjusted from the second risk level to the first risk level, and the user's risk flag in the database is changed directly to the flag matching the first risk level.
In another embodiment, if the server detects an operation behavior of the first risk level by the user within the first preset duration, the user's risk level is likewise adjusted directly from the second risk level to the first risk level, and the user's risk flag in the database is changed to the flag matching the first risk level.
Alternatively, if no operation behavior of any risk level is detected within the first preset duration, the risk flag stored in association with the user's user information may be deleted from the database, and the user subsequently accesses the target application as a normal visitor.
In one embodiment, assume the risk level indicated by the risk flag is the third risk level, whose risk value is less than the second risk threshold (for example "0.4" in Table 1) and greater than 0. The server executes the access control policy matching that level as follows: the access request is routed to the target application, and the user's access scope on the target application is limited according to a second preset limiting policy.
In one embodiment, after routing the access request to the target application, the server may monitor the user's operation behavior on the designated platform for a second preset duration. If an operation behavior of the first risk level is detected within the second preset duration, the user's target risk level is adjusted from the third risk level to the first risk level and the user's risk flag in the database is changed directly to the flag matching the first risk level; if an operation behavior of the second risk level is detected within the second preset duration, the user's target risk level is adjusted from the third risk level to the second risk level and the risk flag is changed to the flag matching the second risk level.
Alternatively, if the server detects no operation behavior of any risk level within the second preset duration, the risk flag stored in association with the user's user information may be deleted from the database, and the user subsequently accesses the target application as a normal visitor.
In one embodiment, after the server has adjusted the user's target risk level from the third to the second risk level, the access control policy matching the second risk level may subsequently be enforced on the user; likewise, after adjusting the user's target risk level from the third to the first risk level, the access control policy matching the first risk level may subsequently be executed on the user.
The first risk threshold is greater than the second risk threshold; for example, the first risk threshold may be 1 and the second 0.4. The second risk level can be understood as medium risk and the third as low risk, the risk value of the second level being greater than that of the third. Because of this, the first preset duration set for the second risk level is longer than the second preset duration set for the third risk level, for example 15 days and 7 days respectively; and the access scope that the first preset limiting policy (set for the second risk level) grants the user on the target application is narrower than the access scope granted by the second preset limiting policy (set for the third risk level). For example, the first preset limiting policy restricts the user to viewing HyperText Markup Language (HTML) pages of the target application, with no further operations such as registration or login; correspondingly, the second preset limiting policy allows the user to log in, register, change the password and use the various functions of the target application.
It should be understood that the above settings for the first risk threshold, the second risk threshold, the first preset duration, the second preset duration, the first preset limiting policy and the second preset limiting policy are only examples and do not limit the embodiments of the present invention.
In one embodiment, before the server performs step S202 to determine the user's operation risk value from the operation behavior, it may check whether a target risk flag of the user exists in the database (a target risk flag being one that indicates the first risk level); if so, step S202 is skipped and the user's historical risk value is taken as the target risk value.
In the embodiment of the invention, when the server detects that a user accesses a designated platform, it can detect the user's operation behavior on the designated platform, determine an operation risk value from that behavior, determine a target risk value from the operation risk value, determine the user's risk level from the target risk value, and add a risk flag matching the risk level to the user. In this way, user behavior can be predicted efficiently and the user is given a risk flag.
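The flow of steps S201 to S204 together with the access control policies described above, expressed as working code. This is an added example written for this page, not code from the patent or from the assignee: an in-memory risk processing platform that folds the operation risk value into the stored historical value, maps the target risk value to a level with the Table 1 thresholds, stores the flag, routes an access request either to the honeypot host or to the target application under the matching limiting policy, and at the end of the 15-day or 7-day window either escalates the flag or deletes it. The class and function names, the action names standing in for the two limiting policies, the dictionary standing in for the database, the day counter standing in for timestamps and the sample scenario are all this example's assumptions; what happens when only third-level behavior is seen during the window is not specified by the text, so the example keeps the flag unchanged there.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Table 1: r >= 1 -> first (high) level; 0.4 <= r < 1 -> second (medium); 0 < r < 0.4 -> third (low).
FIRST_THRESHOLD = 1.0
SECOND_THRESHOLD = 0.4
# Observation windows in days, from the text's example: 15 for the second level, 7 for the third.
WINDOW_DAYS = {2: 15, 3: 7}
# Access scopes standing in for the two limiting policies (the action names are this example's own).
ALLOWED_ACTIONS = {
    2: {"view_html"},                                                           # first preset limiting policy
    3: {"view_html", "login", "register", "change_password", "use_function"},   # second preset limiting policy
}
HONEYPOT, TARGET_APP = "honeypot_host", "target_application"


def risk_level(r: float) -> Optional[int]:
    """Map a target risk value to a risk level per Table 1; None means no flag is added."""
    if r >= FIRST_THRESHOLD:
        return 1
    if r >= SECOND_THRESHOLD:
        return 2
    if r > 0:
        return 3
    return None


@dataclass
class RiskRecord:
    """One database row: target risk value, risk flag (kept as its level) and the day it was set."""
    target_risk: float
    level: int
    flagged_day: float


class RiskProcessingPlatform:
    """Time is passed in as a day count (a real system would use timestamps)."""

    def __init__(self) -> None:
        self.db: dict[str, RiskRecord] = {}  # in-memory stand-in for the database (assumption)

    def on_platform_operation(self, user_id: str, operation_risk: float, day: float) -> Optional[int]:
        """S202-S204: target risk = operation risk + historical risk, then level and flag."""
        rec = self.db.get(user_id)
        if rec is not None and rec.level == 1:
            return 1  # already at the first level: the historical value is kept, no re-scoring
        historical = rec.target_risk if rec is not None else 0.0
        target = operation_risk + historical
        level = risk_level(target)
        if level is None:
            return None  # nothing risky yet: no flag, the user remains a normal visitor
        # Keep the original flag day while the level is unchanged so the window is not restarted.
        flagged_day = rec.flagged_day if rec is not None and rec.level == level else day
        self.db[user_id] = RiskRecord(target, level, flagged_day)
        return level

    def handle_access(self, user_id: str, action: str) -> tuple[str, bool]:
        """Access request for the target application -> (where it is routed, whether action is allowed)."""
        rec = self.db.get(user_id)
        if rec is None:
            return TARGET_APP, True  # no stored user information: normal visitor
        if rec.level == 1:
            return HONEYPOT, True    # first level: divert to the honeypot host, never the real application
        return TARGET_APP, action in ALLOWED_ACTIONS[rec.level]

    def review_window(self, user_id: str, observed_levels: list[int], day: float) -> Optional[int]:
        """At the end of the preset duration, escalate the flag or delete it.

        observed_levels: levels of the operation behaviors seen on the designated platforms
        during the window (1 = first level). Returns the resulting level, None if deleted."""
        rec = self.db.get(user_id)
        if rec is None:
            return None
        if rec.level == 1 or day - rec.flagged_day < WINDOW_DAYS[rec.level]:
            return rec.level  # first level is not reviewed here; otherwise the window is still open
        if not observed_levels:
            del self.db[user_id]  # no risky behavior in the window: delete the flag
            return None
        worst = min(observed_levels)  # lower number = higher risk
        if worst <= 2:
            new_level = 1 if rec.level == 2 else worst  # second -> first; third -> first or second
            self.db[user_id] = RiskRecord(rec.target_risk, new_level, day)
            return new_level
        return rec.level  # only third-level behavior seen: the text is silent, so the flag is kept (assumption)


if __name__ == "__main__":
    p = RiskProcessingPlatform()
    p.on_platform_operation("alice", 0.2, day=0)      # 0.2 -> third level
    p.on_platform_operation("alice", 0.4, day=1)      # 0.6 -> second level: HTML pages only
    print(p.handle_access("alice", "login"))
    p.review_window("alice", [2], day=16)             # second-level behavior in the window -> first level
    print(p.handle_access("alice", "login"))          # now routed to the honeypot host
```

Two points a practitioner would check before building on this: the user identifier that ties activity on the designated platforms to the later access request is the weakest link (the text leaves how "user information" is correlated across platforms unspecified), and the honeypot branch only helps if the decoy cannot be told apart from the real target application and holds no real data, as the text requires.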
Referring to Fig. 3, Fig. 3 is a schematic flow chart of another user behavior prediction method according to an embodiment of the present invention. This embodiment may be executed by a server, for example the server corresponding to the risk processing platform 101 in Fig. 1. As shown in the figure, the method may include:
S301: when it is detected that a user accesses a designated platform, detect the operation behavior of the user on the designated platform.
S302: analyze the operation behavior to obtain operation behavior information, and determine a target risk detection rule corresponding to the type of the designated platform according to the operation behavior information.
In one embodiment, there is at least one designated platform. Different risk detection rules may be set for designated platforms of different types; for each type of designated platform at least one risk detection rule may be set, and each risk detection rule has a corresponding risk value. The designated platforms may include one or more of the following types: a search engine management platform, a DNS management platform, a domain name and Whois management platform, a code hosting platform, an HTTPS certificate management platform, a device information management platform, a social information management platform, a historical archive information management platform, an IP management platform, and a port management platform.
For example, the risk detection rules and corresponding risk values may be set as follows (the target objects may be enterprises, organizations and the like):
for the search engine management platform, the risk detection rules and risk values shown in Table 2;
for the DNS management platform, those shown in Table 3;
for the domain name and Whois management platform, those shown in Table 4;
for the code hosting platform, those shown in Table 5;
for the HTTPS certificate management platform, risk detection rule 5: look up the domain names sharing the same certificate from the HTTPS certificate information of the target object, with a risk value that may be set to 0.4;
for the device information management platform, risk detection rule 6: collect device information of the target object (such as device type and IP address) and query further information about the target object, with a risk value that may be set to 1;
for the social information management platform, risk detection rule 7: generate the passwords needed for a social engineering attack from information the target object has published socially (social information such as names, mailboxes and employee names), with a risk value that may be set to 0.2;
for the port management platform, risk detection rule 8: probe host or server ports through TCP/UDP connections to the target object's ports to obtain application information, with a risk value that may be set to 0.2;
for the IP management platform, the risk detection rules and risk values shown in Table 6.
TABLE 2 (risk detection rules and risk values for the search engine management platform; the table is an image in the source and its content is not reproduced here)
TABLE 3 (risk detection rules and risk values for the DNS management platform; image not reproduced)
TABLE 4 (risk detection rules and risk values for the domain name and Whois management platform; image not reproduced)
TABLE 5 (risk detection rules and risk values for the code hosting platform; image not reproduced)
TABLE 6 (risk detection rules and risk values for the IP management platform; image not reproduced)
It can be seen that each risk detection rule corresponds to an operation behavior. For example, the operation behavior corresponding to risk detection rule 1.1 in table 2 is querying the login interface of a target object, and the operation behavior corresponding to risk detection rule 1.2 is querying files or documents leaked from the target object. Accordingly, the server may determine the target risk detection rule corresponding to the type of the designated platform as follows: the server selects, according to the operation behavior information, a target risk detection rule from the at least one risk detection rule corresponding to the type of the designated platform. For example, assume that the type of platform identified in step S301 is a search engine management platform, and that the risk detection rules corresponding to the search engine management platform are those shown in table 2. If the server determines from the operation behavior information that the user's operation on the designated platform was a query for the login interface of a target object, the server may select risk detection rule 1.1 from the rules corresponding to the search engine management platform as the target risk detection rule.
S303: judging whether the operation behavior information contains the preset key information of the target risk detection rule, where the preset key information is associated with the target application.
S304: if so, determining the risk value corresponding to the target risk detection rule as the operation risk value of the user.
The preset key information is associated with the target application; "associated" here means that the preset key information and the target application correspond to the same enterprise or organization. For example, assume that the target risk detection rule is risk detection rule 1.1 in table 2, whose operation behavior is querying the login interface of a target object; that the login interfaces that could be queried include the login interface of enterprise A and the login interface of enterprise B; and that the company that developed the target application is enterprise A. In this case the preset key information may be the login interface of enterprise A: the preset key information and the target application both correspond to enterprise A, so the preset key information is associated with the target application.
Continuing the example, assume that the target risk detection rule is risk detection rule 1.1 in table 2, the preset key information is the login interface of enterprise A, and the company that developed the target application is enterprise A. If the server determines that the operation behavior information includes the login interface of enterprise A (the preset key information of risk detection rule 1.1), the risk value 1 corresponding to risk detection rule 1.1 may be determined as the operation risk value of the user.
In an embodiment, if the operation behavior information is found not to include the preset key information of the target risk detection rule, the operation risk value of the user may be determined to be 0.
S305: determining a target risk value of the user according to the operation risk value, determining a risk level of the user based on the target risk value, and adding a risk mark matching the risk level to the user. For the specific implementation of step S305, reference may be made to the description of steps S203 to S204 in the foregoing embodiment, which is not repeated here.
In the embodiment of the invention, when the server detects that a user accesses a designated platform, it detects the user's operation behavior on that platform, analyzes the operation behavior to obtain operation behavior information, determines the target risk detection rule corresponding to the type of the designated platform according to the operation behavior information, and, if the operation behavior information is judged to contain the preset key information of the target risk detection rule, determines the risk value corresponding to that rule as the operation risk value of the user. The server then determines a target risk value of the user from the operation risk value, determines a risk level of the user based on the target risk value, and adds a risk mark matching the risk level to the user. In this way, user behavior can be pre-judged efficiently and the user marked with a risk mark.
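As an added worked example (not code from the patent or from its applicant), the following Python models steps S301 to S305 as described above: a per-platform rule table, selection of the target rule from the parsed operation behavior, the preset-key-information check that ties the operation to the protected application, and accumulation with the historical risk value followed by the threshold-based risk level and risk mark. The risk values of rules 1.1 and 5 to 8 are those given in the description; the platform keys, behavior keywords, the value of rule 1.2, the preset key information, the two thresholds and the mark names are assumptions made for this example.

```python
"""Rule-based operational risk scoring modelled on steps S301-S305 (added example)."""
from dataclasses import dataclass, field

# Rule table: platform type -> {rule id: (behavior keyword, risk value)}.
# Values for rules 1.1 and 5-8 are from the description; the rule 1.2 value,
# the keywords and the platform keys are assumptions for this example.
RULES = {
    "search_engine":     {"1.1": ("login_interface_query", 1.0),
                          "1.2": ("leaked_document_query", 0.5)},   # 0.5 assumed
    "https_certificate": {"5": ("same_certificate_domain_lookup", 0.4)},
    "device_info":       {"6": ("device_info_collection", 1.0)},
    "social_info":       {"7": ("social_engineering_password_generation", 0.2)},
    "port":              {"8": ("port_probe", 0.2)},
}

# Preset key information per rule: assets of the enterprise that owns the
# target application ("enterprise A"). All values are constructed placeholders.
PRESET_KEY_INFO = {
    "1.1": {"login.enterprise-a.example"},
    "1.2": {"enterprise-a.example"},
    "5":   {"enterprise-a.example"},
    "6":   {"203.0.113.10"},
    "7":   {"enterprise-a.example", "hr@enterprise-a.example"},
    "8":   {"203.0.113.10"},
}

# Assumed thresholds: first risk level at >= 3.0, second risk level in [1.0, 3.0).
FIRST_RISK_THRESHOLD = 3.0
SECOND_RISK_THRESHOLD = 1.0
RISK_MARKS = {1: "RISK_L1", 2: "RISK_L2", 3: "RISK_L3"}   # mark names assumed


@dataclass(frozen=True)
class OperationBehavior:
    platform_type: str      # type of the designated platform the user accessed
    behavior: str           # behavior keyword parsed from the operation (S301)
    identifiers: frozenset  # hostnames / addresses / accounts the operation referred to


def select_target_rule(platform_type, behavior):
    """S302: return (rule id, risk value) of the matching rule for this platform type, or None."""
    for rule_id, (keyword, value) in RULES.get(platform_type, {}).items():
        if keyword == behavior:
            return rule_id, value
    return None


def operation_risk_value(op):
    """S303/S304: the rule's risk value if its preset key information is present, else 0."""
    match = select_target_rule(op.platform_type, op.behavior)
    if match is None:
        return 0.0
    rule_id, value = match
    if op.identifiers & PRESET_KEY_INFO.get(rule_id, set()):
        return value
    return 0.0   # rule matched, but the operation did not concern the protected application


def risk_level(target_risk_value):
    """Map a target risk value to a level: 1 = first, 2 = second, 3 = below both (assumed)."""
    if target_risk_value >= FIRST_RISK_THRESHOLD:
        return 1
    if target_risk_value >= SECOND_RISK_THRESHOLD:
        return 2
    return 3


@dataclass
class RiskDatabase:
    """Stand-in for the database holding user information, risk mark and target risk value."""
    records: dict = field(default_factory=dict)   # user_id -> (target_risk_value, mark)

    def historical_risk_value(self, user_id):
        rec = self.records.get(user_id)
        return None if rec is None else rec[0]


def evaluate_operation(db, user_id, op):
    """Run S302-S305 for one operation, persist the result, return (op value, target value, mark)."""
    op_value = operation_risk_value(op)
    history = db.historical_risk_value(user_id)
    target = op_value if history is None else op_value + history   # S305 accumulation
    mark = RISK_MARKS[risk_level(target)]
    db.records[user_id] = (target, mark)
    return op_value, target, mark


if __name__ == "__main__":
    db = RiskDatabase()
    # Constructed sequence of operations by one user across several platforms.
    for op in (
        OperationBehavior("search_engine", "login_interface_query", frozenset({"login.enterprise-a.example"})),
        OperationBehavior("port", "port_probe", frozenset({"203.0.113.10"})),
        OperationBehavior("device_info", "device_info_collection", frozenset({"203.0.113.10"})),
    ):
        print(op.behavior, evaluate_operation(db, "user-1", op))
```

A query against enterprise B's login interface matches rule 1.1 but carries none of enterprise A's preset key information, so it scores 0 and leaves the user's stored target risk value unchanged, which is the separation the description draws between "an operation of this kind" and "an operation aimed at the protected application".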
Embodiments of the present invention further provide a computer storage medium storing program instructions which, when executed, implement the corresponding method described in the above embodiments.
An embodiment of the present invention further provides a user behavior prediction apparatus, configured in a server, which includes modules for executing the method described in fig. 2 or fig. 3. Specifically, fig. 4 is a schematic block diagram of a user behavior prediction apparatus according to an embodiment of the present invention. The user behavior prediction apparatus of this embodiment includes:
the detection module 40 is configured to detect an operation behavior of a user on a specified platform when it is detected that the user accesses the specified platform;
a processing module 41 for determining an operational risk value of the user based on the operational behavior;
the processing module 41 is further configured to determine a target risk value of the user according to the operation risk value, and determine a risk level of the user based on the target risk value;
a marking module 42 for adding a risk mark matching the risk level to the user.
In an embodiment, the processing module 41 is specifically configured to analyze the operation behavior to obtain operation behavior information; determining a target risk detection rule corresponding to the type of the specified platform according to the operation behavior information; judging whether the operation behavior information contains preset key information of the target risk detection rule, wherein the preset key information is associated with a target application; and if so, determining the risk value corresponding to the target risk detection rule as the operation risk value of the user.
In an embodiment, the processing module 41 is specifically configured to detect whether a database stores a historical risk value of the user; if so, determining the sum of the operation risk value and the historical risk value as a target risk value of the user; and if not, determining the operation risk value of the user as the target risk value of the user.
In an embodiment, the processing module 41 is further configured to obtain user information of the user, and store the user information, the risk flag, and the target risk value in a database in an associated manner.
In one embodiment, the apparatus further includes a communication module 43, where the communication module 43 is configured to receive an access request of the user for a target application, where the access request includes user information of the user; the processing module 41 is further configured to obtain a risk label matching the user information from the database, determine a risk level indicated by the risk label, and execute an access control policy matching the risk level for the user.
In an embodiment, the risk level indicated by the risk mark is a first risk level, and the processing module 41 is specifically configured to route the access request to a honeypot host corresponding to the target application; after it is detected that the honeypot host has been accessed, obtain the attack behavior of the user; and repair the target application based on the attack behavior.
In an embodiment, the risk level indicated by the risk mark is a second risk level, whose corresponding risk value is greater than or equal to a second risk threshold and smaller than a first risk threshold, and the processing module 41 is specifically configured to route the access request to the target application and limit the user's access range within the target application according to a first preset restriction policy; detect the user's operation behavior on the designated platform within a first preset time length; and, if the user is detected to perform an operation behavior of the second risk level within the first preset time length, adjust the user's risk level from the second risk level to the first risk level.
It should be noted that the functions of the functional modules of the user behavior prediction apparatus described in this embodiment may be implemented according to the method in the method embodiment of fig. 2 or fig. 3, and their specific implementation may refer to the description of that method embodiment, which is not repeated here.
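As a second added example, again not code from the patent or its applicant, the following Python shows how the two access control policies described for the apparatus could be enforced once a risk mark is stored: a first-risk-level user is routed to a honeypot host standing in for the target application and the behavior observed there is kept for remediation, while a second-risk-level user reaches the real application under a restriction policy and is watched for a preset time, with a further second-level operation inside that window escalating the user to the first risk level. The thresholds, window length, policy name, honeypot host naming and sample records are assumptions; reading "operation behavior of the second risk level" as an operation whose own risk value reaches the second threshold is an interpretation of the text, not something it states.

```python
"""Risk-mark driven access control for the target application (added example)."""
from dataclasses import dataclass, field
from typing import Optional

FIRST_RISK_THRESHOLD = 3.0           # assumed first risk threshold
SECOND_RISK_THRESHOLD = 1.0          # assumed second risk threshold
FIRST_PRESET_WINDOW_SECONDS = 3600   # assumed "first preset time length"
FIRST_PRESET_RESTRICTION = "read_only_public_pages"   # assumed restriction policy name


def risk_level(value):
    """1 = first risk level, 2 = second risk level, 3 = below both (assumed)."""
    if value >= FIRST_RISK_THRESHOLD:
        return 1
    if value >= SECOND_RISK_THRESHOLD:
        return 2
    return 3


@dataclass
class RiskRecord:
    """Stored per user: target risk value, current level, restriction state, honeypot findings."""
    target_risk_value: float
    risk_level: int
    restricted_since: Optional[float] = None          # when the level-2 policy was applied
    honeypot_observations: list = field(default_factory=list)


@dataclass(frozen=True)
class AccessDecision:
    action: str                       # "honeypot", "restricted" or "allow"
    route: str                        # host the request is forwarded to
    restriction_policy: Optional[str]


def handle_access_request(db, user_id, target_app, now):
    """Select the access control policy matching the risk mark stored for the user."""
    rec = db.get(user_id)
    level = rec.risk_level if rec else 3
    if level == 1:
        # First risk level: divert to the honeypot host that mirrors the target application.
        return AccessDecision("honeypot", f"honeypot.{target_app}", None)
    if level == 2:
        # Second risk level: real application, but restricted and under observation.
        if rec.restricted_since is None:
            rec.restricted_since = now
        return AccessDecision("restricted", target_app, FIRST_PRESET_RESTRICTION)
    return AccessDecision("allow", target_app, None)


def record_honeypot_activity(db, user_id, observed_behavior):
    """After the honeypot host is accessed, keep the observed attack behavior for remediation."""
    db[user_id].honeypot_observations.append(observed_behavior)
    return list(db[user_id].honeypot_observations)


def observe_platform_operation(db, user_id, op_risk_value, now):
    """Re-score a user after a further operation on a designated platform.

    A second-level operation (own value >= second threshold, interpretation) seen while the
    level-2 restriction window is open escalates the user to the first risk level even if the
    accumulated target risk value has not yet crossed the first threshold.
    """
    rec = db[user_id]
    rec.target_risk_value += op_risk_value          # same accumulation as step S305
    new_level = risk_level(rec.target_risk_value)
    in_window = (rec.restricted_since is not None
                 and now - rec.restricted_since <= FIRST_PRESET_WINDOW_SECONDS)
    if rec.risk_level == 2 and in_window and risk_level(op_risk_value) == 2:
        new_level = 1
    rec.risk_level = new_level
    return rec.risk_level


if __name__ == "__main__":
    # Constructed records: one first-level user and one second-level user.
    db = {"u-high": RiskRecord(3.5, 1), "u-mid": RiskRecord(1.0, 2)}
    print(handle_access_request(db, "u-high", "app.enterprise-a.example", now=1000.0))
    print(handle_access_request(db, "u-mid", "app.enterprise-a.example", now=1000.0))
    print("u-mid level after a second-level operation in the window:",
          observe_platform_operation(db, "u-mid", 1.0, now=1600.0))
```

The window check is what distinguishes the escalation rule from plain accumulation: with the assumed thresholds, a second-level user who repeats a second-level operation an hour after the restriction started keeps level 2 by score alone, whereas the same operation inside the window moves the user to level 1 and the next request goes to the honeypot.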
Referring to fig. 5, fig. 5 is a schematic block diagram of a server according to an embodiment of the present invention. As shown in fig. 5, the server includes a processor 501, a memory 502 and a communication interface 503, which may be connected by a bus or by other means; in this embodiment they are illustrated as connected by a bus. The communication interface 503 is controlled by the processor to send and receive messages, the memory 502 stores a computer program comprising program instructions, and the processor 501 executes the program instructions stored in the memory 502. The processor 501 is configured to call the program instructions to perform the following: when it is detected that a user accesses a designated platform, detecting the user's operation behavior on the designated platform; determining an operation risk value of the user based on the operation behavior; determining a target risk value of the user according to the operation risk value, and determining a risk level of the user based on the target risk value; and adding a risk mark matching the risk level to the user.
In an embodiment, the processor 501 is specifically configured to analyze the operation behavior to obtain operation behavior information; determining a target risk detection rule corresponding to the type of the specified platform according to the operation behavior information; judging whether the operation behavior information contains preset key information of the target risk detection rule, wherein the preset key information is associated with a target application; and if so, determining the risk value corresponding to the target risk detection rule as the operation risk value of the user.
In an embodiment, the processor 501 is specifically configured to detect whether a database stores a historical risk value of the user; if so, determining the sum of the operation risk value and the historical risk value as a target risk value of the user; and if not, determining the operation risk value of the user as the target risk value of the user.
In one embodiment, the processor 501 is further configured to obtain user information of the user, and store the user information, the risk flag, and the target risk value in a database in an associated manner.
In one embodiment, the processor 501 is further configured to receive, through the communication interface 503, an access request of the user for a target application, where the access request includes user information of the user; obtain the risk mark matching the user information from the database; determine the risk level indicated by the risk mark; and execute an access control policy matching the risk level for the user.
In an embodiment, the risk level indicated by the risk mark is a first risk level, and the processor 501 is specifically configured to route the access request to a honeypot host corresponding to the target application; after it is detected that the honeypot host has been accessed, obtain the attack behavior of the user; and repair the target application based on the attack behavior.
In an embodiment, the risk level indicated by the risk mark is a second risk level, whose corresponding risk value is greater than or equal to a second risk threshold and smaller than a first risk threshold, and the processor 501 is specifically configured to route the access request to the target application and limit the user's access range within the target application according to a first preset restriction policy; detect the user's operation behavior on the designated platform within a first preset time length; and, if the user is detected to perform an operation behavior of the second risk level within the first preset time length, adjust the user's risk level from the second risk level to the first risk level.
It should be understood that, in the embodiment of the present invention, the processor 501 may be a Central Processing Unit (CPU), or another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 502 may include both read-only memory and random access memory, and provides instructions and data to the processor 501. A portion of the memory 502 may also include non-volatile random access memory. For example, the memory 502 may also store device type information.
In a specific implementation, the processor 501, the memory 502 and the communication interface 503 described in this embodiment of the present invention may perform the implementation described in the method embodiment of fig. 2 or fig. 3, or the implementation of the user behavior prediction apparatus described in this embodiment of the present invention, which is not repeated here.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
While the invention has been described with reference to a number of embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A user behavior anticipation method is characterized by comprising the following steps:
when detecting that a user accesses a specified platform, detecting the operation behavior of the user on the specified platform;
determining an operational risk value for the user based on the operational behavior;
determining a target risk value of the user according to the operation risk value, and determining a risk level of the user based on the target risk value;
adding a risk mark matching the risk level to the user.
2. The method of claim 1, wherein determining the operational risk value for the user based on the operational behavior comprises:
analyzing the operation behavior to obtain operation behavior information;
determining a target risk detection rule corresponding to the type of the specified platform according to the operation behavior information;
judging whether the operation behavior information contains preset key information of the target risk detection rule, wherein the preset key information is associated with a target application;
if so, determining the risk value corresponding to the target risk detection rule as the operation risk value of the user.
3. The method of claim 1 or 2, wherein determining the target risk value for the user from the operational risk value comprises:
detecting whether a historical risk value of the user is stored in a database;
if so, determining the sum of the operation risk value and the historical risk value as a target risk value of the user;
if not, determining the operation risk value of the user as the target risk value of the user.
4. The method of claim 1, wherein after adding a risk mark matching the risk level to the user, the method further comprises:
acquiring user information of the user, and storing the user information, the risk mark and the target risk value in a database in an associated manner.
5. The method of claim 4, wherein after storing the user information, the risk mark and the target risk value in the database in an associated manner, the method further comprises:
receiving an access request of the user for a target application, wherein the access request comprises user information of the user;
acquiring a risk mark matched with the user information from the database;
determining the risk level indicated by the risk mark, and executing an access control policy matching the risk level for the user.
6. The method of claim 5, wherein the risk level indicated by the risk mark is a first risk level, wherein a risk value corresponding to the first risk level is greater than or equal to a first risk threshold, and wherein executing the access control policy matching the risk level for the user comprises:
routing the access request to a honeypot host corresponding to the target application;
after it is detected that the honeypot host has been accessed, acquiring the attack behavior of the user;
repairing the target application based on the attack behavior.
7. The method of claim 5, wherein the risk level indicated by the risk mark is a second risk level, wherein a risk value corresponding to the second risk level is greater than or equal to a second risk threshold and less than a first risk threshold, and wherein executing the access control policy matching the risk level for the user comprises:
routing the access request to the target application, and limiting the access range of the user within the target application according to a first preset restriction policy;
detecting the operation behavior of the user on the specified platform within a first preset time length;
if the user is detected to perform an operation behavior of the second risk level within the first preset time length, adjusting the risk level of the user from the second risk level to the first risk level.
8. An apparatus for predicting user behavior, the apparatus comprising:
the detection module is used for detecting the operation behavior of a user on a specified platform when the user is detected to access the specified platform;
a processing module for determining an operational risk value for the user based on the operational behavior;
the processing module is further used for determining a target risk value of the user according to the operation risk value and determining a risk level of the user based on the target risk value;
a marking module for adding a risk mark matching the risk level to the user.
9. A server, comprising a processor and a memory, the processor and the memory being interconnected, wherein the memory is configured to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any one of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which is executed by a processor to implement the method of any one of claims 1-7.
CN201911195955.6A 2019-11-28 2019-11-28 User behavior prejudging method and related equipment Active CN111131166B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911195955.6A CN111131166B (en) 2019-11-28 2019-11-28 User behavior prejudging method and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911195955.6A CN111131166B (en) 2019-11-28 2019-11-28 User behavior prejudging method and related equipment

Publications (2)

Publication Number Publication Date
CN111131166A true CN111131166A (en) 2020-05-08
CN111131166B CN111131166B (en) 2022-06-21

Family

ID=70497057

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911195955.6A Active CN111131166B (en) 2019-11-28 2019-11-28 User behavior prejudging method and related equipment

Country Status (1)

Country Link
CN (1) CN111131166B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111625784A (en) * 2020-05-29 2020-09-04 重庆小雨点小额贷款有限公司 Anti-debugging method of application, related device and storage medium
CN111859374A (en) * 2020-07-20 2020-10-30 恒安嘉新(北京)科技股份公司 Method, device and system for detecting social engineering attack event

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160224781A1 (en) * 2015-01-30 2016-08-04 International Business Machines Corporation Risk-based credential management
CN109978547A (en) * 2017-12-28 2019-07-05 北京京东尚科信息技术有限公司 Risk behavior control method and system, equipment and storage medium
CN110020862A (en) * 2018-01-10 2019-07-16 中国移动通信有限公司研究院 A kind of business risk appraisal procedure, device and computer readable storage medium
CN110033120A (en) * 2019-03-06 2019-07-19 阿里巴巴集团控股有限公司 For providing the method and device that risk profile energizes service for trade company
CN110198313A (en) * 2019-05-23 2019-09-03 新华三信息安全技术有限公司 A kind of method and device of strategy generating
CN110458401A (en) * 2019-07-05 2019-11-15 深圳壹账通智能科技有限公司 Information processing unit, method and storage medium based on block chain

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111625784A (en) * 2020-05-29 2020-09-04 重庆小雨点小额贷款有限公司 Anti-debugging method of application, related device and storage medium
CN111625784B (en) * 2020-05-29 2023-09-12 重庆小雨点小额贷款有限公司 Anti-debugging method of application, related device and storage medium
CN111859374A (en) * 2020-07-20 2020-10-30 恒安嘉新(北京)科技股份公司 Method, device and system for detecting social engineering attack event
CN111859374B (en) * 2020-07-20 2024-03-19 恒安嘉新(北京)科技股份公司 Method, device and system for detecting social engineering attack event

Also Published As

Publication number Publication date
CN111131166B (en) 2022-06-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant