CN112163198A - Host login security detection method, system, device and storage medium

Info

Publication number: CN112163198A
Application number: CN202010918943.8A
Authority: CN (China)
Prior art keywords: login, user, host, behavior, event
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 王磊, 徐良, 安吉旺, 陈泽杰, 温庆亮, 李文俊
Current Assignee: Guangzhou Jn Union Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Guangzhou Jn Union Technology Co ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45 Structures or tools for the administration of authentication

Abstract

The invention discloses a method, system, device and storage medium for detecting the login security of a host. The method comprises the following steps: acquiring a host login event and a host operation log; obtaining user login information from the host login event and a user operation link from the host operation log; generating a user behavior portrait from the user login information and the user operation link; and determining the host login event to be an abnormal login event according to the user behavior portrait, and issuing an abnormal login alarm according to a preset host login alarm strategy. Because the user behavior portrait is constructed from the host login event and the host operation log, and whether the current host login event is abnormal is judged from that portrait, security detection also covers local logins and remote logins that bypass the management system; this improves the accuracy and comprehensiveness of host login security detection, safeguards host login security, and allows the method to be widely applied in the technical field of information security.

Description

Host login security detection method, system, device and storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a host login security detection method, a system, a device and a storage medium.
Background
Host accounts are used in many scenarios, and a host can be logged into in several ways: directly and locally, remotely through third-party software, or through an account management system that fills in the credentials on the user's behalf. Anyone who obtains an account password can log in to the host and operate it; the operating system then records only operations attributed to the account, so the operator cannot be identified even after a destructive operation.
Many bastion hosts, account management platforms and management service systems currently on the market can track and record operations performed when the host is logged into through the management system, but they cannot track or locate in real time a direct login to the host or an unauthorized remote login that bypasses the management system. If someone bypasses the management system and damages the host, the consequences for the service system running on it are disastrous. It is therefore necessary to record events in which the management system is bypassed and the host is logged into directly, to notify the administrator of abnormal operations in time, and to block dangerous operations.
The existing host login security detection methods have the following defects:
1) security detection is only possible for logins made through the management system; local logins and remote logins that bypass the management system cannot be detected;
2) host login events cannot be screened according to the authority that the user's operations require;
3) when an illegal operation occurs, only the account used for it can be located, so the illegal operation cannot be prevented when the same user switches to another account.
Terminology:
SPV: privileged account management system
MDAP: security big data module
User behavior portrait: a user portrait obtained by analyzing the user's login behavior and operation behavior on the host; it consists of tagged data descriptions of the login behavior and the operation behavior.
Disclosure of Invention
To solve the above technical problems, the present invention aims to provide a host login security detection method, system, device and storage medium that improve the accuracy and comprehensiveness of host login security detection and thereby safeguard host login security.
In one aspect, the technical solution adopted by the invention is as follows:
a host login security detection method comprises the following steps:
acquiring a host login event and a host operation log;
obtaining user login information according to the host login event, and obtaining a user operation link according to the host operation log;
generating a user behavior portrait according to the user login information and the user operation link;
and determining the host login event to be an abnormal login event according to the user behavior portrait, and issuing an abnormal login alarm according to a preset host login alarm strategy.
Further, the user login information comprises an account ID, an IP of a device to which the account belongs, a login client IP, a login mode, a login port, a login protocol and login time, wherein the login mode comprises local login, remote login and privileged account login.
Further, the step of obtaining a user operation link according to the host operation log specifically includes:
analyzing the host operation log through a big data module to obtain all user operations of the user;
traversing the user operations to obtain a jump sequence among the user operations;
and generating a user operation link according to the user operation and the jump sequence.
Further, the step of generating a user behavior portrait according to the user login information and the user operation link specifically includes:
acquiring a source address and a uniform resource identifier of the user operation, judging whether the source address of the current user operation is equal to the uniform resource identifier of the previous user operation in the user operation link, if so, dividing the current user operation and the previous user operation into a user operation behavior, otherwise, reestablishing the user operation behavior;
repeating the steps, dividing the user operation into a plurality of user operation behaviors, and adding a first user behavior label for each user operation behavior;
establishing a user login behavior according to the user login information, and adding a second user behavior tag to the user login behavior;
and generating a user behavior portrait according to the first user behavior label and the second user behavior label.
Further, the step of determining the host login event to be an abnormal login event according to the user behavior portrait, and issuing an abnormal login alarm according to a preset host login alarm strategy, specifically includes:
inputting the user behavior portrait into a pre-trained neural network model, and identifying to obtain the user authority of the user login behavior and the operation authority of the user operation behavior;
when the user authority is unauthorized, determining that the host login event is an abnormal login event, and issuing an unauthorized login alarm according to a preset host login alarm strategy;
and when the user authority is a first authority and the first authority is lower than the operation authority, determining that the host login event is an abnormal login event, and issuing an unauthorized operation alarm according to a preset host login alarm strategy.
Further, the host login alarm strategy comprises an alarm issuing mode and alarm content, the alarm issuing mode comprises mails and short messages, and the alarm content comprises the user login information, the user authority, the user operation link and the operation authority.
Further, the host login security detection method further comprises the following steps:
and terminating the user operation of the current user, logging out of the host, and storing the account ID of the current user, the IP of the equipment to which the account belongs and the IP of the login client.
The technical scheme adopted by the other aspect of the invention is as follows:
a host login security detection system, comprising:
the data acquisition module is used for acquiring a host login event and a host operation log;
the data processing module is used for obtaining user login information according to the host login event and obtaining a user operation link according to the host operation log;
the user behavior portrait generation module is used for generating a user behavior portrait according to the user login information and the user operation link;
and the alarm issuing module is used for determining the host login event to be an abnormal login event according to the user behavior portrait and issuing an abnormal login alarm according to a preset host login alarm strategy.
The technical scheme adopted by the other aspect of the invention is as follows:
a host login security detection device comprises:
at least one processor;
at least one memory for storing at least one program;
when the at least one program is executed by the at least one processor, the at least one processor is enabled to implement the host login security detection method.
The technical scheme adopted by the other aspect of the invention is as follows:
a computer-readable storage medium, in which a program executable by a processor is stored, the program executable by the processor being configured to perform the above-mentioned host login security detection method when executed by the processor.
The beneficial effects of the invention are as follows: the method, system, device and storage medium for host login security detection construct a user behavior portrait from the host login event and the host operation log and judge from that portrait whether the current host login event is an abnormal login event, so that security detection covers local logins and remote logins that bypass the management system; and because the user behavior portrait contains the user operation link, host login security can be detected according to the authority that the user's operations require. Together these improve the accuracy and comprehensiveness of host login security detection and safeguard host login security.
Drawings
FIG. 1 is a flowchart illustrating the steps of a host login security detection method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a host login security detection system according to an embodiment of the present invention;
FIG. 3 is a block diagram of a host login security detection apparatus according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and specific embodiments. The step numbers in the following embodiments are provided only for convenience of description; they impose no order on the steps, and the execution order of each step can be adapted by those skilled in the art.
In the description of the present invention, "a plurality" means more than two; where "first" and "second" are used, they serve only to distinguish technical features and neither indicate or imply relative importance nor the number or precedence of the features indicated. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the invention.
Referring to fig. 1, an embodiment of the present invention provides a host login security detection method, including the following steps:
S101, acquiring a host login event and a host operation log;
Specifically, the embodiment of the present invention uses the MDAP (security big data module) to obtain the host login event and the host operation log. Through a proxy service on the target server, the MDAP collects the operating system's account login log and operation log, so that subsequent analysis can derive the user login behavior and the user operation behavior.
S102, obtaining user login information according to a host login event, and obtaining a user operation link according to a host operation log;
Specifically, the user login information includes the login account, the account's device, the login client and related information; the user operation link is obtained by ordering all operations of the current user on the host and reflects the jump sequence of those operations, so that the user operation behavior can be analyzed and depicted. The step of obtaining the user operation link of the current user from the host operation log specifically includes the following steps:
a1, analyzing the host operation log through a big data module to obtain all user operations of the user;
a2, traversing user operations to obtain a jump sequence among the user operations;
and A3, generating a user operation link according to the user operation and the jump sequence.
Specifically, to construct the user operation link, all user operations are obtained by analyzing the host operation log through the MDAP, then the user operations are traversed to obtain the jump sequence between them, and the link is formed; the jump sequence can be determined from the time order of the user operations or from the logical relationship between their operation commands.
In the embodiment of the invention, the user operation link accurately reflects each operation the user performs after logging in to the host, which makes it convenient to judge, according to the authority the operations require, whether the login is abnormal.
Further as an optional implementation mode, the user login information includes an account ID, a device IP to which the account belongs, a login client IP, a login mode, a login port, a login protocol and a login time, and the login mode includes local login, remote login and privileged account login.
Specifically, the user login information is used for subsequently establishing user login behaviors, and the user login behaviors can be described in a labeling manner according to information such as an account ID, an equipment IP to which the account belongs, a login client IP, a login mode, a login port, a login protocol and login time, so that an accurate and comprehensive user behavior portrait can be obtained.
And S103, generating a user behavior portrait according to the user login information and the user operation link.
Specifically, the user behavior portrait in the embodiment of the present invention is obtained by analyzing the user's login behavior and operation behavior on the host; it consists of tagged data descriptions of the login behavior and the operation behavior. The portrait contains the tag of one user login behavior and the tags of several user operation behaviors, because a user may perform several operation behaviors after logging in to the host, and each operation behavior consists of several user operations; the user operations in the user operation link therefore have to be divided into operation behaviors, and each operation behavior is then tagged. Step S103 specifically includes the following steps:
S1031, obtaining the source address and the uniform resource identifier of each user operation, and judging whether the source address of the current user operation equals the uniform resource identifier of the previous user operation in the user operation link; if so, grouping the current user operation with the previous user operation into one user operation behavior, otherwise starting a new user operation behavior;
specifically, when the source address of the current user operation is the same as the uniform resource identifier of the previous user operation, it indicates that the current user operation and the previous user operation in the user operation link are continuous and associated user operations, and thus, the user operation is divided into a user operation behavior; when the source address of the current user operation is different from the uniform resource identifier of the previous user operation, it indicates that the current user operation and the previous user operation in the user operation link are continuous but not associated user operations, and therefore a new user operation behavior needs to be reestablished. In other words, when the source address of the current user operation is different from the uniform resource identifier of the last user operation, it indicates that the user generates a new operation behavior.
S1032, repeating the above step to divide the user operations into a plurality of user operation behaviors, and adding a first user behavior tag to each user operation behavior;
Specifically, tagging a user operation behavior means adding a user behavior tag to it; the first user behavior tag may be "browse", "store", "copy", "delete", "edit", "run" and the like, the specific tag being determined by the specific user operation behavior. The first user behavior tag is the main basis for deciding whether the user holds the operation permission that the behavior requires.
S1033, establishing a user login behavior according to the user login information, and adding a second user behavior tag for the user login behavior;
Specifically, the second user behavior tag may be the login mode, the login account ID or the IP address used, and the administrator may also configure several items of login information to be used as tags at the same time; the second user behavior tag is the main basis for deciding whether the user's login is legitimate.
And S1034, generating a user behavior portrait according to the first user behavior label and the second user behavior label.
In the embodiment of the invention, the user operation link is divided into a plurality of user operation behaviors according to the source address and the uniform resource identifier, then the user behavior labels are respectively added, and the user behavior labels of the user login behaviors are obtained according to the user login information, so that the labeling description of all behaviors of the user on the host can be obtained, and the accurate user behavior portrait can be obtained.
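Steps A1 to A3 (building the operation link from the host operation log) and S1031 to S1032 (dividing the link into operation behaviors and tagging them), as an added example that is not code from the patent or its assignee. The log line layout, the `src=`/`uri=` field names and the sample records are constructed assumptions; the jump sequence is taken from time order, which is one of the two options the description allows.

```python
# Added example (not the patent's code): builds the user operation link of steps
# A1-A3 from constructed host-operation log lines and then splits it into user
# operation behaviors with the source-address / URI rule of S1031-S1032.
# The log line layout and the "src="/"uri=" field names are assumptions.
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log: out of time order on purpose, with one malformed line
# and one record that belongs to another account.
SAMPLE_OPERATION_LOG = [
    "2020-09-01T10:00:05 alice browse src=/home/alice uri=/home/alice/docs",
    "2020-09-01T10:00:09 alice copy src=/home/alice/docs uri=/tmp/docs.bak",
    "2020-09-01T10:00:02 alice browse src=/ uri=/home/alice",
    "2020-09-01T10:00:30 bob browse src=/ uri=/var/log",
    "this line is not a valid operation record",
    "2020-09-01T10:01:00 alice edit src=/etc uri=/etc/hosts",
    "2020-09-01T10:01:30 alice run src=/etc/hosts uri=/usr/bin/systemctl",
]

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) src=(\S+) uri=(\S+)$")


@dataclass(frozen=True)
class UserOperation:
    time: str      # ISO-8601 timestamp; sorts correctly as a string
    account: str
    op: str        # operation kind, e.g. browse / copy / edit / run
    source: str    # source address the operation started from
    uri: str       # uniform resource identifier the operation acted on


@dataclass
class OperationBehavior:
    operations: List[UserOperation]

    @property
    def labels(self) -> Tuple[str, ...]:
        """First user behavior tags: the distinct operation kinds, in order seen."""
        seen: List[str] = []
        for o in self.operations:
            if o.op not in seen:
                seen.append(o.op)
        return tuple(seen)


def parse_operation_log(lines: List[str]) -> List[UserOperation]:
    """A1: parse the host operation log; malformed lines are skipped, not guessed."""
    ops = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            ops.append(UserOperation(*m.groups()))
    return ops


def build_operation_link(ops: List[UserOperation], account: str) -> List[UserOperation]:
    """A2-A3: the account's operations in jump (time) order form its operation link."""
    return sorted((o for o in ops if o.account == account), key=lambda o: o.time)


def split_into_behaviors(link: List[UserOperation]) -> List[OperationBehavior]:
    """S1031-S1032: an operation whose source equals the previous operation's URI
    continues the current behavior; otherwise a new behavior is started."""
    behaviors: List[OperationBehavior] = []
    for op in link:
        if behaviors and op.source == behaviors[-1].operations[-1].uri:
            behaviors[-1].operations.append(op)
        else:
            behaviors.append(OperationBehavior([op]))
    return behaviors


def portray(lines: List[str], account: str) -> List[Tuple[str, ...]]:
    """Log lines -> the account's list of first-user-behavior tag tuples."""
    link = build_operation_link(parse_operation_log(lines), account)
    return [b.labels for b in split_into_behaviors(link)]


if __name__ == "__main__":
    link = build_operation_link(parse_operation_log(SAMPLE_OPERATION_LOG), "alice")
    for i, b in enumerate(split_into_behaviors(link)):
        print(i, b.labels, [(o.time, o.op, o.source, o.uri) for o in b.operations])
```

On the sample, alice's five operations form two behaviors: the browse/browse/copy chain whose sources match the preceding URIs, and a separate edit/run chain that starts from an unrelated source address. Skipping malformed lines rather than guessing their fields keeps a corrupted record from silently joining or splitting a behavior.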
S104, determining the host login event as an abnormal login event according to the user behavior portrait, and issuing an abnormal login alarm according to a preset host login alarm strategy.
Specifically, the user behavior portrait already contains tagged descriptions of all of the user's behaviors on the host, so whether the current user's host login event is an abnormal login event can be analyzed quickly from the portrait, and an alarm is then issued according to the preset host login alarm strategy. In the embodiment of the invention, a neural network model is used to recognize the user behavior tags in the user behavior portrait. Step S104 specifically includes the following steps:
S1041, inputting the user behavior portrait into a pre-trained neural network model, and recognizing the user authority of the user login behavior and the operation authority of the user operation behavior;
Specifically, the neural network model is trained on the user behavior tags of all users who logged in to the host within a preset time period. After the user behavior portrait is input into the model, the user authority (the user's authority level) is obtained by recognizing the second user behavior tag: for example, from the account ID, login mode and IP address tags the user authority may be recognized as "unauthorized", "primary authority" or "secondary authority". The operation authority (the authority level the operation requires) is obtained by recognizing the first user behavior tag: for example, the "edit" tag may map to "secondary authority" and the "run" tag to "tertiary authority". When several first user behavior tags are present at the same time, the highest required permission level is taken as the operation authority; for example, the tags "edit" and "run" together yield "tertiary authority".
S1042, when the user authority is unauthorized, determining that the host login event is an abnormal login event, and issuing an unauthorized login alarm according to a preset host login alarm strategy;
Specifically, when the user authority is "unauthorized", the host login event can be judged directly to be an abnormal login event; the MDAP sends the relevant information of the host login event and the user behavior portrait to the SPV (privileged account management system), and the SPV issues an unauthorized login alarm according to the pre-configured host login alarm strategy;
S1043, when the user authority is a first authority and the first authority is lower than the operation authority, determining that the host login event is an abnormal login event, and issuing an unauthorized operation alarm according to a preset host login alarm strategy.
Specifically, when the user authority is "primary authority" and the operation authority is "secondary authority" (and likewise whenever the operation authority exceeds the user authority), the user's operation behavior on the host is not authorized and counts as a high-risk illegal operation. The MDAP then also sends the relevant information of the host login event and the user behavior portrait to the SPV, and the SPV issues an unauthorized operation alarm according to the preset host login alarm strategy.
In the embodiment of the invention, the user behavior portrait is identified through the neural network model, and whether login is authorized or not and whether operation is authorized or not can be accurately judged, so that the accuracy and comprehensiveness of host login safety detection are further improved.
Further as an optional implementation manner, the host login alarm policy includes an alarm issuing manner and alarm content, the alarm issuing manner includes a mail and a short message, and the alarm content includes user login information, user permission, a user operation link, and operation permission.
Specifically, the administrator pre-configures a working short message server and mail server so that short messages and mails can be sent; short message and mail notification templates are configured in the global configuration, and the template content can include details such as the login account, device, host, protocol used, port and client IP, as well as the user operation link, user authority and operation authority.
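The recognition and decision steps S1041 to S1043, together with the alarm content of the host login alarm policy described just above, as an added example that is not code from the patent or its assignee. The page recognizes authority with a pre-trained neural network; here that step is replaced by a lookup against a constructed stand-in for the SPV's authorization records (`ACCOUNT_LEVEL`, `ALLOWED_CLIENTS`). The authority required by tags other than "edit" and "run", the fail-closed treatment of unknown tags, the notification template wording and the sample logins are all assumptions.

```python
# Added example (not the patent's code): identifies user authority and operation
# authority from the behavior tags and applies the S1042/S1043 decision rule, then
# renders the alarm content of the host login alarm policy. The page uses a
# pre-trained neural network for the identification step; this example replaces it
# with an authorization lookup table (an assumption) so the logic runs offline.
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, Optional, Tuple

UNAUTHORIZED, PRIMARY, SECONDARY, TERTIARY = 0, 1, 2, 3
LEVEL_NAME = {UNAUTHORIZED: "unauthorized", PRIMARY: "primary",
              SECONDARY: "secondary", TERTIARY: "tertiary"}

# Operation authority required by each first user behavior tag. "edit" -> secondary
# and "run" -> tertiary are the page's own examples; the other values are assumptions.
OPERATION_AUTHORITY = {"browse": PRIMARY, "store": SECONDARY, "copy": SECONDARY,
                       "edit": SECONDARY, "delete": TERTIARY, "run": TERTIARY}

# Constructed stand-in for the SPV's authorization records (assumption): the level
# granted to each account, and the client IPs allowed to log in without the SPV.
ACCOUNT_LEVEL = {"alice": SECONDARY, "ops-admin": TERTIARY}
ALLOWED_CLIENTS = {"10.0.0.15"}


@dataclass(frozen=True)
class LoginInfo:
    """User login information fields listed on the page."""
    account_id: str
    device_ip: str
    client_ip: str
    login_mode: str   # "local", "remote" or "privileged" (login through the SPV)
    port: int
    protocol: str
    login_time: str


@dataclass(frozen=True)
class Alarm:
    kind: str                   # "unauthorized_login" or "unauthorized_operation"
    content: Dict[str, object]  # alarm content per the host login alarm policy


def identify_user_authority(login: LoginInfo) -> int:
    """Stand-in for recognizing the second user behavior tags (account ID, login
    mode, IP): logins through the SPV take the account's level; local and remote
    logins that bypass the SPV are honoured only from an allowed client IP."""
    level = ACCOUNT_LEVEL.get(login.account_id, UNAUTHORIZED)
    if login.login_mode == "privileged" or login.client_ip in ALLOWED_CLIENTS:
        return level
    return UNAUTHORIZED


def identify_operation_authority(behavior_labels: Iterable[Tuple[str, ...]]) -> int:
    """Highest level required by any tag (the page takes the highest when several tags
    coexist). An unknown tag is treated as tertiary so the check fails closed (assumption)."""
    required = PRIMARY
    for labels in behavior_labels:
        for tag in labels:
            required = max(required, OPERATION_AUTHORITY.get(tag, TERTIARY))
    return required


def detect(login: LoginInfo, behavior_labels: Iterable[Tuple[str, ...]],
           operation_link: Iterable[str]) -> Optional[Alarm]:
    """S1042: unauthorized user -> unauthorized login alarm.
    S1043: user authority below the operation authority -> unauthorized operation alarm.
    Otherwise the login event is normal and None is returned."""
    user_auth = identify_user_authority(login)
    op_auth = identify_operation_authority(behavior_labels)
    content = {**asdict(login),
               "user_authority": LEVEL_NAME[user_auth],
               "operation_link": " -> ".join(operation_link),
               "operation_authority": LEVEL_NAME[op_auth]}
    if user_auth == UNAUTHORIZED:
        return Alarm("unauthorized_login", content)
    if user_auth < op_auth:
        return Alarm("unauthorized_operation", content)
    return None


# Mail / short-message notification template; the wording is an assumption.
ALARM_TEMPLATE = ("[{kind}] account={account_id} device={device_ip} client={client_ip} "
                  "mode={login_mode} {protocol}/{port} at {login_time}; "
                  "user authority={user_authority}, operation authority={operation_authority}; "
                  "link={operation_link}")


def render_alarm(alarm: Alarm) -> str:
    """Fill the notification template with the alarm content."""
    return ALARM_TEMPLATE.format(kind=alarm.kind, **alarm.content)


if __name__ == "__main__":
    login = LoginInfo("alice", "10.0.0.5", "203.0.113.9", "remote", 22, "ssh",
                      "2020-09-01T10:00:00")
    alarm = detect(login, [("browse", "copy")], ["browse", "copy"])
    print(render_alarm(alarm) if alarm else "normal login event")
```

Two design points carry over from the description: the operation authority is the maximum over all tags, so a single "run" inside an otherwise harmless session raises the whole event to tertiary; and the unauthorized-login check runs before the authority comparison, so a login from an unexpected client is alarmed even when its operations would be within the account's level.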
As a further optional implementation manner, the host login security detection method further includes the following steps:
and terminating the user operation of the current user, logging out of the host, and storing the account ID of the current user, the IP of the equipment to which the account belongs and the IP of the login client.
Specifically, once the host login event has been determined to be an abnormal login event, the current user's operations are terminated immediately and the user is logged out of the host, so that the high-risk operation is blocked in time; at the same time the current user's account ID, the IP of the device to which the account belongs and the login client IP are stored, which allows continued monitoring and prevents the user from logging in to the host again under a different account or IP address.
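The response step above (terminate, log out, store the three identifiers, keep monitoring), as an added example that is not code from the patent or its assignee. It keeps the stored identifiers in a simple in-memory store and flags any later login that shares an account ID, device IP or client IP with a blocked one, which is what lets the same operator be caught after changing account or address. The `terminate` callback stands in for the real session termination, and the sample logins are constructed.

```python
# Added example (not the patent's code): the block-and-remember response described
# above. A terminated abnormal login's account ID, device IP and client IP are
# stored, and every later login is screened against all three so that a change of
# account or client address alone does not evade monitoring. The terminate()
# callback is a stand-in for the real session termination (assumption).
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class LoginIdentity:
    """The three identifiers the description says are stored."""
    account_id: str
    device_ip: str
    client_ip: str


class BlockedLoginStore:
    """Identifiers of terminated abnormal logins, kept for continued monitoring."""

    def __init__(self) -> None:
        self.accounts: Set[str] = set()
        self.device_ips: Set[str] = set()
        self.client_ips: Set[str] = set()

    def record(self, identity: LoginIdentity) -> None:
        self.accounts.add(identity.account_id)
        self.device_ips.add(identity.device_ip)
        self.client_ips.add(identity.client_ip)

    def matches(self, identity: LoginIdentity) -> List[str]:
        """Names of the identifiers a new login shares with a blocked one (empty = none)."""
        hits = []
        if identity.account_id in self.accounts:
            hits.append("account_id")
        if identity.device_ip in self.device_ips:
            hits.append("device_ip")
        if identity.client_ip in self.client_ips:
            hits.append("client_ip")
        return hits


def block_abnormal_login(identity: LoginIdentity, store: BlockedLoginStore,
                         terminate: Callable[[str], None]) -> None:
    """Terminate the user's operations and log the account out, then store its identifiers."""
    terminate(identity.account_id)
    store.record(identity)


def screen_login(identity: LoginIdentity, store: BlockedLoginStore) -> Dict[str, object]:
    """Pre-check a new login: a hit on any stored identifier marks it as suspect
    before its operation link is analysed at all."""
    hits = store.matches(identity)
    return {"suspect": bool(hits), "matched_on": hits}


if __name__ == "__main__":
    store = BlockedLoginStore()
    block_abnormal_login(LoginIdentity("alice", "10.0.0.5", "203.0.113.9"), store,
                         lambda acct: print("terminated session of", acct))
    # Same client address, different account: still flagged.
    print(screen_login(LoginIdentity("bob", "10.0.0.7", "203.0.113.9"), store))
```

Matching on all three identifiers independently is what closes defect 3 from the background section: an operator who is blocked under one account and returns under another from the same client, or from the same device under a new address, is still tied back to the earlier event.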
Optionally, when an account logs in to the host, the MDAP sends the local login and unauthorized remote login information it has collected from the user login behavior to the SPV; the SPV records the event from the content sent by the MDAP and notifies the device administrator through the configured host login alarm policy by short message or email, so that whenever an account login to a host occurs the administrator can check whether the login is authorized and prevent data leakage or damage caused by illegal operations. By analyzing the system log, the MDAP distinguishes account local logins, unauthorized remote logins and logins authorized through the SPV, analyzes the big data information and can accurately generate the user behavior portrait; through this behavior analysis and the host login alarm events configured by the user, the host administrator is informed of risky login events, the host is protected from damage caused by password leakage and the like, and timely response and blocking are achieved.
The embodiment of the invention provides a host login security detection method that constructs a user behavior portrait from the host login event and the host operation log and judges from that portrait whether the current host login event is an abnormal login event, so that security detection can be performed on local logins and on remote logins that bypass the management system; and because the user behavior portrait contains the user operation link, host login security can be detected according to the authority that the user's operations require, which improves the accuracy and comprehensiveness of host login security detection and safeguards host login security.
Compared with the traditional host login security detection method, the embodiment of the invention has the following advantages:
1) the system can perform security detection on local login and remote login bypassing the management system, and can also discriminate host login events according to the authority requirements of user operation;
2) through MDAP big data analysis, an accurate user behavior portrait is generated, whether a login event is an abnormal event or not can be automatically judged, and when abnormal login or abnormal operation exists, risk blocking can be automatically and timely carried out;
3) the administrator can also configure notification strategies for all login events of the sensitive accounts according to own wishes, and when abnormal behaviors occur, the system informs the administrator of the host in real time to monitor the security of the host account in real time;
4) the login mode alarm notification can be customized, and selectable login modes comprise direct login to a host, unauthorized remote login, authorized remote login through the SPV and SPV user login.
Referring to fig. 2, an embodiment of the present invention provides a host login security detection system, including:
the data acquisition module is used for acquiring a host login event and a host operation log;
the data processing module is used for obtaining user login information according to the host login event and obtaining a user operation link according to the host operation log;
the user behavior portrait generating module is used for generating a user behavior portrait according to the user login information and the user operation link;
and the alarm issuing module is used for determining the host login event as an abnormal login event according to the user behavior portrait and issuing an abnormal login alarm according to a preset host login alarm strategy.
The contents in the above method embodiments are all applicable to the present system embodiment, the functions specifically implemented by the present system embodiment are the same as those in the above method embodiment, and the beneficial effects achieved by the present system embodiment are also the same as those achieved by the above method embodiment.
Referring to fig. 3, an embodiment of the present invention further provides a host login security detection apparatus, including:
at least one processor;
at least one memory for storing at least one program;
when the at least one program is executed by the at least one processor, the at least one processor is enabled to implement the host login security detection method.
The contents in the above method embodiments are all applicable to the present apparatus embodiment, the functions specifically implemented by the present apparatus embodiment are the same as those in the above method embodiments, and the advantageous effects achieved by the present apparatus embodiment are also the same as those achieved by the above method embodiments.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, in which a processor-executable program is stored, and the processor-executable program is used to execute the above-mentioned host login security detection method when being executed by a processor.
It should be recognized that embodiments of the present invention can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The above-described methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, the operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
Further, the above-described methods may be implemented in any type of computing platform operatively connected to a suitable connection, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the invention may be embodied in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically read and/or write storage medium, RAM, ROM, or the like, such that it may be read by a programmable computer, which when read by the storage medium or device, is operative to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein.
A computer program can be applied to input data to perform the functions described herein to transform the input data to generate output data that is stored to non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
The above description is only a preferred embodiment of the present invention, and the present invention is not limited to the above embodiment, and any modifications, equivalent substitutions, improvements, etc. within the spirit and principle of the present invention should be included in the protection scope of the present invention as long as the technical effects of the present invention are achieved by the same means. The invention is capable of other modifications and variations in its technical solution and/or its implementation, within the scope of protection of the invention.

Claims (10)

1. A host login security detection method is characterized by comprising the following steps:
acquiring a host login event and a host operation log;
obtaining user login information according to the host login event, and obtaining a user operation link according to the host operation log;
generating a user behavior portrait according to the user login information and the user operation link;
and determining the host login event as an abnormal login event according to the user behavior portrait, and issuing an abnormal login alarm according to a preset host login alarm strategy.
2. The host login security detection method of claim 1, wherein: the user login information comprises an account ID, an IP of a device to which the account belongs, a login client IP, a login mode, a login port, a login protocol and login time, wherein the login mode comprises local login, remote login and privileged account login.
3. The method according to claim 1, wherein the step of obtaining the user operation link according to the host operation log specifically comprises:
analyzing the host operation log through a big data module to obtain all user operations of the user;
traversing the user operations to obtain a jump sequence among the user operations;
and generating a user operation link according to the user operation and the jump sequence.
4. The method as claimed in claim 3, wherein the step of generating a user behavior portrait according to the user login information and the user operation link comprises:
acquiring a source address and a uniform resource identifier of each user operation, and judging whether the source address of the current user operation is equal to the uniform resource identifier of the previous user operation in the user operation link; if so, assigning the current user operation and the previous user operation to the same user operation behavior, otherwise, starting a new user operation behavior;
repeating the above step to divide the user operations into a plurality of user operation behaviors, and adding a first user behavior label to each user operation behavior;
establishing a user login behavior according to the user login information, and adding a second user behavior tag to the user login behavior;
and generating a user behavior portrait according to the first user behavior label and the second user behavior label.
5. The method according to claim 4, wherein the step of determining the host login event as an abnormal login event according to the user behavior portrait and issuing an abnormal login alarm according to a preset host login alarm policy specifically comprises:
inputting the user behavior portrait into a pre-trained neural network model, and identifying to obtain the user authority of the user login behavior and the operation authority of the user operation behavior;
when the user authority is unauthorized, determining that the host login event is an abnormal login event, and issuing an unauthorized login alarm according to a preset host login alarm strategy;
and when the user authority is a first authority and the first authority is lower than the operation authority, determining that the host login event is an abnormal login event, and issuing an unauthorized operation alarm according to a preset host login alarm strategy.
6. The host login security detection method of claim 5, wherein: the host login alarm strategy comprises an alarm issuing mode and alarm content, the alarm issuing mode comprises mails and short messages, and the alarm content comprises the user login information, the user authority, the user operation link and the operation authority.
7. The host login security detection method of any one of claims 1 to 6, wherein the host login security detection method further comprises the following steps:
and terminating the user operation of the current user, logging out of the host, and storing the account ID of the current user, the IP of the equipment to which the account belongs and the IP of the login client.
8. A host login security detection system, comprising:
the data acquisition module is used for acquiring a host login event and a host operation log;
the data processing module is used for obtaining user login information according to the host login event and obtaining a user operation link according to the host operation log;
the user behavior portrait generation module is used for generating a user behavior portrait according to the user login information and the user operation link;
and the alarm issuing module is used for determining the host login event as an abnormal login event according to the user behavior portrait and issuing an abnormal login alarm according to a preset host login alarm strategy.
9. A host login security detection device, comprising:
at least one processor;
at least one memory for storing at least one program;
when executed by the at least one processor, the at least one program causes the at least one processor to implement a host login security detection method as claimed in any one of claims 1 to 7.
10. A computer readable storage medium having stored therein a program executable by a processor, wherein the program executable by the processor is adapted to perform a host login security detection method as claimed in any one of claims 1 to 7 when executed by the processor.
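The behaviour-splitting rule of claim 4 and the two alarm conditions of claim 5, worked through on a constructed operation log. This is an added example, not code from the patent: the log fields, URIs, account name and the authority tables are assumptions, and a prefix lookup table stands in for the pre-trained neural network the claims describe.

```python
# Constructed sample data; field names and values are assumptions, not the patent's.
LOGIN_EVENT = {"account": "ops01", "client_ip": "10.0.0.5", "mode": "remote", "port": 22}
OPERATION_LOG = [  # time-ordered (source address, requested URI) pairs
    ("", "/login"),
    ("/login", "/dashboard"),
    ("/dashboard", "/reports"),
    ("", "/admin/users"),  # source does not chain to /reports: new behaviour
    ("/admin/users", "/admin/users/delete"),
]
# Rule-based stand-in for the patent's pre-trained model: authority required
# per URI prefix (first match wins, so the catch-all "/" comes last) and the
# authority granted to each account (missing account = unauthorized login).
OPERATION_AUTHORITY = {"/admin": 3, "/reports": 2, "/": 1}
USER_AUTHORITY = {"ops01": 2}

def build_operation_link(log):
    """Claim 3: traverse the log and return the jump sequence in time order."""
    return [(src, uri) for src, uri in log]

def split_behaviours(link):
    """Claim 4: chain an operation to the previous one when its source address
    equals the previous URI; otherwise start a new user operation behaviour."""
    behaviours, current, prev_uri = [], [], None
    for src, uri in link:
        if current and src != prev_uri:
            behaviours.append(current)
            current = []
        current.append(uri)
        prev_uri = uri
    if current:
        behaviours.append(current)
    return behaviours

def required_authority(uri):
    """Operation authority of one URI under the stand-in lookup table."""
    return next(lvl for pre, lvl in OPERATION_AUTHORITY.items() if uri.startswith(pre))

def detect(login_event, log):
    """Claim 5: return (is_abnormal, alarm_kind, behaviours). The alarm kind
    distinguishes an unauthorized account from an account whose login
    authority is lower than the authority its operations require."""
    behaviours = split_behaviours(build_operation_link(log))
    user_auth = USER_AUTHORITY.get(login_event["account"])
    if user_auth is None:
        return True, "unauthorized_login", behaviours
    for behaviour in behaviours:
        if user_auth < max(required_authority(u) for u in behaviour):
            return True, "unauthorized_operation", behaviours
    return False, None, behaviours
```

On the sample log the first three requests chain into one behaviour and the two /admin requests into a second; the account's authority of 2 is below the 3 that the second behaviour requires, so the login event is flagged with an unauthorized operation alarm.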
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010918943.8A CN112163198A (en) 2020-09-04 2020-09-04 Host login security detection method, system, device and storage medium

Publications (1)

Publication Number Publication Date
CN112163198A true CN112163198A (en) 2021-01-01

Family

ID=73857658

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010918943.8A Pending CN112163198A (en) 2020-09-04 2020-09-04 Host login security detection method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN112163198A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113377718A (en) * 2021-05-24 2021-09-10 石化盈科信息技术有限责任公司 Log information processing method and device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6405318B1 (en) * 1999-03-12 2002-06-11 Psionic Software, Inc. Intrusion detection system
CN107959673A (en) * 2017-11-17 2018-04-24 广东省信息安全测评中心 Abnormal login detecting method, device, storage medium and computer equipment
CN110166529A (en) * 2019-04-16 2019-08-23 平安普惠企业管理有限公司 It keeps logging in state method, apparatus, equipment and storage medium
CN111107072A (en) * 2019-12-11 2020-05-05 中国科学院信息工程研究所 Authentication graph embedding-based abnormal login behavior detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination