CN112165488A - Risk assessment method, device and equipment and readable storage medium - Google Patents

Risk assessment method, device and equipment and readable storage medium

Info

Publication number: CN112165488A
Application number: CN202011040499.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 龙文洁, 聂桂兵, 莫金友
Current assignee: Hangzhou Anheng Information Security Technology Co Ltd
Original assignee: Hangzhou Anheng Information Security Technology Co Ltd
Application filed by Hangzhou Anheng Information Security Technology Co Ltd
Priority to CN202011040499.0A
Publication of CN112165488A

Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/14, detecting or protecting against malicious traffic, and H04L 63/1408, by monitoring network traffic)
    • H04L 63/083 Authentication of entities using passwords (under H04L 63/08, authentication of entities)
    • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/14 and H04L 63/1408)

Abstract

The application discloses a risk assessment method, device, equipment and readable storage medium. The method comprises: acquiring traffic data generated by a user accessing a target application, the user having been authenticated by an identity authentication server; determining a risk assessment strategy corresponding to the target application, the strategy being able to identify any one or combination of abnormal login behavior, abnormal devices, abnormal access behavior and malicious attack behavior; and analyzing the traffic data according to the risk assessment strategy to obtain a risk assessment result. The method and device reduce the difficulty and complexity of the analysis process and improve the efficiency and accuracy of risk assessment. The risk assessment device, equipment and readable storage medium provided by the application have the same technical effects.

Description

Risk assessment method, device and equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a risk assessment method, apparatus, device, and readable storage medium.
Background
At present, the security of an intranet is protected by means such as firewalls, and data generated within the intranet is analyzed to assess its risk. However, when security risk is assessed in this way, a large amount of useless data is collected, which increases the difficulty and complexity of data analysis; the redundant data also obstructs the discovery of threats to the system, so the efficiency and accuracy of risk assessment are low.
Therefore, how to improve the efficiency and accuracy of risk assessment is a problem to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, an object of the present application is to provide a risk assessment method, apparatus, device and readable storage medium, so as to improve the efficiency and accuracy of risk assessment. The specific scheme is as follows:
in a first aspect, the present application provides a risk assessment method, comprising:
acquiring traffic data generated by a user accessing a target application, the user having been authenticated by an identity authentication server;
determining a risk assessment strategy corresponding to the target application, the risk assessment strategy being able to identify any one or combination of abnormal login behavior, abnormal devices, abnormal access behavior and malicious attack behavior;
and analyzing the traffic data according to the risk assessment strategy to obtain a risk assessment result.
Preferably, the identity authentication server authenticates the identity of the user in a two-factor authentication manner.
Preferably, the identity authentication server authenticates the identity of the user by adopting a two-factor authentication mode, including:
the identity authentication server acquires a static password and a dynamic password input by a user, generates user identity information according to the static password and the dynamic password, and sends the user identity information to the user and the target application.
Preferably, if the risk assessment policy can identify abnormal login behavior, analyzing the traffic data according to the risk assessment policy to obtain a risk assessment result includes:
extracting, from the traffic data, the IP address and the time point at which the user logs in to the target application;
and if the IP address and/or the time point is abnormal, generating a risk assessment result that includes abnormal login behavior.
Preferably, if the risk assessment policy can identify an abnormal device, analyzing the traffic data according to the risk assessment policy to obtain a risk assessment result includes:
extracting, from the traffic data, the device fingerprint of the device with which the user logs in to the target application;
and if the device fingerprint is not stored in a preset fingerprint database, generating a risk assessment result that includes an abnormal device.
Preferably, if the risk assessment policy can identify abnormal access behavior, analyzing the traffic data according to the risk assessment policy to obtain a risk assessment result includes:
extracting, from the traffic data, the operation mode, access duration and access directory of the user's access to the target application;
and if the operation mode, the access duration and/or the access directory do not match the user's historical access record, generating a risk assessment result that includes abnormal access behavior.
Preferably, if the risk assessment policy can identify malicious attack behavior, analyzing the traffic data according to the risk assessment policy to obtain a risk assessment result includes:
analyzing the traffic data with a logistic regression algorithm, a naive Bayes algorithm, a kNN algorithm or an SVM (support vector machine) to obtain a risk assessment result that includes the malicious attack behavior.
In a second aspect, the present application provides a risk assessment device comprising:
an acquisition module for acquiring traffic data generated by a user accessing a target application, the user having been authenticated by an identity authentication server;
a determining module for determining a risk assessment strategy corresponding to the target application, the risk assessment strategy being able to identify any one or combination of abnormal login behavior, abnormal devices, abnormal access behavior and malicious attack behavior;
and an analysis module for analyzing the traffic data according to the risk assessment strategy to obtain a risk assessment result.
In a third aspect, the present application provides a risk assessment device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the risk assessment method disclosed in the foregoing.
In a fourth aspect, the present application provides a readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the risk assessment method disclosed above.
According to the above scheme, the risk assessment method comprises: acquiring traffic data generated by a user accessing a target application, the user having been authenticated by an identity authentication server; determining a risk assessment strategy corresponding to the target application, the strategy being able to identify any one or combination of abnormal login behavior, abnormal devices, abnormal access behavior and malicious attack behavior; and analyzing the traffic data according to the risk assessment strategy to obtain a risk assessment result.
In order to improve the accuracy and efficiency of risk assessment, the traffic data that is analyzed is generated only by users who have already been authenticated by the identity authentication server when they access the target application. Such traffic data is highly reliable and contains little redundant data, so identifying abnormal login behavior, abnormal devices, abnormal access behavior and malicious attack behavior from it yields a credible risk assessment result; the small amount of redundant data also reduces the difficulty and complexity of the analysis process and thus improves analysis efficiency. The risk assessment method and system can therefore improve both the efficiency and the accuracy of risk assessment.
Accordingly, the risk assessment device, the equipment and the readable storage medium provided by the application also have the technical effects.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a risk assessment method disclosed herein;
FIG. 2 is a schematic diagram of an identity authentication process disclosed herein;
FIG. 3 is a schematic illustration of a login process disclosed herein;
FIG. 4 is a schematic diagram illustrating malicious attack types disclosed herein;
FIG. 5 is a schematic view of a risk assessment device disclosed herein;
FIG. 6 is a schematic diagram of a risk assessment device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, a large amount of useless data is collected when security risk is assessed, which increases the difficulty and complexity of data analysis; the redundant data also obstructs the discovery of threats to the system, so the efficiency and accuracy of risk assessment are low. The present application therefore provides a risk assessment scheme that can improve the efficiency and accuracy of risk assessment.
Referring to fig. 1, an embodiment of the present application discloses a risk assessment method, including:
S101: acquiring traffic data generated by a user accessing a target application, the user having been authenticated by the identity authentication server.
It should be noted that the target application is any one of the many applications in the intranet, and users accessing these applications must first be authenticated by the identity authentication server. The authentication mode can be chosen flexibly, for example single sign-on authentication or two-factor authentication; for the specific implementation of these authentication methods, reference may be made to the related prior art.
In one embodiment, the identity authentication server authenticates the user with two-factor authentication, as follows: the identity authentication server acquires the static password and the dynamic password entered by the user, generates user identity information from the static password and the dynamic password, and sends the user identity information to both the user and the target application. After authentication is complete, the user carries this identity information when accessing the target application, so the target application can check whether the identity information carried by the user matches the identity information sent to it by the identity authentication server: if it matches, the user can access the target application normally; otherwise the user cannot access it. Traffic data generated by such a user accessing the target application is therefore trusted data.
The user may send the static password and the dynamic password to the identity authentication server before accessing the target application, completing authentication first. Alternatively, the user may access the target application first; because the user is not yet authenticated, the access is redirected to the identity authentication server so that authentication can be completed.
S102: determining the risk assessment strategy corresponding to the target application; the strategy can identify any one or combination of abnormal login behavior, abnormal devices, abnormal access behavior and malicious attack behavior.
Because the target application is any one of the many applications in the intranet and different target applications may have different risk assessment strategies, the strategy corresponding to the target application the user is accessing must be determined first; the traffic data can then be analyzed according to that strategy.
S103: analyzing the traffic data according to the risk assessment strategy to obtain a risk assessment result.
The risk assessment strategy can identify several kinds of abnormal situation, and each requires a different analysis means. If the strategy can identify abnormal login behavior, analyzing the traffic data according to the strategy includes: extracting, from the traffic data, the IP address and the time point at which the user logged in to the target application; and if the IP address and/or the time point is abnormal, generating a risk assessment result that includes abnormal login behavior. For example, if the IP address from which the user logged in to the target application is stored in a database of abnormal IP addresses, the IP address is considered abnormal; and if the user logged in to the target application between 2:00 and 4:00 in the morning but the user's historical login records contain no access to the target application in that period, the time point can be considered abnormal.
In a specific embodiment, if the risk assessment strategy can identify abnormal devices, analyzing the traffic data according to the strategy includes: extracting, from the traffic data, the device fingerprint of the device with which the user logged in to the target application; and if the device fingerprint is not stored in the preset fingerprint database, generating a risk assessment result that includes an abnormal device. The preset fingerprint database records the device fingerprint of each device a user has used after identity authentication, so if the fingerprint of the device used to log in to the target application is not in the database, the device currently used to log in can be considered an abnormal device.
In a specific embodiment, if the risk assessment strategy can identify abnormal access behavior, analyzing the traffic data according to the strategy includes: extracting, from the traffic data, the operation mode, access duration and access directory of the user's access to the target application; and if the operation mode, the access duration and/or the access directory do not match the user's historical access record, generating a risk assessment result that includes abnormal access behavior. The operation mode is, for example, whether the user switches between input fields with the Tab key or with the mouse. When the user behaves in a way that violates their own habits, abnormal access behavior can be preliminarily assumed. At this point the user can be further verified, for example by popping up a verification window and requiring the user to act according to its instructions.
In a specific embodiment, if the risk assessment strategy can identify malicious attack behavior, analyzing the traffic data according to the strategy includes: analyzing the traffic data with a logistic regression algorithm, a naive Bayes algorithm, a kNN algorithm or an SVM (support vector machine) to obtain a risk assessment result that includes the malicious attack behavior. The known characteristics of various malicious attacks can be learned with a logistic regression, naive Bayes, kNN or SVM algorithm; if the traffic data contains characteristics similar to these, it can be considered to contain malicious attack behavior, and information such as the type of the malicious attack behavior can be determined specifically.
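The three rule-based branches of S103 (abnormal login, abnormal device, abnormal access behavior) applied per target application, as an added Python example that is not the patent's or the applicant's own code. The user history, traffic records, per-application policies and the blocklisted address are constructed for illustration, and the fingerprint is a SHA-256 digest over device attributes of the kind the patent lists (model, screen resolution, operating system, time zone); the patent does not say how a fingerprint is computed, so that construction is an assumption.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data for this example; not from the patent.
ABNORMAL_IPS = {"198.51.100.7"}        # stands in for the "abnormal IP address database"
POLICIES = {                           # risk assessment strategy per target application
    "hr-portal": {"login", "device", "access"},
    "wiki": {"login"},
}


def device_fingerprint(attrs: dict) -> str:
    """Stable fingerprint from canonicalised device attributes (assumed construction)."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


@dataclass
class UserHistory:
    login_hours: set        # hours of day at which the user has logged in before
    fingerprints: set       # this user's entries in the preset fingerprint database
    op_modes: set           # e.g. {"tab"} if the user always tabs between input fields
    directories: set        # directories the user has accessed before
    max_duration_s: int     # longest previous access duration


@dataclass
class TrafficRecord:
    user: str
    app: str
    ip: str
    hour: int
    device: dict
    op_mode: str
    duration_s: int
    directory: str


def assess(record: TrafficRecord, history: UserHistory) -> list:
    """Apply the target application's strategy to one record; return the findings."""
    findings = []
    policy = POLICIES.get(record.app, set())
    if "login" in policy and (record.ip in ABNORMAL_IPS
                              or record.hour not in history.login_hours):
        findings.append("abnormal login behavior")
    if "device" in policy and device_fingerprint(record.device) not in history.fingerprints:
        findings.append("abnormal device")
    if "access" in policy and (record.op_mode not in history.op_modes
                               or record.duration_s > history.max_duration_s
                               or record.directory not in history.directories):
        findings.append("abnormal access behavior")
    return findings


# Constructed history and records for user "alice".
KNOWN_DEVICE = {"model": "MATE 30", "resolution": "2436x1125", "os": "EMUI 10", "tz": "Asia/Shanghai"}
ALICE = UserHistory(
    login_hours=set(range(8, 19)),
    fingerprints={device_fingerprint(KNOWN_DEVICE)},
    op_modes={"tab"},
    directories={"/hr/payslips", "/hr/leave"},
    max_duration_s=1800,
)
NORMAL = TrafficRecord("alice", "hr-portal", "10.1.2.3", 10, KNOWN_DEVICE, "tab", 600, "/hr/payslips")
SUSPICIOUS = TrafficRecord("alice", "hr-portal", "198.51.100.7", 3,
                           dict(KNOWN_DEVICE, model="unknown"), "mouse", 5400, "/hr/export")

if __name__ == "__main__":
    print(assess(NORMAL, ALICE))      # []
    print(assess(SUSPICIOUS, ALICE))  # all three findings
```

The same suspicious record against the "wiki" application yields only the login finding, because that application's strategy does not include device or access-behavior checks; this is how the per-application strategy of S102 selects which branches of S103 run.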
In order to improve the accuracy and efficiency of risk assessment, the traffic data that is analyzed is generated only by users who have already been authenticated by the identity authentication server when they access the target application. Such traffic data is highly reliable and contains little redundant data, so identifying abnormal login behavior, abnormal devices, abnormal access behavior and malicious attack behavior from it yields a credible risk assessment result, and the small amount of redundant data reduces the difficulty and complexity of the analysis process, improving analysis efficiency. The risk assessment method and system can therefore improve the efficiency and accuracy of risk assessment.
An embodiment of the application discloses a risk assessment scheme with two parts: constructing a unified two-factor authentication system, and risk perception.
1. Constructing a unified two-factor authentication system.
nginx is used as a directional proxy: the first access request a user sends to each application is redirected to the identity authentication server.
Referring to FIG. 2, the identity authentication server provides a login interface accessed with a GET request, and the user reaches it through the redirect. If the user is not logged in, a login page is returned and the user enters an account name and password to log in. If the user is already logged in, an encrypted token is generated and the user is redirected to an interface provided by the application that verifies the token; after decryption and verification, the user is logged in to the application. When the user logs in to other applications, the token returned by the identity authentication server (stored in a cookie) is carried along.
In the authentication process, the first factor used by the system is something only the user knows, namely a static password; the second factor is a token that only the user possesses, which generates a dynamic password that changes and can be used only once. The token can be designed in various forms convenient for the user to carry. When entering the password, the user first enters the static password from memory and then the dynamic password generated on the token in their possession.
Referring to FIG. 3, during the user login process the server and the client compute a six-digit check code with the same hash algorithm. If the check codes computed by the client and the server are identical, verification passes.
By logging in to the identity authentication server (that is, the two-factor authentication system) only once, the user can access all mutually trusting applications, so the user is not disturbed by repeated logins, and development efficiency is improved. The unified two-factor authentication system provides developers with a general identity verification framework, so they no longer need to worry about identity verification; it also simplifies management and reduces the burden of account management. The accounts used by users are managed centrally, and each access subject is given a unique identity within a system with a defined boundary.
Different users have different access rights to the respective applications. For example, user A has only read rights to application A, and user B has only write rights to application B. To realize such differentiated access rights, the access rights of a given user to a given application are determined first; after the user is authenticated, the user's identity information is associated with the application and the corresponding access rights, so that access rights and identity authentication are controlled jointly.
2. Risk perception.
Risk control is applied to accounts that have been authenticated, and risk assessment is performed per account, so that data of accounts that failed authentication is not analyzed.
After authentication succeeds, account risk control can be performed on the trusted traffic. The assessed content includes but is not limited to abnormal login behavior discovery, abnormal device discovery, abnormal access behavior discovery and malicious attack behavior discovery; these can all be identified together or in any combination.
(1) Anomaly discovery:
During risk control, the first thing to understand is anomaly discovery. This is not because it is the simplest; rather, most of the time anomaly discovery is the starting point of risk control, and it is a very important step: a large number of the systems, algorithms and time spent on risk control relate to anomaly discovery.
Traffic data in a certain time dimension is collected, such as login IP, login time, access volume and daily behavior. Many kinds of anomaly can appear in it, for example a sudden attempt in the early morning to access an unauthorized application, or too many failed verification requests the previous day.
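The two-factor exchange described above, as an added Python example that is not the patent's or the applicant's code: the static password is checked against a salted hash, client and server derive the same six-digit check code from a shared token secret, each code is accepted only once, and the server issues signed identity information that the target application can check against what it receives. The patent names none of the primitives, so the HMAC-SHA1 counter construction (RFC 4226/6238) with a 30-second step, PBKDF2 for the static password, the one-window skew tolerance and the HMAC-SHA256 identity token are all assumptions made here; the key and secrets are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # assumed time step for the dynamic password (not from the patent)


def dynamic_password(token_secret: bytes, counter: int) -> str:
    """Six-digit check code: HMAC-SHA1 over the counter, truncated as in RFC 4226."""
    mac = hmac.new(token_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def counter_for(timestamp: int) -> int:
    """Both the user's token and the server derive the counter from the same clock."""
    return timestamp // STEP_SECONDS


class AuthServer:
    """Identity authentication server: static password plus token-generated dynamic password."""

    def __init__(self, identity_key: bytes):
        self.identity_key = identity_key   # shared with the target applications (assumed)
        self.users = {}                    # username -> (pw_hash, salt, token_secret)
        self.used = set()                  # (username, counter) pairs already consumed

    def enroll(self, username: str, static_password: str, token_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", static_password.encode(), salt, 100_000)
        self.users[username] = (pw_hash, salt, token_secret)

    def authenticate(self, username: str, static_password: str, code: str, now: int):
        """Return signed user identity information on success, None on failure."""
        record = self.users.get(username)
        if record is None:
            return None
        pw_hash, salt, token_secret = record
        candidate = hashlib.pbkdf2_hmac("sha256", static_password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return None
        current = counter_for(now)
        # Accept the current window and the previous one to tolerate clock skew,
        # but a code for a given (user, window) may be used only once.
        for ctr in (current, current - 1):
            if (username, ctr) in self.used:
                continue
            if hmac.compare_digest(dynamic_password(token_secret, ctr), code):
                self.used.add((username, ctr))
                return self._identity(username, now)
        return None

    def _identity(self, username: str, issued: int) -> dict:
        payload = f"{username}|{issued}".encode()
        sig = hmac.new(self.identity_key, payload, hashlib.sha256).hexdigest()
        return {"user": username, "issued": issued, "sig": sig}


def application_accepts(identity_key: bytes, identity: dict) -> bool:
    """Target application side: does the identity the user carries match what the server issued?"""
    payload = f"{identity['user']}|{identity['issued']}".encode()
    expected = hmac.new(identity_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, identity["sig"])


if __name__ == "__main__":
    key = b"constructed-shared-key"
    server = AuthServer(key)
    server.enroll("alice", "correct horse", b"constructed-token-secret")
    now = 1_700_000_000
    code = dynamic_password(b"constructed-token-secret", counter_for(now))
    ident = server.authenticate("alice", "correct horse", code, now)
    print("application accepts:", application_accepts(key, ident))   # True
    print("replay of same code:", server.authenticate("alice", "correct horse", code, now))  # None
```

The `used` set is what makes the dynamic password single-use as the text requires: presenting the same code a second time within its window fails even though the static password is correct.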
(2) Abnormal device identification:
The device fingerprint corresponding to the authenticated user (for example a UUID, an app fingerprint, an H5/JS fingerprint, etc.) is determined and recorded, with device information of the kind shown in Table 1. If the device fingerprint in the traffic data was not recorded in advance, that device fingerprint is considered abnormal, that is, the device is abnormal.
TABLE 1
Type of information   | Device information
Device model          | Huawei MATE 30
Screen resolution     | 2436×1125
Operating system      | EMUI 10
Carrier               | All-network (any carrier)
Time zone             | GMT+08:00, Asia/Shanghai
(3) Identifying the user's behavioral habits:
Large websites record user behavior such as browsing history, length of stay, password entry speed and button clicks. These data can be used to support authentication of the user. Once a label has been derived from a user's history, and assuming the user very rarely changes their habits, the user can be verified further each time they behave in a way that violates those habits.
Habits are difficult to change, but some data must be accumulated for a user before an accurate label can be assigned, for example whether the user switches between input fields with the Tab key or with the mouse.
For example, a threshold value is selected to judge whether user behavior is abnormal. A rule such as "login is blocked after 10 consecutive wrong passwords" chooses the value 10 to distinguish normal from malicious behavior; the threshold is the boundary found between the two kinds of behavior.
The rough steps for selecting a threshold are: collect as much relevant data as possible; observe the data distribution; find, from the distribution, the dividing point that separates malicious users from ordinary users; and select the threshold according to that dividing point and the scope of its impact.
Such thresholds can also be used to find latent (dormant) security threats. A latent application is typically covert and persistent, and typically exploits some logical vulnerability of an existing system.
For example, a system specifies that one IP may perform at most N database query operations per day, and a certain application queries the database exactly N times every day, continuing for a period of time every day. Analysis of the business profile shows that such an application has the following characteristics: it usually lies dormant inside a carrier (such as some app or system) and has specific trigger conditions, such as a time, a site or a data update; it usually accesses sensitive data over an application-layer protocol, mostly HTTP/HTTPS and occasionally FTP; and it typically accesses only a certain directory, or a certain API or interface, to obtain data.
Of course, other algorithms are also possible, such as: a time-window method, in which a user's access records for one day are divided into several time windows, and if the access records of a certain IP occupy many of these windows while the access volume in each is small, the user is a continuous accessor and possibly a latent application; a directory-marking method, in which a user who frequently accesses one directory (for example querying the root directory or other data under it) and rarely switches access paths may be a latent application collecting resources of a certain type; and a feature-analysis method, in which a user who frequently calls a certain API or data interface to obtain data, with relatively stable counts of returned items and returned bytes, may be a latent application stealing data.
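The four threshold-selection steps carried through on data, as an added Python example that is not the patent's own code. The per-account daily counts of failed verification requests are constructed and labelled for illustration, and the selection rule (the lowest cut-off that keeps the impact on ordinary accounts within an allowed false-alarm rate while missing the fewest malicious accounts) is an assumption about how the "dividing point" and "scope of impact" are weighed against each other.

```python
from collections import Counter

# Step 1: collect relevant data. Constructed daily counts of failed verification
# requests per account, labelled from past investigations (invented for this example).
NORMAL_COUNTS = [0, 0, 1, 0, 2, 1, 0, 3, 1, 0, 0, 2, 4, 1, 0, 0, 1, 2, 0, 1]
MALICIOUS_COUNTS = [8, 12, 25, 9, 40, 15, 11, 30]


def distribution(samples: list) -> dict:
    """Step 2: observe the distribution (failure count -> number of accounts)."""
    return dict(sorted(Counter(samples).items()))


def errors_at(threshold: int, normal: list, malicious: list) -> tuple:
    """False alarms (normal accounts at or above the cut-off) and misses (malicious below it)."""
    false_alarms = sum(1 for x in normal if x >= threshold)
    misses = sum(1 for x in malicious if x < threshold)
    return false_alarms, misses


def impact_range(threshold: int, normal: list) -> float:
    """Scope of impact: fraction of ordinary accounts the rule would block."""
    return sum(1 for x in normal if x >= threshold) / len(normal)


def choose_threshold(normal: list, malicious: list, max_false_alarm_rate: float = 0.0) -> int:
    """Steps 3 and 4: scan candidate dividing points, discard those whose impact on
    ordinary accounts exceeds the allowed rate, and keep the one with the fewest
    misses; ties go to the lowest cut-off, which catches abuse earliest."""
    lo = min(normal + malicious) + 1
    hi = max(normal + malicious) + 1
    best = None
    for t in range(lo, hi + 1):
        false_alarms, misses = errors_at(t, normal, malicious)
        if false_alarms / len(normal) > max_false_alarm_rate:
            continue
        if best is None or misses < best[1]:
            best = (t, misses)
    return best[0] if best else hi


if __name__ == "__main__":
    print("normal distribution:", distribution(NORMAL_COUNTS))
    print("malicious distribution:", distribution(MALICIOUS_COUNTS))
    t = choose_threshold(NORMAL_COUNTS, MALICIOUS_COUNTS)
    print("threshold:", t, "errors:", errors_at(t, NORMAL_COUNTS, MALICIOUS_COUNTS),
          "impact:", impact_range(t, NORMAL_COUNTS))
```

With the constructed data the distributions do not overlap, so the lowest zero-error cut-off is 5 failed requests; allowing a 10% impact on ordinary accounts lowers it to 3, which is the trade-off step 4 asks the operator to make explicitly.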
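The three latent-application heuristics just listed (time windows, directory marking, feature analysis on returned bytes) run over a one-day access log, as an added Python example that is not the patent's own code. The log entries are constructed, and the one-hour window, the minimum number of occupied windows, the per-window volume cap, the directory-concentration fraction and the coefficient-of-variation cut-off are assumed parameters that an operator would tune from their own data.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed one-day access log: (ip, hour, path, response_bytes). Invented for this example.
# 10.0.0.5 calls one export API once every hour with identical-size responses;
# 10.0.0.9 is an ordinary user browsing several areas during working hours.
LOG = [("10.0.0.5", h, f"/api/export?page={h}", 512) for h in range(24)]
LOG += [
    ("10.0.0.9", 9, "/home", 1200), ("10.0.0.9", 9, "/docs/a", 5400),
    ("10.0.0.9", 10, "/docs/b", 3300), ("10.0.0.9", 11, "/search", 800),
    ("10.0.0.9", 13, "/home", 1200), ("10.0.0.9", 14, "/profile", 2100),
    ("10.0.0.9", 16, "/docs/c", 7700), ("10.0.0.9", 17, "/reports", 4100),
]

WINDOW_HOURS = 1  # assumed window size: 24 windows per day


def top_directory(path: str) -> str:
    """First path segment, ignoring the query string."""
    return path.split("?", 1)[0].strip("/").split("/")[0]


def persistent_low_volume(records, min_windows=12, max_per_window=5) -> bool:
    """Time-window method: many windows occupied, each with little traffic."""
    per_window = Counter(hour // WINDOW_HOURS for _, hour, _, _ in records)
    return len(per_window) >= min_windows and max(per_window.values()) <= max_per_window


def directory_fixated(records, min_fraction=0.9) -> bool:
    """Directory-marking method: almost all requests stay in one directory."""
    dirs = Counter(top_directory(path) for _, _, path, _ in records)
    return dirs.most_common(1)[0][1] / len(records) >= min_fraction


def stable_response_size(records, max_cv=0.05) -> bool:
    """Feature-analysis method: returned byte counts barely vary between calls."""
    sizes = [size for _, _, _, size in records]
    avg = mean(sizes)
    return avg > 0 and pstdev(sizes) / avg <= max_cv


def latent_candidates(log) -> dict:
    """ip -> reasons, for every IP that trips at least one heuristic."""
    by_ip = defaultdict(list)
    for entry in log:
        by_ip[entry[0]].append(entry)
    checks = [
        ("persistent low-volume access", persistent_low_volume),
        ("directory fixation", directory_fixated),
        ("stable response size", stable_response_size),
    ]
    out = {}
    for ip, records in by_ip.items():
        reasons = [name for name, check in checks if check(records)]
        if reasons:
            out[ip] = reasons
    return out


if __name__ == "__main__":
    for ip, reasons in latent_candidates(LOG).items():
        print(ip, reasons)   # only 10.0.0.5 is reported, with all three reasons
```

Each heuristic is deliberately weak on its own (a monitoring probe also polls one endpoint hourly), which is why the result lists the reasons per IP rather than a verdict: an account that trips all three is a candidate for the further verification the text describes, not an automatic block.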
(4) Malicious attack discovery: the detection content includes but is not limited to web security, endpoint security, account security, data security, business security, and internal threats and violations; see FIG. 4 for details.
The known characteristics of various malicious attacks are learned with a logistic regression algorithm, a naive Bayes algorithm, a kNN algorithm, an SVM (support vector machine) or another algorithm; if the traffic data contains characteristics similar to these, it is considered to contain malicious attack behavior, and information such as the type of the malicious attack behavior is determined specifically.
In order to improve the accuracy and efficiency of risk assessment, the traffic data that is analyzed is generated only by users who have already been authenticated by the identity authentication server when they access the target application. Such traffic data is highly reliable and contains little redundant data, so identifying abnormal login behavior, abnormal devices, abnormal access behavior and malicious attack behavior from it yields a credible risk assessment result, and the small amount of redundant data reduces the difficulty and complexity of the analysis process, improving analysis efficiency. The risk assessment method and system can therefore improve the efficiency and accuracy of risk assessment. Because the data source after unified authentication is genuine and valid, the security posture of individual accounts and of the system as a whole can be reflected more effectively and accurately.
In the following, a risk assessment device provided in an embodiment of the present application is introduced, and a risk assessment device described below and a risk assessment method described above may be referred to each other.
Referring to fig. 5, an embodiment of the present application discloses a risk assessment apparatus, including:
an obtaining module 501, configured to obtain traffic data generated by a user accessing a target application; the user is authenticated by the authentication server;
a determining module 502, configured to determine a risk assessment policy corresponding to a target application; the risk assessment strategy can identify any one or combination of abnormal login behaviors, abnormal equipment, abnormal access behaviors and malicious attack behaviors;
the analysis module 503 is configured to analyze the traffic data according to the risk assessment policy to obtain a risk assessment result.
In one embodiment, the identity authentication server authenticates the identity of the user using a two-factor authentication approach.
In a specific embodiment, the identity authentication server is specifically configured to:
the identity authentication server acquires a static password and a dynamic password input by a user, generates user identity information according to the static password and the dynamic password, and sends the user identity information to the user and the target application.
In one embodiment, the analysis module is specifically configured to:
if the risk assessment policy can identify abnormal login behaviour, extracting the IP address and the time point at which the user logged in to the target application from the traffic data; and if the IP address and/or the time point is abnormal, generating a risk assessment result including abnormal login behaviour.
In one embodiment, the analysis module is specifically configured to:
if the risk assessment policy can identify abnormal devices, extracting the device fingerprint with which the user logged in to the target application from the traffic data; and if the device fingerprint is not stored in the preset fingerprint database, generating a risk assessment result including an abnormal device.
In one embodiment, the analysis module is specifically configured to:
if the risk assessment policy can identify abnormal access behaviour, extracting the operation mode, access duration and access directory of the user's access to the target application from the traffic data; and if the operation mode, the access duration and/or the access directory does not match the user's historical access record, generating a risk assessment result including abnormal access behaviour.
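The three rule-based checks above (abnormal login, abnormal device, abnormal access behaviour) together with the per-application policy selection can be written as a small policy engine. The following Python example is added here for illustration and is not code from the patent; the traffic record and user profile schemas, the trusted networks, the working-hours window, the `APP_POLICIES` mapping and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set


@dataclass
class TrafficRecord:
    """One access by an already-authenticated user, reconstructed from traffic data (assumed schema)."""
    user: str
    target_app: str
    src_ip: str
    timestamp: datetime
    device_fingerprint: str
    operation: str      # operation mode, e.g. "read", "download"
    duration_s: int     # access duration in seconds
    directory: str      # access directory / path


@dataclass
class UserProfile:
    """Per-user historical access record and preset fingerprint database entries (assumed schema)."""
    known_fingerprints: Set[str]
    usual_operations: Set[str]
    usual_directories: Set[str]   # path prefixes the user normally accesses
    max_duration_s: int


# Constructed policy parameters for the demo
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
WORK_HOURS = range(8, 20)  # 08:00-19:59 UTC

# Risk assessment policy per target application: which detectors are enabled (assumed)
APP_POLICIES: Dict[str, Set[str]] = {
    "hr-portal": {"abnormal_login", "abnormal_device", "abnormal_access"},
    "wiki": {"abnormal_login"},
}


def check_abnormal_login(rec: TrafficRecord, _: UserProfile) -> List[str]:
    """Abnormal login: source IP outside trusted networks and/or login outside working hours."""
    findings = []
    if not any(ip_address(rec.src_ip) in net for net in TRUSTED_NETWORKS):
        findings.append(f"login from untrusted IP {rec.src_ip}")
    if rec.timestamp.astimezone(timezone.utc).hour not in WORK_HOURS:
        findings.append(f"login at unusual time {rec.timestamp:%H:%M} UTC")
    return findings


def check_abnormal_device(rec: TrafficRecord, profile: UserProfile) -> List[str]:
    """Abnormal device: fingerprint not present in the preset fingerprint database."""
    if rec.device_fingerprint not in profile.known_fingerprints:
        return [f"unknown device fingerprint {rec.device_fingerprint}"]
    return []


def check_abnormal_access(rec: TrafficRecord, profile: UserProfile) -> List[str]:
    """Abnormal access: operation mode, duration and/or directory deviate from the user's history."""
    findings = []
    if rec.operation not in profile.usual_operations:
        findings.append(f"unusual operation {rec.operation}")
    if rec.duration_s > profile.max_duration_s:
        findings.append(f"access duration {rec.duration_s}s exceeds historical maximum")
    if not any(rec.directory.startswith(d) for d in profile.usual_directories):
        findings.append(f"access to unusual directory {rec.directory}")
    return findings


DETECTORS: Dict[str, Callable[[TrafficRecord, UserProfile], List[str]]] = {
    "abnormal_login": check_abnormal_login,
    "abnormal_device": check_abnormal_device,
    "abnormal_access": check_abnormal_access,
}


def assess(records: List[TrafficRecord], profiles: Dict[str, UserProfile]) -> List[Dict[str, List[str]]]:
    """Apply each record's target-application policy; returns one findings dict per record."""
    results = []
    for rec in records:
        policy = APP_POLICIES.get(rec.target_app, set())
        profile = profiles[rec.user]
        findings: Dict[str, List[str]] = {}
        for name in sorted(policy):
            hits = DETECTORS[name](rec, profile)
            if hits:
                findings[name] = hits
        results.append(findings)
    return results


# Constructed sample data: a normal access, a suspicious one, and the same suspicious access on an app
# whose policy only enables the login check.
PROFILES = {"alice": UserProfile({"fp-a1"}, {"read", "search"}, {"/docs/", "/reports/"}, 1800)}
SAMPLE_RECORDS = [
    TrafficRecord("alice", "hr-portal", "10.1.2.3", datetime(2020, 9, 28, 10, 15, tzinfo=timezone.utc),
                  "fp-a1", "read", 600, "/docs/q3.pdf"),
    TrafficRecord("alice", "hr-portal", "203.0.113.7", datetime(2020, 9, 28, 3, 40, tzinfo=timezone.utc),
                  "fp-zz", "download", 7200, "/finance/payroll.xlsx"),
    TrafficRecord("alice", "wiki", "203.0.113.7", datetime(2020, 9, 28, 3, 40, tzinfo=timezone.utc),
                  "fp-zz", "download", 7200, "/finance/payroll.xlsx"),
]
```

Each detector returns a list of findings rather than a boolean so that the risk assessment result says which attribute (IP, time, fingerprint, operation, duration or directory) was abnormal; an analyst triaging the result needs that, not just a flag.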
In one embodiment, the analysis module is specifically configured to:
if the risk assessment policy can identify malicious attack behaviour, analysing the traffic data with a logistic regression algorithm, a naive Bayes algorithm, a k-nearest-neighbour (k-NN) algorithm or a support vector machine (SVM) to obtain a risk assessment result including malicious attack behaviour.
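Of the four classifiers the embodiment names, naive Bayes is the easiest to show end to end. The following Python example, added here and not part of the patent, implements a Bernoulli naive Bayes classifier from scratch (so it runs without scikit-learn) over binary token features of URL-decoded request lines, trains it on a small constructed set of benign and attack-shaped requests, and labels new requests. The feature design, `SPECIAL_TOKENS`, the training samples and the `assess_malicious` name are assumptions for the example; a real deployment would train on its own labelled traffic.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import unquote

# Constructed feature design: lower-cased words plus a few injection-relevant special tokens
SPECIAL_TOKENS = ["'", '"', "<", ">", ";", "|", "--", ".."]


def features(request_line: str) -> Set[str]:
    """Binary feature set of one URL-decoded HTTP request line taken from the traffic data."""
    decoded = unquote(request_line).lower()
    toks = set(re.findall(r"[a-z]+", decoded))
    toks.update(tok for tok in SPECIAL_TOKENS if tok in decoded)
    return toks


class BernoulliNaiveBayes:
    """Bernoulli naive Bayes with Laplace smoothing, written out so the example has no ML dependency."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_counts: Counter = Counter()
        self.feature_counts: Dict[str, Counter] = defaultdict(Counter)
        self.vocab: Set[str] = set()

    def fit(self, samples: Iterable[Tuple[str, str]]) -> "BernoulliNaiveBayes":
        for text, label in samples:
            f = features(text)
            self.class_counts[label] += 1
            self.vocab |= f
            for tok in f:
                self.feature_counts[label][tok] += 1
        return self

    def log_scores(self, text: str) -> Dict[str, float]:
        """Unnormalised log posterior per class; absent vocabulary features count too (Bernoulli model)."""
        f = features(text)
        total = sum(self.class_counts.values())
        scores = {}
        for label, n in self.class_counts.items():
            lp = math.log(n / total)  # class prior
            for tok in self.vocab:
                p = (self.feature_counts[label][tok] + self.alpha) / (n + 2 * self.alpha)
                lp += math.log(p) if tok in f else math.log(1.0 - p)
            scores[label] = lp
        return scores

    def predict(self, text: str) -> str:
        scores = self.log_scores(text)
        return max(scores, key=scores.get)


# Constructed, labelled training requests: ordinary application traffic vs. well-known attack shapes
TRAINING_SAMPLES = [
    ("GET /docs/report.pdf", "benign"),
    ("GET /search?q=quarterly+results", "benign"),
    ("POST /login", "benign"),
    ("GET /reports/2020/q3.csv", "benign"),
    ("GET /docs/handbook.pdf?lang=en", "benign"),
    ("POST /search?q=sales", "benign"),
    ("GET /search?q=' OR 1=1--", "attack"),
    ("GET /files?name=../../etc/passwd", "attack"),
    ("GET /comment?text=<script>alert(1)</script>", "attack"),
    ("POST /login?user=admin'--", "attack"),
    ("GET /download?file=..%2F..%2Fwindows%2Fwin.ini", "attack"),
    ("GET /page?id=1; DROP TABLE users--", "attack"),
]


def assess_malicious(request_lines: List[str], model: BernoulliNaiveBayes = None) -> List[Tuple[str, str]]:
    """Malicious-attack dimension of the risk assessment result: (request line, label) per request."""
    model = model or BernoulliNaiveBayes().fit(TRAINING_SAMPLES)
    return [(line, model.predict(line)) for line in request_lines]
```

Decoding before tokenising matters: `..%2F..%2F` only becomes the `..` feature after `unquote`, and an attacker's first evasion is exactly that kind of encoding. With a training set this small the classifier is only a demonstration of the mechanism; the decision depends heavily on which special tokens are in the vocabulary, which is why the feature design, not the algorithm, is where most of the detection quality comes from.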
For more specific working processes of each module and unit in this embodiment, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not described here again.
This embodiment therefore provides a risk assessment apparatus. As in the method above, the analysed traffic data is generated by users who have already authenticated with the identity authentication server before accessing the target application, so the traffic data is reliable and contains little redundant data. Abnormal login behaviour, abnormal devices, abnormal access behaviour and malicious attack behaviour are identified from it, yielding a credible risk assessment result, and the low volume of redundant data reduces the difficulty and complexity of the analysis, improving its efficiency. The risk assessment method and system therefore improve both the efficiency and the accuracy of risk assessment.
The following introduces a risk assessment device provided in an embodiment of the present application; the device described below and the risk assessment method and apparatus described above may be cross-referenced.
Referring to fig. 6, an embodiment of the present application discloses a risk assessment apparatus, including:
a memory 601 for storing a computer program;
a processor 602 for executing the computer program to implement the method disclosed in any of the embodiments above.
In the following, a readable storage medium provided by an embodiment of the present application is introduced, and a readable storage medium described below and a risk assessment method, apparatus, and device described above may be referred to each other.
A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the risk assessment method disclosed in the foregoing embodiments. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
References in this application to "first," "second," "third," "fourth," etc., if any, are intended to distinguish between similar elements and not necessarily to describe a particular order or sequence. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises" and "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, or apparatus.
It should be noted that the descriptions in this application referring to "first", "second", etc. are for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present application.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principle and the implementation of the present application are explained herein by applying specific examples, and the above description of the embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A method of risk assessment, comprising:
acquiring traffic data generated by a user accessing a target application, the user having been authenticated by an identity authentication server;
determining a risk assessment policy corresponding to the target application, the risk assessment policy being able to identify any one or a combination of abnormal login behaviour, abnormal devices, abnormal access behaviour and malicious attack behaviour; and
analysing the traffic data according to the risk assessment policy to obtain a risk assessment result.
2. The risk assessment method according to claim 1, wherein the identity authentication server authenticates the identity of the user using a two-factor authentication method.
3. The risk assessment method according to claim 2, wherein the identity authentication server authenticating the identity of the user using a two-factor authentication method comprises:
the identity authentication server acquiring a static password and a dynamic password entered by the user, generating user identity information from the static password and the dynamic password, and sending the user identity information to the user and to the target application.
4. The risk assessment method according to claim 1, wherein, if the risk assessment policy can identify abnormal login behaviour, analysing the traffic data according to the risk assessment policy to obtain a risk assessment result comprises:
extracting, from the traffic data, the IP address and the time point at which the user logged in to the target application; and
if the IP address and/or the time point is abnormal, generating a risk assessment result including abnormal login behaviour.
5. The risk assessment method according to claim 1, wherein, if the risk assessment policy can identify abnormal devices, analysing the traffic data according to the risk assessment policy to obtain a risk assessment result comprises:
extracting, from the traffic data, the device fingerprint with which the user logged in to the target application; and
if the device fingerprint is not stored in a preset fingerprint database, generating a risk assessment result including an abnormal device.
6. The risk assessment method according to claim 1, wherein, if the risk assessment policy can identify abnormal access behaviour, analysing the traffic data according to the risk assessment policy to obtain a risk assessment result comprises:
extracting, from the traffic data, the operation mode, access duration and access directory of the user's access to the target application; and
if the operation mode, the access duration and/or the access directory does not match the user's historical access record, generating a risk assessment result including abnormal access behaviour.
7. The risk assessment method according to claim 1, wherein, if the risk assessment policy can identify malicious attack behaviour, analysing the traffic data according to the risk assessment policy to obtain a risk assessment result comprises:
analysing the traffic data with a logistic regression algorithm, a naive Bayes algorithm, a k-nearest-neighbour (k-NN) algorithm or a support vector machine (SVM) to obtain a risk assessment result including malicious attack behaviour.
8. A risk assessment apparatus, comprising:
an acquisition module, configured to acquire traffic data generated by a user accessing a target application, the user having been authenticated by an identity authentication server;
a determining module, configured to determine a risk assessment policy corresponding to the target application, the risk assessment policy being able to identify any one or a combination of abnormal login behaviour, abnormal devices, abnormal access behaviour and malicious attack behaviour; and
an analysis module, configured to analyse the traffic data according to the risk assessment policy to obtain a risk assessment result.
9. A risk assessment device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the risk assessment method according to any one of claims 1 to 7.
10. A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the risk assessment method according to any one of claims 1 to 7.
CN202011040499.0A 2020-09-28 2020-09-28 Risk assessment method, device and equipment and readable storage medium Pending CN112165488A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011040499.0A CN112165488A (en) 2020-09-28 2020-09-28 Risk assessment method, device and equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011040499.0A CN112165488A (en) 2020-09-28 2020-09-28 Risk assessment method, device and equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN112165488A true CN112165488A (en) 2021-01-01

Family

ID=73861789

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011040499.0A Pending CN112165488A (en) 2020-09-28 2020-09-28 Risk assessment method, device and equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN112165488A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103888255A (en) * 2012-12-21 2014-06-25 中国移动通信集团公司 Identity authentication method, device and system
CN105357186A (en) * 2015-10-10 2016-02-24 苏州通付盾信息技术有限公司 Secondary authentication method based on out-of-band authentication and enhanced OTP (One-time Password) mechanism
US20180034859A1 (en) * 2016-07-28 2018-02-01 International Business Machines Corporation Dynamic Multi-Factor Authentication Challenge Generation
CN108712364A (en) * 2018-03-22 2018-10-26 西安电子科技大学 A kind of safety defense system and method for SDN network
CN110602120A (en) * 2019-09-19 2019-12-20 国网江苏省电力有限公司信息通信分公司 Network-oriented intrusion data detection method
CN111510453A (en) * 2020-04-15 2020-08-07 深信服科技股份有限公司 Business system access method, device, system and medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhou Kai, China Machine Press (机械工业出版社) *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112836223A (en) * 2021-02-01 2021-05-25 长沙市到家悠享网络科技有限公司 Data processing method, device and equipment
CN113111327A (en) * 2021-04-27 2021-07-13 北京赛博云睿智能科技有限公司 Resource management method and device of PaaS-based service portal management system
CN113111327B (en) * 2021-04-27 2024-02-13 北京赛博云睿智能科技有限公司 Resource management method and device of PaaS-based service portal management system
CN113542238A (en) * 2021-06-29 2021-10-22 上海派拉软件股份有限公司 Risk judgment method and system based on zero trust
CN114445088A (en) * 2022-01-13 2022-05-06 内蒙古蒙商消费金融股份有限公司 Method and device for judging fraudulent conduct, electronic equipment and storage medium
CN114091042A (en) * 2022-01-20 2022-02-25 深圳竹云科技股份有限公司 Risk early warning method
CN114598540A (en) * 2022-03-18 2022-06-07 北京启明星辰信息安全技术有限公司 Access control system, method, device and storage medium
CN114598540B (en) * 2022-03-18 2024-03-15 北京启明星辰信息安全技术有限公司 Access control system, method, device and storage medium
CN117369850A (en) * 2023-10-27 2024-01-09 全拓科技(杭州)股份有限公司 Enterprise information security management method and system based on big data
CN117369850B (en) * 2023-10-27 2024-05-07 全拓科技(杭州)股份有限公司 Enterprise information security management method and system based on big data

Similar Documents

Publication Publication Date Title
CN112165488A (en) Risk assessment method, device and equipment and readable storage medium
US11599660B2 (en) Dynamic policy based on user experience
US11695800B2 (en) Deceiving attackers accessing network data
US10248782B2 (en) Systems and methods for access control to web applications and identification of web browsers
CN107211016B (en) Session security partitioning and application profiler
US20160127417A1 (en) Systems, methods, and devices for improved cybersecurity
US11616812B2 (en) Deceiving attackers accessing active directory data
US20110314549A1 (en) Method and apparatus for periodic context-aware authentication
US10362044B2 (en) Identifying command and control endpoint used by domain generation algorithm (DGA) malware
US10412109B2 (en) Method for detecting vulnerabilities in a virtual production server of a virtual or cloud computer system
US20110314558A1 (en) Method and apparatus for context-aware authentication
US20210281599A1 (en) Cyber Security System and Method Using Intelligent Agents
US20120151559A1 (en) Threat Detection in a Data Processing System
US20160373262A1 (en) Systems and methods for digital certificate security
CN113660224B (en) Situation awareness defense method, device and system based on network vulnerability scanning
US10599842B2 (en) Deceiving attackers in endpoint systems
KR102024142B1 (en) A access control system for detecting and controlling abnormal users by users’ pattern of server access
US11647037B2 (en) Penetration tests of systems under test
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
WO2020210976A1 (en) System and method for detecting anomaly
CN113411295A (en) Role-based access control situation awareness defense method and system
CN113411297A (en) Situation awareness defense method and system based on attribute access control
Kim et al. Involvers’ behavior-based modeling in cyber targeted attack
WO2019159809A1 (en) Access analysis system and access analysis method
US11985147B2 (en) System and method for detecting a cyberattack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210101)