CN113836525A - Method and device for analyzing behavior risk of cloud service provider - Google Patents


Info

Publication number: CN113836525A
Authority: CN (China)
Prior art keywords: behavior; cloud service; data; service provider; risk
Legal status: Granted (current status: Active)
Application number: CN202111134753.8A
Other languages: Chinese (zh)
Other versions: CN113836525B (en)
Inventors: 刘孝男, 李保珲, 谢丰, 胡华明
Current assignee: China Information Technology Security Evaluation Center
Original assignee: China Information Technology Security Evaluation Center
Application filed by: China Information Technology Security Evaluation Center
Priority application: CN202111134753.8A (granted as CN113836525B)

Classifications

    • G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing)
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
            • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F9/00 Arrangements for program control, e.g. control units
        • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
            • G06F9/44 Arrangements for executing specific programs
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                    • G06F9/45533 Hypervisors; Virtual machine monitors
                        • G06F9/45558 Hypervisor-specific management and integration aspects
                            • G06F2009/45587 Isolation or security of virtual machine instances


Abstract

The application provides a method and a device for analyzing cloud service provider behavior risk. The method comprises the following steps: first, collecting operation log data of cloud service provider users; then, processing the operation log data according to a preset audit rule to obtain behavior event data; finally, generating an analysis result from the behavior event data, where the analysis result indicates whether the operation behavior of the cloud service provider user is risky. In this way, risky operation behavior of the cloud service provider can be found accurately, the risk can be avoided effectively, and the security of the cloud service provider platform is guaranteed.

Description

Method and device for analyzing behavior risk of cloud service provider
Technical Field
The application relates to the field of cloud services, and in particular to a method and device for analyzing cloud service provider behavior risk.
Background
In recent years, with the rapid development of cloud platforms in China, the computing capability of cloud platforms has grown and the scale of cloud vendors has become larger and larger.
Because the users of a cloud service provider perform a large volume of management operations on the platform, a series of security risks may arise in the process; these reduce the credibility of the cloud service and create potential security hazards for the users of the cloud service.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for analyzing cloud service provider behavior risk, which are used to find risky operation behavior of a cloud service provider so that the risk can be avoided effectively and the security of the cloud service provider platform ensured.
In a first aspect, the application provides a method for analyzing cloud service provider behavior risk, which includes:
collecting operation log data of cloud service provider users;
processing the operation log data according to a preset audit rule to obtain behavior event data; and
generating an analysis result from the behavior event data, where the analysis result indicates whether the operation behavior of the cloud service provider user is risky.
Optionally, after the operation log data has been processed according to the preset audit rule to obtain the behavior event data, the method further includes:
matching the behavior event data against the behavior profile of the cloud service provider user to obtain a matching result; and
generating an analysis report from the matching result, where the analysis report is used to determine whether the operation behavior of the cloud service provider user is abnormal.
Optionally, collecting the operation log data of the cloud service provider user includes:
remotely collecting operation log data of the cloud service provider user through a Secure Shell (SSH) and/or Hypertext Transfer Protocol (HTTP) interface; and
obtaining operation log data of the cloud service provider user by offline upload.
Optionally, processing the operation log data according to the preset audit rule to obtain the behavior event data includes:
integrating the operation log data according to the preset audit rule to obtain a data mapping that can be preprocessed; and
converting the data mapping to obtain behavior event data in a uniform format.
Optionally, the behavior profile is generated as follows:
performing behavior identification and classification on the historical behavior event data of the cloud service provider user to obtain behavior type data of multiple categories;
for each item of behavior type data, scoring it with the scoring rule that corresponds to the audit rule to obtain a score for that behavior type data; and
generating the behavior profile of the cloud service provider user from the scores of all the behavior type data.
Optionally, after the analysis report has been generated from the matching result, the method further includes:
determining a preset number of abnormal operation behaviors in the analysis report and generating an abnormal operation behavior label for each; and
displaying all the abnormal operation behavior labels.
Optionally, the method for analyzing cloud service provider behavior risk further includes:
receiving a retrieval instruction entered by an evaluator; and
responding to the retrieval instruction to obtain a trace log, where the trace log can be exported and presented graphically, and the graph includes the abnormal operation behavior.
Optionally, the method for analyzing cloud service provider behavior risk further includes:
receiving and responding to an audit rule management instruction.
Optionally, the method for analyzing cloud service provider behavior risk further includes:
receiving and responding to a behavior profile management instruction.
In a second aspect, the application provides an apparatus for analyzing cloud service provider behavior risk, which includes:
a collection unit for collecting operation log data of cloud service provider users;
a processing unit for processing the operation log data according to a preset audit rule to obtain behavior event data; and
an analysis unit for generating an analysis result from the behavior event data, where the analysis result indicates whether the operation behavior of the cloud service provider user is risky.
Optionally, the apparatus for analyzing cloud service provider behavior risk further includes:
a matching unit for matching the behavior event data against the behavior profile of the cloud service provider user to obtain a matching result; and
a generating unit for generating an analysis report from the matching result, where the analysis report is used to determine whether the operation behavior of the cloud service provider user is abnormal.
Optionally, the collection unit includes:
a collection subunit for remotely collecting operation log data of the cloud service provider user through a Secure Shell (SSH) and/or Hypertext Transfer Protocol (HTTP) interface; and
an obtaining subunit for obtaining operation log data of the cloud service provider user by offline upload.
Optionally, the processing unit includes:
an integration unit for integrating the operation log data according to the preset audit rule to obtain a data mapping that can be preprocessed; and
a conversion unit for converting the data mapping to obtain behavior event data in a uniform format.
Optionally, the behavior profile generation unit includes:
a classification unit for identifying and classifying the historical behavior event data of the cloud service provider user to obtain behavior type data of multiple categories;
a scoring unit for scoring each item of behavior type data with the scoring rule that corresponds to the audit rule to obtain a score for that behavior type data; and
a behavior profile generation subunit for generating the behavior profile of the cloud service provider user from the scores of all the behavior type data.
Optionally, the apparatus for analyzing cloud service provider behavior risk further includes:
a determining unit for determining a preset number of abnormal operation behaviors in the analysis report and generating an abnormal operation behavior label for each; and
a display unit for displaying all the abnormal operation behavior labels.
Optionally, the apparatus for analyzing cloud service provider behavior risk further includes:
a receiving unit for receiving a retrieval instruction entered by an evaluator; and
a first response unit for responding to the retrieval instruction to obtain a trace log, where the trace log can be exported and presented graphically, and the graph includes the abnormal operation behavior.
Optionally, the apparatus for analyzing cloud service provider behavior risk further includes:
a second response unit for receiving and responding to an audit rule management instruction.
Optionally, the apparatus for analyzing cloud service provider behavior risk further includes:
a third response unit for receiving and responding to a behavior profile management instruction.
In a third aspect, the application provides a server comprising:
one or more processors; and
a storage device on which one or more programs are stored,
where the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method for analyzing cloud service provider behavior risk of any embodiment of the first aspect.
In a fourth aspect, the application provides a computer storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the method for analyzing cloud service provider behavior risk of any embodiment of the first aspect.
According to the above scheme, the application provides a method and an apparatus for analyzing cloud service provider behavior risk, where the method includes: first, collecting operation log data of cloud service provider users; then, processing the operation log data according to a preset audit rule to obtain behavior event data; finally, generating an analysis result from the behavior event data, where the analysis result indicates whether the operation behavior of the cloud service provider user is risky. In this way, risky operation behavior of the cloud service provider can be found accurately, the risk can be avoided effectively, and the security of the cloud service provider platform is guaranteed.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a detailed flowchart of a method for analyzing cloud service provider behavior risk according to an embodiment of the present application;
fig. 2 is a flowchart of a method for processing operation log data according to a preset audit rule to obtain behavior event data according to another embodiment of the present application;
fig. 3 is a detailed flowchart of a method for analyzing cloud service provider behavior risk according to another embodiment of the present application;
fig. 4 is a flowchart of a method for generating a behavior profile according to another embodiment of the present application;
fig. 5 is a block diagram according to an embodiment of the present application;
fig. 6 is a schematic diagram of the functional architecture of an operation behavior audit system according to another embodiment of the present application;
fig. 7 is a schematic diagram of a system deployment topology according to another embodiment of the present application;
fig. 8 is a schematic diagram of an apparatus for analyzing cloud service provider behavior risk according to another embodiment of the present application;
fig. 9 is a schematic diagram of a server for implementing a method for analyzing cloud service provider behavior risk according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
It should be noted that the terms "first", "second" and the like used in this application only distinguish different devices, modules or units and do not limit the order or interdependence of the functions these devices, modules or units perform. The terms "include", "comprise" and any variation of them are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article or apparatus that comprises it.
First, it should be noted that in the existing cloud security architecture responsibility is divided as follows: (1) business security, secure operation, data security, network security, application security, host security and identity management fall within the user's responsibility; cloud product security, virtualization security, hardware security and physical security fall within the responsibility of the cloud service vendor; and virtualization security, hardware security and physical security fall within the responsibility of the cloud service provider.
At present, in the audit of a cloud service provider, the operation behaviors with a higher degree of risk are characterised and summarised to form a dedicated audit rule base. First, a series of strategies are formulated for operation behaviors such as account login and object access, so that an evaluator can find operation behavior problems in a cloud service provider promptly and accurately, and the user operation risks of administrative user behavior on the virtualization layer of the cloud platform are objectively analysed, summarised and reported. Second, the asset security of the cloud service provider platform is also affected by network intrusion, penetration and the like, so the security protection risk of the platform also needs to be audited from the network security angle. In summary, the security problems in this area are mainly reflected in the five user operation risk behaviors, the dispersed risks identified by network security devices, the security risks identified by physical host audits, and so on. The specific analysis within the category of cloud service provider behavior rules covers managed resource operation security risks and management agent operation security risks. Managed resource operation security risks include Intrusion Prevention System (IPS) application security risks and physical host security audit risks; management agent operation security risks include host operation behavior risks, data center operation behavior risks, virtual machine operation behavior risks, network operation behavior risks and storage operation behavior risks.
The IPS application security risk rule is based on the risk logs of security equipment such as an IPS or a firewall. It can identify the type and version of the software running on a server and, combined with web traffic, help identify the type and version of the software running on a target server and 0-day vulnerabilities that software may have, so that illegal operations on cloud resources carried out after an intrusion are audited and discovered. From the original IPS risk log, the attack type corresponding to the service is identified, including 0-day vulnerabilities in software, where the target application may be running a software version that has the vulnerability (for example a 0-day vulnerability in the Struts1.0 or Struts2.0 application); through the application service software the intruder then obtains webshell user privileges, and through that webshell access the security of the cloud service provider's managed resources is affected. Table 1 lists the web application security types and their descriptions.
[Table 1, web application security types and corresponding descriptions, is an image on the original page and is not reproduced here.]
TABLE 1
The physical host is the underlying physical service of a cloud service provider, and an ordinary management user cannot access it directly; the availability of the physical host, and any operation on it, affects the security of the virtual machine systems running on that host as well as the data leakage and availability risks of the business systems.
Based on the physical host security audit log, account security, network operations and disk operations on the host are analysed.
The physical host security audit risk log is used to audit host security at the physical layer; the audit event types are shown in table 2:
[Table 2, physical host security audit event types, is an image on the original page and is not reproduced here.]
TABLE 2
The following two cases illustrate a combined physical host security audit and IPS audit:
Case 1: host security penetration caused by a Struts2 0-day vulnerability
1. Case phenomena:
A large number of failed login attempts were found in the physical host security audit log of a certain operator's environment. They came from the IP address of a virtual machine on that host, which is abnormal, but the operator had not audited the risk of this behavior.
2. Analysis of the platform audit logs:
1) By analysing the physical security audit log, the audit platform finds a large number of failed login logs, all coming from the same virtual machine IP address;
2) by analysing the IPS application firewall log, the audit platform finds that, on the timeline before the login failures, there were a large number of requests from addresses imitating normal requests, and the platform identifies that the Struts2 application is present on the target server;
3) joint analysis on the IP address dimension finds that the IP address issued a large number of URL requests imitating normal requests while a Struts2 application mark is present on the target virtual server, and the physical machine security audit log shows a large number of abnormal login failures from that IP.
3. Analysis result:
Because the virtual machine at that IP has a Struts2 web application 0-day vulnerability, the IPS log contains seemingly normal request information from an external IP (the web attack requests were disguised as normal requests); analysis of the physical host audit log shows that the virtual machine at that IP made a large number of login attempts on the physical host (password brute-forcing and the like). The characteristic pattern is that the virtual host may have been compromised through the Struts2 web vulnerability and a webshell, the virtual host has been penetrated, the related behavior is risky, and a large number of login attempts (unsuccessful logins) are being made against the current physical host. The impact of the whole event is that penetration from the intranet toward the physical host becomes possible, which is a high security risk.
4. Rule formation:
Through the case analysis, the rules required for this case can be formed from the IPS log and the host audit log; the host audit log rule is shown in table 3 and the IPS log rules in table 4:
Host event type   Operation                                     Description
USER_LOGIN        Multiple login failures from one source IP    Triggered when a user fails to log in multiple times.
TABLE 3
[Table 4, IPS log rules for case 1, is an image on the original page and is not reproduced here.]
TABLE 4
Case 2: host security penetration caused by an upload vulnerability in a Tomcat application
1. Case phenomena:
A large number of requests to the same address were found in the IPS log of a certain operator's environment, several times more than requests to other ordinary addresses; at the same time, the host security audit log showed multiple login authentication attempts against the IP of the target server, coming from the same virtual machine IP on the host. This behavior is abnormal, but the operator had not audited its risk.
2. Analysis of the platform audit logs:
1) IPS log analysis finds a large number of identical HTTP requests, the number of accesses to that request address being several times higher than to other addresses, while a Tomcat service application mark is present on the target virtual server;
2) by analysing the physical security audit log, the audit platform finds a large number of failed login logs, all coming from the same virtual machine IP address;
3) joint analysis on the IP address dimension finds that the requested address on the target server is a webshell address under a jsp service path, and the physical machine security audit log shows a large number of abnormal login behaviors from that IP.
3. Analysis result:
Because the Tomcat web application on the virtual machine at that IP has an upload vulnerability and does not verify the suffix of uploaded files, an unsafe jsp webshell file was uploaded successfully; at the same time, a large number of requests called the jsp service to run webshell commands; from that server shell environment, a large number of login attempts (password brute-forcing and the like) were made against the physical host that runs it. The related behavior is high risk: root permission on the virtual machine was obtained by uploading the jsp webshell, and penetration toward the physical host over the intranet becomes possible.
4. Rule formation:
Through the case analysis, the rules required for this case can be formed from the IPS log and the host audit log; the host audit log rule is shown in table 5 and the IPS log rules in table 6:
Host event type   Operation                                     Description
USER_LOGIN        Multiple login failures from one source IP    Triggered when a user fails to log in multiple times.
TABLE 5
[Table 6, IPS log rules for case 2, is an image on the original page and is not reproduced here.]
TABLE 6
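The joint analysis that both cases walk through, written out as an added example that is not part of the patent: a small Python correlation of a constructed physical-host security audit log with a constructed IPS log on the VM IP dimension. The log formats, field names, the failed-login threshold and the request ratio are assumptions, not the patent's own rule definitions.

```python
"""Joint analysis of a physical-host security audit log and an IPS log (constructed example)."""
from collections import Counter
from statistics import median

FAILED_LOGIN_THRESHOLD = 5   # assumed meaning of "multiple" login failures from one source IP
REQUEST_RATIO = 5            # assumed meaning of "several times higher" than other addresses
VULNERABLE_APPS = {"Struts2", "Tomcat"}   # application marks named in case 1 and case 2

# Constructed host security audit log: time, source IP (a VM on the host), event type, result.
HOST_AUDIT_LOG = """\
2021-09-01T02:10:01 10.0.1.15 USER_LOGIN FAIL
2021-09-01T02:10:03 10.0.1.15 USER_LOGIN FAIL
2021-09-01T02:10:05 10.0.1.15 USER_LOGIN FAIL
2021-09-01T02:10:07 10.0.1.15 USER_LOGIN FAIL
2021-09-01T02:10:09 10.0.1.15 USER_LOGIN FAIL
2021-09-01T02:10:11 10.0.1.15 USER_LOGIN FAIL
2021-09-01T09:00:00 10.0.1.20 USER_LOGIN OK
2021-09-01T09:05:00 10.0.1.20 USER_LOGIN FAIL
"""

# Constructed IPS log: time, external source IP, target VM IP, requested URL, application mark.
# Thirty identical requests to one jsp path on a Tomcat host, plus a few ordinary requests.
IPS_LOG = "\n".join(
    [f"2021-09-01T01:58:{i:02d} 203.0.113.7 10.0.1.15 /upload/cmd.jsp Tomcat" for i in range(30)]
    + [
        "2021-09-01T01:59:00 203.0.113.9 10.0.1.20 /index.html Nginx",
        "2021-09-01T01:59:10 203.0.113.9 10.0.1.20 /login Nginx",
        "2021-09-01T01:59:20 203.0.113.11 10.0.1.20 /index.html Nginx",
    ]
)


def parse_host_audit(text):
    """Split audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, event, result = line.split()
        events.append({"time": ts, "src_ip": src_ip, "event": event, "result": result})
    return events


def parse_ips(text):
    """Split IPS lines into event dicts with target VM, URL and application mark."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, dst_ip, url, app = line.split()
        events.append({"time": ts, "src_ip": src_ip, "dst_ip": dst_ip, "url": url, "app": app})
    return events


def failed_login_sources(host_events, threshold=FAILED_LOGIN_THRESHOLD):
    """Host audit rule USER_LOGIN (tables 3 and 5): many login failures from one source IP."""
    counts = Counter(e["src_ip"] for e in host_events
                     if e["event"] == "USER_LOGIN" and e["result"] == "FAIL")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def hot_request_addresses(ips_events, ratio=REQUEST_RATIO):
    """IPS rule: one (target, URL) is requested several times more often than the others."""
    counts = Counter((e["dst_ip"], e["url"], e["app"]) for e in ips_events)
    hot = {}
    for key, n in counts.items():
        others = [m for k, m in counts.items() if k != key] or [1]
        if n >= ratio * median(others):
            hot[key] = n
    return hot


def joint_analysis(host_events, ips_events):
    """Correlate both rules on the VM IP: the request target in the IPS log is the same
    VM that then fails logins against its physical host in the audit log."""
    failures = failed_login_sources(host_events)
    hot = hot_request_addresses(ips_events)
    findings = []
    for (dst_ip, url, app), n in sorted(hot.items()):
        if dst_ip in failures and app in VULNERABLE_APPS:
            findings.append({
                "vm_ip": dst_ip,
                "app": app,
                "url": url,
                "requests": n,
                "login_failures": failures[dst_ip],
                "risk": "high",
                "description": (f"{app} on {dst_ip} received {n} requests to {url}; the same VM "
                                f"then failed {failures[dst_ip]} logins on the physical host"),
            })
    return findings


if __name__ == "__main__":
    for f in joint_analysis(parse_host_audit(HOST_AUDIT_LOG), parse_ips(IPS_LOG)):
        print(f["risk"].upper(), f["description"])
```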
Management agent operations on the virtualization layer of the cloud service provider platform are an important audit and analysis target of the audit device; the audited operation event types of the cloud service provider include host operation behavior, data center operation behavior, virtual machine operation behavior, network operation behavior and storage operation behavior.
Host operation behavior rules mainly form operation behavior events for user login, authorization, passwords and the like; the operation behavior risk is analysed from several dimensions such as time, place, operation target object and behavior result, as shown mainly in table 7:
[Table 7, host operation behavior rules, is an image on the original page and is not reproduced here.]
TABLE 7
Data center operation behavior rules mainly form operation behavior events for user login, authorization, passwords, data import and export and the like; the operation behavior risk is analysed from several dimensions such as time, place, operation target object and behavior result, as shown mainly in table 8:
[Table 8, data center operation behavior rules, is an image on the original page and is not reproduced here.]
TABLE 8
Virtual machine operation behavior rules mainly form operation behavior events for user operations such as virtual machine cloning, deletion, start, shutdown, snapshot and creation; the operation behavior risk is analysed from several dimensions such as time, place, operation target object and behavior result, as shown mainly in table 9:
[Table 9, virtual machine operation behavior rules, is an image on the original page and is not reproduced here.]
TABLE 9
Network operation behavior rules mainly form operation behavior events for user configuration of network Access Control Lists (ACLs), network allocation, network reclamation and the like; the operation behavior risk is analysed from several dimensions such as time, place, operation target object and behavior result, as shown mainly in table 10:
[Table 10, network operation behavior rules, is an image on the original page and is not reproduced here.]
TABLE 10
Storage operation behavior rules mainly form operation behavior events for user operations such as mounting, deleting, expanding, reclaiming and allocating disks; the operation behavior risk is analysed from several dimensions such as time, place, operation target object and behavior result, as shown mainly in table 11:
[Table 11, storage operation behavior rules, is an image on the original page and is not reproduced here.]
TABLE 11
Based on the audit rule, the embodiment of the application provides an analysis method for cloud service business behavior risk, as shown in fig. 1, specifically including the following steps:
s101, collecting operation log data of a cloud service provider user.
Optionally, in another embodiment of the present application, an implementation manner of step S101 specifically includes: operation log data of a cloud service provider user are remotely collected through a containment vessel protocol and/or hypertext transfer protocol interface; and obtaining operation log data of the cloud service provider user in an offline uploading mode.
The way of remotely acquiring the operation log data of the cloud service provider user through the Secure Shell (SSH) may be, but is not limited to: the log collector collects source data based on configured log collection configuration data of a target collection server, and specifically comprises three steps of configuring SSH remote server information, newly building remote SSH collection configuration information, and adapting logstack configuration at a background and sending collection end collection data by SSH.
The manner of remotely collecting the operation log data of the cloud service provider user through a hypertext Transfer Protocol (HTTP) interface may be, but is not limited to: and the log collector collects configuration data based on the HTTP address to collect the HTTP source log file. The method specifically comprises the following two steps: configuring HTTP remote address information; the background adapts logstash configuration and locally issues HTTP acquisition end acquisition data.
The manner of obtaining the operation log data of the cloud service provider user through offline uploading may be, but is not limited to: selecting offline file log collection and configuring the host, network, virtual machine, storage and data center log directories for logstash. This specifically comprises three steps: first uploading the offline log to the server; newly creating the local service collection configuration information and selecting the corresponding uploaded offline log; and adapting the logstash configuration in the background, after which the local collection end collects the data.
And S102, processing the operation log data based on a preset audit rule to obtain behavior event data.
Specifically, it is judged whether the current event meets a condition A; if condition A is met, the corresponding behavior type and description information, namely the behavior event data, are obtained by matching, querying and the like.
The audit rules are defined on the basis of the source log data gathered by log collection: the source log data is preprocessed and analyzed by the collection process and converted into event objects of the cloud service provider's operation behavior, and the event object model is maintained by the audit rule management subsystem. Operation behavior risk is analyzed by distinguishing the behavior along one or more dimensions (time, place, agent and behavior result), through a combined analysis of normal behavior auditing and abnormal behavior, so as to discover whether the administrator's operation behavior is compliant and safe.
For example, when the condition "[any user] executes a [disk mount] operation with [any result] at [any place] during [8 pm to 6 am]" occurs, it indicates that a storage operation behavior risk currently exists; the specific behavior type is disk mount, and the specific description information is that the user mounted a disk during non-working hours.
Certainly, in a specific implementation process of the present application, the audit rule should also be managed, and therefore, in another embodiment of the present application, an implementation manner of the cloud service business action risk analysis method further includes: and receiving and responding to an audit rule management instruction.
Specifically, the audit rule management instructions may include, but are not limited to: new creation, modification, deletion, activation, deactivation and weight setting of audit rules.
For cloud service provider user operation behaviors, the behavior data obtained after data collection and preprocessing is taken as a unified behavior event and used as the reference event, and the operation risk present in an operation event is expressed through different dimensions (time, target, agent, event result and the like); the relevant rules are defined through the flexible and expressive Elasticsearch query DSL. The input format for risk rule definitions supports two rule formats: the Elasticsearch DSL language and Elastic SQL.
Examples of risk rule format content are as follows:
example of ElasticDSL statement:
(The Elasticsearch DSL rule example is provided only as an image in the original.)
example of ElasticSql statement:
SELECT HISTOGRAM("@timestamp", INTERVAL 5 MINUTE) ti, userId, COUNT(*) c FROM openstack_logs3_new GROUP BY ti, userId HAVING c > 3
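The two rule kinds described above, the attribute and time-window match of the disk-mount example and the per-user five-minute histogram count of the Elastic SQL statement, can be evaluated directly over unified behavior events. The following is an added example, not code from the patent or from the described auditing device; the event values, the UTC interpretation of the timestamps, the rule field names and the "omit a field to mean any" convention are assumptions.

```python
"""Evaluate two audit-rule kinds over unified behavior events (added example, not the patent's code)."""
from collections import Counter
from datetime import datetime, time, timezone

# Constructed events in the page's unified format (epoch seconds, interpreted as UTC).
# 1632700800 is 2021-09-27 00:00:00 UTC; the four admin1 events at 02:00 fall in one 5-minute bucket.
EVENTS = [
    {"timestamp": 1632708000, "sourceIp": "10.0.0.5", "sourceObj": "admin1", "destIP": "10.0.1.7",
     "destObj": "vol-001", "eventType": "storage behavior", "actionType": "disk mount", "actionResult": "success"},
    {"timestamp": 1632708030, "sourceIp": "10.0.0.5", "sourceObj": "admin1", "destIP": "10.0.1.8",
     "destObj": "vm-a", "eventType": "virtual machine behavior", "actionType": "virtual machine start", "actionResult": "success"},
    {"timestamp": 1632708060, "sourceIp": "10.0.0.5", "sourceObj": "admin1", "destIP": "10.0.1.8",
     "destObj": "vm-b", "eventType": "virtual machine behavior", "actionType": "virtual machine delete", "actionResult": "success"},
    {"timestamp": 1632708090, "sourceIp": "10.0.0.5", "sourceObj": "admin1", "destIP": "10.0.1.8",
     "destObj": "vm-c", "eventType": "virtual machine behavior", "actionType": "virtual machine delete", "actionResult": "failure"},
    {"timestamp": 1632736800, "sourceIp": "10.0.0.5", "sourceObj": "admin1", "destIP": "10.0.1.7",
     "destObj": "vol-002", "eventType": "storage behavior", "actionType": "disk mount", "actionResult": "success"},
    {"timestamp": 1632776400, "sourceIp": "10.0.0.9", "sourceObj": "ops2", "destIP": "10.0.1.7",
     "destObj": "vol-003", "eventType": "storage behavior", "actionType": "disk mount", "actionResult": "success"},
    {"timestamp": 1632776800, "sourceIp": "10.0.0.9", "sourceObj": "ops2", "destIP": "10.0.1.7",
     "destObj": "vol-003", "eventType": "storage behavior", "actionType": "disk delete", "actionResult": "success"},
]

# Rule kind 1: attribute match plus time window. A dimension set to "any" is simply omitted from "match".
ATTRIBUTE_RULES = [
    {
        "name": "storage-mount-offhours",
        "match": {"actionType": "disk mount"},   # any user, any place, any result
        "window": (time(20, 0), time(6, 0)),     # 20:00-06:00, wraps midnight
        "behaviorType": "disk mount",
        "description": "user mounts a disk during non-working hours",
    },
]


def in_window(ts, start, end):
    """True if the timestamp's time of day (UTC, assumed) lies in [start, end); handles windows that wrap midnight."""
    t = datetime.fromtimestamp(ts, tz=timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def match_attribute_rules(events, rules=ATTRIBUTE_RULES):
    """Step S102 for rule kind 1: return the behavior event data (type + description) for every matching event."""
    hits = []
    for ev in events:
        for rule in rules:
            fields_ok = all(ev.get(k) == v for k, v in rule["match"].items())
            if fields_ok and in_window(ev["timestamp"], *rule["window"]):
                hits.append({"rule": rule["name"], "sourceObj": ev["sourceObj"], "timestamp": ev["timestamp"],
                             "behaviorType": rule["behaviorType"], "description": rule["description"]})
    return hits


def histogram_threshold(events, interval_seconds=300, threshold=3):
    """Rule kind 2: the HISTOGRAM(@timestamp, 5 MINUTE) / GROUP BY ti, userId / HAVING c > 3 query, done locally.
    Returns (bucket_start, user, count) for every bucket in which a user exceeds the threshold."""
    counts = Counter((ev["timestamp"] - ev["timestamp"] % interval_seconds, ev["sourceObj"]) for ev in events)
    return sorted((bucket, user, c) for (bucket, user), c in counts.items() if c > threshold)


if __name__ == "__main__":
    for hit in match_attribute_rules(EVENTS):
        print(hit)
    for bucket, user, c in histogram_threshold(EVENTS):
        print(f"{user}: {c} operations in the 5-minute bucket starting at epoch {bucket}")
```

The time window is the only dimension that needs code beyond equality matching; a production rule set would also want the place (source IP) and result dimensions expressed as sets or CIDR ranges rather than single values.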
optionally, in another embodiment of the present application, an implementation manner of step S102, as shown in fig. 2, includes:
s201, integrating the operation log data according to a preset audit rule to obtain a data mapping capable of being preprocessed.
For the original behavior logs of the cloud service provider, the auditing device carries out preprocessing analysis on two aspects, managed resource behavior and agent operation behavior, and for the different management agent operation subclasses (host operation behavior, data center operation behavior, virtual machine operation behavior, network operation behavior and storage operation behavior) it performs log analysis and preprocessing on the corresponding behaviors of the OpenStack, vCenter and Hyper-V platforms.
In the OpenStack logs, the user login log is horizon-access.log; the cloud hard disk (volume) usage log is cinder-volume.log; the cloud host usage log is nova-compute.log; and the network usage log is neutron-server.log.
And S202, converting the data mapping to obtain behavior event data in a unified format.
The uniform format of the behavior event data comprises the following field information:
time, source address IP, source object (mainly referring to operator), target IP, operation target object, event type, operation behavior type, information, operation result, level, and the like.
For example: {"timestamp": 15300280101, "sourceIp": "127.0.11.3", "sourceObj": "admin1", "destIP": "127.0.1", "destObj": "virtual machine a", "eventType": "virtual machine behavior", "actionType": "virtual machine clone", "msg": "... the source log msg", "eventLevel": "error", "actionResult": ""}.
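Steps S201 and S202 applied to the four OpenStack logs named above, as an added example that is not code from the patent: constructed lines in the style of horizon-access.log, nova-compute.log, cinder-volume.log and neutron-server.log are mapped into the unified field set listed above. The line layouts loosely follow the default oslo.log format and the Apache combined log format; the user names, identifiers, the keyword-to-action mapping, the UTC interpretation of timestamps, and the convention that an ERROR level means a failed result are all assumptions, and real logs carry far more varied messages than this mapping covers.

```python
"""Normalize OpenStack service log lines into the unified behavior event format (added example, not the patent's code)."""
import re
from datetime import datetime, timezone

# Constructed sample lines (file name, line). Formats are approximations; ids and users are invented.
SAMPLE_LINES = [
    ("horizon-access.log", '10.0.0.5 - admin1 [27/Sep/2021:10:14:58 +0000] "POST /auth/login/ HTTP/1.1" 302 512'),
    ("nova-compute.log", "2021-09-27 10:15:32.123 2211 INFO nova.compute.manager [req-9c2e admin1 demo] [instance: 3f1a] Terminating instance"),
    ("nova-compute.log", "2021-09-27 10:16:05.447 2211 ERROR nova.compute.manager [req-9c2f admin1 demo] [instance: 3f1a] Starting instance failed"),
    ("cinder-volume.log", "2021-09-27 10:20:01.002 3104 INFO cinder.volume.manager [req-77aa ops2 demo] [volume: vol-001] Delete volume completed"),
    ("neutron-server.log", "2021-09-27 10:21:40.900 1802 INFO neutron.api.v2.resource [req-d1d1 ops2 demo] create_network completed"),
]

# "<date> <time>.<ms> <pid> <LEVEL> <logger> [req-<id> <user> <project>] [instance|volume: <id>]? <message>"
OSLO_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \d+ (?P<level>[A-Z]+) (?P<logger>[\w.]+) "
    r"\[req-\S+ (?P<user>\S+) \S+\](?: \[(?:instance|volume): (?P<target>[^\]]+)\])? (?P<msg>.*)$"
)
# Apache combined format; the remote-user field is assumed to carry the Horizon user name.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+$')

# Assumed keyword-to-actionType mapping (lower-cased substring match, first hit wins).
ACTION_KEYWORDS = [
    ("terminating instance", "virtual machine delete"),
    ("starting instance", "virtual machine start"),
    ("delete volume", "disk delete"),
    ("attach volume", "disk mount"),
    ("create_network", "network create"),
]
EVENT_TYPE_BY_LOGGER = {"nova": "virtual machine behavior", "cinder": "storage behavior", "neutron": "network behavior"}


def classify_action(msg):
    lowered = msg.lower()
    for keyword, action in ACTION_KEYWORDS:
        if keyword in lowered:
            return action
    return "unknown"


def parse_oslo_line(line):
    """Step S201/S202 for service logs: returns a unified event dict, or None if the line does not parse."""
    m = OSLO_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    level = m["level"].lower()
    return {
        "timestamp": int(ts.timestamp()),
        "sourceIp": "",                 # oslo lines carry no client address; left empty
        "sourceObj": m["user"],
        "destIP": "",
        "destObj": m["target"] or "",
        "eventType": EVENT_TYPE_BY_LOGGER.get(m["logger"].split(".")[0], "other"),
        "actionType": classify_action(m["msg"]),
        "msg": m["msg"],
        "eventLevel": level,
        "actionResult": "failure" if level == "error" else "success",   # assumption
    }


def parse_access_line(line):
    """Same mapping for horizon-access.log; only login/logout requests get a specific actionType."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req = m["req"]
    action = "cloud platform login" if "/auth/login" in req else "cloud platform logout" if "/auth/logout" in req else "web request"
    ok = m["status"] in ("200", "302")
    return {
        "timestamp": int(ts.timestamp()), "sourceIp": m["ip"], "sourceObj": m["user"], "destIP": "", "destObj": "horizon",
        "eventType": "login behavior", "actionType": action, "msg": req,
        "eventLevel": "info" if ok else "warning", "actionResult": "success" if ok else "failure",
    }


def normalize(lines):
    """Dispatch on the source file name and drop lines that do not parse."""
    events = []
    for name, line in lines:
        ev = parse_access_line(line) if name.startswith("horizon") else parse_oslo_line(line)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LINES):
        print(ev)
```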
Specifically, after behavior event data in a uniform format is obtained, the behavior event data is stored in an ElasticSearch database of the auditing device.
Risk rule management is operated through a browser, then processed and stored in the database by the server-side audit rule management service; based on the risk rule management, the user of the cloud service provider behavior auditing device manages the operation risk behavior of the cloud service provider by adding, deleting, defining and otherwise maintaining risk rules.
And S103, generating an analysis result according to the behavior event data.
And the behavior analysis result indicates whether the operation behavior of the cloud service user has risk or not.
It is understood that different cloud service users may have their own operational behaviors, and for this reason, in another embodiment of the present application, an implementation after step S102, as shown in fig. 3, further includes:
s301, matching the behavior event data in the behavior portrait of the cloud service provider user to obtain a matching result.
The definition of the behavior portrait includes: identifying the operation behavior portrait from an audit task to obtain the list of related agents; and scoring and labeling the operation behavior events of each agent. The scoring rules are based on the audit rules, and scores are assigned on a scale of 1 to 100 according to the number of risk occurrences; where one audit rule has several scoring rules, they are combined by a weighted average.
The data source for establishing the behavior portrait is behavior log data related to user operation behaviors of the cloud service provider, and comprises starting and stopping of a virtual machine, creation of the virtual machine, deletion of the virtual machine, cloning of the virtual machine, snapshot of the virtual machine, restarting of the virtual machine, closing of the virtual machine, login and logout of a cloud platform, change of host configuration, disk allocation, disk deletion, hanging operation, disk expansion, disk recovery, network creation, network allocation, network ACL configuration, network ACL deletion, host user login, host shutdown, host password modification, host user authorization and the like.
Certainly, in a specific implementation process of the present application, the behavior representation may be managed, and therefore, in another embodiment of the present application, an implementation manner of the method for analyzing the risk of the cloud service business further includes: and receiving and responding to the behavior portrait management command.
Specifically, the behavior portrait management command may include, but is not limited to: creating, deleting, modifying and changing a user portrait; creating, deleting and modifying the label rules of the behavior portrait; and creating, deleting and modifying the scoring rules of the behavior portrait. After an audit task has been executed, a behavior portrait task is established.
The behavior portrait manager clicks the behavior portrait through a browser, selects an agent (namely a user) identified by the auditing task, performs portrait generation and portrait updating operations on the agent, and performs scoring and tagging data statistical analysis on the agent operation events in the processes of the portrait generation and portrait updating tasks.
Optionally, in another embodiment of the present application, an implementation of the method for generating a representation, as shown in fig. 4, includes:
s401, identifying and classifying historical behavior event data of cloud service provider users to obtain behavior type data of multiple categories.
The historical behavior event data source of the cloud service provider user mainly adopts two modes of cloud platform interface calling and protocol reading. Specifically, a cloud platform interface calling mode is a mode of calling through a cloud platform SDK and an API (application program interface), data such as cloud platform assets, configuration, operation behaviors and the like are read from a vSphere management platform and an OpenStack management platform, and the mode needs a user name and a password of a read-only authority user; the protocol reading mode mainly comprises the steps of obtaining system logs such as cloud platform configuration, operation behaviors and the like from a cloud platform host, a physical host and a virtual machine through a Syslog protocol, and reading data such as system configuration, a network interface, a CPU (Central processing Unit) and load, a memory and a disk from the cloud platform host, the virtual machine, a network and the like through an SNMP protocol.
S402, scoring the behavior type data by using a scoring rule corresponding to the auditing rule aiming at each behavior type data to obtain the score of the behavior type data.
Specifically, the scoring formula may employ, but is not limited to:
the composite mean score is avg (sum (score value × weight)).
By obtaining the scoring rules related to the audit rules, the score value of each rule is weighted, the weighted values of all scoring rules are summed, and finally a comprehensive average is calculated.
And S403, generating the behavior portrait of the cloud service provider user based on the scores of all the behavior type data.
Specifically, all rule scores are analyzed and displayed on the administrator's task portrait through a radar chart, with the following contents: audit rule risk analysis based on the log event data; analysis and processing to obtain the operation behavior context of risk events; portrait analysis based on the user's operation behaviors; and analysis and display of the user's key Top operation behavior labels.
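A runnable form of steps S401 to S403, added here and not taken from the patent: historical events are classified into the behavior categories named above, each audit rule's scoring rules are combined by weighted average, the result is raised with the number of occurrences and capped at 100, category and overall scores are averaged, and the highest-scoring rules become the agent's labels. The rule names, scoring values, weights, the 5-point increment per extra occurrence and the hit records are constructed assumptions; the page gives only the avg(sum(score value × weight)) outline.

```python
"""Behavior portrait scoring for a cloud service provider agent (added example, not the patent's code)."""
from collections import Counter, defaultdict
from statistics import mean

# Constructed audit rules: the step S401 category each belongs to, and the scoring rules attached to it
# as (score value on the 1-100 scale, weight). Names, values and weights are assumptions.
AUDIT_RULES = {
    "storage-mount-offhours": {"category": "storage", "scoring": [(80, 0.6), (60, 0.4)]},
    "vm-delete-burst": {"category": "virtual machine", "scoring": [(90, 1.0)]},
    "net-acl-delete": {"category": "network", "scoring": [(70, 0.5), (50, 0.5)]},
}

# Constructed historical behavior events (only the fields used here) and the audit-rule hits derived from them.
HISTORY = [
    {"sourceObj": "admin1", "actionType": "disk mount"},
    {"sourceObj": "admin1", "actionType": "disk mount"},
    {"sourceObj": "admin1", "actionType": "disk mount"},
    {"sourceObj": "admin1", "actionType": "virtual machine delete"},
    {"sourceObj": "admin1", "actionType": "host user login"},
    {"sourceObj": "ops2", "actionType": "network ACL deletion"},
    {"sourceObj": "ops2", "actionType": "network ACL deletion"},
]
HITS = [
    {"sourceObj": "admin1", "rule": "storage-mount-offhours"},
    {"sourceObj": "admin1", "rule": "storage-mount-offhours"},
    {"sourceObj": "admin1", "rule": "storage-mount-offhours"},
    {"sourceObj": "admin1", "rule": "vm-delete-burst"},
    {"sourceObj": "ops2", "rule": "net-acl-delete"},
    {"sourceObj": "ops2", "rule": "net-acl-delete"},
]

# Keyword order matters: "virtual machine" is tested before "host" so "virtual machine start" is not a host event.
CATEGORY_KEYWORDS = [("virtual machine", "virtual machine"), ("disk", "storage"), ("network", "network"),
                     ("host", "host"), ("data center", "data center")]


def classify(action_type):
    """Step S401: map an actionType to one of the five behavior categories the page names."""
    lowered = action_type.lower()
    for keyword, category in CATEGORY_KEYWORDS:
        if keyword in lowered:
            return category
    return "other"


def category_counts(events, agent):
    return Counter(classify(ev["actionType"]) for ev in events if ev["sourceObj"] == agent)


def rule_base_score(scoring):
    """Weighted average of one audit rule's scoring rules: sum(value * weight) / sum(weight)."""
    return sum(v * w for v, w in scoring) / sum(w for _, w in scoring)


def score_rule(rule_name, occurrences, step=5):
    """Step S402: base score raised by `step` per additional occurrence (assumed), capped at 100."""
    base = rule_base_score(AUDIT_RULES[rule_name]["scoring"])
    return min(100.0, base + step * (occurrences - 1))


def build_portrait(events, hits, agent, top_n=3):
    """Step S403: per-rule and per-category scores, an overall score and the top labels for one agent."""
    occurrences = Counter(h["rule"] for h in hits if h["sourceObj"] == agent)
    rule_scores = {r: score_rule(r, n) for r, n in occurrences.items()}
    per_category = defaultdict(list)
    for r, s in rule_scores.items():
        per_category[AUDIT_RULES[r]["category"]].append(s)
    category_scores = {c: mean(v) for c, v in per_category.items()}
    overall = mean(list(category_scores.values())) if category_scores else 0.0
    labels = [r for r, _ in sorted(rule_scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]]
    return {"agent": agent, "eventCounts": dict(category_counts(events, agent)), "ruleScores": rule_scores,
            "categoryScores": category_scores, "score": overall, "labels": labels}


if __name__ == "__main__":
    for agent in ("admin1", "ops2"):
        print(build_portrait(HISTORY, HITS, agent))
```

Averaging per category before averaging overall keeps one noisy category (many storage rules firing) from dominating the agent's score; whether that matches the radar chart's per-axis values depends on the scoring rules configured in the device.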
And S302, generating an analysis report according to the matching result.
The analysis report is used for determining whether the operation behavior of the cloud service provider user is abnormal or not.
In the practical application of the present application, audit analysis of the source log data is carried out according to the audit rules; the source logs of a formed audit task cover a time range, based on the latest offline data; the corresponding behavior risk logs are analyzed by rule according to the audit rules; the operation context can be identified on the valid behavior logs; and risk auditing is performed through the operation context and the audit rules.
Similarly, each audit task can be accessed through the cloud platform data, and the safety assessment personnel sets basic information of the cloud platform to be audited, namely operations such as new creation, deletion and modification of the audit task; starting, restarting, stopping and the like of the audit task; persistent storage and retrieval of audit tasks; configuring an audit task, wherein the configured content at least comprises a related rule and an audit object log which are required to be audited by the audit task; the starting time of the tasks can be customized, and the delayed starting of the tasks is supported.
An administrator of the audit device clicks to start an audit task through a browser; the task is handed to a background task of the subsystem task center server to start, and data analysis and risk rule inspection statistics are carried out during task execution.
Optionally, in another embodiment of the present application, after obtaining the analysis report, an implementation manner of the method for analyzing risk of a cloud service business further includes: determining a preset number of abnormal operation behaviors in the analysis report, and generating an abnormal operation behavior label; and all abnormal operation behavior labels are displayed.
Because the audit work needs to be supported by historical evidences, the operation behavior tracing module can provide all cloud platform operation behavior tracing functions for safety assessment personnel, including data center operation behavior, host operation behavior, virtual machine operation behavior, network operation behavior and storage operation behavior tracing. The safety assessment personnel can input the combination of retrieval conditions such as host names, behavior types, cloud administrator names, IP addresses, time periods and the like, and the combination is processed by a special operation behavior tracing engine to trace information such as users, virtual machines, target addresses, hardware equipment and the like. Meanwhile, abnormal behaviors are displayed in a diagram mode, and operation behavior information of a specified host, a virtual machine, an IP and a user is exported. Therefore, in another embodiment of the present application, an implementation manner of the method for analyzing the risk of the cloud service business behavior further includes: receiving and responding to a retrieval instruction input by an evaluation person to obtain a tracking log; wherein the trace log is exportable and can be presented in a graph manner; the chart includes abnormal operating behavior.
Operation behavior tracing takes operation behavior events as its data, and comprises: backtracking data center operation behaviors, host operation behaviors, virtual machine operation behaviors, network operation behaviors and storage operation behaviors; allowing the security assessment personnel to input a combination of retrieval conditions such as host names, behavior types, cloud administrator names, IP addresses and time periods; supporting large data volumes with fast retrieval; exporting the tracing data; and supporting display of abnormal behaviors in graph form. Operation behavior tracing management is operated through a browser and handed to the retrieval engine of the behavior tracing service; the behavior tracing engine of the cloud service provider behavior auditing device performs multi-dimensional combined analysis, tracing and data export on the related behaviors.
In the practical application process of the application, basic functions such as system configuration, user authority management and the like are provided for safety assessment personnel, and the specific functions are as follows: supporting user account management; role management is supported; supporting data dictionary configuration; password modification is supported, and password complexity verification is supported; the password must be modified for initial login; it is desirable to provide multi-user role-based access control functionality.
The system management of the cloud service provider operation behavior auditing device is mainly used by the administrator to manage, use and distribute functions such as the platform data dictionary, user accounts, roles and multi-user role-based access control. It mainly comprises: adding, modifying, deleting and disabling user accounts and assigning roles; adding, modifying, deleting and authorizing roles; adding, modifying and deleting data dictionaries and configuring dictionary values; and assigning access control permissions to multiple users.
A system administrator clicks user account management, role management, data dictionary configuration and access control of multi-user roles through a browser, so that different users can access and control different relevant modules to operate through the roles.
In the practical application of the present application, big data user portrait technology is adopted to store and analyze the operation behaviors of cloud platform users over long periods, summarize the statistical patterns in the behavior data to obtain labels for the cloud service provider's operation behavior data, retrieve those labels in the portrait, trace the cloud service provider's historical operation behaviors, quickly match the labels against the historical operation behaviors to generate operation behavior analysis reports, and detect when a user's operation behavior is abnormal. The device used by the cloud service provider is composed of four modules, namely data acquisition, data storage, data analysis, and management and application; the specific architecture is shown in fig. 5.
The acquisition layer collects log information from the OpenStack and vSphere cloud platforms; the data storage layer comprises a MySQL relational database, a non-relational database and a file system; the data analysis engine is composed of stream and batch processing frameworks that are mature in the industry, and the users' behavior portrait results are stored in the relational database; the management and application layer displays the behavior portraits, evaluation reports and behavior tracing logs on the one hand, and on the other hand is responsible for adding, deleting, modifying, starting and stopping the system's basic configuration and audit tasks.
The system adopts a front-end and back-end separated architecture; the front end completes the UI interaction using the React framework, and the back end adopts a Spring Boot microservice architecture. The main functional modules comprise system management, audit task management, audit rule management, data acquisition configuration management, audit task report management, administrator behavior portrait and behavior log tracing, and interact with the front end through a unified RESTful service gateway. The data storage comprises basic user data and log analysis data: the basic user data is stored in a MySQL relational database, and the log analysis data is mainly stored, analyzed and retrieved through an ElasticSearch database.
A unified RESTful service gateway is adopted in the microservices, which decouples the interaction between the background microservice components and the front-end UI: the UI program is prevented from interacting directly with each microservice subsystem, and the microservice subsystems can be scaled horizontally according to their resource requirements, achieving high availability of the system.
The ElasticSearch database is adopted to store the behavior risk events because ElasticSearch meets the data storage magnitude required by large log volumes, has a notable advantage in full-text retrieval, and provides near-real-time query efficiency at large data volumes. The functional architecture of the operation behavior auditing system is shown in fig. 6.
The application is deployed in Docker and divided into a WEB application server, an APP application server and a DB data server. The WEB application server mainly deploys the UI front-end service, the unified gateway service and the microservice registration center; the APP server deploys the system management service, JOB task subsystem, acquisition module, audit service microservice and other services required by the platform; and the DB data server deploys the ElasticSearch database, MySQL database, Mongo database and the Kibana visualization analysis module, as shown in fig. 7.
According to the scheme, the method for analyzing the behavior risk of the cloud service provider comprises the following steps: firstly, collecting operation log data of a cloud service provider user; then, processing the operation log data based on a preset audit rule to obtain behavior event data; finally, generating an analysis result according to the behavior event data; and the behavior analysis result indicates whether the operation behavior of the cloud service user has risk or not. Therefore, the purpose of accurately finding whether the operation behavior of the cloud service provider has risks or not, effectively avoiding the risks of the operation behavior of the cloud service provider and guaranteeing the safety of the cloud service provider platform is achieved.
Another embodiment of the present application provides an apparatus for analyzing risk of cloud service business behavior, as shown in fig. 8, specifically including:
the collection unit 801 is configured to collect operation log data of a cloud service provider user.
Optionally, in another embodiment of the present application, an implementation manner of the acquisition unit 801 includes:
and the collection subunit is used for remotely collecting the operation log data of the cloud service provider user through a Secure Shell (SSH) protocol and/or a hypertext transfer protocol interface.
The acquisition unit is used for acquiring the operation log data of the cloud service provider user in an off-line uploading mode.
For specific working processes of the units disclosed in the above embodiments of the present application, reference may be made to the contents of the corresponding method embodiments, which are not described herein again.
The processing unit 802 is configured to process the operation log data based on a preset audit rule to obtain behavior event data.
Optionally, in another embodiment of the present application, an implementation manner of the processing unit 802 includes:
and the integration unit is used for integrating the operation log data according to a preset audit rule to obtain a data mapping capable of being preprocessed.
And the conversion unit is used for converting the data mapping to obtain behavior event data in a uniform format.
For a specific working process of the unit disclosed in the above embodiment of the present application, reference may be made to the content of the corresponding method embodiment, as shown in fig. 2, which is not described herein again.
And the analysis unit 803 is used for generating an analysis result according to the behavior event data. And the behavior analysis result indicates whether the operation behavior of the cloud service user has risk or not.
For a specific working process of the unit disclosed in the above embodiment of the present application, reference may be made to the content of the corresponding method embodiment, as shown in fig. 1, which is not described herein again.
Optionally, in another embodiment of the present application, an implementation manner of the apparatus for analyzing risk of a cloud service business further includes:
and the matching unit is used for matching the behavior event data in the behavior portrait of the cloud service provider user to obtain a matching result.
And the generating unit is used for generating an analysis report according to the matching result.
The analysis report is used for determining whether the operation behavior of the cloud service provider user is abnormal or not.
For a specific working process of the unit disclosed in the above embodiment of the present application, reference may be made to the content of the corresponding method embodiment, as shown in fig. 3, which is not described herein again.
Optionally, in another embodiment of the present application, an implementation of the behavior representation generating unit includes:
and the classification unit is used for identifying and classifying the historical behavior event data of the cloud service provider user to obtain behavior type data of a plurality of categories.
And the scoring unit is used for scoring the behavior type data by utilizing the scoring rule corresponding to the auditing rule aiming at each behavior type data to obtain the score of the behavior type data.
And the behavior portrait generation subunit is used for generating the behavior portrait of the cloud service provider user based on the scores of all the behavior type data.
For a specific working process of the unit disclosed in the above embodiment of the present application, reference may be made to the content of the corresponding method embodiment, as shown in fig. 4, which is not described herein again.
Optionally, in another embodiment of the present application, an implementation manner of the apparatus for analyzing risk of a cloud service business further includes:
and the determining unit is used for determining a preset number of abnormal operation behaviors in the analysis report and generating abnormal operation behavior labels.
And the display unit is used for displaying all the abnormal operation behavior labels.
For specific working processes of the units disclosed in the above embodiments of the present application, reference may be made to the contents of the corresponding method embodiments, which are not described herein again.
Optionally, in another embodiment of the present application, an implementation manner of the apparatus for analyzing risk of a cloud service business further includes:
the receiving unit is used for receiving a retrieval instruction input by an evaluation person;
the first response unit is used for responding to the retrieval instruction to obtain a tracking log; wherein the trace log is exportable and can be presented in a graph manner; the chart includes abnormal operating behavior.
For specific working processes of the units disclosed in the above embodiments of the present application, reference may be made to the contents of the corresponding method embodiments, which are not described herein again.
Optionally, in another embodiment of the present application, an implementation manner of the apparatus for analyzing risk of a cloud service business further includes:
and the second response unit is used for receiving and responding to the audit rule management instruction.
For specific working processes of the units disclosed in the above embodiments of the present application, reference may be made to the contents of the corresponding method embodiments, which are not described herein again.
Optionally, in another embodiment of the present application, an implementation manner of the apparatus for analyzing risk of a cloud service business further includes:
and the third response unit is used for receiving and responding to the behavior portrait management instruction.
For specific working processes of the units disclosed in the above embodiments of the present application, reference may be made to the contents of the corresponding method embodiments, which are not described herein again.
According to the above scheme, the present application provides an analysis apparatus for risk of cloud service business behavior: firstly, an acquisition unit 801 acquires operation log data of a cloud service provider user; then, the processing unit 802 processes the operation log data based on a preset audit rule to obtain behavior event data; finally, the analysis unit 803 generates an analysis result from the behavior event data; and the behavior analysis result indicates whether the operation behavior of the cloud service user has risk or not. Therefore, the purpose of accurately finding whether the operation behavior of the cloud service provider has risks or not, effectively avoiding the risks of the operation behavior of the cloud service provider and guaranteeing the safety of the cloud service provider platform is achieved.
Another embodiment of the present application provides a server, as shown in fig. 9, including:
one or more processors 901.
Storage 902 having one or more programs stored thereon.
The one or more programs, when executed by the one or more processors 901, cause the one or more processors 901 to implement the method for analyzing risk of behavior of a cloud service business as described in any of the above embodiments.
Another embodiment of the present application provides a computer storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for analyzing risk of business of cloud services according to any one of the above embodiments.
In the above embodiments disclosed in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present disclosure may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part. The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a live broadcast device, or a network device) to execute all or part of the steps of the method according to the embodiments of the present disclosure. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Those skilled in the art can make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A cloud service provider behavior risk analysis method, comprising the following steps:
collecting operation log data of a cloud service provider user;
processing the operation log data based on a preset audit rule to obtain behavior event data; and
generating an analysis result according to the behavior event data; wherein the analysis result indicates whether the operation behavior of the cloud service provider user carries risk.
2. The analysis method according to claim 1, further comprising, after processing the operation log data based on the preset audit rule to obtain the behavior event data:
matching the behavior event data against the behavior portrait of the cloud service provider user to obtain a matching result; and
generating an analysis report according to the matching result; wherein the analysis report is used for determining whether the operation behavior of the cloud service provider user is abnormal.
3. The analysis method of claim 1, wherein collecting the operation log data of the cloud service provider user comprises:
remotely collecting operation log data of the cloud service provider user through a Secure Shell (SSH) protocol interface and/or a Hypertext Transfer Protocol (HTTP) interface; and
obtaining operation log data of the cloud service provider user by offline upload.
4. The analysis method of claim 1, wherein processing the operation log data based on the preset audit rule to obtain the behavior event data comprises:
integrating the operation log data according to the preset audit rule to obtain a data mapping that can be preprocessed; and
converting the data mapping to obtain behavior event data in a uniform format.
5. The analysis method of claim 2, wherein the behavior portrait is generated by:
performing behavior identification and classification on historical behavior event data of the cloud service provider user to obtain behavior type data of multiple categories;
for each item of behavior type data, scoring it with the scoring rule corresponding to the audit rule to obtain a score for that behavior type data; and
generating the behavior portrait of the cloud service provider user based on the scores of all the behavior type data.
6. The analysis method according to claim 2, further comprising, after generating the analysis report according to the matching result:
determining a preset number of abnormal operation behaviors in the analysis report and generating abnormal operation behavior labels; and
displaying all the abnormal operation behavior labels.
7. The analysis method of claim 1, further comprising:
receiving a retrieval instruction input by an evaluator; and
obtaining a tracking log in response to the retrieval instruction; wherein the tracking log is exportable and can be presented graphically, and the graph includes the abnormal operation behavior.
8. The analysis method of claim 1, further comprising:
receiving and responding to an audit rule management instruction.
9. The analysis method of claim 2, further comprising:
receiving and responding to a behavior portrait management instruction.
10. A cloud service provider behavior risk analysis apparatus, comprising:
an acquisition unit for acquiring operation log data of a cloud service provider user;
a processing unit for processing the operation log data based on a preset audit rule to obtain behavior event data; and
an analysis unit for generating an analysis result according to the behavior event data; wherein the analysis result indicates whether the operation behavior of the cloud service provider user carries risk.
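The following is an added illustration of the pipeline the claims describe, written for this page and not code from the patent or its applicant: raw operation logs in two shapes (standing in for SSH-collected text lines and HTTP-collected JSON records, claim 3) are mapped by preset audit rules into uniform behavior events (claim 4), historical events are classified and scored into a per-user behavior portrait (claim 5), and new events are matched against that portrait to produce a bounded set of abnormal-behavior labels (claims 2 and 6). Every log line, field name, behavior category, score and threshold here is constructed for the example; the patent specifies none of them.

```python
"""Toy version of the claimed method: logs -> uniform behavior events -> behavior
portrait -> matching with anomaly labels. All inputs and rules are constructed."""
import json
import re
from collections import Counter

# Constructed history and new-activity logs. "SSH" lines are key=value text,
# "HTTP" records are JSON, so the audit rules must normalise two formats.
HISTORY_SSH = [
    "2021-09-27T08:01:02 op-user=alice action=vm.create target=vm-101 result=ok",
    "2021-09-27T08:05:10 op-user=alice action=vm.start target=vm-101 result=ok",
]
HISTORY_HTTP = [
    '{"ts": "2021-09-27T09:12:00", "user": "bob", "api": "DescribeInstances", "code": 200}',
]
NEW_SSH = [
    "2021-09-27T23:40:00 op-user=alice action=sg.rule.add target=sg-7 result=ok",
    "2021-09-27T10:00:00 op-user=alice action=vm.start target=vm-101 result=ok",
    "this line matches no audit rule and is dropped",
]
NEW_HTTP = [
    '{"ts": "2021-09-27T09:12:05", "user": "bob", "api": "DeleteInstance", "code": 403}',
    '{"ts": "2021-09-27T03:00:00", "user": "carol", "api": "ExportSnapshot", "code": 200}',
]

# Preset audit rules (constructed): how to parse each source, which behavior
# type each raw action belongs to, and the score attached to each type.
LINE_RE = re.compile(r"(?P<ts>\S+) op-user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"target=(?P<target>\S+) result=(?P<result>\S+)")
BEHAVIOR_TYPE = {
    "vm.create": "resource_change", "vm.start": "resource_change",
    "DeleteInstance": "resource_change", "sg.rule.add": "security_config",
    "DescribeInstances": "query",
}
TYPE_SCORE = {"query": 1, "resource_change": 3, "security_config": 5}
UNKNOWN_SCORE = 5  # actions no rule classifies are treated as high risk, not ignored


def to_events(ssh_lines, http_lines):
    """Apply the audit rules to both sources and emit events in one uniform shape."""
    events = []
    for line in ssh_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unmatched lines are dropped rather than guessed at
        d = m.groupdict()
        events.append({"ts": d["ts"], "user": d["user"], "action": d["action"],
                       "ok": d["result"] == "ok"})
    for raw in http_lines:
        d = json.loads(raw)
        events.append({"ts": d["ts"], "user": d["user"], "action": d["api"],
                       "ok": d["code"] < 400})
    for e in events:
        e["type"] = BEHAVIOR_TYPE.get(e["action"], "unknown")
        e["score"] = TYPE_SCORE.get(e["type"], UNKNOWN_SCORE)
    return events


def build_portrait(history_events):
    """Per-user portrait: which behavior types were seen and their summed score."""
    portrait = {}
    for e in history_events:
        p = portrait.setdefault(e["user"], {"types": Counter(), "score": 0})
        p["types"][e["type"]] += 1
        p["score"] += e["score"]
    return portrait


def match_event(event, portrait):
    """Labels describing how one event departs from the user's portrait."""
    labels = []
    p = portrait.get(event["user"])
    if p is None:
        labels.append("unknown_user")
    elif event["type"] not in p["types"]:
        labels.append("new_behavior_type")
    if not event["ok"]:
        labels.append("failed_operation")
    hour = int(event["ts"][11:13])
    if event["score"] >= 5 and (hour < 6 or hour >= 22):
        labels.append("high_risk_off_hours")
    return labels


def analyze(new_events, portrait, max_flagged=3):
    """Analysis report: the preset number of most-labelled abnormal behaviors."""
    flagged = [(e["ts"], e["user"], e["action"], match_event(e, portrait))
               for e in new_events]
    flagged = [f for f in flagged if f[3]]
    flagged.sort(key=lambda f: (-len(f[3]), f[0]))
    return flagged[:max_flagged]


if __name__ == "__main__":
    portrait = build_portrait(to_events(HISTORY_SSH, HISTORY_HTTP))
    for ts, user, action, labels in analyze(to_events(NEW_SSH, NEW_HTTP), portrait):
        print(ts, user, action, ",".join(labels))
```

The portrait deliberately stores only counts and a summed score per behavior type, which is enough for the "type never seen before" check the matching step relies on; a production version would also keep per-type time-of-day and failure-rate baselines so that the off-hours and failed-operation rules are derived from the user's own history rather than fixed constants.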

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111134753.8A CN113836525B (en) 2021-09-27 2021-09-27 Cloud service business risk analysis method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111134753.8A CN113836525B (en) 2021-09-27 2021-09-27 Cloud service business risk analysis method and device

Publications (2)

Publication Number Publication Date
CN113836525A true CN113836525A (en) 2021-12-24
CN113836525B CN113836525B (en) 2024-05-07

Family

ID=78970580

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111134753.8A Active CN113836525B (en) 2021-09-27 2021-09-27 Cloud service business risk analysis method and device

Country Status (1)

Country Link
CN (1) CN113836525B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108268354A (en) * 2016-12-30 2018-07-10 腾讯科技(深圳)有限公司 Data safety monitoring method, background server, terminal and system
US10210548B1 (en) * 2013-11-25 2019-02-19 Groupon, Inc. Predictive recommendation system using absolute relevance
CN109471846A (en) * 2018-11-02 2019-03-15 中国电子科技网络信息安全有限公司 User behavior auditing system and method on a kind of cloud based on cloud log analysis
CN111080440A (en) * 2019-12-18 2020-04-28 上海良鑫网络科技有限公司 Big data wind control management system
CN111107072A (en) * 2019-12-11 2020-05-05 中国科学院信息工程研究所 Authentication graph embedding-based abnormal login behavior detection method and system
CN111245793A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 Method and device for analyzing abnormity of network data
CN111709765A (en) * 2020-03-25 2020-09-25 中国电子科技集团公司电子科学研究院 User portrait scoring method and device and storage medium
CN112114995A (en) * 2020-09-29 2020-12-22 平安普惠企业管理有限公司 Process-based terminal anomaly analysis method, device, equipment and storage medium
CN112765003A (en) * 2020-12-31 2021-05-07 北方工业大学 Risk prediction method based on APP behavior log


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DANCHEN WANG; YANG XU; PENG XU: "Information System's Security Evaluation of Dynamic Behavior Based on Service Composition", 2015 10TH INTERNATIONAL CONFERENCE ON INTELLIGENT SYSTEMS AND KNOWLEDGE ENGINEERING (ISKE), 27 November 2015 (2015-11-27), pages 112 - 120, XP032850156, DOI: 10.1109/ISKE.2015.71 *
徐桥: "Research on identification and prediction of abnormal carrier users on online freight platforms based on data mining", Information Science and Technology, no. 2, 15 February 2021 (2021-02-15), pages 20 - 45 *
沈科, 叶晓俊, 刘孝男, 李斌: "Inferring Android application behavior intent based on API call analysis", Journal of Tsinghua University (Science and Technology), vol. 57, no. 11, 30 November 2017 (2017-11-30), pages 1139 - 1144 *

Also Published As

Publication number Publication date
CN113836525B (en) 2024-05-07

Similar Documents

Publication Publication Date Title
US9954888B2 (en) Security actions for computing assets based on enrichment information
US10885393B1 (en) Scalable incident-response and forensics toolkit
CN109831420B (en) Method and device for determining kernel process permission
US9231963B2 (en) Detecting anomalous behavior patterns in an electronic environment
US20240054234A1 (en) Methods and systems for hardware and firmware security monitoring
US20120311562A1 (en) Extendable event processing
US11962611B2 (en) Cyber security system and method using intelligent agents
EP2519893A1 (en) Consolidated security application dashboard
CN101321084A (en) Method and apparatus for generating configuration rules for computing entities within a computing environment using association rule mining
US9104706B2 (en) Meta-directory control and evaluation of events
CA2883090A1 (en) Systems and methods for automated memory and thread execution anomaly detection in a computer network
KR20060066570A (en) Method and system for monitoring performance of applications in a distributed environment
CN102571476B (en) A kind of method and apparatus of monitoring terminal command line in real time
CN104038466A (en) Intrusion detection system, method and device for cloud calculating environment
US20070078841A1 (en) System and method for network resource management
CN114127720A (en) System and method for multi-source vulnerability management
CN110971464A (en) Operation and maintenance automatic system suitable for disaster recovery center
KR101765828B1 (en) Apparatus and method for detecting vulnerability of cloud system
JP2021027505A (en) Monitoring device, monitoring method, and monitoring program
JP2016192185A (en) Spoofing detection system and spoofing detection method
CN111510463A (en) Abnormal behavior recognition system
CN113411302A (en) Network security early warning method and device for local area network equipment
CN111400720A (en) Terminal information processing method, system and device and readable storage medium
JP2016170568A (en) Log management control system and log management control method
CN114138483A (en) Virtualized resource management method, device, server, system and medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant