CA3059709A1 - Risk analysis method, device and computer readable medium - Google Patents

Info

Publication number
CA3059709A1
Authority
CA
Canada
Prior art keywords
target
target entity
behavior
knowledge map
entity
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CA3059709A
Other languages
French (fr)
Inventor
Nan Wang
Haoting Sun
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
10353744 Canada Ltd
Original Assignee
10353744 Canada Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 10/00 Administration; Management
    • G06Q 10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q 10/063 Operations research, analysis or management
    • G06Q 10/0635 Risk analysis of enterprise or organisation activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Human Resources & Organizations (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Economics (AREA)
  • Health & Medical Sciences (AREA)
  • General Engineering & Computer Science (AREA)
  • Game Theory and Decision Science (AREA)
  • Automation & Control Theory (AREA)
  • General Business, Economics & Management (AREA)
  • Tourism & Hospitality (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Marketing (AREA)
  • Educational Administration (AREA)
  • Development Economics (AREA)
  • Databases & Information Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present disclosure relates to a risk analysis method, device, electronic device, and computer readable medium, in the field of computer information processing. The method includes: acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior; using the target entity and the target behavior as nodes and the association relationship between them as an edge to jointly form a knowledge map model; and performing risk analysis for the target entity and the target behavior by using the knowledge map model. The risk analysis method, device, electronic device and computer readable medium of the present disclosure can comprehensively consider enterprise security, and can quickly target dangerous behaviors and dangerous targets in the event of a security incident.

Description

RISK ANALYSIS METHOD, DEVICE, ELECTRONIC DEVICE AND COMPUTER READABLE MEDIUM
Technical Field
[0001] The present disclosure relates to the field of computer information processing, and in particular to a risk analysis method, device, electronic device, and computer readable medium.
Background
[0002] Generally speaking, an enterprise is composed of human resources, funds, markets, machines and devices, materials, information and other elements. Enterprise management is becoming more and more important, especially in the current information society, where the electronic materials inside an enterprise can easily be stolen by its own employees, causing great business losses. To achieve sustainable and secure development, enterprises control information security in many ways: first, by improving the level of science and technology and building a network security system; second, by standardizing rules and regulations and promoting employees' awareness of information security; third, by refining the supervisory responsibilities of government departments at all levels and strengthening supervision. However, these measures constrain employees only from the perspective of ethics and regulations; for employees with particular purposes and intentions, they may have little effect. Moreover, employees who are themselves responsible for the enterprise's network security can easily remove the traces of their own irregular or illegal operations. Information security management within the enterprise is therefore an urgent problem to be solved.
[0003] Therefore, there is a need for a new risk analysis method, device, electronic device, and computer readable medium.
[0004] The above information disclosed in this Background Art section is only for enhancement of understanding of the background of the present disclosure, and thus it may include information that does not constitute a prior art known to a person of ordinary skill in the art.

Summary
[0005] In light of the foregoing, the present disclosure provides a risk analysis method, device, electronic device, and computer readable medium, which can comprehensively consider enterprise security and can quickly target dangerous behaviors and dangerous targets in the event of a security incident.
[0006] Other features and advantages of the present disclosure will be apparent from the following detailed description, or learned in part by the practice of implementing the disclosure.
[0007] According to an aspect of the present disclosure, a risk analysis method is provided.
The method comprises: acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior; using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and performing risk analysis for the target entity and the target behavior by using the knowledge map model.
[0008] In an exemplary embodiment of the present disclosure, the method further comprises: determining the strength of the association relationship on the basis of a frequency of operational behavior between the target entity and the target behavior.
[0009] In an exemplary embodiment of the present disclosure, the target entity comprises any combination of users, devices, and network addresses; and/or the target behavior comprises a plurality of predetermined behaviors of the target entity; and/or the association relationship between the target entity and the target behavior comprises an operational behavior.
[0010] In an exemplary embodiment of the present disclosure, the determining a target entity, a target behavior, and an association relationship between the target entity and the target behavior comprises: extracting a user, a device, and a network address in a monitoring log as the target entity; extracting a predetermined behavior in the monitoring log as the target behavior; and extracting an operational behavior between the target entity and the target behavior in the monitoring log as the association relationship.
[0011] In an exemplary embodiment of the present disclosure, the determining the strength of the relationship between the target entity and the target behavior comprises: determining the strength of the association relationship on the basis of a frequency of operational behavior between the target entity and the target behavior.
[0012] In an exemplary embodiment of the present disclosure, the using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model further comprises: using the strength of the association relationship as a weight of the edge of the knowledge map model.
[0013] In an exemplary embodiment of the present disclosure, the performing risk analysis for the target entity and the target behavior by using the knowledge map model comprises: determining a risk value of the target entity through the knowledge map model; and/or determining an abnormal target entity through the knowledge map model; and/or determining an abnormal target behavior through the knowledge map model.
[0014] In an exemplary embodiment of the present disclosure, the determining a risk value of the target entity through the knowledge map model comprises: acquiring a security level for each target behavior in the knowledge map model; determining the risk value of the target entity in the knowledge map model on the basis of the weight of the edge in the knowledge map model, the security level of the target behavior, and the out degree and/or in degree of each target entity in a target entity set in the knowledge map model.
[0015] In an exemplary embodiment of the present disclosure, the risk value of the target entity is calculated through the following risk formula:
$$R(j) = \sum_{i} \theta(i)\,\alpha(i)\,\frac{ID(Y_i)}{N_i}$$
[0016] wherein R(j) is the risk value of the target entity X_j, Y_i is the i-th target behavior associated with the target entity X_j, θ(i) is the connection strength between the target entity X_j and Y_i, α(i) is the security level of the target behavior Y_i, ID(Y_i) is the degree (in degree and/or out degree) of Y_i, and N_i is the number of target entities associated with Y_i.
[0017] In an exemplary embodiment of the present disclosure, the determining an abnormal target entity through the knowledge map model comprises: determining the target entity with a risk value greater than a threshold; determining a set of associated entities of the target entity; and determining the target entity to be an abnormal target entity if the risk value of the target entity is greater than the risk values of every target entity in the set of associated entities.
[0018] In an exemplary embodiment of the present disclosure, the determining an abnormal target behavior through the knowledge map model comprises: determining the abnormal target entity; determining risk values of every target behavior associated with the abnormal target entity through the knowledge map model; determining a target behavior corresponding to the maximum risk value to be the abnormal target behavior.
[0019] According to another aspect of the present disclosure, a risk analysis device is provided. The device comprises: an extraction module, which is used for acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior; a model module, which is used for using the target entity and the target behavior as nodes and the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and an analysis module, which is used for performing risk analysis for the target entity and the target behavior by using the knowledge map model.
[0020] According to another aspect of the present disclosure, an electronic device is provided. The electronic device comprises: one or more processors; and a storage device for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method described above.
[0021] According to another aspect of the present disclosure, a computer readable medium is provided, and the computer readable medium has stored thereon a computer program, wherein the program is executed by a processor to implement the method according to the descriptions above.
[0022] The risk analysis method, device, electronic device, and computer readable medium disclosed in the present disclosure can comprehensively consider enterprise security and can quickly target dangerous behaviors and dangerous targets in the event of a security incident.
[0023] It should be understood that the above general description and the following detailed description are merely exemplary and are not intended to limit the disclosure.
Brief Description of the Drawings
[0024] The above and other objects, features, and advantages of the present invention will become more apparent from the aspects of the description. The drawings described below are only some of the embodiments of the present disclosure, and a person skilled in the art can obtain other drawings based on these drawings without any inventive skills.
[0025] FIG. 1 is a system block diagram of a risk analysis method and device according to an exemplary embodiment of the present disclosure.
[0026] FIG. 2 is a flow chart of a risk analysis method according to an exemplary embodiment of the present disclosure.
[0027] FIG. 3 is a schematic diagram of a risk analysis method according to an exemplary embodiment of the present disclosure.
[0028] FIG. 4 is a schematic diagram of a risk analysis method according to another exemplary embodiment of the present disclosure.
[0029] FIG. 5 is a block diagram of a risk analysis device according to another exemplary embodiment of the present disclosure.
[0030] FIG. 6 is a block diagram of an electronic device according to another exemplary embodiment of the present disclosure.
[0031] FIG. 7 is a schematic diagram showing a computer readable storage medium according to another exemplary embodiment of the present disclosure.
Detailed Description
[0032] Exemplary embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. However, these exemplary embodiments can be embodied in many forms, and it should not be construed that the present invention is limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete. The same reference numerals in the drawings denote the same or similar parts, and repeated description thereof will be omitted.
[0033] Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details will be set forth; however, one skilled in the art will appreciate that the technical solution of the present disclosure may be practiced without one or more of the specific details, or other methods, components, devices, steps, etc. may be employed. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring the aspects of the present disclosure.
[0034] The block diagrams shown in the figures are merely functional entities and do not necessarily have to correspond to physically separate entities. That is, these functional entities may be implemented in software, or implemented in one or more hardware modules or integrated circuits. These functional entities may be implemented in different networks and/or processor devices and/or microcontroller devices.
[0035] The flowcharts shown in the figures are merely illustrative, and not all of the contents and operations/steps are necessarily included therein, and are not necessarily performed in the order described. For example, some operations/steps can be separated, while some operations/steps can be combined or partially combined. Therefore, the order of actual execution may change according to actual conditions.
[0036] It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components are not limited by these terms. These terms are used to distinguish one component from another. Thus, a first component discussed below could be termed a second component without departing from the teachings of the present disclosure. The term "and/or" as used herein includes any and all combinations of one or more of the listed items.
[0037] It will be understood by a person skilled in the art that the drawings are only a schematic diagram of the exemplary embodiments, and the modules or processes in the drawings are not necessarily required to implement the present disclosure, and therefore are not intended to limit the scope of the present disclosure.
[0038] FIG. 1 is a system block diagram of a risk analysis method and device according to an exemplary embodiment of the present disclosure.
[0039] As shown in FIG. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used to provide a medium for communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various types of connections, such as wired, wireless communication links, fiber optic cables, and the like.
[0040] A user can use the terminal devices 101, 102, 103 to perform various information interactions through the network 104 to receive or transmit messages and the like. Various communication client applications can be installed on the terminal devices 101, 102, and 103, for example, shopping applications, web browser applications, search applications, instant messaging tools, email clients, social platform software, and the like.
[0041] The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop portable computers, desktop computers, and the like.
[0042] The server 105 may be a data server for monitoring the terminal devices 101, 102, 103, and the server 105 may acquire logs of the various operations or data services performed by the user using the terminal devices 101, 102, 103. The server 105 can perform data analysis and the like on the obtained log information, and feed the processing results (abnormal terminal device, abnormal operation behavior, and the like) back to the terminal devices.
[0043] The server 105 may, for example, acquire a target entity, a target behavior, and an association relationship between the target entity and the target behavior; the server 105 may, for example, use the target entity and the target behavior as nodes and the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and the server 105 may, for example, perform risk analysis of the target entity and the target behavior by using the knowledge map model, in which the target entity includes a user, a device, and a network address; and/or the target behavior includes a plurality of predetermined behaviors of the target entity; and/or the relationship between the target entity and the target behavior includes an operational behavior.
[0044] The server 105 can be a physical server and can also be composed, for example, of multiple servers. A portion of the server 105 can be used, for example, as a risk analysis system in the present disclosure for performing a risk analysis of the target entity and the target behavior through the knowledge map model; in addition, a portion of the server 105 can also be used, for example, as a data system for responding to data access requests by a user terminal.
[0045] It should be noted that the risk analysis method provided by the embodiments of the present disclosure may be performed by the server 105. Accordingly, a risk analysis device can be disposed in the server 105. The requesting end that provides the user with a data operation or a data request is generally located in the terminal devices 101, 102, 103.
[0046] According to the risk analysis method and device of the present disclosure, the risk analysis of the target entity and the target behavior through the knowledge map model can comprehensively consider the enterprise security, and can also quickly target dangerous behaviors and dangerous targets when a security event occurs.
[0047] FIG. 2 is a flow chart of a risk analysis method according to an exemplary embodiment of the present disclosure. The risk analysis method 20 includes at least steps S202 to S206.
[0048] As shown in FIG. 2, in S202, a target entity, a target behavior, and an association relationship between the target entity and the target behavior are acquired. The target entity includes any combination of users, devices, and network addresses.
[0049] In this case, the target entity is an individual in the enterprise that performs a target behavior, and the target entity may include a user, a device, and a network address.
[0050] In this embodiment, the target behavior is a set of behaviors that are performed by the target entity in the enterprise and that carry a security risk; the target behavior includes multiple predetermined behaviors of the target entity, for example uploading data, downloading data, and viewing data.
[0051] The association relationship between the target entity and the target behavior includes an operational behavior. An association relationship is a connection between a target entity and its target behavior.
[0052] In one embodiment, the step of determining the target entity, the target behavior, and the association relationship between the target entity and the target behavior includes: extracting a user, a device, and a network address in a monitoring log as the target entity; extracting a predetermined behavior in the monitoring log as the target behavior; and extracting an operational behavior between the target entity and the target behavior in the monitoring log as the association relationship.
[0053] In one embodiment, for example, the target entity A is an XX user, the target behavior B is a data downloading behavior, and the target behavior C is a data deletion behavior. If the XX user has the data downloading behavior, it is determined that the target entity A has an association relationship with the target behavior B. On the other hand, if the XX user has no data deletion behavior, it is determined that there is no association relationship between the target entity A and the target behavior C.
[0054] In S204, the target entity and the target behavior are used as nodes, and the association relationship between the target entity and the target behavior is used as an edge to create a knowledge map model.
[0055] In one embodiment, the method further includes: determining the strength of the association relationship between the target entity and the target behavior. Specifically, the strength of the association relationship may be determined, for example, by the frequency of operational behavior between the target entity and the target behavior. In addition, the strength of the association relationship is taken as the weight of the edge of the knowledge map model.
[0056] In one embodiment, the frequency of operation within a predetermined time may be taken as the strength θ of the association relationship. For example, when the XX user performs data downloading behavior within one day, the strength of the association relationship between the target entity A and the target behavior B is determined from the count of those operations: when the number of data downloading operations by the XX user is 10, the strength of the association relationship is θ = 10.
[0057] In one embodiment, a knowledge map combines the theory and methods of applied mathematics, graphics, information visualization technology, information science and the like with the citation analysis and co-occurrence analysis methods of scientometrics; a visualized map is used to display the core structure, development history, frontier domains and overall knowledge architecture of a discipline. It is a modern theory that serves the purpose of multidisciplinary integration.
[0058] The knowledge map may include a variety of nodes:
[0059] Among them, entity: refers to something that is distinguishable and independent.
[0060] Concept: refers to a collection of entities with the same characteristics.
[0061] Attribute: points from an entity to its attribute value. Different attribute types correspond to edges of different types of attributes.
[0062] Relationship: on the knowledge map, a relationship is a function that maps k graph nodes (entities, semantic classes, attribute values) to a Boolean value.
[0063] A general representation of a knowledge map is that the nodes are the collection of entities in the knowledge base, which contains |E| different entities, and the edges are the collection of relationships in the knowledge base, which contains |R| different relationships.
[0064] In one embodiment, based on the above definitions, the target entity and the target behavior can be used as nodes to create a knowledge map; for example, as shown in FIG. 3, there are nodes of two attributes in the knowledge map model, which are the target entity node and the target behavior node, and the edge that connects the target entity node and the target behavior node is the association relationship. As shown in FIG. 3, the white node in the knowledge map model may be, for example, a target entity node, and the black node may be, for example, a target behavior node.
[0065] In an embodiment, as shown in FIG. 3, in the knowledge map model, the target entity node and the target behavior node are connected by an edge; a target entity node and another target entity node are not directly connected; a target behavior node and another target behavior node are also not directly connected. Such settings in the knowledge map model are in line with the actual situation; for example, the target entity A is the XX user, the target behavior B is the data download behavior, the target behavior C is the data deletion behavior, the target entity D is the XX computer, and the XX user and the XX computer can be related to each other via the data download behavior. The data download behavior and the data deletion behavior cannot directly relate to each other; they need the target entity nodes for association.
[0066] In S206, a risk analysis of the target entity or the target behavior is performed on the basis of the knowledge map model.
[0067] In one embodiment, the step of performing risk analysis of the target entity and the target behavior through the knowledge map model comprises: determining a risk value of the target entity through the knowledge map model; and/or determining an abnormal target entity through the knowledge map model; and/or determining an abnormal target behavior through the knowledge map model.
[0068] In this case, the step of determining a risk value of the target entity through the knowledge map model comprises: acquiring a security level for each target behavior in the knowledge map model; determining the risk value of the target entity in the knowledge map model on the basis of the weight of the edge in the knowledge map model, the security level of the target behavior, and the out degree and/or in degree of each target entity in a target entity set in the knowledge map model.
[0069] In this case, the step of determining an abnormal target entity through the knowledge map model comprises: determining the target entity with a risk value greater than a threshold; determining a set of associated entities of the target entity; and determining the target entity to be an abnormal target entity if the risk value of the target entity is greater than the risk values of every target entity in the set of associated entities.
[0070] In this case, the step of determining an abnormal target behavior through the knowledge map model comprises: determining the abnormal target entity; determining risk values of every target behavior associated with the abnormal target entity through the knowledge map model; and determining the target behavior corresponding to the maximum risk value to be the abnormal target behavior.
[0071] In one embodiment, the monitoring log data may also be acquired periodically in the form of a timed task to construct the knowledge map model for risk analysis.
[0072] According to the risk analysis method provided by the present disclosure, the target entity and the target behavior are taken as nodes, and the association relationship between the target entity and the target behavior is taken as an edge, to jointly form a knowledge map model. Performing the risk analysis of the target entity and the target behavior on the basis of the knowledge map model can comprehensively consider enterprise security, and can also quickly target dangerous behaviors and dangerous targets in the event of a security incident.
[0073] It should be understood that the present disclosure describes how to make and use particular examples, but the principles of the present disclosure are not limited to the details of the examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
[0074] FIG. 4 is a schematic diagram of a risk analysis method according to another exemplary embodiment of the present disclosure. The risk analysis method 40 shown in FIG. 4 is a detailed description of S206 "performing risk analysis of the target entity and the target behavior through the knowledge map model" in the risk analysis method 20 as shown in FIG. 2.
[0075] As shown in FIG. 4, in S402, the risk value of the target entity is determined by the knowledge map model, for example, through the following steps: acquiring a security level for each target behavior in the knowledge map model; and determining the risk value of the target entity in the knowledge map model on the basis of the weight of the edge in the knowledge map model, the security level of the target behavior, and the out degree and/or in degree of each target entity in a target entity set in the knowledge map model.
[0076] In one embodiment, for each target entity X_j in the knowledge map model, its risk value can be calculated by the following formula:
$$R(j) = \sum_{i} \theta(i)\,\alpha(i)\,\frac{ID(Y_i)}{N_i}$$
[0077] where:
[0078] R(j) is the risk value of X_j;
[0079] Y_i is the i-th target behavior associated with the target entity X_j, and ID is the function giving its in degree;
[0080] N_i is the number of target entities associated with this security behavior;
[0081] θ(i) is the connection strength between the target entity X_j and Y_i;
[0082] α(i) is the risk level of the i-th security risk.
[0083] In S404, an abnormal target entity is determined by the knowledge map model, for example, through the following steps: determining the target entity with a risk value greater than a threshold; determining a set of associated entities of the target entity; and determining the target entity to be an abnormal target entity if the risk value of the target entity is greater than the risk values of every target entity in the set of associated entities.
[0084] In an embodiment, the threshold may be, for example, an empirical threshold T set by experience; for each target entity Xj with R(j) > T, an associated entity set S_R of the target entity is determined. In this embodiment, the set of associated entities consists of the target entities that share a target behavior with the abnormal target entity:

$$S_R = \{\,R(k) \mid j \neq k,\ X_k \text{ connected to } X_j\,\}$$

[0085] It is the set of risk values of the multiple target entities Xk connected to Xj.
If R(j) satisfies the following condition:

$$R(j) > \max_{k} R(k)$$

[0086] the target entity Xj with risk value R(j) would be marked as the abnormal target entity.
[0087] If the risk value of the target entity is not greater than the risk value of each of the target entities in the set of associated entities, the target entity will not be marked.
[0088] In one embodiment, a security event is defined as a set of target behaviors of a target entity that exceeds the range of security risk it can assume; for example, after determining an abnormal target entity, the abnormal target entity can be considered as triggering a security event.
[0089] In S406, an abnormal target behavior is determined by the knowledge map model, for example, through the steps of determining the abnormal target entity;
determining risk values of every target behavior associated with the abnormal target entity through the knowledge map model; and determining a target behavior corresponding to the maximum risk value to be the abnormal target behavior.

[0090] For the abnormal target entity Xj with risk value R(j), the impact of all target behaviors on R(j) can be calculated according to the following formula, in which each term θ(i) α(i) ID(Yi)/Ni is the impact of the i-th target behavior:

$$R(j) = \sum_{i} \theta(i)\,\alpha(i)\,\frac{ID(Y_i)}{N_i}$$

[0091] In addition, the target behavior that has the greatest impact on its security risk can be marked.
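The following is an added example, not code from the patent, showing the three analysis steps S402 to S406 on a small constructed knowledge map: the risk formula of [0076], the abnormal-entity rule of [0083] to [0087] (threshold plus local maximum among entities that share a behavior node) and the abnormal-behavior rule of [0089] to [0091]. The node names, event counts and security levels are constructed. Two points the patent leaves open are treated as assumptions here: θ(i) is the entity's operational frequency on that behavior normalised per entity (claim 2 only says the weight is based on frequency), and ID(Yi) is the in degree of the behavior node counted with edge multiplicity (total operational events landing on Yi) while Ni counts distinct associated entities.

```python
"""Risk scoring on an entity/behavior knowledge map.

Added example, not code from the patent. It implements the risk formula of
[0076], the abnormal-entity rule of [0083]-[0087] and the abnormal-behavior
rule of [0089]-[0091] on a small constructed graph.
"""

# Constructed edge counts: (entity, behavior) -> number of operational events
# seen between them in the monitoring log. Entities are users, devices and
# network addresses; behaviors are the predetermined behaviors of the model.
EDGE_COUNTS = {
    ("user:alice", "login_off_hours"): 2,
    ("user:alice", "db_export"): 6,
    ("user:bob", "db_export"): 1,
    ("user:bob", "login_off_hours"): 3,
    ("ip:10.0.0.7", "db_export"): 5,
    ("ip:10.0.0.7", "port_scan"): 9,
    ("dev:laptop-12", "port_scan"): 1,
    ("dev:laptop-12", "login_off_hours"): 4,
}

# alpha(i): security level of each behavior node (constructed values).
SECURITY_LEVEL = {"login_off_hours": 1.0, "db_export": 3.0, "port_scan": 4.0}


def connection_strength(edge_counts, entity, behavior):
    """theta(i): share of the entity's operational events that fall on this
    behavior. Assumption: the frequency-based weight of claim 2 is normalised
    per entity so that an entity's strengths sum to 1."""
    total = sum(c for (e, _), c in edge_counts.items() if e == entity)
    return edge_counts[(entity, behavior)] / total


def in_degree(edge_counts, behavior):
    """ID(Y_i): in degree of the behavior node counted with edge multiplicity
    (assumption: total operational events landing on Y_i)."""
    return sum(c for (_, b), c in edge_counts.items() if b == behavior)


def associated_entities(edge_counts, behavior):
    """The N_i distinct entities that have an edge into the behavior."""
    return {e for (e, b) in edge_counts if b == behavior}


def behavior_impacts(edge_counts, levels, entity):
    """Per-behavior terms theta(i) * alpha(i) * ID(Y_i) / N_i of [0090]."""
    impacts = {}
    for (e, b) in edge_counts:
        if e != entity:
            continue
        n_i = len(associated_entities(edge_counts, b))
        impacts[b] = (connection_strength(edge_counts, e, b) * levels[b]
                      * in_degree(edge_counts, b) / n_i)
    return impacts


def risk_value(edge_counts, levels, entity):
    """R(j) = sum_i theta(i) alpha(i) ID(Y_i) / N_i  ([0076])."""
    return sum(behavior_impacts(edge_counts, levels, entity).values())


def abnormal_entities(edge_counts, levels, threshold):
    """[0083]-[0087]: X_j is abnormal when R(j) > T and R(j) exceeds R(k) for
    every X_k that shares a behavior node with X_j. Returns (flagged, risks)."""
    entities = {e for (e, _) in edge_counts}
    risks = {e: risk_value(edge_counts, levels, e) for e in entities}
    flagged = []
    for e in entities:
        if risks[e] <= threshold:
            continue
        neighbours = set()
        for (x, b) in edge_counts:
            if x == e:
                neighbours |= associated_entities(edge_counts, b)
        neighbours.discard(e)
        if all(risks[e] > risks[k] for k in neighbours):
            flagged.append(e)
    return sorted(flagged), risks


def abnormal_behavior(edge_counts, levels, entity):
    """[0089]-[0091]: the behavior with the largest impact term."""
    impacts = behavior_impacts(edge_counts, levels, entity)
    return max(impacts, key=impacts.get)


if __name__ == "__main__":
    flagged, risks = abnormal_entities(EDGE_COUNTS, SECURITY_LEVEL, threshold=8.0)
    for entity, r in sorted(risks.items(), key=lambda kv: -kv[1]):
        print(f"{entity:16s} R = {r:6.2f}")
    for entity in flagged:
        culprit = abnormal_behavior(EDGE_COUNTS, SECURITY_LEVEL, entity)
        print(f"security event: {entity} triggered via {culprit}")
```

With threshold T = 8, both user:alice (R = 9.75) and ip:10.0.0.7 (R ≈ 17.14) exceed T, but alice shares the db_export node with the address, whose risk is higher, so only the address satisfies the local-maximum rule and is marked; its abnormal behavior is port_scan, the term with the largest impact. Note that if edges carry no multiplicity, ID(Yi) and Ni coincide in a bipartite graph and the formula collapses to the sum of θ(i) α(i), so whatever the implementation chooses for ID(Yi) decides whether behaviors shared by many entities are weighted up or not.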
[0092] According to the risk analysis method of the present disclosure, the knowledge map technology is used to provide a quantitative reference value for the security risk value of the enterprise target entity.
[0093] According to the risk analysis method of the present disclosure, when a security event occurs, the target entity by which the security event is triggered can be marked.
[0094] According to the risk analysis method of the present disclosure, when a security event occurs, it is possible to trace the security behavior of the enterprise target entity that triggers the security event.
[0095] A person skilled in the art will appreciate that all or part of the steps to implement the above described embodiments can be implemented as a computer program executed by a CPU.
The above described functions defined by the above methods provided by the present disclosure can be executed when the computer program is executed by the CPU. The program may be stored in a computer readable storage medium, which may be a read only memory, a magnetic disk or an optical disk, or the like.
[0096] Further, it should be noted that the drawings described above are merely illustrative of the processes included in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It is easy to understand that the processing shown in the above figures does not indicate or limit the chronological order of these processes. In addition, it is also easy to understand that these processes may be performed synchronously or asynchronously, for example, in a plurality of modules.
[0097] The following is a device embodiment of the present disclosure, which may be used to implement the method embodiments of the present disclosure. For details not disclosed in the device embodiments, please refer to the method embodiments of the present disclosure.

[0098] FIG. 5 is a block diagram of a risk analysis device according to one exemplary embodiment of the present disclosure. A risk analysis device 50 includes an extraction module 502, a model module 504, and an analysis module 506.
[0099] The extraction module 502 is used for acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior;
more specifically, including: extracting a user, a device, and a network address in a monitoring log as the target entity; extracting a predetermined behavior in the monitoring log as the target behavior; and extracting an operational behavior between the target entity and the target behavior in the monitoring log as the association relationship.
[0100] The model module 504 is used for using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model. In the knowledge map model, the target entity node and the target behavior node are connected by the edge, a target entity node and another target entity node are not directly connected; also, a target behavior node and another target behavior node are not directly connected.
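As an added example, not the patent's code, the extraction and model modules of [0099] and [0100] (claims 2 and 4) can be implemented as a small log parser: each line of a constructed key=value monitoring log yields entity nodes (user, device, network address) and one operational behavior, only predetermined behaviors become behavior nodes, and the number of operational events on each entity-behavior edge is turned into a frequency-based weight. The log format, the field names and the set of predetermined behaviors are constructed for this example, and the per-entity normalisation of the weight is an assumption.

```python
"""Extraction and model modules of [0099]-[0100] (claims 2 and 4).

Added example, not the patent's code: parses constructed key=value
monitoring-log lines into entity nodes (user, device, network address) and
behavior nodes, keeps only the predetermined behaviors, counts operational
events per edge and derives a frequency-based edge weight.
"""
import re
from collections import Counter

# Predetermined behaviors that become behavior nodes (constructed set).
PREDETERMINED_BEHAVIORS = {"login_off_hours", "db_export", "port_scan"}

# Constructed monitoring log; the 'action' field is the operational behavior
# performed by the user/device/address named on the same line.
SAMPLE_LOG = """\
2019-10-22T02:13:05Z user=alice device=laptop-12 src=10.0.0.7 action=db_export
2019-10-22T02:14:11Z user=alice device=laptop-12 src=10.0.0.7 action=db_export
2019-10-22T02:20:40Z user=bob device=desk-03 src=10.0.0.9 action=login_off_hours
2019-10-22T03:01:02Z user=bob device=desk-03 src=10.0.0.9 action=file_read
2019-10-22T03:05:59Z user=alice device=laptop-12 src=10.0.0.7 action=port_scan
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# log field -> entity-node prefix; other fields on the line are not entities
ENTITY_FIELDS = {"user": "user:", "device": "dev:", "src": "ip:"}


def parse_line(line):
    """Return (entity nodes, action) for one log line."""
    fields = dict(FIELD_RE.findall(line))
    entities = [prefix + fields[f]
                for f, prefix in ENTITY_FIELDS.items() if f in fields]
    return entities, fields.get("action")


def build_knowledge_map(log_text, behaviors=PREDETERMINED_BEHAVIORS):
    """(entity, behavior) -> event count. An edge always joins one entity
    node and one behavior node; entity-entity and behavior-behavior edges
    are never created ([0100])."""
    counts = Counter()
    for line in log_text.splitlines():
        entities, action = parse_line(line)
        if action not in behaviors:
            continue  # not a predetermined behavior: no behavior node, no edge
        for entity in entities:
            counts[(entity, action)] += 1
    return dict(counts)


def edge_weights(edge_counts):
    """Claim 2: association strength from operational frequency. Assumption:
    each entity's counts are normalised so that its strengths sum to 1."""
    totals = Counter()
    for (entity, _), c in edge_counts.items():
        totals[entity] += c
    return {edge: c / totals[edge[0]] for edge, c in edge_counts.items()}


def is_bipartite(edge_counts):
    """Structural check for [0100]: every edge joins a typed entity node
    (prefix 'user:', 'dev:' or 'ip:') to an untyped behavior node."""
    return all(":" in e and ":" not in b for (e, b) in edge_counts)


if __name__ == "__main__":
    km = build_knowledge_map(SAMPLE_LOG)
    for edge, weight in sorted(edge_weights(km).items()):
        print(f"{edge[0]:16s} -> {edge[1]:16s} events={km[edge]} theta={weight:.2f}")
```

The file_read line is dropped because file_read is not a predetermined behavior, so it contributes no node and no edge; the remaining four lines give nine edges, and alice's two db_export events against one port_scan event yield strengths of 2/3 and 1/3. The resulting (entity, behavior) -> count mapping is the input the analysis module consumes.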
[0101] The analysis module 506 is used for performing risk analysis for the target entity and the target behavior by using the knowledge map model; more specifically, including:
determining a risk value of the target entity through the knowledge map model;
and/or determining an abnormal target entity through the knowledge map model; and/or determining an abnormal target behavior through the knowledge map model.
[0102] According to the risk analysis device provided by the present disclosure, the target entity and the target behavior are taken as nodes, and the association relationship between the target entity and the target behavior is taken as an edge to jointly form a knowledge map model.
The manner in which the risk analysis of the target entity and the target behavior is performed on the basis of the knowledge map model can comprehensively consider enterprise security, and can also quickly target dangerous behaviors and dangerous targets in the event of a security incident.
[0103] FIG. 6 is a block diagram of an electronic device according to another exemplary embodiment of the present disclosure.
[0104] An electronic device 200 according to such an embodiment of the present disclosure is described below with reference to FIG. 6. The electronic device 200 shown in FIG. 6 is merely an example and should not impose any limitation on the function and scope of the embodiments of the present disclosure.
[0105] As shown in FIG. 6, the electronic device 200 is embodied in the form of a general purpose computing device. The components of the electronic device 200 may include, but are not limited to, at least one processing unit 210, at least one storage unit 220, a bus 230 connecting different system components (including the storage unit 220 and the processing unit 210), a display unit 240, and the like.
[0106] The storage unit stores program code, which may be executed by the processing unit 210, such that the processing unit 210 performs the steps according to various exemplary embodiments of the present disclosure described in the electronic protocol flow processing method above in the present disclosure. For example, the processing unit 210 can perform the steps as shown in FIG. 2, FIG. 4, etc.
[0107] The storage unit 220 may include a readable medium in the form of a volatile storage unit, such as a random access storage unit (RAM) 2201 and/or a cache storage unit 2202, and may further include a read only storage unit (ROM) 2203.
[0108] The storage unit 220 may also include a program/utility 2204 having a set (at least one) of the program modules 2205, including but not limited to: an operating system, one or more applications, other program modules, and program data; each of these examples or some combination may include an implementation of a network environment.
[0109] The bus 230 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, a graphics acceleration port, a processing unit, or a local bus using any of a variety of bus structures.
[0110] The electronic device 200 can communicate with one or more external devices 300 (for example, a keyboard, pointing device, a Bluetooth device, and the like) and can also communicate with one or more devices that enable the user to interact with the electronic device 200, and/or with any device (for example, a router, a modem, and the like) that enables the electronic device 200 to communicate with one or more other computing devices.
This communication can take place via an input/output (I/O) interface 250. In addition, the electronic device 200 may also communicate with one or more networks (for example, a local area network (LAN), a wide area network (WAN), and/or a public network, such as the Internet) via a network adapter 260. The network adapter 260 can communicate with other modules of electronic device 200 via the bus 230. It should be understood that although not shown in the figures, other hardware and/or software modules may also be utilized in conjunction with electronic device 200, including but not limited to: microcode, a device driver, a redundant processing unit, an external disk drive array, a RAID system, a tape drive, a data backup storage system, and the like.
[0111] Through the description of the above embodiments, a person skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software or by software in combination with necessary hardware. Therefore, the technical solution according to an embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a mobile hard disk, or the like) or on a network. A number of instructions may be included to cause a computing device (which may be a personal computer, a server, a network device, or the like) to perform the methods described above in accordance with embodiments of the present disclosure.
[0112] FIG. 7 is a schematic diagram showing a computer readable storage medium according to another exemplary embodiment of the present disclosure.
[0113] In reference to FIG. 7, a program product 400 for implementing the above method is shown. It may be a portable compact disk read only memory (CD-ROM) and includes program code and can be run on a terminal device such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, the readable storage medium may be any tangible medium that contains or stores a program that can be used by or in connection with an instruction execution system, apparatus, or device.
[0114] The program product can employ any combination of one or more readable media.
The readable medium can be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the above. More specific examples (non-exhaustive lists) of readable storage media include:
electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

[0115] The computer readable storage medium can include a data signal that can be transmitted in a baseband or as part of a carrier, in which readable program code is carried. Such propagated data signals can take a variety of forms including, but not limited to, electromagnetic signals, optical signals, or any suitable combination of the foregoing. The readable storage medium can also be any readable medium other than a readable storage medium that can transmit, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device. Program code embodied on a readable storage medium may be transmitted by any suitable medium, including but not limited to wireless, wireline, optical cable, RF, etc., or any suitable combination of the foregoing.
[0116] The program code for performing the operations of the present disclosure may be written by any combination of one or more programming languages, including an object oriented programming language, such as Java, C++, etc., also including conventional procedural programming languages, such as the "C" language or a similar programming language. The program code can execute entirely on a user computing device, partially on a user device, as a stand-alone software package, partly on a user computing device, partly on a remote computing device, or entirely on a remote computing device or server. In the case of a remote computing device, the remote computing device can be connected to the user computing device via any kind of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computing device (for example, connect via the Internet via the service provided by an Internet service provider).
[0117] The computer readable medium carries one or more programs that, when executed by one of the devices, can cause the computer readable medium to perform the following functions:
acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior; using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and performing risk analysis for the target entity and the target behavior by using the knowledge map model.
[0118] It will be understood by a person skilled in the art that the above various modules may be distributed in the device according to the description of the embodiments, or may be correspondingly changed in one or more devices different from the embodiment.
The modules of the above embodiments may be combined into one module, or may be further split into multiple sub-modules.
[0119] Through the description of the above embodiments, a person skilled in the art can easily understand that the exemplary embodiments described herein may be implemented by software, or may be implemented by software in combination with necessary hardware.
Therefore, the technical solution according to an embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a mobile hard disk, and the like) or on a network, including several instructions, such that the method according to an embodiment of the present disclosure is performed by a computing device (which may be a personal computer, a server, a mobile terminal, a network device, and the like).
[0120] The exemplary embodiments of the present disclosure have been specifically shown and described above. It should be understood that the present disclosure is not limited to the detailed structures, arrangements, or implementations described herein;
rather, the present invention should encompass various modifications and equivalents of the present invention as defined in the claims.

Claims (12)

1. A risk analysis method, characterized in that the method comprises:
acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior;
using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and performing risk analysis for the target entity and the target behavior by using the knowledge map model.
2. The method according to claim 1, characterized in that the method further comprises:
determining a strength of the association relationship on the basis of a frequency of operational behavior between the target entity and the target behavior, and using the strength of the association relationship as a weight of the edge of the knowledge map model.
3. The method according to claim 1, characterized in that the target entity comprises any combination of users, devices, and network addresses;
and/or the target behavior comprises a plurality of predetermined behaviors of the target entity;
and/or the association relationship between the target entity and the target behavior comprises an operational behavior.
4. The method according to claim 3, characterized in that the acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior comprises:
extracting a user, a device, and a network address in a monitoring log as the target entity;
extracting a predetermined behavior in the monitoring log as the target behavior; and extracting an operational behavior between the target entity and the target behavior in the monitoring log as the association relationship.
5. The method according to claim 1, characterized in that the performing risk analysis for the target entity and the target behavior by using the knowledge map model comprises:
determining a risk value of the target entity through the knowledge map model;
and/or determining an abnormal target entity through the knowledge map model; and/or determining an abnormal target behavior through the knowledge map model.
6. The method according to claim 2, characterized in that the determining a risk value of the target entity through the knowledge map model comprises:
acquiring a security level for each target behavior in the knowledge map model;
determining the risk value of the target entity in the knowledge map model on the basis of the weight of the edge in the knowledge map model, the security level of the target behavior, and the out degree and/or in degree of each target entity in a target entity set in the knowledge map model.
7. The method according to claim 6, characterized by calculating the risk value of the target entity through the following risk formula:
wherein R(j) is the risk value of the target entity Xj, Yi is the i-th target behavior associated with the target entity Xj, θ(i) is the connection strength between the target entity Xj and Yi, α(i) is the security level of the target entity Xj, ID(Yi) is the out degree and in degree of Yi, and Ni is the number of target entities associated with Yi.
8. The method according to claim 6, characterized in that the determining an abnormal target entity through the knowledge map model comprises:
determining the target entity with a risk value greater than a threshold;
determining a set of associated entities of the target entity;
determining the target entity to be an abnormal target entity, if the risk value of the target entity is greater than the risk values of every target entity in the set of associated entities.
9. The method according to claim 8, characterized in that the determining an abnormal target behavior through the knowledge map model comprises:
determining the abnormal target entity;
determining risk values of every target behavior associated with the abnormal target entity through the knowledge map model;
determining a target behavior corresponding to the maximum risk value to be the abnormal target behavior.
10. A risk analysis device, characterized in that the device comprises:
an extraction module, which is used for acquiring a target entity, a target behavior, and an association relationship between the target entity and the target behavior;
a model module, which is used for using the target entity and the target behavior as nodes and using the association relationship between the target entity and the target behavior as an edge to jointly form a knowledge map model; and an analysis model, which is used for performing risk analysis for the target entity and the target behavior by using the knowledge map model.
11. An electronic device, characterized in that the device comprises:
one or more processors;
a storage device for storing one or more programs;
one or more programs are executed by the one or more processors such that the one or more processors implement the method according to any one of claims 1 to 10.
12. A computer readable medium having stored thereon a computer program, wherein the program is executed by a processor to implement the method according to any one of claims 1 to 10.
CA3059709A 2018-10-23 2019-10-22 Risk analysis method, device and computer readable medium Pending CA3059709A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811236573.9 2018-10-23
CN201811236573.9A CN109460664B (en) 2018-10-23 2018-10-23 Risk analysis method and device, electronic equipment and computer readable medium

Publications (1)

Publication Number Publication Date
CA3059709A1 true CA3059709A1 (en) 2020-04-23

Family

ID=65608212

Family Applications (1)

Application Number Title Priority Date Filing Date
CA3059709A Pending CA3059709A1 (en) 2018-10-23 2019-10-22 Risk analysis method, device and computer readable medium

Country Status (2)

Country Link
CN (1) CN109460664B (en)
CA (1) CA3059709A1 (en)

Also Published As

Publication number Publication date
CN109460664B (en) 2022-05-03
CN109460664A (en) 2019-03-12

Legal Events

Date Code Title Description
EEER Examination request

Effective date: 20220916
