CN106534212A - Adaptive safety protection method and system based on user behaviors and data states - Google Patents
Adaptive safety protection method and system based on user behaviors and data states
- Publication number: CN106534212A (application CN201611249727.9A)
- Authority: CN (China)
- Prior art keywords: behavior, self adaptation, normal behaviour, data, user behavior
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1425—Traffic logging, e.g. anomaly detection (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—for detecting or protecting against malicious traffic; H04L63/1408—by monitoring network traffic)
- H04L63/1416—Event detection, e.g. attack signature detection (same parent classes as above)
Abstract
The invention relates to an adaptive safety protection method and system based on user behaviors and data states, which implement safety protection on data by combining two aspects of the user behaviors and the data states. The system can achieve functions of predicting, defending, monitoring and backtracking the user behaviors by a dynamic learning method, and forms an adaptive safety protection solution. The protection system comprises a plurality of safety network sensors connected with a safety server; the safety network sensors are arranged on a network segment where a web server and a database server are combined; network equipment is arranged on the network segment; the network equipment is connected with the safety server by a firewall; and the firewall is connected with a client. The adaptive safety protection method and system disclosed by the invention combine two aspects of the user behaviors and the data states, and more comprehensively protect safety of enterprise data assets.
Description
Technical field
The present invention relates to the field of information security, and in particular to an adaptive security protection method and system based on user behaviour and data state, which combines the two aspects of user behaviour and data state for security protection.
Background technology
With the rapid development of information technology, large amounts of data are continuously moved into network environments, and organizations increasingly rely on information technology to support their business operations. Data has gradually become an important information asset of an organization, and at the same time a key target for malicious attack or theft by some legal persons. Once an organization's important data leaks, the organization may suffer huge, even irreparable, economic and reputational losses. How to ensure the security of organizational data is therefore an important problem that urgently needs to be solved.
Traditional data protection mainly consists of access restriction, encryption, authentication and the like. Its shortcomings are that suspicious behaviour has to be found by manual methods and that real-time online detection of intrusion behaviour cannot be achieved; it is a security mechanism that puts prevention first.
At present, much research is devoted to intrusion detection systems which, from the perspective of user behaviour, capture and analyse the data changes closely related to user behaviour in order to judge whether that behaviour is abnormal. However, such systems lack consideration of the data state and cannot protect organizational data comprehensively. In addition, some security systems require policy configuration definition, update and maintenance to be completed manually, which wastes a great deal of time and lacks adaptivity to changes in the application scenario.
Content of the invention
In view of the above problems in the prior art, the object of the present invention is to provide an adaptive security protection method and system based on user behaviour and data state, which combines anomaly detection and misuse detection to improve the accuracy of user behaviour detection.
To achieve this object, the adaptive security protection method based on user behaviour and data state of the present invention includes:
a. receiving user behaviour events under normal conditions through a network sensor;
b. dividing each user behaviour event into different recognition units and sub-templates;
c. classifying and aggregating the recognition units and sub-templates and, according to similarity calculation, forming the configuration items of the adaptive normal behaviour profile, thereby obtaining the adaptive normal behaviour profile; here user behaviour includes the user's access time to data/files, access count, and read, write, modify and delete operations on data, while data state includes data/file type, size, sensitivity, creation time, modification time, update time, deletion time and the like; from the historical data and current data of user behaviour, a user normal behaviour model is established which predicts the change pattern and trend of future data, and the model is used to predict the future characteristics of the data;
d. extracting the user behaviour model;
d-1) comparing and matching real-time user behaviour with a misuse rule base to perform misuse detection; the misuse rule base is a database formed by analysing the features of known abnormal user behaviour, forming corresponding rules and collecting them, and the misuse rule base can be updated automatically;
d-2) comparing and matching real-time user behaviour with the adaptive normal behaviour profile to perform anomaly detection; the adaptive normal behaviour profile automatically responds according to a preset strategy, thereby protecting the data;
e. connecting the adaptive normal behaviour profile to the protected equipment in the network sensor.
Each configuration item of an adaptive normal behaviour profile comprises multiple descriptions that support the description values of the respective properties. A stability judgement is carried out on the adaptive normal behaviour profile before it is used: it is calculated whether the formation time of the adaptive normal behaviour profile framework exceeds a preset threshold, expressed as a percentage; if so, the configuration item or attribute is judged stable; and if at least one of the configuration items or attributes is stable in the stability judgement of the adaptive normal behaviour profile, the adaptive normal behaviour profile framework is considered stable.
In step d, the real-time user behaviour is first compared and matched with the misuse rule base. If it matches, the behaviour is considered genuinely abnormal, and the adaptive normal behaviour profile responds according to the preset strategy. If it does not match, the behaviour is considered suspicious and anomaly detection is required, that is, it is compared and matched with the adaptive normal behaviour profile; if the deviation exceeds the set threshold, abnormal behaviour is considered present. If the detection result is confirmed as normal behaviour, the rule is added to the adaptive normal behaviour profile, updating the profile; when the detection result is determined to be abnormal behaviour, the rule is added to the misuse rule base, updating the misuse rule base.
In step d, misuse detection raises an alarm prompt for every behaviour it detects and the system responds accordingly; behaviour that is not detected is subjected to anomaly detection and must be detected again to determine whether it is abnormal.
For behaviour determined to be abnormal, the system can compile an audit log of the behaviour, realising real-time monitoring and backtracking of the behaviour.
The protected equipment is a web server or a database server, and the network sensors are an http sensor and an sql sensor. The http sensor collects the http requests sent by clients to the web server, and the sql sensor collects the sql requests accessing the database server. After being processed by the http sensor and the sql sensor respectively, the http and sql requests are sent as events to the security server.
The adaptive security protection system based on user behaviour and data state of the present invention includes multiple secure network sensors connected to a security server. The secure network sensors are arranged on the network segment where the web server and the database server are combined; the network segment is provided with network equipment; the network equipment is connected to the security server through a firewall; and the firewall connects to the clients.
The security server and each secure network sensor are connected through Ethernet or through an out-of-band network.
Compared with the prior art, the adaptive security protection method based on user behaviour and data state of the present invention performs security protection from the two aspects of user behaviour and data state, protecting the security of enterprise data assets more comprehensively. The adaptive normal behaviour profile of the present invention can realise prediction, defence, monitoring and backtracking of user behaviour, and automatically generates a protection scheme for abnormal user behaviour. The present invention combines anomaly detection and misuse detection for detecting user behaviour, integrates the advantages of both detection methods, improves the accuracy of abnormal behaviour detection, sets up scenarios for various abnormal behaviours together with the corresponding security protection schemes, and, through a dynamic learning process, automatically completes policy configuration definition, update and maintenance, giving it adaptivity.
Compared with the prior art, the adaptive security protection system based on user behaviour and data state of the present invention combines the two aspects of user behaviour and data state to establish an adaptive normal behaviour profile, realising comprehensive protection of data. Adaptivity mainly means that future data behaviour can be predicted through dynamic learning; when a user's real-time behaviour is inconsistent with the prediction, it is regarded as suspicious, the event is recorded, and new preventive measures are generated automatically to avoid similar events in the future, giving the system an active defence function. In addition, the network sensor of the present invention is not connected between the client and the web server or database server, so the network sensor does not affect the timeliness of communication between the client and the web server.
Description of the drawings
Fig. 1 is a flow chart of the adaptive security protection method of the present invention;
Fig. 2 is a structural diagram of the adaptive security protection system of the present invention;
Fig. 3 is a signal transmission diagram of the network sensor of the present invention.
In the drawings: 100. adaptive security protection system; 110. security server; 120. out-of-band network; 130. network sensor; 140. firewall; 150. network equipment; 160. web server; 170. database server; 180. client; 230. http sensor; 240. sql sensor.
Specific embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the adaptive security protection method based on user behaviour and data state of the present invention comprises the following steps:
a. Obtain user behaviour events: this mainly means receiving user behaviour events under normal conditions through the network sensor 130;
b. Process user behaviour events: this mainly means performing lexical analysis and syntactic analysis on the received events and dividing each event into different recognition units and sub-templates;
c. Form the adaptive normal behaviour profile: the recognition units and sub-templates are classified and aggregated, and according to similarity calculation the sub-templates are classified, forming the configuration items of the adaptive normal behaviour profile. The profile comprises multiple configuration items (item), and each configuration item comprises multiple descriptions that support the description values (property) of the respective properties. It should be noted here that the system must carry out a stability judgement on the adaptive framework profile, since only a stable adaptive framework profile can match the user's normal activity pattern. The stability judgement is mainly made by calculating whether the formation time of the adaptive framework exceeds a preset threshold and obtaining a percentage; if so, the configuration item or attribute is considered stable. In the stability judgement of the adaptive normal behaviour profile, if one of the configuration items or attributes is stable, the adaptive framework profile is considered stable. The profile also has a user behaviour prediction function: mainly from the historical data and current data of user behaviour, a user normal behaviour model is established which predicts the change pattern and trend of future data, and the model is used to predict the future characteristics of the data, thus realising prediction of user behaviour.
The establishment of the adaptive normal behaviour profile considers the two aspects of user behaviour and data state, where user behaviour includes the user's access time to data/files, the access count, and read, write, modify and delete operations on data, while data state includes data/file type, size, sensitivity, creation time, modification time, update time, deletion time and the like. From the historical data and current data of user behaviour, a user normal behaviour model is established, and the change pattern and trend of future data are analysed and predicted.
The adaptive normal behaviour profile of the present invention can automatically respond according to a preset strategy, realising defence against abnormal user behaviour and thereby protecting the security of important data.
d. Extract the user's real-time behaviour model;
d-1) Compare and match the user's real-time behaviour with the misuse rule base, performing misuse detection on the user behaviour; the misuse rule base is formed by analysing known abnormal user behaviour, forming corresponding rules and aggregating them into one base, and the system's misuse rule base can be updated automatically.
d-2) Compare and match the user's real-time behaviour with the adaptive normal behaviour profile, that is, compare the user's real-time behaviour with the normal user model or its predicted behaviour, performing anomaly detection on the user behaviour;
Misuse judgement: the user behaviour is mainly compared and matched with the misuse rule base; if it matches, the behaviour is abnormal. Anomaly judgement: user behaviour that does not match the misuse rule base is subjected to anomaly detection, in which the behaviour is compared with the adaptive framework profile; if the deviation between the two exceeds the set threshold, abnormal behaviour is considered present.
It should be noted here that, during the anomaly/misuse judgement, because the user's normal behaviour pattern is not fixed and the user's operation/access rules may change, the adaptive normal behaviour profile needs to be updated in good time. If the detection result confirms normal behaviour, the rule is added to the adaptive normal behaviour profile, updating and maintaining it; however, when the detection result is determined to be abnormal behaviour, the rule is added to the misuse rule base, thereby updating the misuse rule base. This is the dynamic learning process of the system.
When the detection result is determined to be abnormal behaviour, the adaptive normal behaviour profile automatically responds according to the strategy preset by the administrator, realising protection of the data. In this module it should be noted that, because misuse detection has high accuracy, the strategy settings raise an alarm prompt for every behaviour it detects and the system responds accordingly; behaviour that is not detected is subjected to anomaly detection and must be detected again to determine whether it is abnormal. For behaviour determined to be abnormal, the system compiles an audit log, realising real-time monitoring and backtracking of the behaviour.
e. The adaptive normal behaviour profile is connected to the protected equipment in the network sensor. The protected equipment can be the web server 160 or the database server 170, and the network sensor 130 can be the http sensor 230 or the sql sensor 240.
Referring to Fig. 2, the adaptive security protection system 100 of the present invention is composed of multiple secure network sensors 130-1, 130-2 ... 130-m connected to the security server 110. The secure network sensors 130-1, 130-2 ... 130-m and the server 110 can be connected through Ethernet or through an out-of-band network 120 (out-of-band network, OOB). The out-of-band network 120 transmits data over an independent channel, allowing the system administrator to remotely monitor and control the server and other network equipment regardless of whether those devices are switched on. A conventional network transmits data through the ordinary data channel (usually Ethernet) and its management is carried out over that same network, so when the network fails neither data transfer nor management control can proceed normally. The out-of-band network 120 removes this limitation by deploying a management channel physically isolated from the data channel.
The network sensor 130 is placed on the network segment where the web servers 160-1 ... 160-n and the database servers 170-1 ... 170-r are combined. The network sensor 130 is a sniffer which can monitor, collect and reproduce the requests sent by the client 180 to the web server 160 and the database server 170. The network equipment 150 can be a hub, a switch, a tap or the like. The network sensor 130 monitors all information received and sent by the web server 160 and the database server 170. The network sensor 130 is not connected between the client 180 and the web server 160 or the database server 170, so the network sensor 130 does not affect the timeliness of communication between the client 180 and the web server 160.
The adaptive security protection system 100 runs in two different modes: learning mode and protection mode. In learning mode, the adaptive security protection system 100 monitors and learns the user's normal behaviour and builds an adaptive normal behaviour profile for each protected entity. In protection mode, the adaptive security protection system 100 compares and matches real-time operations against the misuse rule base and the adaptive normal behaviour profile. An operation that matches the misuse rule base, or that differs from the adaptive normal behaviour profile on comparison, is determined to be an anomalous event. The adaptive security protection system proposed by the present invention has a dynamic learning function and can automatically complete policy configuration definition, update and maintenance according to changes in the scenario, forming an adaptive security protection scheme.
User behaviour events can be collected by analysing gateway protocol attributes, or by querying the web server 160 or the database server 170 for information about recent events. The network sensor 130 can reproduce events of multiple network protocols, such as Oracle Net8TM, Microsoft SQL ServerTM TDS, Sybase TDS, HTTP, encrypted HTTP (HTTPS) and so on. In addition, the network sensor 130 can also collect events by querying related information from databases such as Oracle and SQL. Each network sensor 130-1 ... 130-m operates independently. Therefore, to protect an additional web database, an enterprise only needs to add an additional network sensor 130 to monitor the new protected entity.
Referring to Fig. 3, the network sensor of the present invention includes an http sensor 230 and an sql sensor 240. The http sensor 230 is capable of collecting and reproducing http events; it collects the http request e1 sent by the first client 180-1 to the web server 160. The sql sensor 240 collects the sql request e2 accessing the database server 170. Requests e1 and e2 are processed by the http sensor 230 and the sql sensor 240 respectively, which then send events E1 and E2 to the security server 110. The security server 110 then analyses and processes the events and forms an adaptive normal behaviour profile for each protected entity; for example, corresponding adaptive normal behaviour profiles are formed for the web server 160 and the database server 170 respectively.
The adaptive security system of the present invention generates the adaptive normal behaviour profile using a dynamic learning process. After the profile passes the stability judgement, the stable adaptive normal behaviour profile is distributed through a synchronous transfer channel between the security server 110 and the network sensor 130. The network sensor 130 uses the same channel to upgrade and update the adaptive normal behaviour profile.
In this example, the security server 110 forms two adaptive normal behaviour profiles: the first represents the web server 160 and is loaded into the http sensor 230, while the second represents the database server 170 and is loaded into the sql sensor 240. Once these adaptive normal behaviour profiles are loaded into the http sensor 230 and the sql sensor 240, the security server 110 protects the web server 160 and the database server 170 through the protection mode of the adaptive normal behaviour profiles. In protection mode, the security server 110 detects network intrusion by analysing the difference between real-time events that do not match the misuse rule base and the adaptive normal behaviour profile, combined with predefined security strategies. For example, the http request e3 sent by the second client 180-2 to the web server 160 is captured and classified by the http sensor 230, and request e3 is compared with the adaptive normal behaviour profile. If e3 differs from the normal behaviour profile, the http sensor 130 classifies it as an anomalous event and sends the anomalous event IE3 to the security server 110, which further processes IE3 to determine whether it is an intrusion; if it is determined to be an attack, the event is updated into the misuse rule base. On the other hand, if request IE3 matches the adaptive normal behaviour profile, the http sensor 230 ignores the event, or sends the event to the security server 110 for modifying or updating the adaptive normal behaviour profile. Similarly, the sql request e4 is formed by the web server 160 and captured by the sql sensor 240; if request e4 deviates from the adaptive normal behaviour profile, the event is regarded as anomalous event IE4 and sent to the security server 110 for further analysis; otherwise the sql sensor 240 ignores the event, or sends the event to the security server 110 for modifying or updating the adaptive normal behaviour profile. It should be noted that if requests e3 and e4 match the misuse rule base, the system automatically raises an alarm on the request and responds accordingly.
The system of the present invention combines the security protection of the two aspects of user behaviour and data state, ensuring the security of organizational data more comprehensively. The adaptive normal behaviour profile is formed mainly by the method of dynamic learning; real-time behaviour is matched against the adaptive normal behaviour profile, and the two approaches of anomaly detection and misuse detection are combined to detect user behaviour and data state, improving the accuracy and efficiency of detection. In addition, the system can automatically complete policy configuration definition, update, maintenance and the like according to changes in the application scenario, forming an adaptive security protection scheme. The adaptive security protection system based on user behaviour of the present invention combines anomaly detection and misuse detection to improve the accuracy of user behaviour detection, and mainly has two functions: dynamic learning of user behaviour and adaptive security protection. Dynamic learning means that the system can dynamically learn and update according to changes in user behaviour; adaptive security means that the system can predict the behaviour of future data through dynamic learning and automatically generate a protection scheme.
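To make the two-stage detection of step (d) and the learning/protection modes concrete, the following Python model was written for this page (it is not code from the patent): learning mode builds one adaptive normal behaviour profile per protected entity with a stability judgement, and protection mode checks each real-time event against the misuse rule base first and the profile second, updating whichever side the verdict belongs to. The event format, the thresholds, the reading of the stability judgement and all sample traffic are assumptions.

```python
import re
from collections import Counter, defaultdict

# Step (b): split a sensor event into recognition units (the event shape is an
# assumption: HTTP events carry "METHOD /path", SQL events carry the statement).
def recognition_units(event):
    req = event["request"]
    if event["entity"] == "web":
        method, path = req.split(" ", 1)
        # collapse numbers so /orders/7 and /orders/42 share one sub-template
        return {"method": method.upper(), "path": re.sub(r"\d+", "N", path)}
    verb = req.split()[0].upper()
    m = re.search(r"\b(?:FROM|INTO|UPDATE)\s+([A-Za-z_]+)", req, re.I)
    return {"verb": verb, "table": m.group(1).lower() if m else "?"}

class MisuseRuleBase:
    """Step (d-1): signatures of known abnormal behaviour; a hit always alarms."""
    def __init__(self, rules):
        self.rules = [(name, re.compile(pat, re.I)) for name, pat in rules]

    def match(self, event):
        for name, rx in self.rules:
            if rx.search(event["request"]):
                return name
        return None

    def add(self, name, pattern):
        self.rules.append((name, re.compile(pattern, re.I)))  # dynamic update

class NormalProfile:
    """Step (c): adaptive normal-behaviour profile of one protected entity;
    items[configuration item][property value] counts what learning saw."""
    def __init__(self, stable_ratio=0.8):
        self.items = defaultdict(Counter)
        self.seen = 0
        self.last_new = {}          # learning-event index at which an item last changed
        self.stable_ratio = stable_ratio

    def learn(self, units):
        self.seen += 1
        for item, value in units.items():
            if value not in self.items[item]:
                self.last_new[item] = self.seen
            self.items[item][value] += 1

    def is_stable(self):
        """Stability judgement (assumed reading of the patent): an item is stable once
        it gained no new value for stable_ratio of the window; one stable item suffices."""
        if self.seen == 0:
            return False
        return any((self.seen - self.last_new[i]) / self.seen >= self.stable_ratio
                   for i in self.items)

    def deviation(self, units):
        """Share of configuration items whose value never appeared in learning."""
        unseen = sum(1 for i, v in units.items() if v not in self.items[i])
        return unseen / len(units)

def build_profiles(learning_events):
    """Learning mode: one profile per protected entity from normal traffic."""
    profiles = defaultdict(NormalProfile)
    for ev in learning_events:
        profiles[ev["entity"]].learn(recognition_units(ev))
    return profiles

def protect(event, rules, profiles, threshold=0.5):
    """Protection mode, step (d): misuse detection first, then anomaly detection."""
    hit = rules.match(event)
    if hit:
        return "misuse", hit                 # alarm on every misuse hit
    profile = profiles[event["entity"]]
    units = recognition_units(event)
    dev = profile.deviation(units)
    if dev > threshold:
        return "anomaly", dev                # hand to the security server for analysis
    profile.learn(units)                     # confirmed normal: refresh the profile
    return "normal", dev

# Constructed sample traffic and rules (not taken from the patent).
LEARNING = (
    [{"entity": "web", "request": f"GET /orders/{i}"} for i in range(8)]
    + [{"entity": "web", "request": "GET /index.html"}] * 2
    + [{"entity": "db", "request": f"SELECT * FROM orders WHERE id = {i}"} for i in range(10)]
)

def run_demo():
    """Learn, classify probes modelled on e1/e3/e4 of Fig. 3, then update the rule base."""
    rules = MisuseRuleBase([("sqli_tautology", r"\bor\b\s+\d+\s*=\s*\d+")])
    profiles = build_profiles(LEARNING)
    probes = {
        "e1": {"entity": "web", "request": "GET /orders/99"},          # known template
        "e3": {"entity": "web", "request": "POST /admin/export"},      # unseen method and path
        "e4": {"entity": "db", "request": "DELETE FROM users"},        # unseen verb and table
        "e5": {"entity": "web", "request": "GET /search?q=1 or 1=1"},  # misuse signature
    }
    verdicts = {k: protect(ev, rules, profiles) for k, ev in probes.items()}
    rules.add("admin_export", r"^POST /admin/export")  # server confirmed e3 as an attack
    verdicts["e3_again"] = protect(probes["e3"], rules, profiles)
    return verdicts
```

Note that with two configuration items per event a single unseen value gives a deviation of exactly 0.5, which does not exceed the default threshold and is learned as normal; the threshold is where the trade-off between false alarms and missed anomalies is tuned.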
Claims (8)
1. a kind of adaptive security means of defence based on user behavior and data mode, it is characterised in that comprise the following steps:
A. the user behavior event under normal condition is received by network sensor;
B. each user behavior event is divided into into different recognition units and template(-let);
C. by being classified to template(-let) and being collected, according to Similarity Measure, form matching somebody with somebody for self adaptation normal behaviour profile
Item is put, self adaptation normal behaviour profile is obtained;By the historical data and current data of user behavior, user's normal behaviour is set up
Model, predicts Changing Pattern and the trend of Future Data, and with following feature of the model tentative data;
D. extract personal behavior model;
D-1) real-time user behavior is contrasted and is matched with misuse rule base, carried out misuse detection;
Described misuse rule base is to be analyzed according to the feature to known users Deviant Behavior, forms corresponding rule, converges
The always data base of formation, and misuse rule base can be automatically updated;
D-2) real-time user behavior is contrasted and is matched with self adaptation normal behaviour profile, carried out abnormality detection;
Self adaptation normal behaviour profile is responded accordingly automatically according to the strategy being previously set, and realizes the guarantor to data
Shield;
E. self adaptation normal behaviour contoured profile is connected with protection equipment in network sensor.
2. The adaptive security protection method based on user behaviour and data state according to claim 1, characterised in that: the configuration items of each adaptive normal behaviour profile comprise multiple descriptions, each description supporting a value for the corresponding property; a stability judgement is carried out before the adaptive normal behaviour profile is used; the stability judgement calculates whether the percentage of the formation time of the adaptive normal behaviour profile framework exceeds a reserved threshold, and if so, the configuration item or attribute is judged to be stable; in the stability judgement of the adaptive normal behaviour profile, if one of the configuration items and attributes is stable, the adaptive normal behaviour profile framework is considered stable.
3. The adaptive security protection method based on user behaviour and data state according to claim 1, characterised in that: in step D, the real-time user behaviour is first compared and matched against the misuse rule base; if it matches, the behaviour is considered definitely abnormal, and the adaptive normal behaviour profile then responds according to the preset strategy; if it does not match, the behaviour is considered suspicious and anomaly detection is required, that is, it is compared and matched against the adaptive normal behaviour profile, and if the deviation exceeds the set threshold, abnormal behaviour is considered present; if the detection result is confirmed as normal behaviour, the rule is added to the adaptive normal behaviour profile, updating the adaptive normal behaviour profile; when the detection result is determined to be abnormal behaviour, the rule is added to the misuse rule base, updating the misuse rule base.
4. The adaptive security protection method based on user behaviour and data state according to claim 1, characterised in that: in step D, misuse detection raises an alarm for every behaviour it detects and the system responds accordingly; for behaviour that is not detected, anomaly detection is carried out, and the behaviour needs to be detected again to determine whether it is abnormal behaviour.
5. The adaptive security protection method based on user behaviour and data state according to claim 1, characterised in that: for abnormal behaviour that has been determined, the system can compile an audit log of the behaviour, realising real-time monitoring and backtracking of the behaviour.
6. The adaptive security protection method based on user behaviour and data state according to claim 1, characterised in that: the protection equipment is a web server (160) or a database server (170), and the network sensors are an HTTP sensor (230) and an SQL sensor (240); the HTTP sensor (230) collects the HTTP requests sent by the client (180) to the web server (160), and the SQL sensor (240) collects the SQL requests accessing the database server (170); the HTTP requests and SQL requests are processed by the HTTP sensor (230) and the SQL sensor (240) respectively and then sent as events to the security server (110).
7. A protection system applying the adaptive security protection method based on user behaviour and data state according to any one of claims 1-5, characterised in that: it comprises multiple secure network sensors (130) connected to a security server (110); the secure network sensors (130) are arranged in the network segment where the web server (160) and the database server (170) are joined; the network segment is provided with a network device (150); the network device (150) is connected to the security server (110) via a firewall (140), and the firewall (140) connects to the client (180).
8. The protection system according to claim 7, characterised in that: the security server (110) and the secure network sensors (130) are connected through Ethernet or an out-of-band network (120).
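The two-stage flow of claims 1 (step D), 3 and 4, together with the stability rule of claim 2 and the audit log of claim 5, as an added Python example written for this page. It is not the patent's code or the applicant's implementation: the event shape, the choice of `method`, `path` and response `bytes` as configuration items, the regex rule base, the thresholds, and the `confirm()` step that stands in for the "detected again" check of claim 4 are all assumptions of the example, and the sample events are constructed, not real traffic.

```python
import re
import statistics
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample events in the shape an HTTP sensor might forward to the
# security server (claim 6); made-up values, not real traffic.
SAMPLE_EVENTS = [
    {"user": "alice", "method": "GET", "path": "/orders",   "bytes": 1100},
    {"user": "alice", "method": "GET", "path": "/orders/7", "bytes": 900},
    {"user": "alice", "method": "GET", "path": "/account",  "bytes": 1300},
    {"user": "alice", "method": "GET", "path": "/orders",   "bytes": 1000},
    {"user": "alice", "method": "GET", "path": "/orders/9", "bytes": 1200},
]


@dataclass
class MisuseRuleBase:
    """Known-bad signatures (claim 1, D-1): named regexes over the request path."""
    rules: Dict[str, re.Pattern] = field(default_factory=dict)

    def match(self, event: dict) -> Optional[str]:
        for name, pattern in self.rules.items():
            if pattern.search(event["path"]):
                return name
        return None

    def add(self, name: str, pattern: str) -> None:
        self.rules[name] = re.compile(pattern)   # automatic update (claim 3)


@dataclass
class NormalProfile:
    """Adaptive normal-behaviour profile for one user (claim 1 step C, claim 2)."""
    learning_window: int          # events making up the formation period (assumed)
    stability_threshold: float    # share of the window that must be seen (claim 2)
    items: Dict[str, Set[str]] = field(default_factory=lambda: {"method": set(), "path": set()})
    sizes: List[int] = field(default_factory=list)   # numeric item, so a trend is captured too
    observations: int = 0

    def learn(self, event: dict) -> None:
        for key in self.items:
            self.items[key].add(str(event[key]))
        self.sizes.append(event["bytes"])
        self.observations += 1

    def is_stable(self) -> bool:
        # Claim 2: stable once the observed share of the formation period reaches the
        # threshold. All items are learned together here, so item and framework coincide.
        return self.observations / self.learning_window >= self.stability_threshold

    def deviation(self, event: dict) -> float:
        """Share of profile dimensions the event violates, in [0, 1]."""
        checks = [str(event[key]) not in seen for key, seen in self.items.items()]
        if len(self.sizes) >= 2:
            mean = statistics.mean(self.sizes)
            spread = statistics.pstdev(self.sizes) or 1.0
            checks.append(abs(event["bytes"] - mean) > 3 * spread)
        return sum(checks) / len(checks)


@dataclass
class HybridDetector:
    """Misuse detection first, anomaly detection second (claim 3); audit log (claim 5)."""
    rules: MisuseRuleBase
    learning_window: int = 5
    stability_threshold: float = 0.8
    anomaly_threshold: float = 0.5
    profiles: Dict[str, NormalProfile] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def profile(self, user: str) -> NormalProfile:
        if user not in self.profiles:
            self.profiles[user] = NormalProfile(self.learning_window, self.stability_threshold)
        return self.profiles[user]

    def detect(self, event: dict) -> str:
        """Returns 'abnormal', 'suspicious', 'normal' or 'learning'."""
        rule = self.rules.match(event)
        if rule:   # claim 4: every misuse hit is alarmed and responded to
            self.audit_log.append({"event": event, "verdict": "abnormal", "reason": rule})
            return "abnormal"
        prof = self.profile(event["user"])
        if not prof.is_stable():
            prof.learn(event)             # still inside the formation period
            return "learning"
        if prof.deviation(event) > self.anomaly_threshold:
            return "suspicious"           # claim 4: needs a second check before it counts as abnormal
        prof.learn(event)                 # claim 3: normal behaviour keeps refining the profile
        return "normal"

    def confirm(self, event: dict, is_abnormal: bool) -> None:
        """Outcome of the second check (claims 3 and 4): update rule base or profile."""
        if is_abnormal:
            self.rules.add(f"learned:{event['path']}", re.escape(event["path"]))
            self.audit_log.append({"event": event, "verdict": "abnormal", "reason": "anomaly confirmed"})
        else:
            self.profile(event["user"]).learn(event)


def run_demo() -> List[str]:
    """Learn from the sample events, then score three constructed probes."""
    detector = HybridDetector(MisuseRuleBase({"path_traversal": re.compile(r"\.\./")}))
    verdicts = [detector.detect(e) for e in SAMPLE_EVENTS]
    probes = [
        {"user": "alice", "method": "GET",    "path": "/orders/12",       "bytes": 1050},   # new path only
        {"user": "alice", "method": "DELETE", "path": "/admin/users",     "bytes": 52000},  # deviates everywhere
        {"user": "alice", "method": "GET",    "path": "/docs/../private", "bytes": 300},    # misuse rule hit
    ]
    return verdicts + [detector.detect(e) for e in probes]
```

With the defaults above the first four sample events are absorbed as "learning", the fifth is scored against a now-stable profile and judged "normal" (only the path is new), a request with an unseen method, unseen path and a response size far outside the learned range comes back "suspicious" rather than "abnormal", and a path matching the misuse rule is "abnormal" straight away. Calling `confirm(event, True)` on the suspicious request adds a rule for it, so the same request is caught by misuse detection next time; `confirm(event, False)` folds it into the profile instead.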
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611249727.9A CN106534212A (en) | 2016-12-29 | 2016-12-29 | Adaptive safety protection method and system based on user behaviors and data states |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611249727.9A CN106534212A (en) | 2016-12-29 | 2016-12-29 | Adaptive safety protection method and system based on user behaviors and data states |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106534212A true CN106534212A (en) | 2017-03-22 |
Family
ID=58338504
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611249727.9A Pending CN106534212A (en) | 2016-12-29 | 2016-12-29 | Adaptive safety protection method and system based on user behaviors and data states |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106534212A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050120054A1 (en) * | 2003-12-02 | 2005-06-02 | Imperva, Inc | Dynamic learning method and adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications |
CN101588358A (en) * | 2009-07-02 | 2009-11-25 | 西安电子科技大学 | System and method for detecting host intrusion based on danger theory and NSA |
CN105681339A (en) * | 2016-03-07 | 2016-06-15 | 重庆邮电大学 | Incremental intrusion detection method fusing rough set theory and DS evidence theory |
- 2016-12-29 CN CN201611249727.9A patent/CN106534212A/en active Pending
Non-Patent Citations (4)
Title |
---|
刘明等: "一种基于Snort规则和神经网络的混合入侵检测模型", 《广西大学学报(自然科学版)》 * |
周正国等: "基于数据挖掘技术的校园网络入侵检测系统应用", 《重庆科技学院学报(自然科学版)》 * |
尹才荣等: "基于混合入侵检测技术的网络入侵检测方法", 《合肥工业大学学报(自然科学版)》 * |
张波: "一种分布式动态防御系统在图书馆网络安全中的应用", 《河北科技图苑》 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107302520A (en) * | 2017-05-15 | 2017-10-27 | 北京明朝万达科技股份有限公司 | A kind of dynamic anti-leak of data and method for early warning and system |
CN106998334A (en) * | 2017-05-25 | 2017-08-01 | 北京计算机技术及应用研究所 | A kind of computer user's abnormal behavior detection method |
CN106998334B (en) * | 2017-05-25 | 2021-04-06 | 北京计算机技术及应用研究所 | Computer user behavior abnormity detection method |
CN107609004B (en) * | 2017-07-21 | 2020-08-18 | 深圳市小牛在线互联网信息咨询有限公司 | Application program embedding method and device, computer equipment and storage medium |
CN107609004A (en) * | 2017-07-21 | 2018-01-19 | 深圳市小牛在线互联网信息咨询有限公司 | Application program buries point methods and device, computer equipment and storage medium |
CN108881194A (en) * | 2018-06-07 | 2018-11-23 | 郑州信大先进技术研究院 | Enterprises user anomaly detection method and device |
CN108881194B (en) * | 2018-06-07 | 2020-12-11 | 中国人民解放军战略支援部队信息工程大学 | Method and device for detecting abnormal behaviors of users in enterprise |
CN109495508A (en) * | 2018-12-26 | 2019-03-19 | 成都科来软件有限公司 | Firewall configuration method based on service access data |
CN109495508B (en) * | 2018-12-26 | 2021-07-13 | 成都科来网络技术有限公司 | Firewall configuration method based on service access data |
WO2020173136A1 (en) * | 2019-02-27 | 2020-09-03 | 平安科技(深圳)有限公司 | Method and apparatus for monitoring application system, device, and storage medium |
CN109992961A (en) * | 2019-03-07 | 2019-07-09 | 北京华安普特网络科技有限公司 | Detection system and method for the anti-hacker attacks of Database Systems |
CN111865959A (en) * | 2020-07-14 | 2020-10-30 | 南京聚铭网络科技有限公司 | Detection method and device based on multi-source safety detection framework |
CN113162912A (en) * | 2021-03-12 | 2021-07-23 | 中航智能建设(深圳)有限公司 | Network security protection method, system and storage device based on big data |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106534212A (en) | Adaptive safety protection method and system based on user behaviors and data states | |
Garg et al. | Statistical vertical reduction‐based data abridging technique for big network traffic dataset | |
Sabahi et al. | Intrusion detection: A survey | |
US9369484B1 (en) | Dynamic security hardening of security critical functions | |
CN104899513B (en) | A kind of datagram detection method of industrial control system malicious data attack | |
KR102108960B1 (en) | Machine Learning Based Frequency Type Security Rule Generator and Its Method | |
CN105681298A (en) | Data security abnormity monitoring method and system in public information platform | |
CN102546638A (en) | Scene-based hybrid invasion detection method and system | |
CN107483414A (en) | A kind of security protection system and its means of defence based on cloud computing virtualized environment | |
CN109040130A (en) | Mainframe network behavior pattern measure based on attributed relational graph | |
KR101750760B1 (en) | System and method for anomaly behavior detection of smart home service | |
CN206332695U (en) | A kind of adaptive security guard system based on user behavior and data mode | |
Choksi et al. | Intrusion detection system using self organizing map: a survey | |
CN112272176A (en) | Network security protection method and system based on big data platform | |
Kumar et al. | Detection and prevention of profile cloning in online social networks | |
CN116032501A (en) | Network abnormal behavior detection method and device, electronic equipment and storage medium | |
KR102311997B1 (en) | Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis | |
CN117294524A (en) | Endophytic security defense method and system for network information system | |
Kumar et al. | Design and implementation of IDS using Snort, Entropy and alert ranking system | |
Fessi et al. | A decisional framework system for computer network intrusion detection | |
Chauhan et al. | Study of various intrusion detection systems: A survey | |
Kadam et al. | Various approaches for intrusion detection system: an overview | |
Di | Design of the Network Security Intrusion Detection System Based on the Cloud Computing | |
Zhang et al. | Network security situation awareness technology based on multi-source heterogeneous data | |
Yazdani et al. | Intelligent Detection of Intrusion into Databases Using Extended Classifier System. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | | |
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170322 | |