CN107169356B - Statistical analysis method and device - Google Patents

Statistical analysis method and device

Info

Publication number
CN107169356B
Authority
CN
China
Prior art keywords
model
user
operation data
database
database operation
Prior art date
Legal status
Active
Application number
CN201710304999.2A
Other languages
Chinese (zh)
Other versions
CN107169356A (en)
Inventor
刘军涛
王洪涛
樊建峰
Current Assignee
Shaanxi Suninfo Technology Co ltd
Original Assignee
Shanghai Suninfo Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Suninfo Technology Co ltd
Priority to CN201710304999.2A
Publication of CN107169356A
Application granted
Publication of CN107169356B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a statistical analysis method and device built on an intelligent learning method. It can be applied to most anti-prescription-statistics security protection systems, so that illegal prescription-statistics behaviour is located accurately, the accuracy of hospital prescription-statistics data is improved, and the occurrence of illegal prescription-statistics incidents is reduced.

Description

Statistical analysis method and device
Technical Field
The invention relates to the field of computers, in particular to a statistical analysis method and device.
Background
With the deployment of large numbers of information systems in hospitals, there are more and more ways of compiling prescription statistics (tongfang: per-prescriber drug-prescription statistics drawn from hospital data, rendered simply as "statistics" elsewhere in this document) from medical data, and illegal prescription-statistics incidents have gradually become frequent. More and more affected hospitals, and the relevant policies, rely on anti-prescription-statistics systems to locate the persons responsible in time and prevent further incidents.
In existing anti-prescription-statistics systems, vendors generally build a fixed knowledge base of prescription-statistics patterns into the system, establish a prescription-statistics model, and match the actions of illegal prescription-statistics behaviour against it in order to locate the persons involved. However, with the emergence of new hospital information systems (HIS) and of new illegal prescription-statistics techniques, the original built-in knowledge base can no longer identify new illegal behaviour effectively, so a new and effective method is urgently needed to make up for the defects of the built-in knowledge base approach.
Disclosure of Invention
The invention aims to provide a statistical analysis method and device that solve the problem that existing schemes cannot effectively identify illegal prescription-statistics behaviour.
According to an aspect of the present invention, there is provided a statistical analysis method, the method including:
capturing database operation data of a user from a system side business system;
creating a model containing preset model elements and corresponding values for each user, and calculating the occurrence times of the corresponding values of the model elements in the model of each user according to the database operation data of each user;
filtering out model elements and corresponding values of which the occurrence times of the values in the model of each user are smaller than a preset threshold value;
selecting database operation data to be analyzed from the database operation data, and obtaining the value of the model element of each user according to the database operation data to be analyzed of each user;
and comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result.
Further, in the above method, calculating, according to the database operation data of each user, the number of occurrences of the corresponding value of each model element in the model of the user includes:
decomposing the database operation data of each user according to the preset model element as a dimension, and taking each decomposed database operation data of each user as a corresponding value of a corresponding model element in the model of the user;
the number of occurrences of the values of the model elements in the model for each user is calculated.
Further, in the method, obtaining the value of the model element of each user according to the database operation data to be analyzed of the user includes:
and decomposing the database operation data to be analyzed of each user according to the dimension of the model element in the model of the user, and taking the decomposed database operation data to be analyzed of each user as the value of the corresponding model element of the user.
Further, in the above method, the model element includes an identity model element and/or an operation model element.
Further, in the above method, the identity model element includes one or any combination of an IP/MAC address, an operating system account, and a database login tool.
Further, in the above method, the operation model element includes one or any combination of a database instance, a database table field, an SQL hash, and a stored procedure.
Further, in the above method, capturing the database operation data of the user and/or the database operation data to be analyzed from the system service system includes:
and capturing the database operation data of the user and/or the database operation data to be analyzed from the system side service system in one or any combination of direct reading, bypass monitoring, serial interception and proxy.
Further, in the above method, comparing a deviation between a value of a model element in the to-be-analyzed database operation data of the user and a corresponding value of the model element filtered in the model of the user, and determining whether the to-be-analyzed database operation data is a suspicious statistical behavior according to a deviation result, includes:
comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and recording the element deviation value score of the model element with the deviation;
obtaining a total score of the element deviation value according to the element deviation value score;
and when the total score of the element deviation value is larger than a preset threshold value, judging the operation data of the database to be analyzed as suspicious statistical behavior.
According to another aspect of the present invention, there is also provided a statistical analysis apparatus, including:
the data capturing module is used for capturing database operation data of a user from a system side business system and selecting the database operation data to be analyzed from the database operation data;
the analysis modeling module is used for creating a model containing preset model elements and corresponding values for each user, calculating the occurrence times of the corresponding values of the model elements in the model of each user according to the database operation data of each user, and filtering the model elements and the corresponding values of which the occurrence times of the values in the model of each user are smaller than a preset threshold value;
and the model deviation calculation module is used for obtaining the value of the model element of each user according to the database operation data to be analyzed of each user, comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result.
Further, in the above device, the analysis modeling module includes a first data preprocessing module, configured to decompose the database operation data of each user according to the preset model element as a dimension, and use each decomposed database operation data of each user as a corresponding value of a corresponding model element in the model of the user; the number of occurrences of the values of the model elements in the model for each user is calculated.
Further, in the above device, the model deviation calculation module includes a second data preprocessing module, configured to decompose the to-be-analyzed database operation data of each user according to a dimension of a model element in the model of the user, and use the decomposed to-be-analyzed database operation data of each user as a value of a corresponding model element of the user.
Further, in the above apparatus, the model element includes an identity model element and/or an operation model element.
Further, in the above device, the identity model element includes one or any combination of an IP/MAC address, an operating system account, and a database login tool.
Further, in the above device, the operation model element includes one or any combination of a database instance, a database table field, an SQL hash, and a stored procedure.
Further, in the above device, the data capture module is configured to capture the database operation data of the user and/or the database operation data to be analyzed from the system side service system in one or any combination of direct reading, bypass monitoring, serial interception, and proxy.
Further, in the above apparatus, the model deviation calculating module is configured to compare a deviation between a value of a model element in the to-be-analyzed database operation data of the user and a corresponding value of the model element filtered in the model of the user, and mark an element deviation value score for the model element with the deviation; obtaining a total score of the element deviation value according to the element deviation value score; and when the total score of the element deviation value is larger than a preset threshold value, judging the operation data of the database to be analyzed as suspicious statistical behavior.
According to another aspect of the present application, there is also provided a computing-based device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
capturing database operation data of a user from a system side business system;
creating a model containing preset model elements and corresponding values for each user, and calculating the occurrence times of the corresponding values of the model elements in the model of each user according to the database operation data of each user;
filtering out model elements and corresponding values of which the occurrence times of the values in the model of each user are smaller than a preset threshold value;
selecting database operation data to be analyzed from the database operation data, and obtaining the value of the model element of each user according to the database operation data to be analyzed of each user;
and comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result.
Compared with the prior art, the invention provides an intelligent learning method: in the initial stage of deployment it automatically generates a per-user prescription-statistics model by learning from and analysing the hospital's prescription-statistics business operations, namely the database operation data, and then performs deviation analysis on new business operation data, namely the database operation data to be analyzed, against the learned dynamic model, so that illegal prescription-statistics behaviour can be identified automatically and accurately. In this embodiment an anti-prescription-statistics system is built; the account data of the hospital's business system can be imported into it so that database and business-system operations can be attributed to the personnel performing them, after which the system captures the hospital's database and business operation data for analysis. This intelligent-learning-based method can be applied to most anti-prescription-statistics security protection systems, so that illegal prescription-statistics behaviour is located accurately, the accuracy of hospital prescription-statistics data is improved, and the occurrence of illegal incidents is reduced.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 illustrates a schematic diagram according to an embodiment of the invention;
FIG. 2 shows a model diagram of an embodiment of the invention.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present invention is described in further detail below with reference to the attached drawing figures.
In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transient media), such as modulated data signals and carrier waves.
As shown in fig. 1, the present application provides a statistical analysis method, including:
capturing database operation data of a user from a system side business system; here, the database operation data for modeling may be data captured in real time from a system-side business system;
creating a model containing preset model elements and corresponding values for each user, and calculating the occurrence times of the corresponding values of the model elements in the model of each user according to the database operation data of each user;
filtering out model elements and corresponding values whose occurrence count in the model of each user is smaller than a preset threshold value; this removes the low-frequency model data, namely model elements and corresponding values that occur only rarely. Low-frequency model data can be regarded as unreliable, analogous to noise (invalid data) in statistics; the model data that remains after this filtering is the reference model data used in the model deviation calculation, and supports an accurate deviation calculation;
selecting database operation data to be analyzed from the database operation data, and obtaining the value of the model element of each user according to the database operation data to be analyzed of each user; here, the operation data of the database to be analyzed may be data captured in real time from a system-side business system;
and comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result.
In the initial stage of deployment, the intelligent learning method automatically generates a per-user prescription-statistics model by learning from and analysing the hospital's prescription-statistics business operations, namely the database operation data, and then performs deviation analysis on new business operation data, namely the database operation data to be analyzed, against the learned dynamic model, so that illegal prescription-statistics behaviour can be identified automatically and accurately. In this embodiment an anti-prescription-statistics system is built; the account data of the hospital's business system can be imported into it so that database and business-system operations can be attributed to the personnel performing them, after which the system captures the hospital's database and business operation data for analysis. This intelligent-learning-based method can be applied to most anti-prescription-statistics security protection systems, so that illegal prescription-statistics behaviour is located accurately, the accuracy of hospital prescription-statistics data is improved, and the occurrence of illegal incidents is reduced.
In an embodiment of the statistical analysis method, calculating, according to the database operation data of each user, the number of occurrences of a corresponding value of each model element in the model of the user includes:
decomposing the database operation data of each user according to the preset model element as a dimension, and taking each decomposed database operation data of each user as a corresponding value of a corresponding model element in the model of the user;
the number of occurrences of the values of the model elements in the model for each user is calculated. In this embodiment, the database operation data of each user is decomposed according to the preset model elements as dimensions, so that the corresponding values of the corresponding model elements in the model can be accurately obtained, and subsequent analysis and comparison are facilitated.
In an embodiment of the statistical analysis method, obtaining the values of the model elements of each user according to the database operation data to be analyzed of the user includes:
decomposing the database operation data to be analyzed of each user along the dimensions of the model elements in the model of that user, and taking the decomposed data of each user as the values of the corresponding model elements of the user. In this embodiment the database operation data to be analyzed of each user is decomposed along the model elements of the user's model as dimensions, so that the values of the corresponding model elements of the user can be obtained accurately for comparison against the filtered model, which facilitates subsequent analysis and comparison.
As shown in fig. 2, in an embodiment of the statistical analysis method of the present application, the model elements include identity model elements and/or operation model elements. The model elements are divided into identity model elements and operation model elements, so that comprehensive model element contents for analysis and comparison can be obtained.
As shown in fig. 2, in an embodiment of the statistical analysis method of the present application, the identity model element includes one or any combination of an IP/MAC address, an operating system account, and a database login tool. For example:
a value for the IP/MAC address, e.g. 192.168.0.1 / b8:38:61:60:67:3f;
a value for the operating system account, e.g. administrator;
a value for the database login tool, e.g. sql log. Dividing the identity model elements into one or any combination of IP/MAC address, operating system account and database login tool yields comprehensive identity model element content for subsequent analysis and comparison.
As shown in fig. 2, in an embodiment of the statistical analysis method of the present application, the operation model element includes one or any combination of a database instance, a database table field, an SQL hash, and a stored procedure. For example:
a value for the database instance, e.g. information_schema;
a value for the database table field, e.g. table1.column1;
a value for the SQL hash, e.g. the hash value 717FF39D1a64DE14995757FBF35AEA60 of a SELECT statement on table1;
a value for the stored procedure, e.g. sp_rep_query. Here the operation model elements are one or any combination of database instance, database table field, SQL hash and stored procedure, so that comprehensive operation model element content is available for subsequent analysis and comparison.
In an embodiment of the statistical analysis method, capturing database operation data of a user and/or database operation data to be analyzed from a system side service system includes:
capturing the database operation data of the user and/or the database operation data to be analyzed from the system side service system by one or any combination of direct reading, passive (bypass) monitoring, inline (serial) interception and proxying. In this way the database operation data of the user and/or the database operation data to be analyzed can be captured effectively from the system side business system.
In an embodiment of the statistical analysis method of the present application, comparing a deviation between a value of a model element in the to-be-analyzed database operation data of the user and a corresponding value of the model element filtered in the model of the user, and determining whether the to-be-analyzed database operation data is a suspicious statistical behavior according to a deviation result includes:
comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and recording the element deviation value score of the model element with the deviation;
obtaining a total score of the element deviation value according to the element deviation value score;
and when the total score of the element deviation value is larger than a preset threshold value, judging the database operation data to be analyzed as suspicious statistical behavior. Here, deviation statistics may be kept for each matched model element: for example, if the IP/MAC address differs from the one in the model, the final deviation score is increased by 10; if the database table field differs, the final deviation score is increased by 50; the contributions are then added to obtain the total deviation score, and the larger the score, the greater the degree of deviation, so that the database operation data to be analyzed can be accurately judged to be suspicious statistical behavior.
As shown in fig. 1, the anti-prescription-statistics system according to an embodiment of the present invention mainly includes the following modules: a data capturing module, a data preprocessing module, an analysis modeling module and a model deviation calculating module.
The data capturing module captures the raw database operation data produced by the business system; the data preprocessing module preprocesses the raw database data into normalized SQL data; the analysis modeling module reads the normalized SQL data to build the per-user model; and once the model is fully established, the model deviation calculating module performs matching analysis on the captured user data, producing illegal-behaviour records and alarms.
The operation flow of the above anti-prescription-statistics system is as follows:
1) firstly, a service system normally operates;
2) the data capture module captures business data by a suitable method (including but not limited to direct reading, passive (bypass) monitoring, inline (serial) interception and proxying) to obtain the raw database operation data RAW_SQL;
3) the data preprocessing module reads in RAW_SQL and decomposes it along the model element dimensions, namely IP/MAC address, operating system account, database login tool, database instance, database table field, SQL hash and stored procedure, to obtain the normalized model data PROFILE_SQL;
4) while the model is not yet established, the analysis modeling module creates a user model for each new business-system user. The model is divided mainly into a user identity model and a user operation model; a statistical table is created for each model element in the model, which counts the occurrences of each value of that model element, with the count initialized to zero. PROFILE_SQL is read and, for each record, the occurrence count of the corresponding model element value in the model is incremented by one;
here, each established model is an independent table in the database; for example, the database login tool table may be as follows:
[Table: database login tool model, one row per login tool value with its number of occurrences]
in the above table, each time the corresponding database login tool appears, its number of occurrences is incremented by one.
5) steps 3) and 4) are repeated until the model is built;
6) after the model is established, the values of each model element are sorted by occurrence count from high to low, and the low-frequency model data, namely model elements with low occurrence counts and their corresponding values, are filtered out;
7) the model deviation calculation module obtains the user's database operation data to be analyzed, preprocesses it into PROFILE_SQL data, and performs the deviation calculation on the user's preprocessed PROFILE_SQL data over the dimensions of IP/MAC address, operating system account, database login tool, database instance, database table field and so on, so that a suspicious prescription-statistics behaviour alarm is raised according to the degree of deviation from the model.
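The learning and scoring flow of steps 3) to 7) above, as an added Python example that is not part of the patent or of the assignee's product. The element names, the normalization applied to SQL before hashing, the minimum-count threshold, the alert threshold and every weight other than the +10 for IP/MAC and +50 for table field given earlier are assumptions, and the sample records are constructed.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Model elements (dimensions) named in the patent, split into identity and operation.
IDENTITY_ELEMENTS = ("ip_mac", "os_account", "login_tool")
OPERATION_ELEMENTS = ("db_instance", "table_field", "sql_hash", "stored_proc")
MODEL_ELEMENTS = IDENTITY_ELEMENTS + OPERATION_ELEMENTS

# Deviation weights: +10 for IP/MAC and +50 for table field are from the patent
# text; the other weights and both thresholds are assumed values for illustration.
WEIGHTS = {"ip_mac": 10, "os_account": 20, "login_tool": 20,
           "db_instance": 30, "table_field": 50, "sql_hash": 30, "stored_proc": 30}
MIN_COUNT = 2     # values seen fewer times than this are filtered as noise (step 6)
ALERT_SCORE = 50  # a total deviation score above this raises an alarm (step 7)


def normalize_sql(sql):
    """Assumed normalization: fold case and whitespace and mask literals, so that
    statements differing only in parameter values produce the same SQL hash."""
    s = re.sub(r"\s+", " ", sql.strip().lower())
    s = re.sub(r"'[^']*'", "?", s)   # string literals
    s = re.sub(r"\b\d+\b", "?", s)   # numeric literals
    return s


def sql_hash(sql):
    # 32 hex characters, the length of the hash value shown in the patent
    return hashlib.md5(normalize_sql(sql).encode()).hexdigest().upper()


def to_profile(raw):
    """Step 3: one RAW_SQL record -> PROFILE_SQL, one value per model element."""
    return {
        "ip_mac": f"{raw['ip']}/{raw['mac']}",
        "os_account": raw["os_account"],
        "login_tool": raw["login_tool"],
        "db_instance": raw["db_instance"],
        "table_field": raw["table_field"],
        "sql_hash": sql_hash(raw["sql"]),
        "stored_proc": raw.get("stored_proc", ""),
    }


def build_models(raw_records):
    """Step 4: per-user, per-element occurrence counts (the 'statistical tables')."""
    models = defaultdict(lambda: {e: Counter() for e in MODEL_ELEMENTS})
    for raw in raw_records:
        prof = to_profile(raw)
        for e in MODEL_ELEMENTS:
            models[raw["user"]][e][prof[e]] += 1
    return models


def filter_models(models, min_count=MIN_COUNT):
    """Step 6: drop low-frequency values; what remains is the reference model."""
    return {user: {e: {v for v, n in cnt.items() if n >= min_count}
                   for e, cnt in elems.items()}
            for user, elems in models.items()}


def score_record(ref_model, raw, weights=WEIGHTS):
    """Step 7: add the element weight for every element whose value is not among
    the user's filtered reference values. Returns (total, deviating elements)."""
    user_ref = ref_model.get(raw["user"])
    if user_ref is None:               # no learned model: every element deviates
        return sum(weights.values()), list(MODEL_ELEMENTS)
    prof = to_profile(raw)
    deviating = [e for e in MODEL_ELEMENTS if prof[e] not in user_ref[e]]
    return sum(weights[e] for e in deviating), deviating


def is_suspicious(ref_model, raw, threshold=ALERT_SCORE):
    return score_record(ref_model, raw)[0] > threshold


# Constructed sample RAW_SQL records (not from the patent): a learning window for
# one user that includes a single record from another host, filtered as noise.
def _rec(ip, mac, sql, table_field="his.prescription.drug_id"):
    return {"user": "dr_wang", "ip": ip, "mac": mac, "os_account": "wang",
            "login_tool": "sqlplus", "db_instance": "HIS",
            "table_field": table_field, "sql": sql}


TRAINING = [
    _rec("10.1.2.3", "b8:38:61:60:67:3f", "select drug_id from prescription where id = 101"),
    _rec("10.1.2.3", "b8:38:61:60:67:3f", "SELECT drug_id FROM prescription WHERE id = 202"),
    _rec("10.1.2.3", "b8:38:61:60:67:3f", "select drug_id from prescription where id = 303"),
    _rec("10.9.9.9", "00:11:22:33:44:55", "select drug_id from prescription where id = 404"),
]


def demo():
    """Score one routine lookup and one per-prescriber aggregation from an unseen host."""
    ref = filter_models(build_models(TRAINING))
    routine = _rec("10.1.2.3", "b8:38:61:60:67:3f",
                   "select drug_id from prescription where id = 505")
    aggregate = _rec("10.9.9.9", "00:11:22:33:44:55",
                     "select doctor_id, count(*) from prescription group by doctor_id",
                     table_field="his.prescription.doctor_id")
    return score_record(ref, routine), score_record(ref, aggregate)
```

Because the single training record from 10.9.9.9 falls below MIN_COUNT, that host is absent from the reference model and a later record from it contributes +10 on its own, which does not cross the threshold; the aggregation also changes the table field and the SQL hash, for a total of 90, which does.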
According to another aspect of the present application, there is also provided a statistical analysis apparatus, the apparatus comprising:
the data capturing module is used for capturing database operation data of a user from a system side business system and selecting the database operation data to be analyzed from the database operation data; the database operation data and the database operation data to be analyzed can be the same data or real-time data, and are only different in use purpose in different states before and after system modeling, are used for modeling before modeling, and are used for deviation calculation after modeling is completed;
the analysis modeling module is used for creating a model containing preset model elements and corresponding values for each user, calculating the occurrence times of the corresponding values of the model elements in the model of each user according to the database operation data of each user, and filtering the model elements and the corresponding values of which the occurrence times of the values in the model of each user are smaller than a preset threshold value;
and the model deviation calculation module is used for obtaining the value of the model element of each user according to the database operation data to be analyzed of each user, comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result.
In an embodiment of the statistical analysis device, the analysis modeling module includes a first data preprocessing module, configured to decompose database operation data of each user according to the preset model element as a dimension, and take each decomposed database operation data of each user as a corresponding value of a corresponding model element in the model of the user; the number of occurrences of the values of the model elements in the model for each user is calculated.
In an embodiment of the statistical analysis device, the model deviation calculation module includes a second data preprocessing module, configured to decompose the database operation data to be analyzed of each user using the model elements in the user's model as dimensions, and to use each decomposed item as the value of the corresponding model element of that user.
In an embodiment of the statistical analysis device of the present invention, the model elements include identity model elements and/or operation model elements.
In an embodiment of the statistical analysis device of the present invention, the identity model element includes one or any combination of an IP/MAC address, an operating system account, and a database login tool.
In an embodiment of the statistical analysis device of the present invention, the operation model element includes one or any combination of a database instance, a database table field, an SQL hash, and a stored procedure.
In an embodiment of the statistical analysis device of the present invention, the data capture module is configured to capture the database operation data of the user and/or the database operation data to be analyzed from the business system by one or any combination of direct reading, bypass monitoring (passive capture of mirrored traffic), serial (in-line) interception, and proxying.
In an embodiment of the statistical analysis device of the present invention, the model deviation calculation module is configured to compare the deviation between the value of a model element in the user's database operation data to be analyzed and the corresponding filtered value of that model element in the user's model, and to record an element deviation score for each model element that deviates; to obtain a total deviation score from the element deviation scores; and, when the total deviation score is larger than a preset threshold, to judge the database operation data to be analyzed as suspicious statistical behavior.
According to another aspect of the application, there is also a computing-based device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
capturing database operation data of a user from a system side business system;
creating a model containing preset model elements and corresponding values for each user, and calculating the occurrence times of the corresponding values of the model elements in the model of each user according to the database operation data of each user;
filtering out model elements and corresponding values of which the occurrence times of the values in the model of each user are smaller than a preset threshold value;
selecting database operation data to be analyzed from the database operation data, and obtaining the value of the model element of each user according to the database operation data to be analyzed of each user;
and comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result.
In summary, the present invention provides an intelligent learning method: it automatically generates a per-user prescription-statistics ("tongfang") model by learning from and analyzing hospital business operations, i.e. database operation data, and then performs deviation analysis of new business operation data, i.e. database operation data to be analyzed, against the learned dynamic model, so that illegitimate prescription-statistics behavior is identified automatically and accurately from the initial deployment stage. According to the embodiment, an anti-tongfang system is generated; the account data of the hospital's business system can be imported into the anti-tongfang system to map accounts to the personnel operating the database or business system, after which the anti-tongfang system captures the hospital's database operations and business operation data for analysis. This intelligent-learning-based detection method is applicable to most anti-tongfang security protection systems, so that illegitimate prescription-statistics behavior is located accurately, the accuracy of the hospital's prescription-statistics data is improved, and the occurrence of illegitimate prescription-statistics incidents is reduced.
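The learning and deviation-scoring procedure described above (per-user model of element values, threshold filtering of rare values, element deviation scores summed and compared against a threshold, as also recited in claims 1 and 7), as an added Python example that is not code from the patent. The element weights, the thresholds, the field names and every record are constructed assumptions, since the patent does not fix a scoring scheme.

```python
from collections import Counter, defaultdict

# Model elements as named in the patent: identity elements and operation elements.
IDENTITY_ELEMENTS = ("ip_mac", "os_account", "login_tool")
OPERATION_ELEMENTS = ("db_instance", "table_field", "sql_hash", "stored_procedure")
MODEL_ELEMENTS = IDENTITY_ELEMENTS + OPERATION_ELEMENTS

# Hypothetical per-element deviation scores (assumed; the patent leaves scoring open).
WEIGHTS = {"ip_mac": 2, "os_account": 3, "login_tool": 1,
           "db_instance": 2, "table_field": 2, "sql_hash": 1, "stored_procedure": 1}


def build_models(operations, min_count):
    """Decompose each user's captured operations along the model elements,
    count every value, and keep only values seen at least min_count times."""
    counts = defaultdict(lambda: defaultdict(Counter))  # user -> element -> value -> n
    for op in operations:
        for element in MODEL_ELEMENTS:
            counts[op["user"]][element][op[element]] += 1
    return {
        user: {element: {v: n for v, n in c.items() if n >= min_count}
               for element, c in elements.items()}
        for user, elements in counts.items()
    }


def score_operation(op, model):
    """Record a deviation score for every element whose value is absent from
    the user's filtered model; return the total and the per-element scores."""
    deviations = {e: WEIGHTS[e] for e in MODEL_ELEMENTS
                  if op[e] not in model.get(e, {})}
    return sum(deviations.values()), deviations


def classify(operations, models, threshold):
    """Flag an operation as suspicious when its total deviation exceeds threshold.
    A user with no learned model deviates on every element."""
    results = []
    for op in operations:
        total, deviations = score_operation(op, models.get(op["user"], {}))
        results.append({"user": op["user"], "total": total,
                        "deviations": deviations, "suspicious": total > threshold})
    return results


def _op(user, ip, acct, tool, inst, field, sql, proc):
    """Build one captured database operation record (constructed sample data)."""
    return dict(zip(("user",) + MODEL_ELEMENTS, (user, ip, acct, tool, inst, field, sql, proc)))


# Constructed learning-phase records for one pharmacy workstation account
# (records are read-only, so repeating the same dict object is fine).
LEARNING = ([_op("pharm01", "10.0.1.15", "pharm01", "sqlplus", "HIS", "outpatient.visit_id", "h1", "-")] * 4
            + [_op("pharm01", "10.0.1.15", "pharm01", "sqlplus", "HIS", "outpatient.drug_code", "h2", "-")] * 3
            + [_op("pharm01", "10.0.1.15", "pharm01", "sqlplus", "HIS", "outpatient.visit_id", "h9", "-")])

# Constructed records to analyse: a routine query, a query whose SQL hash was seen
# only once and therefore filtered out, and a query from an unfamiliar host and
# client touching a per-doctor prescription field.
TO_ANALYZE = [
    _op("pharm01", "10.0.1.15", "pharm01", "sqlplus", "HIS", "outpatient.drug_code", "h2", "-"),
    _op("pharm01", "10.0.1.15", "pharm01", "sqlplus", "HIS", "outpatient.visit_id", "h9", "-"),
    _op("pharm01", "10.0.9.77", "pharm01", "desktop_client", "HIS", "prescription.doctor_id", "h7", "-"),
]

MODELS = build_models(LEARNING, min_count=2)   # threshold for keeping a value in the model
RESULTS = classify(TO_ANALYZE, MODELS, threshold=3)  # threshold on the total deviation score

if __name__ == "__main__":
    for r in RESULTS:
        print(r["user"], r["total"], "suspicious" if r["suspicious"] else "ok", r["deviations"])
```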
For specific contents of the above device embodiment, reference may be made to corresponding parts of the method embodiment, and details are not described herein again.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
It should be noted that the present invention may be implemented in software and/or in a combination of software and hardware, for example, as an Application Specific Integrated Circuit (ASIC), a general purpose computer or any other similar hardware device. In one embodiment, the software program of the present invention may be executed by a processor to implement the steps or functions described above. Also, the software programs (including associated data structures) of the present invention can be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Further, some of the steps or functions of the present invention may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, some of the present invention can be applied as a computer program product, such as computer program instructions, which when executed by a computer, can invoke or provide the method and/or technical solution according to the present invention through the operation of the computer. Program instructions which invoke the methods of the present invention may be stored on a fixed or removable recording medium and/or transmitted via a data stream on a broadcast or other signal-bearing medium and/or stored within a working memory of a computer device operating in accordance with the program instructions. An embodiment according to the invention herein comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or solution according to embodiments of the invention as described above.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (15)

1. A statistical analysis method, wherein the method comprises:
capturing database operation data of a user from a system side business system;
creating a model containing preset model elements and corresponding values for each user, and calculating the occurrence times of the corresponding values of the preset model elements in the model of each user according to the database operation data of each user;
filtering out preset model elements and corresponding values of which the occurrence times of the values in the model of each user are smaller than a preset threshold value to obtain corresponding values of the filtered model elements;
selecting database operation data to be analyzed from the database operation data, and obtaining the value of the model element of each user according to the database operation data to be analyzed of each user;
comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result;
wherein, according to the database operation data of each user, calculating the occurrence times of the corresponding values of each preset model element in the model of the user, comprises:
decomposing the database operation data of each user according to the preset model element as a dimension, and taking each decomposed database operation data of each user as a corresponding value of a corresponding model element in the model of the user;
the number of occurrences of the values of the model elements in the model for each user is calculated.
2. The method of claim 1, wherein obtaining values of the model elements of each user from the database operation data to be analyzed of the user comprises:
and decomposing the database operation data to be analyzed of each user according to the dimension of the model element in the model of the user, and taking the decomposed database operation data to be analyzed of each user as the value of the corresponding model element of the user.
3. The method according to claim 1, wherein the pre-set model elements comprise identity model elements and/or operation model elements.
4. The method of claim 3, wherein the identity model elements comprise one or any combination of IP/MAC addresses, operating system accounts, and database login tools.
5. The method of claim 3, wherein the operation model elements comprise one or any combination of database instances, database table fields, SQL hashes and stored procedures.
6. The method of claim 1, wherein capturing database operation data of a user and/or database operation data to be analyzed from a system-side business system comprises:
and capturing the database operation data of the user and/or the database operation data to be analyzed from the system side service system in one or any combination of direct reading, bypass monitoring, serial interception and proxy.
7. The method of claim 6, wherein comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and determining whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result comprises:
comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and recording the element deviation value score of the model element with the deviation;
obtaining a total score of the element deviation value according to the element deviation value score;
and when the total score of the element deviation value is larger than a preset threshold value, judging the operation data of the database to be analyzed as suspicious statistical behavior.
8. A statistical analysis device, wherein the device comprises:
the data capturing module is used for capturing database operation data of a user from a system side business system and selecting the database operation data to be analyzed from the database operation data;
the analysis modeling module is used for creating a model containing preset model elements and corresponding values for each user, calculating the occurrence times of the corresponding values of the preset model elements in the model of each user according to the database operation data of each user, and filtering the preset model elements and the corresponding values of which the occurrence times of the values in the model of each user are smaller than a preset threshold value to obtain the corresponding values of the filtered model elements;
the model deviation calculation module is used for obtaining the value of the model element of each user according to the database operation data to be analyzed of each user, comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior or not according to the deviation result;
the analysis modeling module comprises a first data preprocessing module, a second data preprocessing module and a model analysis module, wherein the first data preprocessing module is used for decomposing the database operation data of each user according to the preset model elements as dimensions, and the decomposed database operation data of each user are respectively used as corresponding values of corresponding model elements in the model of the user; the number of occurrences of the values of the model elements in the model for each user is calculated.
9. The apparatus according to claim 8, wherein the model deviation calculating module includes a second data preprocessing module, configured to decompose the database operation data to be analyzed for each user according to a dimension of a model element in the model of the user, and use the decomposed database operation data to be analyzed for each user as a value of a corresponding model element of the user.
10. The apparatus of claim 8, wherein the pre-set model elements comprise identity model elements and/or operational model elements.
11. The apparatus of claim 10, wherein the identity model elements comprise one or any combination of IP/MAC addresses, operating system accounts, and database login tools.
12. The apparatus of claim 10, wherein the operation model elements comprise one or any combination of database instances, database table fields, SQL hashes, and stored procedures.
13. The device according to claim 8, wherein the data capture module is configured to capture the database operation data of the user and/or the database operation data to be analyzed from the system-side business system by one of direct reading, bypass monitoring, serial interception, and proxy, or any combination thereof.
14. The apparatus of claim 13, wherein the model deviation calculating module is configured to compare deviations between values of model elements in the database operation data to be analyzed of the user and corresponding values of filtered model elements in the user's model, and to record an element deviation value score for each deviated model element; obtaining a total score of the element deviation value according to the element deviation value score; and when the total score of the element deviation value is larger than a preset threshold value, judging the database operation data to be analyzed as suspicious statistical behavior.
15. A computing-based device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
capturing database operation data of a user from a system side business system;
creating a model containing preset model elements and corresponding values for each user, and calculating the occurrence times of the corresponding values of the preset model elements in the model of each user according to the database operation data of each user;
filtering out preset model elements and corresponding values of which the occurrence times of the values in the model of each user are smaller than a preset threshold value to obtain corresponding values of the filtered model elements;
selecting database operation data to be analyzed from the database operation data, and obtaining the value of the model element of each user according to the database operation data to be analyzed of each user;
comparing the deviation between the value of the model element in the database operation data to be analyzed of the user and the corresponding value of the model element filtered in the model of the user, and judging whether the database operation data to be analyzed is suspicious statistical behavior according to the deviation result;
wherein, according to the database operation data of each user, calculating the occurrence times of the corresponding values of each preset model element in the model of the user, comprises:
decomposing the database operation data of each user according to the preset model element as a dimension, and taking each decomposed database operation data of each user as a corresponding value of a corresponding model element in the model of the user;
the number of occurrences of the values of the model elements in the model for each user is calculated.
Application CN201710304999.2A, priority date 2017-05-03, filing date 2017-05-03, "Statistical analysis method and device", status Active, publication CN107169356B (en)


Publications (2)

Publication Number Publication Date
CN107169356A CN107169356A (en) 2017-09-15
CN107169356B true CN107169356B (en) 2020-08-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221209

Address after: 710075 18 / F, unit 1, building 1, Jinsong building, No.25, Gaoxin 6 road, high tech Zone, Xi'an City, Shaanxi Province

Patentee after: SHAANXI SUNINFO TECHNOLOGY CO.,LTD.

Address before: Room 20300, building 8, 498 GuoShouJing Road, Zhangjiang High Tech Park, Pudong New Area, Shanghai 201203

Patentee before: SHANGHAI SUNINFO TECHNOLOGY Co.,Ltd.