CN108304308A - User behavior monitoring method, device, computer equipment and storage medium - Google Patents

Info

Publication number
CN108304308A
Authority
CN
China
Prior art keywords
operation behavior
information
risk
leakage
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810122815.5A
Other languages
Chinese (zh)
Inventor
赵乐
施元
丁杰
丁一杰
董鹏
潘逸伦
周露荣
刘国辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Puhui Enterprise Management Co Ltd
Original Assignee
Ping An Puhui Enterprise Management Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Puhui Enterprise Management Co Ltd
Priority to CN201810122815.5A
Publication of CN108304308A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/30: Monitoring
    • G06F11/34: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438: Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment; monitoring of user actions
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

This application relates to a user behavior monitoring method, system, computer device and storage medium. The method includes: obtaining the operation behavior logs that multiple service terminals each generate during a monitoring period; parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data; obtaining a preset behavior analysis model and inputting the operation behavior data into the behavior analysis model to calculate the information leakage risk value corresponding to each of the user identifiers; and, when any information leakage risk value exceeds a threshold, generating an information leakage early warning and sending it to a monitor terminal. The method can improve information security.

Description

User behavior monitoring method, device, computer equipment and storage medium
Technical field
This application relates to the field of computer technology, and in particular to a user behavior monitoring method, device, computer device and storage medium.
Background
As enterprises grow in scale, the security of sensitive information becomes critical to their development. Sensitive information includes personal privacy information, business operation information, financial information, personnel information, IT operations and maintenance information, and so on. An enterprise's sensitive information is usually distributed across multiple corresponding business systems. Leakage of sensitive information can lead to harmful effects such as property loss, network service crashes and damage to the enterprise's reputation. To prevent such leakage, enterprises usually restrict user access with measures such as intranet restrictions or IP restrictions. This approach only reduces the risk of people outside the enterprise stealing sensitive information; it is difficult to guard against internal staff obtaining sensitive information directly from the business systems. Because there is no technique for monitoring the operation behavior of internal staff in the business systems, the security of sensitive information is reduced.
Summary of the invention
Based on this, in view of the above technical problem, it is necessary to provide a user behavior monitoring method, device, computer device and storage medium that can monitor the operation behavior of internal staff in the business systems and thereby improve the security of sensitive information.
A user behavior monitoring method, the method comprising: obtaining the operation behavior logs that multiple service terminals each generate during a monitoring period; parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data; obtaining a preset behavior analysis model, inputting the operation behavior data into the behavior analysis model, and calculating the information leakage risk value corresponding to each of the user identifiers; and, when any information leakage risk value exceeds a threshold, generating an information leakage early warning and sending it to a monitor terminal.
In one embodiment, the step of obtaining the operation behavior logs that multiple service terminals each generate during the monitoring period includes: during the idle time of the database, extracting the operation behavior logs that the service terminals generated during the monitoring period based on preset tracking points.
In one embodiment, multiple business systems run on the service terminal, and the step of parsing the operation behavior logs to obtain the operation behavior data corresponding to the user identifiers includes: parsing the operation behavior logs to obtain multiple operation behavior fields, the operation behavior fields including a business system identifier, a user identifier and an operation behavior identifier; recording the parsed operation behavior fields to a first data table; based on the first data table, counting the actual number of times each user performed each type of operation behavior across the multiple business systems, and recording the statistical result to a second data table. The second data table records the operation behavior data corresponding to the user identifiers.
In one embodiment, the preprocessed operation behavior data includes the operation behavior identifiers and actual operation counts corresponding to each user identifier, and the step of calculating the information leakage risk value corresponding to each user identifier includes: determining the routine operation count corresponding to each operation behavior identifier using the behavior analysis model; calculating, for each operation behavior identifier of each user identifier, the difference between the actual operation count and the corresponding routine operation count; and calculating the information leakage risk value of the corresponding user identifier from the difference.
In one embodiment, the behavior analysis model includes multiple operation behavior identifiers and their corresponding operation count intervals, and the step of determining the routine operation count for each operation behavior identifier using the behavior analysis model includes: according to the operation count interval into which each user identifier's actual operation count for each operation behavior identifier falls, counting the number of user identifiers that each operation behavior identifier has in each operation count interval; selecting the operation count interval with the largest number of user identifiers; and determining the routine operation count of the corresponding operation behavior identifier from the end value of the selected operation count interval.
In one embodiment, the operation behavior data further includes a department identifier, and calculating the information leakage risk value of the corresponding user identifier from the difference includes: obtaining the operation behavior identifiers and adjustment factors corresponding to multiple department identifiers; adjusting, with the adjustment factors, the differences corresponding to the different operation behavior identifiers of the corresponding user identifier; and calculating the information leakage risk value of the corresponding user identifier from the adjusted differences.
In one embodiment, the method further includes: when the information leakage risk value exceeds the threshold, adding a risk operation label to the corresponding user identifier; counting the number and the temporal correlation of the risk operation labels corresponding to the user identifier; and, according to the number and temporal correlation of the risk operation labels, reducing the operation permissions of the user identifier on the service terminal.
A user behavior monitoring device, the device comprising: a data acquisition module for obtaining the operation behavior logs that multiple service terminals each generate during a monitoring period; a data parsing module for parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data; a behavior analysis module for obtaining a preset behavior analysis model, inputting the operation behavior data into the behavior analysis model, and calculating the information leakage risk value corresponding to each of the user identifiers; and a behavior warning module for generating an information leakage early warning when any information leakage risk value exceeds a threshold and sending it to a monitor terminal.
A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the following steps when executing the computer program: obtaining the operation behavior logs that multiple service terminals each generate during a monitoring period; parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data; obtaining a preset behavior analysis model, inputting the operation behavior data into the behavior analysis model, and calculating the information leakage risk value corresponding to each of the user identifiers; and, when any information leakage risk value exceeds a threshold, generating an information leakage early warning and sending it to a monitor terminal.
A computer-readable storage medium storing a computer program, wherein the following steps are implemented when the computer program is executed by a processor: obtaining the operation behavior logs that multiple service terminals each generate during a monitoring period; parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data; obtaining a preset behavior analysis model, inputting the operation behavior data into the behavior analysis model, and calculating the information leakage risk value corresponding to each of the user identifiers; and, when any information leakage risk value exceeds a threshold, generating an information leakage early warning and sending it to a monitor terminal.
With the above user behavior monitoring method, device, computer device and storage medium, extracting the operation behavior logs that users generate on the service terminals during the monitoring period yields the corresponding operation behavior data. Inputting the operation behavior data into the preset behavior analysis model yields the information leakage risk value corresponding to each user identifier. Comparing the information leakage risk values with the threshold detects whether any of them exceeds it. When an information leakage risk value exceeds the threshold, an information leakage early warning is generated and sent to the monitor terminal, which prompts the monitor terminal to take information leakage prevention measures in time and so improves information security.
Description of the drawings
Fig. 1 is an application scenario diagram of the user behavior monitoring method in one embodiment;
Fig. 2 is a flow diagram of the user behavior monitoring method in one embodiment;
Fig. 3 is a structural block diagram of the user behavior monitoring device in one embodiment;
Fig. 4 is an internal structure diagram of the computer device in one embodiment.
Detailed description
To make the purpose, technical solution and advantages of this application clearer, the application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the application and are not intended to limit it.
The user behavior monitoring method provided by this application can be applied in the application environment shown in Fig. 1. The service terminal 102 communicates with the server 104 over a network, and the monitor terminal 106 communicates with the server 104 over a network. The service terminal 102 and the monitor terminal 106 can each be, but are not limited to, a personal computer, laptop, smartphone, tablet computer or portable wearable device. The server 104 can be implemented as an independent server or as a server cluster composed of multiple servers. One or more business systems run on the service terminal 102. A business system is a system used inside the enterprise to manage one or more kinds of sensitive information, such as personal privacy information, business operation information, financial information, personnel information and IT operations and maintenance information. Tracking points are preset in the business systems to collect users' operation behavior data. A user can handle different business on the service terminal 102 through different business systems. Based on the preset tracking points, the business systems collect the user's operation behavior data during the monitoring period. The server 104 extracts the operation behavior data that users generated on the service terminal 102 through the different business systems and preprocesses the operation behavior data obtained for the multiple user identifiers. The server 104 inputs the preprocessed operation behavior data into a preset behavior analysis model and uses the model to calculate the information leakage risk value corresponding to each user identifier. The server 104 checks whether any information leakage risk value exceeds a threshold; if so, it generates an information leakage early warning from the risk values that exceed the threshold and sends the warning to the monitor terminal 106. The monitor terminal 106 can take information leakage prevention measures in time according to the warning, improving information security.
In one embodiment, as shown in Fig. 2, a user behavior monitoring method is provided. Taking its application to the server in Fig. 1 as an example, the method includes the following steps:
Step 202: obtain the operation behavior logs that multiple service terminals each generate during the monitoring period.
A user can handle different business on a service terminal through different business systems. An operation behavior log is a log formed by monitoring the operation events that a user performs on the service terminal. Operation events may include routine events such as power-on and shutdown operations, and may also include sensitive events directed at a business system, such as login operations, information query operations and information download operations. The monitoring period can be set freely according to actual needs, for example the statutory working hours from 8:00 in the morning to 9:00 in the evening. The user identifier is used to locate the operation object of an operation event and can be at least one of the login account of the business system or the IP address (Internet Protocol address) of the service terminal. The server extracts the operation behavior logs of the corresponding users from the multiple service terminals at a preset time frequency.
Step 204: parse the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data.
The server parses each of the extracted operation behavior logs to obtain the operation behavior data corresponding to the user identifiers. The server preprocesses the operation behavior data to obtain input parameters that the behavior analysis model can use. Specifically, the operation behavior data includes multiple operation behavior fields; based on these fields, the server counts the actual number of times each user performed each type of operation behavior across the multiple business systems and standardizes the statistical result. The standardized statistical result is the preprocessed operation behavior data.
In one embodiment, the step of parsing the operation behavior logs to obtain the operation behavior data corresponding to the user identifiers includes: parsing the operation behavior logs to obtain multiple operation behavior fields, the operation behavior fields including a business system identifier, a user identifier and an operation behavior identifier; recording the parsed operation behavior fields to a first data table; based on the first data table, counting the actual number of times each user performed each type of operation behavior across the multiple business systems, and recording the statistical result to a second data table. The second data table records the operation behavior data corresponding to the user identifiers.
The server parses the operation behavior logs with a preset parsing package to obtain the corresponding operation behavior fields. The parsing package can be the JSON parsing package that comes with Java. The operation behavior fields include a business system identifier, a user identifier and an operation behavior identifier. The business system identifier identifies the business system in which the operation event occurred, for example the name or number of the business system. The operation behavior identifier uniquely identifies an operation event and includes the operation event name and the corresponding event description. The event description can be information related to the operation event, such as the login result for a login operation, the query conditions for a query operation, or the file name for a download operation. It is easy to understand that the event description can also include other information, such as the operation time. The server records the parsed operation behavior fields to the first data table. Each row of the first data table holds the data for one operation event of one user. The first data table is shown in Table 1:
Table one:
Based on the first data table, the server counts the actual number of times each user performed each type of operation behavior across the multiple business systems and records the statistical result to the second data table. The data in the second data table is the preprocessed operation behavior data. Each row of the second data table is the operation behavior data for one user identifier. The second data table records the actual number of times a user performed each operation event during the monitoring period. In other words, the second data table no longer distinguishes the business system in which an operation event occurred; it distinguishes only the different operation events of different users. The second data table is shown in Table 2:
Table two:
Both the first data table and the second data table may be stored in the database by the server in advance, or may be generated temporarily. There may be one or several of each. In other words, multiple users may share the same data table, or each user may have a corresponding data table; no restriction is placed on this.
In another embodiment, when the statistical result is recorded to the second data table, the statistical result is standardized. Specifically, the server uses a preset standardization algorithm to apply 0-1 standardization to each field in the second data table, that is, it converts each field value to a number between 0 and 1. The preset standardization algorithm can be Min-Max standardization (extreme value standardization), Z-score standardization, decimal scaling standardization, and so on. Standardization can improve the precision of the data analysis and can also reduce the amount of computation when the server analyzes operation behavior, thereby reducing the occupation of server resources.
Step 206: obtain a preset behavior analysis model, input the operation behavior data into the behavior analysis model, and calculate the information leakage risk value corresponding to each user identifier.
The behavior analysis model is stored in the server in advance. The server can obtain it by training a general Spark MLlib behavior analysis model (a machine learning model) on a large amount of sample operation data and the corresponding classification labels. The sample operation data includes sample operation behavior identifiers and the corresponding operation count differences. An operation count difference is the difference between the actual operation count and the routine operation count of an operation. Different operation count differences correspond to different classification labels. A classification label can be an operation count interval, such as [7,10].
The server uses the behavior analysis model to determine the routine operation count corresponding to each operation behavior identifier. The server calculates, for each operation behavior identifier of each user identifier, the difference between the actual operation count and the corresponding routine operation count, and queries the corresponding information leakage risk interval according to that difference. The server obtains the preset weight corresponding to each operation behavior identifier and calculates the information leakage risk value for each user identifier from the weights and the information leakage risk intervals obtained.
Step 208: when any information leakage risk value exceeds the threshold, generate an information leakage early warning and send it to the monitor terminal.
The server monitors whether the information leakage risk value of any user identifier exceeds the threshold. When one does, the server generates an information leakage early warning from the risk value that exceeds the threshold and the corresponding user identifier. There are multiple ways to implement the information leakage early warning. In one of them, the server generates a user behavior monitoring report from each user identifier and its information leakage risk value, and in the report marks distinctly the information leakage risk values that exceed the threshold and the corresponding user identifiers. The server sends the information leakage early warning to the monitor terminal to prompt the monitor terminal to take information leakage prevention measures in time, such as reducing the corresponding user's operation permissions on the business system. The monitor terminal is a pre-designated terminal with supervision authority. It is easy to understand that the monitor terminal may include the user's terminal, so that the corresponding user is prompted directly.
In this embodiment, extracting the operation behavior logs that users generate on the service terminals during the monitoring period yields the corresponding operation behavior data. Inputting the operation behavior data into the preset behavior analysis model yields the information leakage risk value corresponding to each user identifier. Comparing the information leakage risk values with the threshold detects whether any of them exceeds it. When an information leakage risk value exceeds the threshold, an information leakage early warning is generated and sent to the monitor terminal, which prompts the monitor terminal to take information leakage prevention measures in time and so improves information security.
In one embodiment, the step of obtaining the operation behavior logs that multiple service terminals each generate during the monitoring period includes: during the idle time of the database, extracting the operation behavior logs that the service terminals generated during the monitoring period based on preset tracking points.
To monitor users' operation behavior in the business systems, tracking points are preset in each business system on the service terminals of the users to be monitored. When a user operates a business system during the monitoring period, the business system records the user's operation behavior based on the preset tracking points and generates the corresponding operation behavior log. The service terminal stores the operation behavior logs generated by the different business systems.
The server extracts the operation behavior logs of the corresponding users from the multiple service terminals. To fully relieve the pressure of database resource consumption in the server, the server extracts the operation behavior logs during the idle time of the database. Specifically, the server runs a monitoring script that, within a preset time period, monitors the execution status and resource consumption of the batch processing tasks in the database, and obtains the execution times and resource consumption times of the batch processing tasks in the preset period. The preset period can be the whole non-working period or part of it, for example the period from 8:00 in the evening to 5:00 in the morning during the month before user behavior is monitored. The server counts the resource consumption times within the preset period, compares them with the execution times of the multiple batch processing tasks, and screens out the resource consumption times that avoid the execution times of the batch processing tasks. Because batch processing tasks consume more database resources while they execute, the resource consumption times that avoid the batch task execution times can serve as the idle time of the database. Since the idle time lies within the preset period, and the preset period can be a non-working period, the idle time obtained in this way can be regarded as the idle time at which database performance is optimal. The server parses the extracted operation behavior logs to obtain the operation behavior data corresponding to each user identifier.
In this embodiment, extracting the operation behavior logs during the idle time of the database reduces the occupation of server resources.
In one embodiment, the preprocessed operation behavior data includes the operation behavior identifiers and actual operation counts corresponding to each user identifier, and the step of calculating the information leakage risk value corresponding to each user identifier includes: determining the routine operation count corresponding to each operation behavior identifier using the behavior analysis model; calculating, for each operation behavior identifier of each user identifier, the difference between the actual operation count and the corresponding routine operation count; and calculating the information leakage risk value of the corresponding user identifier from the difference.
Using the behavior analysis model, the server screens out the routine operation count for each operation behavior identifier according to the actual operation counts of the multiple user identifiers. The routine operation count is the relatively reasonable number of occurrences of the corresponding operation event. The parsed operation behavior data also includes the actual operation count of each user identifier for each operation behavior identifier. The server calculates, for each operation behavior identifier of each user identifier, the difference between the actual operation count and the corresponding routine operation count. For example, in Table 2 above, suppose the routine operation count for the operation event identifier "query customer mobile phone number" is 20 and the actual operation count for the user identifier "user A" is 10; the corresponding difference is then 10. It is easy to understand that when the difference is negative, the user has performed the operation behavior more times than the routine operation count, there is an information leakage risk, and the operation event may be an information leakage risk event. It is worth noting that when the difference is negative, the user has performed the operation behavior fewer times than the routine operation count and there is no information risk, so the server sets the difference to 0.
Server to each user identifier, accordingly sum by the corresponding difference of multiple operation behaviors marks, by summed result Information leakage value-at-risk as relative users mark.In another embodiment, server calculate each difference with it is corresponding The ratio of routine operation number, to each user identifier, accordingly the corresponding ratio of multiple operation behaviors marks is summed, and will be asked The information leakage value-at-risk identified as relative users with result.For example, in the above-described embodiments, corresponding ratio is (20- 10)/20=0.5.
In yet another embodiment, the behavior analysis model includes a weight factor for each of multiple operation behavior identifiers. Different operation events differ in how likely they are to cause information leakage, and the server can set the weight factors according to that likelihood. For example, a query operation is more likely to cause information leakage than a login operation, and a download operation is more likely to cause it than a query operation, so the weight factors of the operation behavior identifiers for login, query and download operations can increase in that order. For instance, the weight factor for the operation behavior identifier "log in to business system 1" can be 0.8, the weight factor for "download employee address book" can be 1.2, and the weight factor for "query customer mobile number" can be 1. Using the weight factor of each operation behavior identifier, the server calculates, for each user identifier, the product of the ratio and the weight factor of each operation behavior identifier, sums the products for that user identifier, and takes the sum as the information leakage risk value of the user identifier.
For example, as shown in Table 2 above, suppose user A performed the above 4 kinds of operation events in the monitoring period, with operation behavior identifiers, in order, "failed login to business system 1", "download employee address book", "query customer mobile number" and "query customer QQ number"; the corresponding actual operation counts are 2, 7, 22 and 16, and the corresponding routine operation counts are 2, 8, 20 and 13 respectively. The corresponding ratios are then, in order, 0, 0, (22-20)/20 and (16-13)/12, and the corresponding weight factors are 0.8, 1.2, 1 and 1 respectively, so the information leakage risk value for "user A" can be 0*0.8 + 0/8*1.2 + 1/10*1 + 1/4*1 = 0.35. Setting a separate weight factor for each operation behavior identifier takes full account of the different likelihood that different operation events cause information leakage; for example, the criterion for whether a download event may cause information leakage leans more toward the downloaded content, while the criterion for whether a query event may cause information leakage leans more toward the number of queries. This fits practical application better and so improves the accuracy of the information leakage risk calculation.
In this embodiment, the routine operation count of each operation behavior is determined dynamically from the actual operation counts of multiple users. Compared with the traditional approach of setting the routine operation count to a fixed value, determining it dynamically makes it match the actual situation more closely and so improves the accuracy of the monitoring results.
In one embodiment, the behavior analysis model includes multiple operation behavior identifiers and the operation count intervals corresponding to each. The step of determining, using the behavior analysis model, the routine operation count corresponding to each operation behavior identifier includes: according to the operation count interval into which each user identifier's actual operation count for each operation behavior identifier falls, counting the number of user identifiers in each operation count interval of each operation behavior identifier; screening out the operation count interval with the largest number of user identifiers; and determining the routine operation count of the corresponding operation behavior identifier from the endpoint values of the screened operation count interval.
Using the behavior analysis model, the server clusters the multiple user identifiers along different dimensions. Specifically, the behavior analysis model includes multiple operation behavior identifiers, each with multiple operation count intervals; for example, the operation count intervals for "query customer mobile number" can be [1,6], [7,10], [11,15] and so on. According to the operation count interval into which each user identifier's actual operation count for each operation behavior identifier falls, the server divides the user identifiers into groups along different dimensions, obtaining several classes of user groups for each operation behavior identifier. Each class of user group includes one or more user identifiers. For example, user identifiers whose actual count of customer mobile number queries is no more than 6 form one class, those with more than 6 but no more than 10 form another class, and so on.
The server counts the number of user identifiers in each class of user group and, from those numbers, calculates the share of each class of user group for each operation behavior identifier. The server screens out the operation count interval of the class of user group with the highest share. For example, if 20% of users have customer mobile number query counts in the interval [1,6], 60% of users have query counts in the interval [7,10], and so on, the screened operation count interval is [7,10].
The server determines the routine operation count of the corresponding operation behavior identifier from the endpoint values of the screened operation count interval. Specifically, the server can choose either endpoint value of the interval, or a value between the two endpoint values, as the routine operation count. For example, the server can calculate the average of the actual operation counts that fall in the interval and use that average as the routine operation count. The server can also pick a value in the operation count interval at random, according to a preset rule, as the routine operation count.
In this embodiment, operation count intervals are preset for multiple operation behavior identifiers, and the routine operation count of each operation behavior is determined dynamically from the interval containing the most user identifiers. Compared with the traditional approach of setting the routine operation count to a fixed value, determining it dynamically makes it match the actual situation more closely and so improves the accuracy of the monitoring results.
In one embodiment, the operation behavior data further include a department identifier. The step of calculating the information leakage risk value corresponding to the user identifier from the differences includes: obtaining the operation behavior identifiers and adjustment factors corresponding to multiple department identifiers; using the adjustment factors to adjust the differences corresponding to the different operation behavior identifiers of the user identifier; and calculating the information leakage risk value corresponding to the user identifier from the adjusted differences.
Users in different departments handle different business, so they operate on business system operation events with different frequency. Users of one department may perform a certain operation behavior far more often than users of other departments; that is, the department has certain reasonable high-frequency operation behaviors.
To improve the accuracy of the information leakage risk calculation, the server takes the business nature of the user's department into account when calculating the user's information leakage risk value. Specifically, the operation behavior data that the server extracts from the service terminals further include the department identifier corresponding to each user identifier. The server sets in advance a corresponding adjustment factor for the department identifier of each department that has such reasonable high-frequency operation behavior. In other words, the server presets multiple department identifiers together with their corresponding operation behavior identifiers and adjustment factors; for example, the adjustment factor of the department identifier "marketing department" for the operation behavior identifier "query customer mobile number" can be 60%. It is easy to see that the more reasonable operations a department has for an operation behavior, the smaller the corresponding adjustment factor. When no adjustment factor is set for a department identifier, it defaults to 100%. After calculating the above difference, the server checks whether an adjustment factor exists for the corresponding operation behavior identifier under the department identifier to which the user identifier belongs. If one exists, the server multiplies the difference by the adjustment factor and uses the product as the adjusted difference. The server then calculates the information leakage risk value corresponding to the user identifier from the adjusted differences in the manner described above.
In this embodiment, the user's information leakage risk value is calculated taking into account the business nature of the user's department. This fully considers the business differences between departments, avoids judging high-frequency but reasonable operation behavior to be an information leakage risk operation, fits practical application, and improves the accuracy of the information leakage risk calculation.
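The following added example (not code from the patent) strings the embodiments above together: routine count taken from the most-populated count interval, difference floored at zero, department adjustment factor, ratio to the routine count, and weight factor. The sample records, the open-ended upper intervals, the tie-break rule, the threshold of 2.0 and the order in which the embodiments are combined are assumptions; the weight factors, the 60% adjustment factor and the intervals [1,6], [7,10], [11,15] are the page's own examples.

```python
from collections import defaultdict
from statistics import mean

INF = float("inf")
QUERY = "query customer mobile number"
DOWNLOAD = "download employee address book"
LOGIN = "log in to business system 1"

# Operation count intervals per operation behavior identifier.
# [1,6], [7,10], [11,15] come from the page; the other intervals are assumed.
INTERVALS = {
    QUERY: [(1, 6), (7, 10), (11, 15), (16, INF)],
    DOWNLOAD: [(1, 3), (4, 8), (9, INF)],
}
# Weight factors quoted on the page.
WEIGHTS = {LOGIN: 0.8, DOWNLOAD: 1.2, QUERY: 1.0}
# (department, operation) -> adjustment factor; anything absent defaults to 100%.
DEPT_FACTORS = {("marketing department", QUERY): 0.6}

# Constructed sample for one monitoring period:
# (user identifier, department identifier, operation identifier, actual count)
RECORDS = [
    ("user A", "operations", QUERY, 8), ("user A", "operations", DOWNLOAD, 2),
    ("user B", "operations", QUERY, 9), ("user B", "operations", DOWNLOAD, 2),
    ("user C", "operations", QUERY, 7), ("user C", "operations", DOWNLOAD, 2),
    ("user D", "finance", QUERY, 4), ("user D", "finance", DOWNLOAD, 5),
    ("user E", "marketing department", QUERY, 30),
    ("user E", "marketing department", DOWNLOAD, 2),
    ("user F", "finance", QUERY, 30), ("user F", "finance", DOWNLOAD, 6),
]


def routine_counts(records, intervals):
    """Routine count per operation: mean of the actual counts that fall in
    the interval holding the most users (ties go to the lowest interval)."""
    buckets = defaultdict(lambda: defaultdict(list))
    for _user, _dept, op, count in records:
        for lo, hi in intervals[op]:
            if lo <= count <= hi:
                buckets[op][(lo, hi)].append(count)
                break
    routine = {}
    for op, by_interval in buckets.items():
        # max() returns the first maximal item, so sorting breaks ties low.
        best = max(sorted(by_interval), key=lambda iv: len(by_interval[iv]))
        routine[op] = mean(by_interval[best])
    return routine


def risk_values(records, routine, weights, dept_factors):
    """Sum over operations of adjusted_difference / routine * weight."""
    risk = defaultdict(float)
    for user, dept, op, count in records:
        diff = max(count - routine[op], 0)          # below routine: no risk
        diff *= dept_factors.get((dept, op), 1.0)   # reasonable high frequency
        risk[user] += diff / routine[op] * weights.get(op, 1.0)
    return dict(risk)


def early_warnings(risk, threshold):
    """User identifiers whose risk value exceeds the threshold."""
    return sorted(user for user, value in risk.items() if value > threshold)


if __name__ == "__main__":
    routine = routine_counts(RECORDS, INTERVALS)
    risk = risk_values(RECORDS, routine, WEIGHTS, DEPT_FACTORS)
    for user in sorted(risk):
        print(f"{user}: {risk[user]:.3f}")
    print("early warning for:", early_warnings(risk, threshold=2.0))
```

Users E and F issue the same number of queries, but only F crosses the threshold, because E's difference is scaled by the marketing department's adjustment factor.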
In one embodiment, the method further includes: when the information leakage risk value exceeds the threshold, adding a risk operation mark to the corresponding user identifier; counting the number and the time association degree of the risk operation marks corresponding to the user identifier; and, according to the number and time association degree of the risk operation marks, reducing the operating permissions on the service terminal that correspond to the user identifier.
The server not only monitors a user's operation behavior within a single monitoring period but also analyzes the user's operation behavior across multiple monitoring periods. Specifically, whenever the information leakage risk value for a monitoring period exceeds the threshold, the server adds a risk operation mark to the corresponding user identifier. When a risk operation mark is newly added, the server counts the number of risk operation marks newly added for the user identifier within a preset period. The preset period contains multiple monitoring periods and can be set freely as required, for example 1 month. The server obtains the marking times of the multiple risk operation marks and calculates the time association degree of those marking times. The closer together the marking times, the higher the time association degree; conversely, the more dispersed the marking times, the lower the time association degree.
The server presets multiple combinations of risk operation mark count and time association degree, together with a permission adjustment policy for each combination. The server checks whether the counted number of risk operation marks exceeds a preset value. The preset value is the upper limit on the number of risk operations occurring in the preset period, for example 5. If the number of risk operation marks exceeds the preset value, the server obtains the permission adjustment policy that corresponds to the counted number and the time association degree of the risk operation marks, and reduces, according to that policy, the operating permissions on the service terminal that correspond to the user identifier.
In this embodiment, the user's operation behavior is monitored not only within a single monitoring period but also analyzed across multiple monitoring periods. Whether the user shows an information leakage trend is judged comprehensively from the operation behavior in multiple monitoring periods, and from that it is decided whether the operating permissions of the user identifier need to be reduced, which improves the accuracy of the monitoring results. In judging whether the user shows an information leakage trend, the method considers not only the number of times the information leakage risk value exceeded the threshold but also the time intervals between those occurrences, which fits practical application and further improves the accuracy of the monitoring results.
It should be understood that although the steps in the flow chart of Fig. 2 are shown in sequence as indicated by the arrows, these steps are not necessarily executed in the order the arrows indicate. Unless expressly stated otherwise herein, there is no strict limitation on the order in which these steps are executed, and they may be executed in other orders. Moreover, at least some of the steps in Fig. 2 may include multiple sub-steps or stages. These sub-steps or stages are not necessarily completed at the same moment and may be executed at different times; nor are they necessarily executed in sequence, but may be executed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in Fig. 3, a user behavior monitoring device is provided, including a data acquisition module 302, a data resolution module 304, a behavior analysis module 306 and a behavior warning module 308, wherein: the data acquisition module 302 is configured to obtain the operation behavior logs that multiple service terminals respectively generate in the monitoring period.
The data resolution module 304 is configured to parse the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data.
The behavior analysis module 306 is configured to obtain the preset behavior analysis model, input the operation behavior data into the behavior analysis model, and calculate the information leakage risk values corresponding to the multiple user identifiers.
The behavior warning module 308 is configured to generate an information leakage early warning when an information leakage risk value exceeds the threshold, and to send the information leakage early warning to the monitoring terminal.
In one embodiment, the data resolution module 304 is further configured to extract, during idle time of the database, the operation behavior logs that the multiple service terminals generated in the monitoring period based on preset tracking points.
In one embodiment, multiple business systems run on the service terminal. The data resolution module 304 is further configured to parse the operation behavior logs to obtain multiple operation behavior fields, the operation behavior fields including a business system identifier, a user identifier and an operation behavior identifier; record the parsed operation behavior fields in a first data table; based on the first data table, count the actual number of times each user performed each type of operation behavior in the multiple business systems, and record the statistics in a second data table. The second data table records the operation behavior data corresponding to the multiple user identifiers.
In one of the embodiments, the preprocessed operation behavior data include, for each user identifier, the corresponding operation behavior identifiers and actual operation counts. The behavior analysis module 306 is further configured to determine, using the behavior analysis model, the routine operation count corresponding to each operation behavior identifier; calculate, for each user identifier, the difference between the actual operation count and the corresponding routine operation count of each operation behavior identifier; and calculate the information leakage risk value corresponding to the user identifier from the differences.
In one of the embodiments, the behavior analysis model includes multiple operation behavior identifiers and the operation count intervals corresponding to each. The behavior analysis module 306 is further configured to count, according to the operation count interval into which each user identifier's actual operation count for each operation behavior identifier falls, the number of user identifiers in each operation count interval of each operation behavior identifier; screen out the operation count interval with the largest number of user identifiers; and determine the routine operation count of the corresponding operation behavior identifier from the endpoint values of the screened operation count interval.
In one of the embodiments, the operation behavior data further include a department identifier. The behavior analysis module 306 is further configured to obtain the operation behavior identifiers and adjustment factors corresponding to multiple department identifiers; use the adjustment factors to adjust the differences corresponding to the different operation behavior identifiers of the user identifier; and calculate the information leakage risk value corresponding to the user identifier from the adjusted differences.
In one of the embodiments, the device further includes a permission adjustment module 310, configured to add a risk operation mark to the corresponding user identifier when the information leakage risk value exceeds the threshold; count the number and the time association degree of the risk operation marks corresponding to the user identifier; and, according to the number and time association degree of the risk operation marks, reduce the operating permissions on the service terminal that correspond to the user identifier.
For the specific limitations of the user behavior monitoring device, refer to the limitations of the user behavior monitoring method above, which are not repeated here. The modules of the user behavior monitoring device may be implemented wholly or partly in software, hardware or a combination of the two. Each module may be embedded in, or independent of, a processor of the computer equipment in hardware form, or stored in a memory of the computer equipment in software form, so that the processor can invoke it to perform the operations corresponding to that module.
In one embodiment, a computer equipment is provided. The computer equipment may be a server, and its internal structure may be as shown in Fig. 4. The computer equipment includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer equipment provides computing and control capability. The memory of the computer equipment includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for running the operating system and the computer program stored in the non-volatile storage medium. The database of the computer equipment is used to store the behavior analysis model and the operation behavior data corresponding to the multiple user identifiers. The network interface of the computer equipment is used to communicate with external terminals over a network connection. When executed by the processor, the computer program implements a user behavior monitoring method.
Those skilled in the art will understand that the structure shown in Fig. 4 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer equipment to which the solution is applied. A specific computer equipment may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, a computer equipment is provided, including a memory and a processor. The memory stores a computer program, and the processor implements the following steps when executing the computer program: obtaining the operation behavior logs that multiple service terminals respectively generate in the monitoring period; parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data; obtaining the preset behavior analysis model, inputting the operation behavior data into the behavior analysis model, and calculating the information leakage risk values corresponding to the multiple user identifiers; and, when an information leakage risk value exceeds the threshold, generating an information leakage early warning and sending the information leakage early warning to the monitoring terminal.
In one embodiment, the processor further implements the following step when executing the computer program: during idle time of the database, extracting the operation behavior logs that the multiple service terminals generated in the monitoring period based on preset tracking points.
In one embodiment, multiple business systems run on the service terminal. The processor further implements the following steps when executing the computer program: parsing the operation behavior logs to obtain multiple operation behavior fields, the operation behavior fields including a business system identifier, a user identifier and an operation behavior identifier; recording the parsed operation behavior fields in a first data table; based on the first data table, counting the actual number of times each user performed each type of operation behavior in the multiple business systems, and recording the statistics in a second data table. The second data table records the operation behavior data corresponding to the multiple user identifiers.
In one embodiment, the preprocessed operation behavior data include, for each user identifier, the corresponding operation behavior identifiers and actual operation counts. The processor further implements the following steps when executing the computer program: determining, using the behavior analysis model, the routine operation count corresponding to each operation behavior identifier; calculating, for each user identifier, the difference between the actual operation count and the corresponding routine operation count of each operation behavior identifier; and calculating the information leakage risk value corresponding to the user identifier from the differences.
In one embodiment, the behavior analysis model includes multiple operation behavior identifiers and the operation count intervals corresponding to each. The processor further implements the following steps when executing the computer program: according to the operation count interval into which each user identifier's actual operation count for each operation behavior identifier falls, counting the number of user identifiers in each operation count interval of each operation behavior identifier; screening out the operation count interval with the largest number of user identifiers; and determining the routine operation count of the corresponding operation behavior identifier from the endpoint values of the screened operation count interval.
In one embodiment, the operation behavior data further include a department identifier. The processor further implements the following steps when executing the computer program: obtaining the operation behavior identifiers and adjustment factors corresponding to multiple department identifiers; using the adjustment factors to adjust the differences corresponding to the different operation behavior identifiers of the user identifier; and calculating the information leakage risk value corresponding to the user identifier from the adjusted differences.
In one embodiment, the processor further implements the following steps when executing the computer program: when the information leakage risk value exceeds the threshold, adding a risk operation mark to the corresponding user identifier; counting the number and the time association degree of the risk operation marks corresponding to the user identifier; and, according to the number and time association degree of the risk operation marks, reducing the operating permissions on the service terminal that correspond to the user identifier.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored. When executed by a processor, the computer program implements the following steps: obtaining the operation behavior logs that multiple service terminals respectively generate in the monitoring period; parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data; obtaining the preset behavior analysis model, inputting the operation behavior data into the behavior analysis model, and calculating the information leakage risk values corresponding to the multiple user identifiers; and, when an information leakage risk value exceeds the threshold, generating an information leakage early warning and sending the information leakage early warning to the monitoring terminal.
In one embodiment, the computer program further implements the following step when executed by the processor: during idle time of the database, extracting the operation behavior logs that the multiple service terminals generated in the monitoring period based on preset tracking points.
In one embodiment, multiple business systems run on the service terminal. The computer program further implements the following steps when executed by the processor: parsing the operation behavior logs to obtain multiple operation behavior fields, the operation behavior fields including a business system identifier, a user identifier and an operation behavior identifier; recording the parsed operation behavior fields in a first data table; based on the first data table, counting the actual number of times each user performed each type of operation behavior in the multiple business systems, and recording the statistics in a second data table. The second data table records the operation behavior data corresponding to the multiple user identifiers.
In one embodiment, the preprocessed operation behavior data include, for each user identifier, the corresponding operation behavior identifiers and actual operation counts. The computer program further implements the following steps when executed by the processor: determining, using the behavior analysis model, the routine operation count corresponding to each operation behavior identifier; calculating, for each user identifier, the difference between the actual operation count and the corresponding routine operation count of each operation behavior identifier; and calculating the information leakage risk value corresponding to the user identifier from the differences.
In one embodiment, the behavior analysis model includes multiple operation behavior identifiers and the operation count intervals corresponding to each. The computer program further implements the following steps when executed by the processor: according to the operation count interval into which each user identifier's actual operation count for each operation behavior identifier falls, counting the number of user identifiers in each operation count interval of each operation behavior identifier; screening out the operation count interval with the largest number of user identifiers; and determining the routine operation count of the corresponding operation behavior identifier from the endpoint values of the screened operation count interval.
In one embodiment, the operation behavior data further include a department identifier. The computer program further implements the following steps when executed by the processor: obtaining the operation behavior identifiers and adjustment factors corresponding to multiple department identifiers; using the adjustment factors to adjust the differences corresponding to the different operation behavior identifiers of the user identifier; and calculating the information leakage risk value corresponding to the user identifier from the adjusted differences.
In one embodiment, the computer program further implements the following steps when executed by the processor: when the information leakage risk value exceeds the threshold, adding a risk operation mark to the corresponding user identifier; counting the number and the time association degree of the risk operation marks corresponding to the user identifier; and, according to the number and time association degree of the risk operation marks, reducing the operating permissions on the service terminal that correspond to the user identifier.
Those of ordinary skill in the art will understand that all or part of the flows of the above embodiment methods can be completed by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided in this application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. To keep the description concise, not every possible combination of the technical features in the above embodiments is described; however, as long as a combination of these technical features involves no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application. Their description is relatively specific and detailed, but it should not therefore be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present application, and these all fall within the protection scope of the application. The protection scope of this patent shall therefore be determined by the appended claims.

Claims (10)

1. A user behavior monitoring method, the method comprising:
obtaining the operation behavior logs that multiple service terminals respectively generate within a monitoring period;
parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data;
obtaining a preset behavior analysis model, inputting the operation behavior data into the behavior analysis model, and calculating the information leakage risk value corresponding to each of the multiple user identifiers;
when an information leakage risk value exceeds a threshold, generating an information leakage early warning and sending the information leakage early warning to a monitoring terminal.
2. The method according to claim 1, characterized in that the step of obtaining the operation behavior logs that multiple service terminals respectively generate within the monitoring period comprises:
during idle time of the database, extracting the operation behavior logs that the multiple service terminals generate within the monitoring period based on preset buried points.
3. The method according to claim 1, characterized in that multiple business systems run on the service terminal, and the step of parsing the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data comprises:
parsing the operation behavior logs to obtain multiple operation behavior fields, the operation behavior fields including a business system identifier, a user identifier and an operation behavior identifier;
recording the multiple operation behavior fields obtained by parsing in a first data table;
based on the first data table, counting the actual number of operations of each type of operation behavior that each user performs in the multiple business systems, and recording the statistical result in a second data table, the second data table recording the multiple user identifiers and the corresponding operation behavior data.
4. The method according to any one of claims 1 to 3, characterized in that the preprocessed operation behavior data includes the operation behavior identifiers and actual operation counts corresponding to each user identifier, and the step of calculating the information leakage risk value corresponding to each of the multiple user identifiers comprises:
determining the routine operation count corresponding to each operation behavior identifier using the behavior analysis model;
calculating, for each user identifier, the difference between the actual operation count of each corresponding operation behavior identifier and the corresponding routine operation count;
calculating the information leakage risk value corresponding to the respective user identifier according to the differences.
5. The method according to claim 4, characterized in that the behavior analysis model includes multiple operation behavior identifiers and the corresponding operation count intervals, and the step of determining the routine operation count corresponding to each operation behavior identifier using the behavior analysis model comprises:
according to the operation count interval to which the actual operation count of each operation behavior identifier of the multiple user identifiers respectively belongs, counting the number of user identifiers that each operation behavior identifier has in the different operation count intervals;
selecting the operation count interval with the largest number of corresponding user identifiers;
determining the routine operation count corresponding to the respective operation behavior identifier according to the end values of the selected operation count interval.
6. The method according to claim 4, characterized in that the operation behavior data further includes a department identifier, and the step of calculating the information leakage risk value corresponding to the respective user identifier according to the differences comprises:
obtaining the operation behavior identifiers and adjustment factors corresponding to multiple department identifiers;
using the adjustment factors to adjust the differences corresponding to the different operation behavior identifiers of the respective user identifier;
calculating the information leakage risk value corresponding to the respective user identifier according to the adjusted differences.
7. The method according to claim 1, characterized in that the method further comprises:
when the information leakage risk value exceeds the threshold, adding a risk operation label to the respective user identifier;
counting the quantity and the temporal correlation of the risk operation labels corresponding to the user identifier;
reducing the operation permissions of the user identifier on the service terminal according to the quantity and the temporal correlation of the risk operation labels.
8. A user behavior monitoring device, the device comprising:
a data acquisition module, configured to obtain the operation behavior logs that multiple service terminals respectively generate within a monitoring period;
a data parsing module, configured to parse the operation behavior logs to obtain multiple user identifiers and the corresponding operation behavior data;
a behavior analysis module, configured to obtain a preset behavior analysis model, input the operation behavior data into the behavior analysis model, and calculate the information leakage risk value corresponding to each of the multiple user identifiers;
a behavior early-warning module, configured to generate an information leakage early warning when an information leakage risk value exceeds a threshold, and to send the information leakage early warning to a monitoring terminal.
9. A computer device, including a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium storing a computer program, characterized in that the computer program implements the steps of the method of any one of claims 1 to 7 when executed by a processor.
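The pipeline of claims 1 and 3 to 6, worked through on constructed data. This is an added example, not code from the patent or its applicant: the log line format, the interval width, the threshold, the adjustment factor table, taking the routine count as the midpoint of the modal interval's end values, and scoring risk as the sum of adjusted positive differences are all assumptions, since the claims do not fix them.

```python
from collections import Counter, defaultdict

INTERVAL_WIDTH = 10   # assumed width of each operation-count interval (claim 5)
THRESHOLD = 50.0      # assumed alert threshold (claim 1)
# Assumed adjustment factors per (department, operation) for claim 6; default is 1.0.
ADJUST = {("support", "export_customer"): 0.5}


def parse(lines):
    """Claim 3: parse 'system,user,dept,operation' lines and count per user/operation."""
    counts = defaultdict(Counter)   # user -> operation -> actual operation count
    dept_of = {}
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or not all(parts):
            continue  # drop malformed records rather than attribute them to a user
        _system, user, dept, op = parts
        counts[user][op] += 1
        dept_of[user] = dept
    return counts, dept_of


def routine_counts(counts):
    """Claim 5: per operation, pick the count interval that holds the most users."""
    routine = {}
    for op in {op for c in counts.values() for op in c}:
        buckets = Counter(c[op] // INTERVAL_WIDTH for c in counts.values())
        top = max(buckets.values())
        # Ties go to the lowest interval (assumption), which errs towards alerting.
        b = min(k for k, n in buckets.items() if n == top)
        lo, hi = b * INTERVAL_WIDTH, (b + 1) * INTERVAL_WIDTH - 1
        routine[op] = (lo + hi) / 2   # assumed use of the interval's end values
    return routine


def risk_values(counts, dept_of, routine):
    """Claims 4 and 6: adjusted excess over the routine count, summed per user."""
    return {
        user: sum(
            max(0.0, c[op] - base) * ADJUST.get((dept_of[user], op), 1.0)
            for op, base in routine.items()
        )
        for user, c in counts.items()
    }


def monitor(lines):
    """Claim 1: return all risk values and the users whose value exceeds the threshold."""
    counts, dept_of = parse(lines)
    risk = risk_values(counts, dept_of, routine_counts(counts))
    return risk, sorted(u for u, r in risk.items() if r > THRESHOLD)


# Constructed sample: (user, department, export_customer count, view_record count).
_CONSTRUCTED = [("u1", "sales", 3, 12), ("u2", "sales", 5, 15), ("u3", "sales", 4, 11),
                ("u4", "sales", 6, 14), ("u5", "sales", 120, 13), ("u6", "support", 90, 12)]
SAMPLE_LOG = ["crm,,sales,export_customer"]   # constructed malformed line (no user id)
for _user, _dept, _n_export, _n_view in _CONSTRUCTED:
    SAMPLE_LOG += [f"crm,{_user},{_dept},export_customer"] * _n_export
    SAMPLE_LOG += [f"loan,{_user},{_dept},view_record"] * _n_view

if __name__ == "__main__":
    risk, alerts = monitor(SAMPLE_LOG)
    for user in sorted(risk):
        print(user, risk[user], "ALERT" if user in alerts else "")
```

In the sample, u5 and u6 both export far more than the modal interval, but the assumed department factor halves u6's difference and keeps it under the threshold, which shows how much the choice of adjustment factors decides who is flagged.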
CN201810122815.5A 2018-02-07 2018-02-07 User behavior monitoring method, device, computer equipment and storage medium Pending CN108304308A (en)

Publications (1)

Publication Number Publication Date
CN108304308A true CN108304308A (en) 2018-07-20

Family

ID=62864657


Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109102392A (en) * 2018-08-15 2018-12-28 吉林亿联银行股份有限公司 A kind of reference inquiry method for prewarning risk and device
CN109166031A (en) * 2018-08-15 2019-01-08 吉林亿联银行股份有限公司 A kind of reference inquiry method for prewarning risk and device
CN109189657A (en) * 2018-08-17 2019-01-11 中国平安人寿保险股份有限公司 A kind of recording method, storage medium and the server of user's operation behavior
CN109255518A (en) * 2018-08-01 2019-01-22 阿里巴巴集团控股有限公司 Data application risk appraisal procedure, device and system
CN109684863A (en) * 2018-09-07 2019-04-26 平安科技(深圳)有限公司 Data leakage prevention method, device, equipment and storage medium
CN109872234A (en) * 2019-01-24 2019-06-11 平安科技(深圳)有限公司 Trading activity monitoring method, device, computer equipment and medium
CN109903045A (en) * 2019-01-24 2019-06-18 平安科技(深圳)有限公司 Action trail monitoring method, device, computer equipment and medium
CN109918899A (en) * 2019-01-23 2019-06-21 平安科技(深圳)有限公司 Server, employee reveal the prediction technique and storage medium of company information
CN109918278A (en) * 2019-01-24 2019-06-21 平安科技(深圳)有限公司 Monitoring method, device and the computer storage medium of the number of operations of custom system
CN109933705A (en) * 2019-03-22 2019-06-25 国家电网有限公司 A kind of big data platform operation management system
CN110046245A (en) * 2018-11-27 2019-07-23 阿里巴巴集团控股有限公司 A kind of data monitoring method and device, a kind of calculating equipment and storage medium
CN110097289A (en) * 2019-05-09 2019-08-06 深圳前海微众银行股份有限公司 Risk monitoring and control method, apparatus, equipment and computer readable storage medium
CN110175083A (en) * 2019-04-16 2019-08-27 平安科技(深圳)有限公司 The monitoring method and device of operating system
CN110175109A (en) * 2019-05-31 2019-08-27 北京北信源软件股份有限公司 A kind of determination method, determining device, equipment and the medium of user type
CN110365698A (en) * 2019-07-29 2019-10-22 杭州数梦工场科技有限公司 Methods of risk assessment and device
CN110417721A (en) * 2019-03-07 2019-11-05 腾讯科技(深圳)有限公司 Safety risk estimating method, device, equipment and computer readable storage medium
CN110445637A (en) * 2019-07-05 2019-11-12 深圳壹账通智能科技有限公司 Event-monitoring method, system, computer equipment and storage medium
CN110493181A (en) * 2019-07-05 2019-11-22 中国平安财产保险股份有限公司 User behavior detection method, device, computer equipment and storage medium
CN110532158A (en) * 2019-09-03 2019-12-03 南方电网科学研究院有限责任公司 Safety evaluation method, device, equipment and the readable storage medium storing program for executing of operation data
CN111008123A (en) * 2019-10-23 2020-04-14 贝壳技术有限公司 Database testing method and device, storage medium and electronic equipment
CN111444534A (en) * 2020-03-12 2020-07-24 中国建设银行股份有限公司 Method, device, equipment and computer readable medium for monitoring user operation
CN111581931A (en) * 2020-04-26 2020-08-25 泰康保险集团股份有限公司 Report generation method and device based on data leakage prevention system
CN111639318A (en) * 2020-05-26 2020-09-08 深圳壹账通智能科技有限公司 Wind control method based on gesture monitoring on mobile terminal and related device
CN112182537A (en) * 2020-09-28 2021-01-05 深圳前海微众银行股份有限公司 Monitoring method, device, server, system and storage medium
CN112434949A (en) * 2020-11-25 2021-03-02 平安普惠企业管理有限公司 Service early warning processing method, device, equipment and medium based on artificial intelligence
CN112580089A (en) * 2019-09-30 2021-03-30 奇安信安全技术(珠海)有限公司 Information leakage early warning method, device and system, storage medium and electronic device
CN112579408A (en) * 2020-10-29 2021-03-30 上海钱拓网络技术有限公司 Classification method of embedded point information
CN112861120A (en) * 2019-11-27 2021-05-28 深信服科技股份有限公司 Identification method, device and storage medium
CN112988772A (en) * 2021-02-08 2021-06-18 平安科技(深圳)有限公司 Behavior data monitoring method, device, equipment and medium
CN113434537A (en) * 2021-06-02 2021-09-24 上海数禾信息科技有限公司 Data processing method and device based on data acquisition
CN113570201A (en) * 2021-06-30 2021-10-29 北京达佳互联信息技术有限公司 Data processing method, device, equipment, storage medium and program product
CN113610535A (en) * 2021-07-29 2021-11-05 浙江惠瀜网络科技有限公司 Risk monitoring method and device suitable for consumption staging business process
CN115174224A (en) * 2022-07-06 2022-10-11 北京神州慧安科技有限公司 Information safety monitoring method and device suitable for industrial control network

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102495942A (en) * 2011-10-26 2012-06-13 深信服网络科技(深圳)有限公司 Assessment method for risks of internal network of organization and system
CN102946319A (en) * 2012-09-29 2013-02-27 焦点科技股份有限公司 System and method for analyzing network user behavior information
CN105989155A (en) * 2015-03-02 2016-10-05 阿里巴巴集团控股有限公司 Method and device for identifying risk behaviors
CN106228388A (en) * 2016-07-14 2016-12-14 乐视控股(北京)有限公司 A kind of member user's behavior monitoring method, device and electronic equipment
CN107409126A (en) * 2015-02-24 2017-11-28 思科技术公司 System and method for protecting enterprise computing environment safety
CN107612882A (en) * 2017-08-03 2018-01-19 北京奇安信科技有限公司 A kind of user behavior recognition method and device based on middle daily record

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180720