CN109460664B - Risk analysis method and device, electronic equipment and computer readable medium - Google Patents


Info

Publication number
CN109460664B
Authority
CN
China
Prior art keywords
target
target entity
behavior
knowledge graph
entity
Prior art date
Legal status
Active
Application number
CN201811236573.9A
Other languages
Chinese (zh)
Other versions
CN109460664A (en)
Inventor
汪南
孙浩庭
Current Assignee
Beijing Three Cloud Computing Co ltd
Beijing Sankuai Online Technology Co Ltd
Original Assignee
Beijing Sankuai Online Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Sankuai Online Technology Co Ltd
Priority to CN201811236573.9A
Publication of CN109460664A
Priority to CA3059709A
Application granted
Publication of CN109460664B
Legal status: Active
Anticipated expiration

Classifications

    • G06F 21/604 Tools and structures for managing or administering access control systems (G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F 21/60 Protecting data)
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules)
    • G06Q 10/0635 Risk analysis of enterprise or organisation activities (G06Q 10/06 Resources, workflows, human or project management; enterprise or organisation planning; enterprise or organisation modelling; G06Q 10/063 Operations research, analysis or management)


Abstract

The disclosure relates to a risk analysis method, a risk analysis device, an electronic device and a computer readable medium in the field of computer information processing. The method comprises the following steps: acquiring a target entity, a target behavior and an association relation between the target entity and the target behavior; taking the target entity and the target behavior as nodes and the association relation between them as edges, and jointly establishing a knowledge graph model; and performing risk analysis of the target entity and the target behavior through the knowledge graph model. The risk analysis method, device, electronic equipment and computer readable medium can comprehensively consider enterprise security and can quickly identify dangerous behaviors and dangerous targets when a security event occurs.

Description

Risk analysis method and device, electronic equipment and computer readable medium
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a risk analysis method, apparatus, electronic device, and computer readable medium.
Background
Generally, enterprises are built on human resources, capital, markets, machinery and equipment, materials, information and other elements. Enterprise management is becoming more and more important, and in particular, in the current information society, various electronic data inside an enterprise are easily stolen by enterprise staff, causing great business loss. In order to realize the sustainable and secure development of enterprises, there are several ways to manage and control the information security of an enterprise: first, raising the scientific and technical level and building a network security system; second, standardizing legal controls and promoting the information security awareness of staff; third, refining the supervisory responsibilities of government departments at all levels and strengthening supervision. However, all of the above can only restrain the employees of an enterprise from the point of view of morality and law, and such management means have little effect on employees with special purposes and intentions. In addition, especially for employees responsible for the network security of an enterprise, the traces of illegal behaviors or illegal operations are easily cleared away by the employees themselves, and in such a case information security management and control inside the enterprise is a problem to be solved urgently.
Therefore, a new risk analysis method, apparatus, electronic device and computer readable medium are needed.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of the above, the present disclosure provides a risk analysis method, a risk analysis device, an electronic device, and a computer readable medium, which can comprehensively consider enterprise security and can quickly identify dangerous behaviors and dangerous targets when a security event occurs.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, a risk analysis method is provided, the method including: acquiring a target entity, a target behavior and an incidence relation between the target entity and the target behavior; constructing a knowledge graph model by taking the target entity and the target behavior as nodes and taking the incidence relation between the target entity and the target behavior as edges; and performing risk analysis of the target entity and the target behavior through the knowledge graph model.
In an exemplary embodiment of the present disclosure, further comprising: determining a strength of an associative relationship between the target entity and the target behavior.
In an exemplary embodiment of the present disclosure, the target entities include a user, a device, and a network address; and/or the target behavior comprises a plurality of predetermined behaviors of a target entity; and/or the incidence relation between the target entity and the target behavior comprises an operation behavior.
In an exemplary embodiment of the present disclosure, determining the target entity, the target behavior, and the incidence relation between the target entity and the target behavior includes: extracting the user, the equipment and the network address in the monitoring log as a target entity; extracting a predetermined behavior in the monitoring log as a target behavior; and extracting operation behaviors between the target entity and the target behavior in the monitoring log as the incidence relation.
In an exemplary embodiment of the present disclosure, determining the strength of the associative relationship between the target entity and the target behavior comprises: and determining the strength of the association relationship according to the frequency of the operation behaviors between the target entity and the target behavior.
In an exemplary embodiment of the present disclosure, taking the target entity and the target behavior as nodes, taking an association relationship between the target entity and the target behavior as an edge, and jointly building the knowledge graph model further includes: and taking the strength of the incidence relation as the weight of the edge of the knowledge graph model.
In an exemplary embodiment of the present disclosure, performing risk analysis of the target entity and the target behavior through the knowledge graph model includes: determining a risk value of a target entity through the knowledge graph model; and/or determining abnormal target entities through the knowledge graph model; and/or determining abnormal target behavior through the knowledge graph model.
In an exemplary embodiment of the present disclosure, determining, by the knowledge graph model, a risk value of a target entity comprises: acquiring the security level of each target behavior in the knowledge graph model; and determining the risk value of the target entity in the knowledge graph model according to the weight of the edges in the knowledge graph model, the security level of the target behavior, and the in-degree and/or out-degree of each target entity in the target entity set in the knowledge graph model.
In an exemplary embodiment of the present disclosure, the risk value of a target entity is calculated by a risk degree formula;
[Risk degree formula: reproduced only as image GDA0003538693350000031 in the original]
wherein R(j) is the risk value of the target entity Xj, Yi is the ith target behavior associated with the target entity Xj, θ(i) is the connection strength between the target entity Xj and Yi, α(i) is the security level of the target behavior Yi, ID(Yi) is the in-/out-degree of Yi, and Ni is the number of target entities associated with Yi.
In an exemplary embodiment of the present disclosure, determining an anomalous target entity from the knowledge graph model comprises: determining a target entity with a risk value greater than a threshold; determining a set of associated entities of the target entity; and when the risk value of the target entity is greater than the risk value of each target entity in the associated entity set, determining that the target entity is an abnormal target entity.
In an exemplary embodiment of the present disclosure, determining an abnormal target behavior by the knowledge graph model comprises: determining a target entity of the anomaly; determining, by the knowledge graph model, a risk value for each target behavior associated with an anomalous target entity; and determining the target behavior corresponding to the maximum risk value as the abnormal target behavior.
According to an aspect of the present disclosure, there is provided a risk analysis device, the device including: the extraction module is used for acquiring a target entity, a target behavior and an incidence relation between the target entity and the target behavior; the model module is used for taking the target entity and the target behavior as nodes and taking the incidence relation between the target entity and the target behavior as edges to jointly establish a knowledge graph model; and the analysis module is used for carrying out risk analysis on the target entity and the target behavior through the knowledge graph model.
According to an aspect of the present disclosure, an electronic device is provided, the electronic device including: one or more processors; storage means for storing one or more programs; when executed by one or more processors, cause the one or more processors to implement a method as above.
According to an aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored, which program, when being executed by a processor, carries out the method as above.
According to the risk analysis method, the risk analysis device, the electronic equipment and the computer readable medium, the enterprise safety can be comprehensively considered, and dangerous behaviors and dangerous targets can be rapidly identified when a safety event occurs.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a system block diagram illustrating a risk analysis method and apparatus according to an exemplary embodiment.
FIG. 2 is a flow diagram illustrating a method of risk analysis according to an exemplary embodiment.
FIG. 3 is a schematic diagram illustrating a method of risk analysis according to another exemplary embodiment.
FIG. 4 is a flow chart illustrating a method of risk analysis according to another exemplary embodiment.
FIG. 5 is a block diagram illustrating a risk analysis device according to an exemplary embodiment.
FIG. 6 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 7 is a schematic diagram illustrating a computer-readable storage medium according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
Fig. 1 is a system block diagram illustrating a risk analysis method and apparatus according to an exemplary embodiment.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user can use the terminal devices 101, 102, 103 to perform various information interactions through the network 104 to receive or transmit messages and the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as a shopping application, a web browser application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a data server for monitoring the terminal devices 101, 102, 103, and the server 105 may acquire logs of various operations or data services performed by the users using the terminal devices 101, 102, 103. The server 105 may perform processing such as data analysis on the acquired log information, and feed back a processing result (an abnormal terminal device, an abnormal operation behavior, or the like) to the terminal device.
The server 105 may, for example, obtain a target entity, a target behavior, and an association between the target entity and the target behavior; the server 105 may, for example, take the target entity and the target behavior as nodes, and take the association relationship between the target entity and the target behavior as edges, to collectively construct a knowledge graph model; server 105 may perform a risk analysis of the target entity and the target behavior, e.g., through the knowledge graph model; wherein the target entity comprises a user, a device, and a network address; and/or the target behavior comprises a plurality of predetermined behaviors of a target entity; and/or the incidence relation between the target entity and the target behavior comprises an operation behavior.
The server 105 may be a server of one entity, and may also be composed of a plurality of servers, for example, a part of the server 105 may be, for example, a risk analysis system in the present disclosure, configured to perform risk analysis of the target entity and the target behavior through the knowledge graph model; a portion of the server 105 may also be used, for example, as a data system for responding to data access requests of user terminals.
It should be noted that the risk analysis method provided by the embodiment of the present disclosure may be executed by the server 105, and accordingly, the risk analysis device may be disposed in the server 105. And the requesting end provided for the user to perform data operation or send data request is generally located in the terminal equipment 101, 102, 103.
According to the risk analysis method and device of the present disclosure, risk analysis of the target entity and the target behavior is performed through the knowledge graph model, so that enterprise security can be considered comprehensively and dangerous behaviors and dangerous targets can be rapidly identified when a security event occurs.
FIG. 2 is a flow diagram illustrating a method of risk analysis according to an exemplary embodiment. The risk analysis method 20 includes at least steps S202 to S206.
As shown in fig. 2, in S202, a target entity, a target behavior, and an association relationship between the target entity and the target behavior are obtained. Wherein the target entity comprises any combination of a user, a device, and a network address.
In this embodiment, the target entity is an individual performing a target behavior in an enterprise, and the target entity may include a user, a device, and a network address.
In the embodiment, the target behavior is a set of behaviors which are executed by a target entity in an enterprise and have a security risk, and the target behavior comprises a plurality of predetermined behaviors of the target entity; specifically, the actions such as uploading data, downloading data, consulting data, etc. can be taken.
Wherein the incidence relation between the target entity and the target behavior comprises an operation behavior. An incidence is a connection between a target entity and the target action it performs.
In one embodiment, determining the target entity, the target behavior, and the incidence relationship between the target entity and the target behavior comprises: extracting the user, the equipment and the network address in the monitoring log as a target entity; extracting a predetermined behavior in the monitoring log as a target behavior; and extracting operation behaviors between the target entity and the target behavior in the monitoring log as the incidence relation.
In one embodiment, target entity A may be, for example, an XX user; the target behavior B is a data downloading behavior; the target behavior C is a data deletion behavior, and when the XX user has a data downloading behavior, the target entity A and the target behavior B are determined to have an association relationship; and if the XX user has no data deletion behavior, determining that the target entity A and the target behavior C have no association relationship.
In S204, a knowledge graph model is constructed with the target entity and the target behavior as nodes and the association between the target entity and the target behavior as edges.
In one embodiment, further comprising: determining a strength of an associative relationship between the target entity and the target behavior. The strength of the association may specifically be determined, for example, by the frequency of operational behaviors between the target entity and the target behavior. And taking the strength of the incidence relation as the weight of the edge of the knowledge graph model.
In one embodiment, the frequency of operation within the predetermined time may be the strength θ of the correlation. For example, a day is taken as a deadline, and when the XX user has data downloading behavior in one day, it is determined that the target entity a and the target behavior B have an association relationship, and when the number of XX user data downloading behaviors is 10 times, the strength θ of the association relationship is 10.
In one embodiment, a knowledge graph is understood in the broad sense used in scientometrics: a method that combines theories and methods from mathematics, graphics, information visualization and information science with citation analysis and co-occurrence analysis, and uses a visualized graph to display the core structure, development history, frontier areas and overall knowledge framework of a discipline.
A knowledge graph includes several kinds of nodes:
Entity: something that is distinguishable and exists independently.
Concept: a collection of entities sharing the same kind of characteristics.
Attribute: a value pointed to from an entity; different attribute types correspond to edges of different types.
Relationship: on the knowledge graph, a relationship is a function that maps k graph nodes (entities, semantic classes, attribute values) to a boolean value.
One common representation of a knowledge graph is that the nodes are the set of entities in the knowledge base, containing |E| distinct entities, and the edges are the set of relations in the knowledge base, containing |R| distinct relations.
In one embodiment, based on the above definitions, the target entity and the target behavior can be used as nodes, and the knowledge graph constructed by the association relationship can be shown in fig. 3, for example. The nodes with two attributes exist in the knowledge graph model, namely a target entity node and a target behavior node, and edges connecting the target entity node and the target behavior node are in an incidence relation. As shown in fig. 3, the white nodes in the knowledge graph model may be, for example, target entity nodes, and the black nodes may be, for example, target behavior nodes.
In one embodiment, as shown in fig. 3, target entity nodes and target behavior nodes in the knowledge graph model are connected by edges; target entity nodes are not directly connected to one another, and target behavior nodes are not directly connected to one another. This setting of the knowledge graph model reflects reality: for example, target entity A is an XX user, target behavior B is a data downloading behavior, target behavior C is a data deleting behavior, and target entity D is an XX computer; the XX user and the XX computer can only be associated with each other through the data downloading behavior, and the data downloading behavior and the data deleting behavior cannot be related directly but only through a target entity node.
In S206, a risk analysis of the target entity or the target behavior is performed through the knowledge graph model.
In one embodiment, performing risk analysis of the target entity and the target behavior by the knowledge graph model comprises: determining a risk value of a target entity through the knowledge graph model; and/or determining abnormal target entities through the knowledge graph model; and/or determining abnormal target behavior through the knowledge graph model.
Wherein determining, by the knowledge graph model, a risk value for a target entity comprises: acquiring the security level of each target behavior in the knowledge graph model; and determining the risk value of the target entity in the knowledge graph model according to the weight of the edges in the knowledge graph model, the security level of the target behavior, and the in-degree and/or out-degree of each target entity in the target entity set in the knowledge graph model.
Wherein determining an abnormal target entity through the knowledge graph model comprises: determining a target entity with a risk value greater than a threshold; determining a set of associated entities of the target entity; and when the risk value of the target entity is greater than the risk value of each target entity in the associated entity set, determining that the target entity is an abnormal target entity.
Wherein determining abnormal target behavior via the knowledge graph model comprises: determining a target entity of the anomaly; determining, by the knowledge graph model, a risk value for each target behavior associated with an anomalous target entity; and determining the target behavior corresponding to the maximum risk value as the abnormal target behavior.
In one embodiment, monitoring log data may also be obtained periodically, for example in the form of a timed task, to build the knowledge graph model for risk analysis.
According to the risk analysis method of the present disclosure, the target entity and the target behavior are used as nodes and the association relation between them as edges to jointly establish a knowledge graph model, and risk analysis of the target entity and the target behavior is carried out through the knowledge graph model, so that enterprise security can be considered comprehensively and dangerous behaviors and dangerous targets can be rapidly identified when a security event occurs.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
FIG. 4 is a flow chart illustrating a method of risk analysis according to another exemplary embodiment. The risk analysis method 40 shown in fig. 4 is a detailed description of S206 "risk analysis of the target entity and the target behavior through the knowledge graph model" in the risk analysis method 20 shown in fig. 2.
As shown in fig. 4, in S402, a risk value of the target entity is determined by the knowledge graph model. For example, the security level of each target behavior in the knowledge graph model can be obtained, and the risk value of the target entity in the knowledge graph model determined according to the weight of the edges in the knowledge graph model, the security level of the target behavior, and the in-degree and/or out-degree of each target entity in the target entity set in the knowledge graph model.
In one embodiment, for each target entity Xj in the knowledge graph model, its risk value can be calculated by the following formula:
[Risk degree formula: reproduced only as image GDA0003538693350000101 in the original]
wherein:
R(j) represents the risk value of Xj;
Yi represents the ith target behavior associated with the target entity Xj, and the function ID(Yi) evaluates the in-degree of that target behavior node;
Ni represents the number of target entities associated with this target behavior;
θ(i) represents the connection strength of Xj and Yi;
α(i) represents the security level of the ith target behavior, i.e. of the ith security risk.
In S404, an abnormal target entity is determined by the knowledge graph model. For example, a target entity having a risk value greater than a threshold is determined; the set of associated entities of that target entity is determined; and when the risk value of the target entity is greater than the risk value of each target entity in the associated entity set, the target entity is determined to be an abnormal target entity.
In one embodiment, the threshold may be an empirically set threshold T. For each target entity Xj with R(j) > T, the associated entity set SR of that target entity is determined; in this embodiment, the associated entity set is the set of target entities that share at least one target behavior with Xj. Its risk values are
{R(k) | j != k, Xj - Xk}
i.e. the risk values of the target entities Xk connected to Xj through a common target behavior. If R(j) satisfies the condition
R(j) > max(R(k))
then Xj is marked as an abnormal target entity.
If the risk value of the target entity is not greater than the risk value of each target entity in the associated entity set, the target entity is not marked.
In one embodiment, a security event is defined as a set of target behaviors performed by a target entity that exceed the range of security risk the entity is permitted to assume; after an abnormal target entity is determined, the abnormal target entity may, for example, be considered to have triggered a security event.
In S406, an abnormal target behavior is determined by the knowledge graph model. For example, the abnormal target entity is determined; the risk value of each target behavior associated with the abnormal target entity is determined by the knowledge graph model; and the target behavior corresponding to the maximum risk value is determined to be the abnormal target behavior.
For an abnormal target entity Xj with risk value R(j), according to the following formula:
Figure GDA0003538693350000111
the impact of every associated target behavior on R(j) may be calculated, and the target behavior with the greatest impact on the security risk of Xj is flagged as the abnormal target behavior.
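Steps S402 to S406 above, together with the log extraction of claim 4 and the frequency-based edge weights of claim 2, as an added worked example in Python (not code from the patent). The patent shows its risk formula only as an image, so the aggregation R(j) = Σ θ(i)·α(i)/ID(Yi), the behaviour security levels, the threshold T = 1.0, the field names and the log format are all assumptions of this example, and the log lines are constructed.

```python
"""Entity/behaviour risk graph for S402-S406 above and the extraction of claim 4
(added example, not the patent's code).  The patent's formula is only an image, so
the aggregation is an ASSUMPTION: R(j) = sum_i theta(i)*alpha(i)/ID(Yi), with
theta = edge weight (event frequency, claim 2), alpha = behaviour security level,
ID(Yi) = number of entities with an edge to Yi (equal to Ni in this graph)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample monitoring log (not real data); one event per line.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice dev=lap-01 ip=10.0.0.5 action=login
2024-05-01T09:01:00Z user=alice dev=lap-01 ip=10.0.0.5 action=heartbeat
2024-05-01T09:02:00Z user=alice dev=lap-01 ip=10.0.0.5 action=login
2024-05-01T09:03:00Z user=alice dev=lap-01 ip=10.0.0.5 action=download_report
2024-05-01T09:04:00Z user=bob dev=lap-02 ip=10.0.0.6 action=login
2024-05-01T09:05:00Z user=bob dev=lap-02 ip=10.0.0.6 action=download_report
2024-05-01T09:06:00Z user=carol dev=lap-03 ip=10.0.0.7 action=login
2024-05-01T09:07:00Z user=carol dev=lap-03 ip=10.0.0.7 action=export_database
2024-05-01T09:08:00Z user=carol dev=lap-04 ip=10.0.0.8 action=export_database
2024-05-01T09:09:00Z user=carol dev=lap-04 ip=10.0.0.8 action=export_database
2024-05-01T09:10:00Z user=carol dev=lap-04 ip=10.0.0.8 action=change_acl
"""
# Predetermined target behaviours and their security level alpha (assumed values).
BEHAVIOR_LEVEL: Dict[str, float] = {
    "login": 1.0, "download_report": 2.0, "change_acl": 4.0, "export_database": 5.0}
ENTITY_KEYS = ("user", "dev", "ip")  # users, devices and network addresses


class RiskGraph:
    """Nodes are entities and behaviours; an edge only joins an entity to a behaviour."""

    def __init__(self) -> None:
        self.weight: Dict[Tuple[str, str], int] = defaultdict(int)  # theta: frequency
        self.entity_edges: Dict[str, Set[str]] = defaultdict(set)    # entity -> behaviours
        self.behavior_edges: Dict[str, Set[str]] = defaultdict(set)  # behaviour -> entities

    def add_event(self, entities: List[str], behavior: str) -> None:
        for e in entities:
            self.weight[(e, behavior)] += 1
            self.entity_edges[e].add(behavior)
            self.behavior_edges[behavior].add(e)

    def in_degree(self, behavior: str) -> int:
        """ID(Yi): number of distinct entities whose edge points at behaviour Yi."""
        return len(self.behavior_edges.get(behavior, ()))

    def contributions(self, entity: str) -> Dict[str, float]:
        """Risk contributed by each behaviour Yi of Xj: theta(i)*alpha(i)/ID(Yi)."""
        return {y: self.weight[(entity, y)] * BEHAVIOR_LEVEL[y] / self.in_degree(y)
                for y in self.entity_edges.get(entity, ())}

    def risk(self, entity: str) -> float:
        """R(j), the risk value of target entity Xj (assumed weighted sum)."""
        return sum(self.contributions(entity).values())

    def associated_entities(self, entity: str) -> Set[str]:
        """SR: every other entity sharing at least one target behaviour with Xj."""
        others: Set[str] = set()
        for y in self.entity_edges.get(entity, ()):
            others |= self.behavior_edges[y]
        others.discard(entity)
        return others

    def abnormal_entities(self, threshold: float) -> List[str]:
        """S404: R(j) > T and R(j) strictly greater than R(k) for every Xk in SR."""
        flagged = []
        for x in list(self.entity_edges):
            r = self.risk(x)
            if r > threshold and all(r > self.risk(k) for k in self.associated_entities(x)):
                flagged.append(x)
        return sorted(flagged)

    def abnormal_behavior(self, entity: str) -> str:
        """S406: the associated behaviour contributing most to R(j)."""
        contrib = self.contributions(entity)
        return max(contrib, key=contrib.get)


def build_graph(log_text: str) -> RiskGraph:
    """Extraction: user/device/address become entity nodes, only predetermined
    actions become behaviour nodes, and every event adds weight to an edge."""
    graph = RiskGraph()
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        behavior = fields.get("action")
        if behavior not in BEHAVIOR_LEVEL:
            continue  # e.g. heartbeat: not a predetermined target behaviour
        graph.add_event([fields[k] for k in ENTITY_KEYS if k in fields], behavior)
    return graph


def analyse(log_text: str, threshold: float = 1.0) -> Dict[str, str]:
    """Run S402-S406 and return {abnormal entity: its abnormal behaviour}."""
    graph = build_graph(log_text)
    return {x: graph.abnormal_behavior(x) for x in graph.abnormal_entities(threshold)}
```

On the constructed log only the user carol is flagged: her devices lap-03 and lap-04 share her behaviours but each carries only part of her edges, so her R(j) strictly exceeds every neighbour's, and export_database is the behaviour that contributes most to it.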
According to the risk analysis method disclosed by the invention, a quantitative index which can be referenced and compared is provided for the security risk value of an enterprise target entity by using knowledge graph technology.
According to the risk analysis method disclosed by the invention, when a security event occurs, a target entity causing the security event can be marked.
According to the risk analysis method disclosed by the invention, when a security event occurs, the target behavior through which the enterprise target entity triggered the security event can be traced.
Those skilled in the art will appreciate that all or part of the steps implementing the above embodiments may be implemented as computer programs executed by a CPU. When the computer program is executed by the CPU, it performs the functions defined by the above-described methods provided by the present disclosure. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the disclosed apparatus that may be used to perform embodiments of the disclosed methods. For details not disclosed in the embodiments of the apparatus of the present disclosure, refer to the embodiments of the method of the present disclosure.
FIG. 5 is a block diagram illustrating a risk analysis device according to an exemplary embodiment. The risk analysis device 50 includes: an extraction module 502, a model module 504, and an analysis module 506.
The extracting module 502 is configured to obtain a target entity, a target behavior, and an association relation between the target entity and the target behavior. This comprises: extracting the users, devices and network addresses in the monitoring log as target entities; extracting predetermined behaviors in the monitoring log as target behaviors; and extracting the operation behaviors between the target entities and the target behaviors in the monitoring log as the association relations.
The model module 504 is configured to construct a knowledge graph model with the target entity and the target behavior as nodes and the association between the target entity and the target behavior as edges. In the knowledge graph model, a target entity node is connected with a target behavior node through an edge; a target entity node is not directly connected with another target entity node, and a target behavior node is not directly connected with another target behavior node.
The analysis module 506 is configured to perform risk analysis of the target entity and the target behavior through the knowledge graph model. This comprises: determining a risk value of a target entity through the knowledge graph model; and/or determining abnormal target entities through the knowledge graph model; and/or determining abnormal target behavior through the knowledge graph model.
According to the risk analysis device disclosed by the disclosure, the target entity and the target behavior are used as nodes, the association relation between the target entity and the target behavior is used as edges, a knowledge graph model is jointly established, and the risk analysis of the target entity and the target behavior is carried out through the knowledge graph model, so that enterprise security can be considered comprehensively, and the dangerous behavior and the dangerous target entity can be rapidly located when a security event occurs.
FIG. 6 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 200 according to this embodiment of the present disclosure is described below with reference to fig. 6. The electronic device 200 shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, the electronic device 200 is embodied in the form of a general purpose computing device. The components of the electronic device 200 may include, but are not limited to: at least one processing unit 210, at least one memory unit 220, a bus 230 connecting different system components (including the memory unit 220 and the processing unit 210), a display unit 240, and the like.
The memory unit 220 stores program code executable by the processing unit 210 to cause the processing unit 210 to perform the steps according to various exemplary embodiments of the present disclosure described in the above-mentioned electronic prescription flow processing method section of the present specification. For example, the processing unit 210 may perform the steps as shown in fig. 2 and 4.
The memory unit 220 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)2201 and/or a cache memory unit 2202, and may further include a read only memory unit (ROM) 2203.
The memory unit 220 may also include a program/utility 2204 having a set (at least one) of program modules 2205, such program modules 2205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 230 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 200 may also communicate with one or more external devices 300 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 200, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 200 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 250. Also, the electronic device 200 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 260. The network adapter 260 may communicate with other modules of the electronic device 200 via the bus 230. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 200, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiments of the present disclosure.
Fig. 7 schematically illustrates a computer-readable storage medium in an exemplary embodiment of the disclosure.
Referring to fig. 7, a program product 400 for implementing the above method according to an embodiment of the present disclosure is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable storage medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following functions: acquiring a target entity, a target behavior and an association relation between the target entity and the target behavior; taking the target entity and the target behavior as nodes, taking the association relation between the target entity and the target behavior as edges, and jointly establishing a knowledge graph model; and performing risk analysis of the target entity and the target behavior through the knowledge graph model.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus according to the description of the embodiments, or may be modified accordingly in one or more apparatuses different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (10)

1. A method of risk analysis, comprising:
acquiring a target entity, a target behavior and an association relation between the target entity and the target behavior, wherein the target entity comprises any combination of a user, a device and a network address;
constructing a knowledge graph model by taking the target entity and the target behavior as nodes and taking the association relation between the target entity and the target behavior as edges; and
performing risk analysis of the target entity or the target behavior through the knowledge graph model;
wherein determining, by the knowledge graph model, a risk value for a target entity comprises:
acquiring the security level of each target behavior in the knowledge graph model; and
determining a risk value of a target entity in the knowledge graph model according to the weight of the edges in the knowledge graph model, the security level of the target behavior and the out-degree and/or in-degree of each target entity in the target entity set in the knowledge graph model;
calculating a risk value of the target entity through a risk degree formula;
Figure FDA0003563611190000011
wherein R(j) is the risk value of the target entity Xj, Yi is the ith target behavior associated with the target entity Xj, θ(i) is the connection strength between the target entity Xj and Yi, α(i) is a security level of the target entity Xj, ID(Yi) is the in-degree and/or out-degree of Yi, and Ni is the number of target entities associated with Yi.
2. The method of claim 1, further comprising:
determining the strength of the association relation according to the frequency of the operation behaviors between the target entity and the target behavior, and taking the strength of the association relation as the weight of the edge of the knowledge graph model.
3. The method of claim 1, wherein:
the target behavior comprises a plurality of predetermined behaviors of a target entity; and/or
the association relation between the target entity and the target behavior comprises an operation behavior.
4. The method of claim 3, wherein obtaining the target entity, the target behavior, and the association between the target entity and the target behavior comprises:
extracting the users, devices and network addresses in the monitoring log as target entities;
extracting predetermined behaviors in the monitoring log as target behaviors; and
extracting the operation behaviors between the target entities and the target behaviors in the monitoring log as the association relation.
5. The method of claim 1, wherein performing, by the knowledge graph model, risk analysis of the target entity and the target behavior comprises:
determining a risk value of a target entity through the knowledge graph model; and/or
Determining abnormal target entities through the knowledge graph model; and/or
determining abnormal target behaviors through the knowledge graph model.
6. The method of claim 1, wherein determining, by the knowledge graph model, anomalous target entities comprises:
determining a target entity with a risk value greater than a threshold;
determining a set of associated entities of the target entity; and
when the risk value of the target entity is greater than the risk value of each target entity in the associated entity set, determining that the target entity is an abnormal target entity.
7. The method of claim 6, wherein determining, by the knowledge graph model, anomalous target behaviors comprises:
determining a target entity of the anomaly;
determining, by the knowledge graph model, a risk value for each target behavior associated with an anomalous target entity; and
determining the target behavior corresponding to the maximum risk value as the abnormal target behavior.
8. A risk analysis device, comprising:
an extraction module, configured to acquire a target entity, a target behavior and an association relation between the target entity and the target behavior, wherein the target entity comprises any combination of a user, a device and a network address;
a model module, configured to construct a knowledge graph model by taking the target entity and the target behavior as nodes and taking the association relation between the target entity and the target behavior as edges; and
an analysis module, configured to perform risk analysis of the target entity or the target behavior through the knowledge graph model; wherein determining, by the knowledge graph model, a risk value for a target entity comprises: acquiring the security level of each target behavior in the knowledge graph model; determining the risk value of the target entity in the knowledge graph model according to the weight of the edges in the knowledge graph model, the security level of the target behavior and the out-degree and/or in-degree of each target entity in the target entity set in the knowledge graph model; and calculating a risk value of the target entity through a risk degree formula;
Figure FDA0003563611190000031
wherein R(j) is the risk value of the target entity Xj, Yi is the ith target behavior associated with the target entity Xj, θ(i) is the connection strength between the target entity Xj and Yi, α(i) is a security level of the target entity Xj, ID(Yi) is the in-degree and/or out-degree of Yi, and Ni is the number of target entities associated with Yi.
9. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-7.
10. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.
CN201811236573.9A 2018-10-23 2018-10-23 Risk analysis method and device, electronic equipment and computer readable medium Active CN109460664B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811236573.9A CN109460664B (en) 2018-10-23 2018-10-23 Risk analysis method and device, electronic equipment and computer readable medium
CA3059709A CA3059709A1 (en) 2018-10-23 2019-10-22 Risk analysis method, device and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811236573.9A CN109460664B (en) 2018-10-23 2018-10-23 Risk analysis method and device, electronic equipment and computer readable medium

Publications (2)

Publication Number Publication Date
CN109460664A CN109460664A (en) 2019-03-12
CN109460664B true CN109460664B (en) 2022-05-03

Family

ID=65608212

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811236573.9A Active CN109460664B (en) 2018-10-23 2018-10-23 Risk analysis method and device, electronic equipment and computer readable medium

Country Status (2)

Country Link
CN (1) CN109460664B (en)
CA (1) CA3059709A1 (en)

Also Published As

Publication number Publication date
CA3059709A1 (en) 2020-04-23
CN109460664A (en) 2019-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20221024
Address after: 100102 Room 01, Floor 3, Room 01, Building 2 to 4, Yard 6, Wangjing East Road, Chaoyang District, Beijing
Patentee after: Beijing three cloud computing Co.,Ltd.
Patentee after: BEIJING SANKUAI ONLINE TECHNOLOGY Co.,Ltd.
Address before: 100083 2106-030, 9 North Fourth Ring Road, Haidian District, Beijing.
Patentee before: BEIJING SANKUAI ONLINE TECHNOLOGY Co.,Ltd.