CN109525611A - Method and device for detecting abnormal outgoing behavior of intranet users - Google Patents
- Publication number: CN109525611A (CN201910029939.3A)
- Authority: CN (China)
- Prior art keywords: access, intranet user, weight, ratio, access control
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The embodiments of the invention provide a method and device for detecting abnormal outgoing behavior of an intranet user. The method includes: obtaining an outgoing behavior log reported by a behavior auditing device; for an intranet user, obtaining a first access control log reported by an access control device within a preset time period before the outgoing time at which, according to the outgoing behavior log, the intranet user sent data out; counting access-controlled data of the intranet user based on the access control information in the first access control log; and, when it is determined from the data information of the outgoing data and the access-controlled data that the intranet user's access behavior and outgoing behavior deviate from a preset behavior baseline, determining that the intranet user exhibits abnormal outgoing behavior. This scheme improves the accuracy of detecting abnormal outgoing behavior of intranet users.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for detecting abnormal outgoing behavior of an intranet user.
Background
With the rapid development of information technology, computers and networks have become important tools and channels for routine office work, communication and collaboration, and are widely used in enterprises, government bodies, factories and similar settings. What has followed is an increasingly serious information security problem. Many enterprises resist external attacks with preventive measures such as firewalls, intrusion detection and anti-virus software, but in practice the leaking of internal data by intranet users has become an important cause of information security problems.
To keep intranet users from leaking internal data, a DLP (Data Leakage Prevention) device is used to detect outgoing behavior of intranet users, such as sending mail out and transferring files out, and a historical behavior baseline is established from the historical data detected by the DLP device. If the DLP device detects outgoing behavior that deviates from the historical behavior baseline, the intranet user is determined to exhibit abnormal outgoing behavior.
However, establishing the historical behavior baseline depends on the historical data detected by the DLP device. If the historical period is set short, the historical data on which the baseline rests is limited, and if that historical data itself contains behavior that leaked internal data, the abnormal behavior of leaking internal data is very likely to be identified as normal behavior, which lowers the accuracy of the detection result.
Summary of the invention
An object of the embodiments of the invention is to provide a method and device for detecting abnormal outgoing behavior of an intranet user, so as to improve the accuracy of detecting such behavior. The specific technical solution is as follows:
In a first aspect, an embodiment of the invention provides a method for detecting abnormal outgoing behavior of an intranet user, the method including:
obtaining an outgoing behavior log reported by a behavior auditing device, the outgoing behavior log including the data information of the data sent out by the intranet user and the outgoing time;
for the intranet user, obtaining a first access control log reported by an access control device within a preset time period before the outgoing time, the first access control log including access control information of the intranet user and resource information of the resources the intranet user accessed, the access control information including information on whether the intranet user's access was denied or allowed;
based on the access control information in the first access control log, counting access-controlled data of the intranet user, the access-controlled data including at least one of the following three kinds of data: a first ratio of the number of denied accesses to the total number of accesses within the preset time period, a second ratio of the number of resources to which access was denied to the total number of resources accessed within the preset time period, and the access frequency of the resources to which access was denied within the preset time period;
when it is determined, according to the data information and the access-controlled data, that the intranet user's access behavior and outgoing behavior deviate from a preset behavior baseline, determining that the intranet user exhibits abnormal outgoing behavior, the preset behavior baseline including at least one of the following three baselines: a first ratio baseline corresponding to the first ratio, a second ratio baseline corresponding to the second ratio, and an access frequency baseline corresponding to the access frequency.
In a second aspect, an embodiment of the invention provides a device for detecting abnormal outgoing behavior of an intranet user, the device including:
an acquisition module, configured to obtain an outgoing behavior log reported by a behavior auditing device, the outgoing behavior log including the data information of the data sent out by the intranet user and the outgoing time; and, for the intranet user, to obtain a first access control log reported by an access control device within a preset time period before the outgoing time, the first access control log including access control information of the intranet user and resource information of the resources the intranet user accessed, the access control information including information on whether the intranet user's access was denied or allowed;
a statistics module, configured to count access-controlled data of the intranet user based on the access control information in the first access control log, the access-controlled data including at least one of the following three kinds of data: a first ratio of the number of denied accesses to the total number of accesses within the preset time period, a second ratio of the number of resources to which access was denied to the total number of resources accessed within the preset time period, and the access frequency of the resources to which access was denied within the preset time period;
a detection module, configured to determine that the intranet user exhibits abnormal outgoing behavior when it is determined, according to the data information and the access-controlled data, that the intranet user's access behavior and outgoing behavior deviate from a preset behavior baseline, the preset behavior baseline including at least one of the following three baselines: a first ratio baseline corresponding to the first ratio, a second ratio baseline corresponding to the second ratio, and an access frequency baseline corresponding to the access frequency.
In a third aspect, an embodiment of the invention provides a detection device including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the machine-executable instructions cause the processor to perform the method steps provided in the first aspect of the embodiments of the invention.
In a fourth aspect, an embodiment of the invention provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to perform the method steps provided in the first aspect of the embodiments of the invention.
In the method and device for detecting abnormal outgoing behavior of an intranet user provided by the embodiments of the invention, an outgoing behavior log reported by a behavior auditing device is obtained; for an intranet user, a first access control log reported by an access control device within a preset time period before the outgoing time of the intranet user's outgoing data in the outgoing behavior log is obtained; access-controlled data of the intranet user is counted based on the access control information in the first access control log; and when it is determined, according to the data information of the outgoing data and the access-controlled data, that the intranet user's access behavior and outgoing behavior deviate from the preset behavior baseline, the intranet user is determined to exhibit abnormal outgoing behavior. The outgoing behavior of the intranet user can be recognized by the behavior auditing device, and the access-controlled data produced when the access control device actively controls the intranet user's accesses in the preset time period before the outgoing behavior occurs is counted. The data information in the outgoing behavior log is combined with the counted access-controlled data to detect whether the intranet user exhibits abnormal outgoing behavior. The first access control log reported by the access control device is the set of access control information generated when the intranet user's accesses are actively controlled, and it reflects the intranet user's access behavior. Combined with the outgoing behavior log reported by the behavior auditing device, the intranet user's access-controlled data in the preset time period before the outgoing behavior is counted when outgoing behavior occurs, so that the outgoing behavior and the access behavior are considered together. This effectively avoids the case where the detected outgoing behavior appears normal while the associated access behavior is abnormal, and improves the accuracy of detecting abnormal outgoing behavior of intranet users.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are evidently only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for detecting abnormal outgoing behavior of an intranet user according to one embodiment of the invention;
Fig. 2 is a flow diagram of the method for detecting abnormal outgoing behavior of an intranet user according to another embodiment of the invention;
Fig. 3 is a structural diagram of the device for detecting abnormal outgoing behavior of an intranet user according to an embodiment of the invention;
Fig. 4 is a structural diagram of the detection device according to an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are evidently only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
To improve the accuracy of detecting abnormal outgoing behavior of intranet users, the embodiments of the invention provide a method, an apparatus, a detection device and a machine-readable storage medium for detecting abnormal outgoing behavior of an intranet user. The method provided by the embodiments of the invention is introduced first.
The method may be executed by a detection device that performs outgoing behavior detection on intranet users, such as a network back-end server, a firewall or a switch. The method may be implemented by at least one of software, a hardware circuit and a logic circuit arranged in the executing device.
As shown in Fig. 1, a method for detecting abnormal outgoing behavior of an intranet user provided by an embodiment of the invention may include the following steps.
S101: obtain the outgoing behavior log reported by the behavior auditing device, where the outgoing behavior log includes the data information of the data sent out by the intranet user and the outgoing time.
The outgoing behavior log reported by the behavior auditing device records in detail which intranet user sent out how much data, from which host, and when. That is, the outgoing behavior log may include the event type of the outgoing data, the data information of the outgoing data, the size of the outgoing data, the user information of the intranet user (user name, IP address), the host identifier (such as the host MAC address), the outgoing time of the outgoing data, and so on.
Specifically, the format of the outgoing behavior log may be as shown in Table 1.
Table 1
The behavior auditing device may be a DLP device, which prevents data from leaking and safeguards information security. In the embodiments of the invention the behavior auditing device serves as the device that identifies outgoing behavior of intranet users: when outgoing behavior occurs, it records the related information in the outgoing behavior log and reports it to the detection device, and from the outgoing behavior log the detection device can determine which intranet user sent out how much data, from which host, and at what time. The behavior auditing device may therefore be a DLP device or any other device that can audit the outgoing behavior of intranet users and report an outgoing behavior log; such devices are not enumerated here.
To capture the intranet user's outgoing behavior more fully, the detection device may read the outgoing behavior logs reported by the behavior auditing device over a period of time. The behavior auditing device may send the corresponding outgoing behavior log to the detection device each time it recognizes an outgoing behavior, with the detection device accumulating the logs over the period; alternatively, the behavior auditing device may itself accumulate the outgoing behavior that occurs over the period and send the accumulated outgoing behavior logs to the detection device.
S102: for the intranet user, obtain the first access control log reported by the access control device within the preset time period before the outgoing time, where the first access control log includes the access control information of the intranet user and the resource information of the resources the intranet user accessed, and the access control information includes information on whether the intranet user's access was denied or allowed.
The access control log reported by the access control device records in detail which intranet user accessed which network resources and whether each access was allowed or denied. That is, the access control log may include the user information of the intranet user (user name, IP address), the resource information of the accessed resource (access port number), the access control information (allow or deny), the access time, and so on.
Specifically, the format of the access control log may be as shown in Table 2.
Table 2
The access control device may be a VPN (Virtual Private Network) device. To compensate for shortcomings of the security defense system, a VPN device can be deployed in the network; it integrates single-point defenses, strengthens management of intranet users, enforces a unified security defense policy, and improves the network's active defense capability. The access control device may of course also be any other device that can control intranet users' access and report an access control log; such devices are not enumerated here.
For any intranet user in the outgoing behavior log reported by the behavior auditing device, the first access control log of that user reported by the access control device can be actively obtained. The first access control log records the accesses that were allowed or denied within the preset time period before the intranet user's outgoing behavior was discovered.
S103: based on the access control information in the first access control log, count the access-controlled data of the intranet user, where the access-controlled data includes at least one of the following three kinds of data: a first ratio of the number of denied accesses to the total number of accesses within the preset time period, a second ratio of the number of resources to which access was denied to the total number of resources accessed within the preset time period, and the access frequency of the resources to which access was denied within the preset time period.
The access control information in the first access control log indicates whether the intranet user was allowed or denied when accessing a given resource. If the number of denied accesses is high, or denied accesses make up a large share of all accesses, or the number of resources to which access was denied is large, and so on, this suggests the intranet user may be collecting data that could be sent out. Therefore, when detecting abnormal outgoing behavior of an intranet user, access-controlled data such as the share of the intranet user's accesses that were denied and the share of resources to which access was denied within the preset time period can be counted from the access control information in the first access control log, and that data is used to judge whether the user's outgoing behavior is abnormal.
Here the access-controlled data includes at least one of the following three kinds of data: a first ratio of the number of denied accesses to the total number of accesses within the preset time period, a second ratio of the number of resources to which access was denied to the total number of resources accessed within the preset time period, and the access frequency of the resources to which access was denied within the preset time period.
As described above, the access-controlled data is obtained by counting the access control information in the first access control log that records whether the intranet user's accesses were denied or allowed. It may include the first ratio of the number of denied accesses to the total number of accesses within the preset time period, the second ratio of the number of resources to which access was denied to the total number of resources accessed within the preset time period, the access frequency of the resources to which access was denied within the preset time period, and so on. The access-controlled data may include at least one of these kinds of data; the more kinds it includes, the more accurate the final detection result.
Optionally, the access-controlled data may also include: the number of denied accesses, and/or whether a resource to which access was allowed is related to the intranet user's outgoing data, as determined from the resource information of the allowed resource and the data information.
That is, besides at least one of the three kinds of data above, the access-controlled data may also include the number of denied accesses, and/or whether a resource to which access was allowed is related to the intranet user's outgoing data.
Statistics on denied accesses correspond to whether the intranet user is suspected of collecting data that could be sent out; statistics on whether an allowed resource is related to the intranet user's outgoing data correspond to the intranet user sending out the data collected.
Specifically, the number of denied accesses may be counted as follows: based on the access control information in the first access control log, count the number of times within the preset time period that the intranet user's access control information is "access denied".
The first ratio may be calculated as follows: based on the access control information in the first access control log, count the number of times within the preset time period that the intranet user's access control information is "access denied" and the total number of accesses, and calculate the first ratio of the number of denied accesses to the total number.
The second ratio may be calculated as follows: based on the access control information and resource information in the first access control log, count the number of resources for which the intranet user's access control information within the preset time period is "access denied" and the total number of resources accessed, and calculate the second ratio of the number of resources to which access was denied to the total number of resources accessed.
The access frequency may be calculated as follows: based on the access control information and resource information in the first access control log, count the access frequency of the resources for which the intranet user's access control information within the preset time period is "access denied".
Whether a resource to which access was allowed is related to the intranet user's outgoing data may be determined as follows: based on the access control information and resource information in the first access control log, identify the resources whose access control information is "access allowed", and, based on the resource information of those resources and the data information in the outgoing behavior log, determine whether the allowed resource is related to the intranet user's outgoing data.
Because the access-controlled data may include at least one of the kinds of data above, a different counting method is set for each. For the number of denied accesses, the count can be taken directly from the first access control log: the number of entries whose access control information is "deny" is the number of denied accesses. For the first ratio, the total number of accesses made by the intranet user can be counted at the same time as the number of denied accesses, and dividing the two gives the first ratio. For the second ratio, the first access control log shows which resources the intranet user was denied when accessing; the number of such resources is counted along with the total number of resources accessed, and dividing the two gives the second ratio. For the access frequency, the first access control log shows which resources the intranet user was denied when accessing, and the access frequency of those resources is counted. For whether an allowed resource is related to the intranet user's outgoing data, the first access control log shows which resources the intranet user was allowed to access; the resource information and IP address of an allowed access can be extracted from the first access control log and used to determine the resource name, for example "A Project Review System". The data information (that is, the file name) of the intranet user's outgoing data, for example "B detailed design.doc", can be extracted from the outgoing behavior log. The data information and the resource name are then compared, and a correlation analysis determines whether they are related and hence whether the allowed resource is related to the intranet user's outgoing data. For example, if the correlation analysis determines that "B detailed design.doc" is the detailed design review file for product B in project A, the allowed resource can be judged to be related to the intranet user's outgoing data.
S104: when it is determined, according to the data information and the access-controlled data, that the intranet user's access behavior and outgoing behavior deviate from the preset behavior baseline, determine that the intranet user exhibits abnormal outgoing behavior, where the preset behavior baseline includes at least one of the following three baselines: a first ratio baseline corresponding to the first ratio, a second ratio baseline corresponding to the second ratio, and an access frequency baseline corresponding to the access frequency.
Once the access-controlled data has been counted, it reflects the intranet user's access behavior, while the data information in the first access control log reflects the intranet user's outgoing behavior. Outgoing behavior and access behavior are usually closely related, so the two can be combined as the condition for detecting whether the intranet user exhibits abnormal outgoing behavior, which ensures the accuracy of the detection result.
The preset behavior baseline is a baseline, set in advance for each kind of access-controlled data, for judging whether the intranet user's outgoing behavior is abnormal: for example, a preset threshold on the number of denied accesses, the first ratio baseline, the second ratio baseline, the access frequency baseline, and whether an allowed resource is related to the intranet user's outgoing data. The preset behavior baseline may be calculated from historical data or set from experience. Combining the data information and the access-controlled data, the intranet user's access behavior and outgoing behavior can be determined. If they deviate from the preset behavior baseline, the outgoing behavior is likely to be abnormal; it can be determined that the intranet user exhibits abnormal outgoing behavior, and an alarm prompt reminds inspection staff to supervise that user closely.
Optionally, the preset behavior baseline may be established as follows:
obtain a second access control log reported by the access control device within a specified historical time period, where the second access control log includes the access control information of the intranet user and the resource information of the resources the intranet user accessed;
for each preset sub-period of the specified historical time period, count the number of times the intranet user's access control information is "access denied" and the total number of accesses, calculate the first ratio of the number of denied accesses to the total number in each preset sub-period, and establish the first ratio baseline from the first ratios;
for each preset sub-period of the specified historical time period, count the number of resources for which the intranet user's access control information is "access denied" and the total number of resources accessed, calculate the second ratio of the number of resources to which access was denied to the total number of resources accessed in each preset sub-period, and establish the second ratio baseline from the second ratios;
for each preset sub-period of the specified historical time period, count the access frequency of the resources for which the intranet user's access control information is "access denied", and establish the access frequency baseline from the access frequencies.
The preset behavior baseline can be established from the historical access control data of the access control device. It mainly includes the first ratio baseline corresponding to the first ratio, the second ratio baseline corresponding to the second ratio, the access frequency baseline corresponding to the access frequency, and so on. The specified historical time period is normally set long to ensure the accuracy of the preset behavior baseline; it can usually be set to 3 months, 6 months, and so on. The preset sub-periods are obtained by dividing the specified historical time period, for example into days, weeks or months. Each sub-period yields a first ratio, a second ratio and an access frequency, giving multiple values of each. The line connecting the multiple first ratios can be defined as the first ratio baseline, the line connecting the multiple second ratios as the second ratio baseline, and the line connecting the multiple access frequencies as the access frequency baseline. The counting method is similar to that used for the access-controlled data and is not repeated here.
Optionally, S104 may specifically include:
judging whether the number of times the intranet user's access was denied within the preset time period, according to the access control information, is greater than a preset count threshold, and if so, assigning a first weight;
judging whether the first ratio is greater than the first ratio baseline, and if so, assigning a second weight;
judging whether the second ratio is greater than the second ratio baseline, and if so, assigning a third weight;
judging whether the access frequency is greater than the access frequency baseline, and if so, assigning a fourth weight;
if it is determined that a resource to which access was allowed is related to the data sent out by the intranet user, assigning a fifth weight;
determining, according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight, that the intranet user has abnormal outgoing behavior.
For each kind of access-controlled data, the corresponding preset behavior baseline is used to judge whether that data is greater than its baseline; if it is, the corresponding weight is assigned. When access-controlled data is greater than its baseline, a fixed weight can be assigned regardless of by how much it exceeds the baseline; alternatively, the weight can be assigned according to the size of the access-controlled data, so that the larger the data, the larger the weight. Whether the intranet user has abnormal outgoing behavior can then be judged comprehensively from these weights. For example, if any one weight is greater than a preset threshold, the intranet user's outgoing behavior is considered abnormal; or, if the number of weights greater than the preset threshold reaches a certain number, the intranet user's outgoing behavior is considered abnormal; or, the weights are accumulated and, if the accumulated result is greater than a certain threshold, the intranet user's outgoing behavior is considered abnormal.
Optionally, the step of determining, according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight, that the intranet user has abnormal outgoing behavior may specifically include:
accumulating the first weight, the second weight, the third weight, the fourth weight and the fifth weight;
judging whether the accumulated result is greater than or equal to a preset threshold;
if it is greater than or equal to the preset threshold, determining that the intranet user has abnormal outgoing behavior.
All weights are combined to detect whether the outgoing behavior is abnormal. When access is denied many times, that is, when the accumulated result of the first, second, third and fourth weights is large, it can be determined that the intranet user is suspected of frequently collecting data. Accumulating the fifth weight as well, which reflects the correlation between the accessed resources and the outgoing data, makes it possible to judge that the user is suspected of sending out the collected data. Because more factors are considered, the detection result is more accurate.
With this embodiment, the outgoing behavior log reported by the behavior auditing device is obtained; for the intranet user, the first access control log reported by the access control device within the preset time period before the outgoing time recorded in the outgoing behavior log for that user's outgoing data is obtained; based on the access control information in the first access control log, the intranet user's access-controlled data within the preset time period is counted; and when, according to the data information of the outgoing data and the access-controlled data, the intranet user's access behavior and outgoing behavior are determined to deviate from the preset behavior baseline, the intranet user is determined to have abnormal outgoing behavior. The behavior auditing device identifies the intranet user's outgoing behavior. The access-controlled data produced by the access control device actively controlling that user's access during the preset time period before the outgoing behavior is counted, and the data information in the outgoing behavior log is combined with the counted access-controlled data to detect whether the intranet user has abnormal outgoing behavior. The first access control log reported by the access control device is the set of access control information generated by active control of the intranet user's access, and it reflects the intranet user's access behavior. Combined with the outgoing behavior log reported by the behavior auditing device, the intranet user's access-controlled data in the preceding preset time period is counted whenever outgoing behavior occurs, so that outgoing behavior and access behavior are considered together. This effectively avoids the case where the outgoing behavior is detected as normal although the associated access behavior is abnormal, and improves the accuracy of detecting abnormal outgoing behavior of intranet users.
In the following, the method for detecting abnormal outgoing behavior of an intranet user provided by the embodiment of the present invention is introduced with a specific example. As shown in Fig. 2, it may include the following steps.
First step: obtain the outgoing behavior log reported by the behavior auditing device.
Second step: for the intranet user, obtain the first access control log reported by the access control device within the preset time period before the outgoing time.
Third step: based on the access control information and resource information in the first access control log, calculate the intranet user's access-controlled data within the preset time period:
1. the number of denied accesses S1, with weight W1 set;
2. the first ratio S2 of the number of denied accesses to the total number of accesses, with weight W2 set;
3. the second ratio S3 of the number of resources to which access was denied to the total number of resources accessed, with weight W3 set;
4. the access frequency S4 of the resources to which access was denied, with weight W4 set;
5. whether a resource to which access was allowed is related to the data sent out by the intranet user, S5, with weight W5 set.
Here, W1+W2+W3+W4+W5=1.
Fourth step: compute the preset behavior baseline over the specified historical time period:
1. the first ratio baseline P2 for the ratio of denied accesses to total accesses;
2. the second ratio baseline P3 for the ratio of resources to which access was denied to total resources accessed;
3. the access frequency baseline P4 for the resources to which access was denied.
Fifth step: read the preset count threshold P1.
Sixth step: calculate the score of each item of access-controlled data:
1. if S1 > P1, weight V1=W1, otherwise V1=0;
2. if S2 > P2, weight V2=W2, otherwise V2=0;
3. if S3 > P3, weight V3=W3, otherwise V3=0;
4. if S4 > P4, weight V4=W4, otherwise V4=0;
5. if S5 is yes, weight V5=W5, otherwise V5=0.
Seventh step: calculate V=V1+V2+V3+V4+V5.
Eighth step: assuming the preset threshold is 0.6, judge whether V is greater than or equal to 0.6.
Ninth step: if so, determine that the intranet user has abnormal outgoing behavior.
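The nine steps above, as an added Python example (not code from the patent): it derives S1 to S5 from access-control records in the window before the outgoing time and applies the weighted threshold test. The record fields, the per-hour definition of access frequency, the name-match test for S5 and all sample values are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    """One access-control log record; field names are assumptions."""
    user: str
    time: datetime
    resource: str
    allowed: bool


def window_stats(events, user, outgoing_time, window, outgoing_names):
    """Third step: return (S1, S2, S3, S4, S5) for the window before the outgoing time."""
    start = outgoing_time - window
    evs = [e for e in events
           if e.user == user and start <= e.time < outgoing_time]
    denied = [e for e in evs if not e.allowed]
    all_res = {e.resource for e in evs}
    denied_res = {e.resource for e in denied}
    allowed_res = {e.resource for e in evs if e.allowed}
    s1 = len(denied)                                          # denied count
    s2 = s1 / len(evs) if evs else 0.0                        # first ratio
    s3 = len(denied_res) / len(all_res) if all_res else 0.0   # second ratio
    # Assumption: "access frequency" means denied accesses per hour of window.
    s4 = s1 / (window.total_seconds() / 3600)
    # Assumption: "related" means an allowed resource has the same name as an
    # item in the data information of the outgoing behavior log.
    s5 = bool(allowed_res & set(outgoing_names))
    return s1, s2, s3, s4, s5


def score(stats, p1, baselines, weights):
    """Sixth and seventh steps: V_i = W_i if S_i exceeds its threshold, V = sum."""
    if len(weights) != 5 or abs(math.fsum(weights) - 1.0) > 1e-9:
        raise ValueError("W1..W5 must sum to 1")
    s1, s2, s3, s4, s5 = stats
    p2, p3, p4 = baselines
    hits = (s1 > p1, s2 > p2, s3 > p3, s4 > p4, s5)  # strict '>' as in the text
    parts = [w if hit else 0.0 for w, hit in zip(weights, hits)]
    # Round so float noise cannot flip the >= comparison at the threshold.
    return round(math.fsum(parts), 9), parts


def detect(events, user, outgoing_time, outgoing_names, *, window, p1,
           baselines, weights, threshold=0.6):
    """Eighth and ninth steps: abnormal when V >= threshold."""
    stats = window_stats(events, user, outgoing_time, window, outgoing_names)
    v, parts = score(stats, p1, baselines, weights)
    return {"stats": stats, "parts": parts, "V": v, "abnormal": v >= threshold}


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample log: u1001 probes restricted files, then sends out a file
# it was allowed to read; u2002 has one stray denial and a normal transfer.
SAMPLE_LOG = [
    AccessEvent("u1001", ts("2019-01-09 10:00"), "/hr/salary.xlsx", False),  # outside window
    AccessEvent("u1001", ts("2019-01-10 09:00"), "/hr/salary.xlsx", False),
    AccessEvent("u1001", ts("2019-01-10 09:05"), "/hr/salary.xlsx", False),
    AccessEvent("u1001", ts("2019-01-10 09:10"), "/finance/q4.xlsx", False),
    AccessEvent("u1001", ts("2019-01-10 10:00"), "/rd/design.docx", True),
    AccessEvent("u1001", ts("2019-01-10 11:00"), "/rd/roadmap.pptx", True),
    AccessEvent("u1001", ts("2019-01-10 12:00"), "/legal/contract.pdf", False),
    AccessEvent("u2002", ts("2019-01-10 10:00"), "/rd/notes.txt", True),
    AccessEvent("u2002", ts("2019-01-10 11:00"), "/rd/wiki.html", True),
    AccessEvent("u2002", ts("2019-01-10 12:00"), "/rd/plan.docx", True),
    AccessEvent("u2002", ts("2019-01-10 13:00"), "/hr/salary.xlsx", False),
]
OUTGOING_TIME = ts("2019-01-10 18:00")
# Constructed parameters: 24-hour window, P1, (P2, P3, P4), W1..W5.
PARAMS = dict(window=timedelta(hours=24), p1=3, baselines=(0.25, 0.30, 0.10),
              weights=(0.15, 0.20, 0.20, 0.15, 0.30))

if __name__ == "__main__":
    for user, names in (("u1001", ["/rd/design.docx"]),
                        ("u2002", ["/rd/notes.txt"])):
        print(user, detect(SAMPLE_LOG, user, OUTGOING_TIME, names, **PARAMS))
```

With these constructed values, u2002 scores only the fifth weight and stays below the 0.6 threshold, while u1001 exceeds it even when the outgoing file matches nothing it was allowed to read.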
This scheme combines the first access control log reported by the access control device with the outgoing behavior log reported by the behavior auditing device. The behavior auditing device actively detects the intranet user's outgoing data behavior. From the first access control log of the access control device, it is determined that the intranet user is suspected of frequently collecting data when access is denied many times; combined with the correlation between the resources accessed under access control and the outgoing data, it is judged that the user is suspected of sending out the collected data, which improves the accuracy of abnormal behavior detection.
Corresponding to the above method embodiment, the embodiment of the present invention provides a device for detecting abnormal outgoing behavior of an intranet user. As shown in Fig. 3, the device may include:
an obtaining module 310, configured to obtain the outgoing behavior log reported by the behavior auditing device, the outgoing behavior log including the data information and the outgoing time of the data sent out by the intranet user; and, for the intranet user, to obtain the first access control log reported by the Virtual Private Network access control device within the preset time period before the outgoing time, the first access control log including the access control information of the intranet user and the resource information of the resources accessed by the intranet user, the access control information including information on whether the intranet user's access was denied or allowed;
a statistical module 320, configured to count the access-controlled data of the intranet user based on the access control information in the first access control log, the access-controlled data including at least one of the following three kinds of data: the first ratio of the number of denied accesses to the total number of accesses within the preset time period, the second ratio of the number of resources to which access was denied to the total number of resources accessed within the preset time period, and the access frequency of the resources to which access was denied within the preset time period;
a detection module 330, configured to determine that the intranet user has abnormal outgoing behavior when, according to the data information and the access-controlled data, the access behavior and outgoing behavior of the intranet user are determined to deviate from the preset behavior baseline, the preset behavior baseline including at least one of the following three kinds of baseline: the first ratio baseline corresponding to the first ratio, the second ratio baseline corresponding to the second ratio, and the access frequency baseline corresponding to the access frequency.
Optionally, the obtaining module 310 may also be configured to obtain the second access control log reported by the access control device within the specified historical time period, the second access control log including the access control information of the intranet user and the resource information of the resources accessed by the intranet user;
the statistical module 320 may also be configured to:
for each preset sub-period within the specified historical time period, count the number of times the intranet user's access was denied according to the access control information and the total number of accesses, calculate for each preset sub-period the first ratio of the number of denied accesses to the total number of accesses, and establish the first ratio baseline from these first ratios;
for each preset sub-period within the specified historical time period, count the number of resources to which the intranet user's access was denied according to the access control information and the total number of resources accessed, calculate for each preset sub-period the second ratio of the number of resources to which access was denied to the total number of resources accessed, and establish the second ratio baseline from these second ratios;
for each preset sub-period within the specified historical time period, count the access frequency of the resources to which the intranet user's access was denied according to the access control information, and establish the access frequency baseline from these access frequencies.
Optionally, the access-controlled data may also include: the number of denied accesses, and/or whether a resource to which access was allowed is related to the data sent out by the intranet user, as determined from the resource information of the resources to which access was allowed and the data information.
Optionally, the detection module 330 may specifically be configured to:
judge whether the number of times the intranet user's access was denied within the preset time period, according to the access control information, is greater than the preset count threshold, and if so, assign a first weight;
judge whether the first ratio is greater than the first ratio baseline, and if so, assign a second weight;
judge whether the second ratio is greater than the second ratio baseline, and if so, assign a third weight;
judge whether the access frequency is greater than the access frequency baseline, and if so, assign a fourth weight;
if it is determined that a resource to which access was allowed is related to the data sent out by the intranet user, assign a fifth weight;
determine, according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight, that the intranet user has abnormal outgoing behavior.
Optionally, the detection module 330 may specifically be configured to:
accumulate the first weight, the second weight, the third weight, the fourth weight and the fifth weight;
judge whether the accumulated result is greater than or equal to the preset threshold;
if it is greater than or equal to the preset threshold, determine that the intranet user has abnormal outgoing behavior.
With this embodiment, the outgoing behavior log reported by the behavior auditing device is obtained; for the intranet user, the first access control log reported by the access control device within the preset time period before the outgoing time recorded in the outgoing behavior log for that user's outgoing data is obtained; based on the access control information in the first access control log, the intranet user's access-controlled data within the preset time period is counted; and when, according to the data information of the outgoing data and the access-controlled data, the intranet user's access behavior and outgoing behavior are determined to deviate from the preset behavior baseline, the intranet user is determined to have abnormal outgoing behavior. The behavior auditing device identifies the intranet user's outgoing behavior. The access-controlled data produced by the access control device actively controlling that user's access during the preset time period before the outgoing behavior is counted, and the data information in the outgoing behavior log is combined with the counted access-controlled data to detect whether the intranet user has abnormal outgoing behavior. The first access control log reported by the access control device is the set of access control information generated by active control of the intranet user's access, and it reflects the intranet user's access behavior. Combined with the outgoing behavior log reported by the behavior auditing device, the intranet user's access-controlled data in the preceding preset time period is counted whenever outgoing behavior occurs, so that outgoing behavior and access behavior are considered together. This effectively avoids the case where the outgoing behavior is detected as normal although the associated access behavior is abnormal, and improves the accuracy of detecting abnormal outgoing behavior of intranet users.
The embodiment of the present invention also provides a detection device which, as shown in Fig. 4, includes a processor 401 and a machine-readable storage medium 402. The machine-readable storage medium 402 stores machine-executable instructions that can be executed by the processor 401, and the machine-executable instructions cause the processor 401 to execute all steps of the method for detecting abnormal outgoing behavior of an intranet user provided by the embodiment of the present invention.
The above computer-readable storage medium may include RAM (Random Access Memory), and may also include NVM (Non-volatile Memory), for example at least one disk memory. Optionally, the computer-readable storage medium may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor), etc.; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In this embodiment, the processor 401 reads the machine-executable instructions stored in the machine-readable storage medium 402 and is caused by them to realize the following. The behavior auditing device identifies the intranet user's outgoing behavior. The access-controlled data produced by the access control device actively controlling that user's access during the preset time period before the outgoing behavior is counted, and the data information in the outgoing behavior log is combined with the counted access-controlled data to detect whether the intranet user has abnormal outgoing behavior. The first access control log reported by the access control device is the set of access control information generated by active control of the intranet user's access, and it reflects the intranet user's access behavior. Combined with the outgoing behavior log reported by the behavior auditing device, the intranet user's access-controlled data in the preceding preset time period is counted whenever outgoing behavior occurs, so that outgoing behavior and access behavior are considered together. This effectively avoids the case where the outgoing behavior is detected as normal although the associated access behavior is abnormal, and improves the accuracy of detecting abnormal outgoing behavior of intranet users.
In addition, the embodiment of the present invention provides a machine-readable storage medium storing machine-executable instructions which, when called and executed by a processor, cause the processor to execute all steps of the method for detecting abnormal outgoing behavior of an intranet user provided by the embodiment of the present invention.
In this embodiment, the machine-readable storage medium stores machine-executable instructions that, at run time, execute the method for detecting abnormal outgoing behavior of an intranet user provided by the embodiment of the present invention, and can therefore realize the following. The behavior auditing device identifies the intranet user's outgoing behavior. The access-controlled data produced by the access control device actively controlling that user's access during the preset time period before the outgoing behavior is counted, and the data information in the outgoing behavior log is combined with the counted access-controlled data to detect whether the intranet user has abnormal outgoing behavior. The first access control log reported by the access control device is the set of access control information generated by active control of the intranet user's access, and it reflects the intranet user's access behavior. Combined with the outgoing behavior log reported by the behavior auditing device, the intranet user's access-controlled data in the preceding preset time period is counted whenever outgoing behavior occurs, so that outgoing behavior and access behavior are considered together. This effectively avoids the case where the outgoing behavior is detected as normal although the associated access behavior is abnormal, and improves the accuracy of detecting abnormal outgoing behavior of intranet users.
For the detection device and machine-readable storage medium embodiments, since the method content they involve is substantially similar to the foregoing method embodiment, the description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element limited by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a related manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, for the device, detection device and machine-readable storage medium embodiments, since they are substantially similar to the method embodiment, the description is relatively brief; for the relevant parts, refer to the description of the method embodiment.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention is included in the scope of protection of the present invention.
Claims (10)
1. A method for detecting abnormal outgoing behavior of an intranet user, characterized in that the method comprises:
obtaining the outgoing behavior log reported by a behavior auditing device, the outgoing behavior log including the data information and the outgoing time of the data sent out by the intranet user;
for the intranet user, obtaining the first access control log reported by an access control device within a preset time period before the outgoing time, the first access control log including the access control information of the intranet user and the resource information of the resources accessed by the intranet user, the access control information including information on whether the intranet user's access was denied or allowed;
counting the access-controlled data of the intranet user based on the access control information in the first access control log, the access-controlled data including at least one of the following three kinds of data: the first ratio of the number of denied accesses to the total number of accesses within the preset time period, the second ratio of the number of resources to which access was denied to the total number of resources accessed within the preset time period, and the access frequency of the resources to which access was denied within the preset time period;
when, according to the data information and the access-controlled data, the access behavior and outgoing behavior of the intranet user are determined to deviate from a preset behavior baseline, determining that the intranet user has abnormal outgoing behavior, the preset behavior baseline including at least one of the following three kinds of baseline: the first ratio baseline corresponding to the first ratio, the second ratio baseline corresponding to the second ratio, and the access frequency baseline corresponding to the access frequency.
2. The method according to claim 1, characterized in that the preset behavior baseline is established by:
obtaining the second access control log reported by the access control device within a specified historical time period, the second access control log including the access control information of the intranet user and the resource information of the resources accessed by the intranet user;
for each preset sub-period within the specified historical time period, counting the number of times the intranet user's access was denied according to the access control information and the total number of accesses, calculating for each preset sub-period the first ratio of the number of denied accesses to the total number of accesses, and establishing the first ratio baseline from these first ratios;
for each preset sub-period within the specified historical time period, counting the number of resources to which the intranet user's access was denied according to the access control information and the total number of resources accessed, calculating for each preset sub-period the second ratio of the number of resources to which access was denied to the total number of resources accessed, and establishing the second ratio baseline from these second ratios;
for each preset sub-period within the specified historical time period, counting the access frequency of the resources to which the intranet user's access was denied according to the access control information, and establishing the access frequency baseline from these access frequencies.
3. The method according to claim 1, characterized in that the access-controlled data further includes: the number of denied accesses, and/or whether a resource to which access was allowed is related to the data sent out by the intranet user, as determined from the resource information of the resources to which access was allowed and the data information.
4. The method according to claim 3, characterized in that determining that the intranet user has abnormal outgoing behavior when, according to the data information and the access-controlled data, the access behavior and outgoing behavior of the intranet user are determined to deviate from the preset behavior baseline comprises:
judging whether the number of times the intranet user's access was denied within the preset time period, according to the access control information, is greater than a preset count threshold, and if so, assigning a first weight;
judging whether the first ratio is greater than the first ratio baseline, and if so, assigning a second weight;
judging whether the second ratio is greater than the second ratio baseline, and if so, assigning a third weight;
judging whether the access frequency is greater than the access frequency baseline, and if so, assigning a fourth weight;
if it is determined that a resource to which access was allowed is related to the data sent out by the intranet user, assigning a fifth weight;
determining, according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight, that the intranet user has abnormal outgoing behavior.
5. The method according to claim 4, characterized in that determining, according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight, that the intranet user has abnormal outgoing behavior comprises:
accumulating the first weight, the second weight, the third weight, the fourth weight and the fifth weight;
judging whether the accumulated result is greater than or equal to a preset threshold;
if it is greater than or equal to the preset threshold, determining that the intranet user has abnormal outgoing behavior.
6. A device for detecting abnormal outgoing behavior of an intranet user, characterized in that the device comprises:
an obtaining module, configured to obtain the outgoing behavior log reported by a behavior auditing device, the outgoing behavior log including the data information and the outgoing time of the data sent out by the intranet user; and, for the intranet user, to obtain the first access control log reported by an access control device within a preset time period before the outgoing time, the first access control log including the access control information of the intranet user and the resource information of the resources accessed by the intranet user, the access control information including information on whether the intranet user's access was denied or allowed;
a statistical module, configured to count the access-controlled data of the intranet user based on the access control information in the first access control log, the access-controlled data including at least one of the following three kinds of data: the first ratio of the number of denied accesses to the total number of accesses within the preset time period, the second ratio of the number of resources to which access was denied to the total number of resources accessed within the preset time period, and the access frequency of the resources to which access was denied within the preset time period;
a detection module, configured to determine that the intranet user has abnormal outgoing behavior when, according to the data information and the access-controlled data, the access behavior and outgoing behavior of the intranet user are determined to deviate from a preset behavior baseline, the preset behavior baseline including at least one of the following three kinds of baseline: the first ratio baseline corresponding to the first ratio, the second ratio baseline corresponding to the second ratio, and the access frequency baseline corresponding to the access frequency.
7. The device according to claim 6, characterized in that:
the obtaining module is further configured to obtain the second access control log reported by the access control device within a specified historical time period, the second access control log including the access control information of the intranet user and the resource information of the resources accessed by the intranet user;
the statistical module is further configured to:
for each preset sub-period within the specified historical time period, count the number of times the intranet user's access was denied according to the access control information and the total number of accesses, calculate for each preset sub-period the first ratio of the number of denied accesses to the total number of accesses, and establish the first ratio baseline from these first ratios;
for each preset sub-period within the specified historical time period, count the number of resources to which the intranet user's access was denied according to the access control information and the total number of resources accessed, calculate for each preset sub-period the second ratio of the number of resources to which access was denied to the total number of resources accessed, and establish the second ratio baseline from these second ratios;
for each preset sub-period within the specified historical time period, count the access frequency of the resources to which the intranet user's access was denied according to the access control information, and establish the access frequency baseline from these access frequencies.
8. The device according to claim 6, characterized in that the access-controlled data further includes: the number of denied accesses, and/or whether a resource to which access was allowed is related to the data sent out by the intranet user, as determined from the resource information of the resources to which access was allowed and the data information.
9. The device according to claim 8, characterized in that the detection module is specifically configured to:
judge whether the number of times the intranet user's access was denied within the preset time period, according to the access control information, is greater than a preset count threshold, and if so, assign a first weight;
judge whether the first ratio is greater than the first ratio baseline, and if so, assign a second weight;
judge whether the second ratio is greater than the second ratio baseline, and if so, assign a third weight;
judge whether the access frequency is greater than the access frequency baseline, and if so, assign a fourth weight;
if it is determined that a resource to which access was allowed is related to the data sent out by the intranet user, assign a fifth weight;
determine, according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight, that the intranet user has abnormal outgoing behavior.
10. The device according to claim 9, wherein the detection module is specifically configured to:
Accumulate the first weight, the second weight, the third weight, the fourth weight and the fifth weight;
Judge whether the accumulated result is greater than or equal to a preset threshold;
If it is greater than or equal to the preset threshold, determine that the intranet user exhibits abnormal outgoing behavior.
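The baseline construction in claim 7 and the weighted scoring in claims 9 and 10 can be sketched as follows. This is an added illustration, not code from the patent; the weights, both thresholds, the use of the mean as the baseline, and the definition of access frequency as denied accesses per denied resource are assumptions, and the sample logs are constructed.

```python
from statistics import mean

# Assumed tuning values; the claims only say "weight" and "preset threshold".
WEIGHTS = (1, 2, 2, 2, 3)   # first .. fifth weight
DENY_COUNT_THRESHOLD = 3    # preset count threshold (claim 9)
SCORE_THRESHOLD = 5         # preset threshold for the accumulated result (claim 10)

def period_stats(entries):
    """entries: list of (resource, decision) log records for one period.
    Returns (deny_count, first_ratio, second_ratio, access_frequency)."""
    denied = [res for res, decision in entries if decision == "deny"]
    resources = {res for res, _ in entries}
    denied_resources = set(denied)
    first = len(denied) / len(entries) if entries else 0.0
    second = len(denied_resources) / len(resources) if resources else 0.0
    # Assumption: "access frequency" = denied accesses per denied resource.
    freq = len(denied) / len(denied_resources) if denied_resources else 0.0
    return len(denied), first, second, freq

def build_baselines(history):
    """history: one entries list per preset sub-period. Baseline = mean (assumed)."""
    if not history:
        raise ValueError("at least one historical sub-period is required")
    stats = [period_stats(p) for p in history]
    return tuple(mean(s[i] for s in stats) for i in (1, 2, 3))

def detect(entries, baselines, outgoing_related):
    """Score the current period; outgoing_related is the fifth-factor verdict,
    computed elsewhere. Returns (accumulated_score, is_abnormal)."""
    denies, first, second, freq = period_stats(entries)
    checks = (
        denies > DENY_COUNT_THRESHOLD,
        first > baselines[0],
        second > baselines[1],
        freq > baselines[2],
        bool(outgoing_related),
    )
    score = sum(w for w, hit in zip(WEIGHTS, checks) if hit)
    return score, score >= SCORE_THRESHOLD

# Constructed sample logs (not from the patent).
HISTORY = [
    [("wiki", "allow"), ("wiki", "allow"), ("hr-db", "deny"), ("mail", "allow")],
    [("wiki", "allow"), ("mail", "allow"), ("mail", "allow"), ("git", "allow")],
    [("wiki", "allow"), ("fin-db", "deny"), ("fin-db", "deny"), ("mail", "allow")],
]
QUIET = [("wiki", "allow"), ("mail", "allow"), ("git", "allow"), ("hr-db", "deny")]
NOISY = [("hr-db", "deny")] * 3 + [("fin-db", "deny")] * 2 + [("git", "allow"), ("wiki", "allow")]
BASELINES = build_baselines(HISTORY)
```

With these values `detect(QUIET, BASELINES, False)` trips only the second-ratio check and stays below the threshold, while `detect(NOISY, BASELINES, True)` trips all five checks.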
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910029939.3A CN109525611B (en) | 2019-01-11 | 2019-01-11 | Method and device for detecting abnormal outgoing behavior of intranet user |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109525611A true CN109525611A (en) | 2019-03-26 |
CN109525611B CN109525611B (en) | 2021-03-12 |
Family
ID=65799453
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910029939.3A Active CN109525611B (en) | 2019-01-11 | 2019-01-11 | Method and device for detecting abnormal outgoing behavior of intranet user |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109525611B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104778415A (en) * | 2015-02-06 | 2015-07-15 | 北京北信源软件股份有限公司 | Computer behavior-based data anti-leakage system and method |
CN107169361A (en) * | 2017-06-15 | 2017-09-15 | 深信服科技股份有限公司 | The detection method and system of a kind of leaking data |
CN108011881A (en) * | 2017-12-05 | 2018-05-08 | 北京明朝万达科技股份有限公司 | It is a kind of based on the slow leakage detection method of sensitive data adaptively perceived and system |
CN108989150A (en) * | 2018-07-19 | 2018-12-11 | 新华三信息安全技术有限公司 | A kind of login method for detecting abnormality and device |
CN109040110A (en) * | 2018-08-31 | 2018-12-18 | 新华三信息安全技术有限公司 | A kind of outgoing behavioral value method and device |
CN108965346A (en) * | 2018-10-10 | 2018-12-07 | 上海工程技术大学 | One kind is fallen Host Detection method |
Non-Patent Citations (3)
Title |
---|
BARBARA HAUER: "Data and Information Leakage Prevention Within the Scope of Information Security", 《 IEEE ACCESS 》 * |
JINHYUNG KIM; HYUNG JONG KIM: "Design of internal information leakage detection system considering the privacy violation", 《2010 INTERNATIONAL CONFERENCE ON INFORMATION AND COMMUNICATION TECHNOLOGY CONVERGENCE (ICTC)》 * |
李振彪: "打造企业内部数据的安全堡垒", 《计算机安全与维护》 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110365698A (en) * | 2019-07-29 | 2019-10-22 | 杭州数梦工场科技有限公司 | Methods of risk assessment and device |
CN111277606A (en) * | 2020-02-10 | 2020-06-12 | 北京邮电大学 | Detection model training method, detection method and device, and storage medium |
CN113971187A (en) * | 2020-07-24 | 2022-01-25 | 中移物联网有限公司 | Service monitoring method and device |
CN112507384A (en) * | 2020-12-22 | 2021-03-16 | 北京明朝万达科技股份有限公司 | Method and device for processing data outgoing behavior |
CN112507384B (en) * | 2020-12-22 | 2022-10-04 | 北京明朝万达科技股份有限公司 | Method and device for processing data outgoing behavior |
CN117171787A (en) * | 2023-08-24 | 2023-12-05 | 湖北交投襄阳高速公路运营管理有限公司 | Access control method and system for special highway toll collection network mobile storage equipment |
Also Published As
Publication number | Publication date |
---|---|
CN109525611B (en) | 2021-03-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109525611A (en) | A kind of abnormal outgoing behavioral value method and device of Intranet user | |
CN111654489B (en) | Network security situation sensing method, device, equipment and storage medium | |
CN113347205B (en) | Method and device for detecting service access request | |
US9154516B1 (en) | Detecting risky network communications based on evaluation using normal and abnormal behavior profiles | |
CN104391979B (en) | Network malice reptile recognition methods and device | |
AU2011209894B2 (en) | Insider threat correlation tool | |
CN108304308A (en) | User behavior monitoring method, device, computer equipment and storage medium | |
WO2019136282A1 (en) | Control maturity assessment in security operations environments | |
CN105357195A (en) | Unauthorized web access vulnerability detecting method and device | |
CN104462973B (en) | The dynamic malicious act detecting system and method for application program in mobile terminal | |
CN108989150A (en) | A kind of login method for detecting abnormality and device | |
CN108596738A (en) | A kind of user behavior detection method and device | |
CN100362805C (en) | Multifunctional management system for detecting erotic images and unhealthy information in network | |
CN108416665B (en) | Data interaction method and device, computer equipment and storage medium | |
FR2962826A1 (en) | SUPERVISION OF THE SECURITY OF A COMPUTER SYSTEM | |
CN108989294A (en) | A kind of method and system for the malicious user accurately identifying website visiting | |
CN108092985A (en) | Network safety situation analysis method, device, equipment and computer storage media | |
CN109684863A (en) | Data leakage prevention method, device, equipment and storage medium | |
CN113792308A (en) | Government affair sensitive data oriented security behavior risk analysis method | |
CN114301706B (en) | Defense method, device and system based on existing threat in target node | |
CN107135199A (en) | The detection method and device at webpage back door | |
CN106502887A (en) | A kind of stability test method, test controller and system | |
KR20110037578A (en) | The integration security monitoring system and method thereof | |
CN112769739B (en) | Database operation violation processing method, device and equipment | |
CN110378120A (en) | Application programming interfaces attack detection method, device and readable storage medium storing program for executing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |