CN109525611B - Method and device for detecting abnormal outgoing behavior of intranet user - Google Patents


Info

Publication number: CN109525611B
Authority: CN (China)
Prior art keywords: access, intranet user, behavior, access control, outgoing
Legal status: Active
Application number: CN201910029939.3A
Other languages: Chinese (zh)
Other versions: CN109525611A (en)
Inventor: 赵志伟
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201910029939.3A
Publication of CN109525611A
Application granted
Publication of CN109525611B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection


Abstract

An embodiment of the invention provides a method and a device for detecting abnormal outgoing behavior of an intranet user. The method comprises: obtaining an outgoing behavior log reported by behavior audit equipment; for an intranet user in that log, obtaining a first access control log reported by access control equipment in a preset time period before the outgoing time of the user's outgoing data; counting the access controlled data of the intranet user based on the access control information in the first access control log; and determining that the intranet user has abnormal outgoing behavior when, according to the data information of the outgoing data and the access controlled data, the access behavior and the outgoing behavior of the intranet user deviate from a preset behavior baseline. The scheme improves the accuracy of detecting abnormal outgoing behavior of intranet users.

Description

Method and device for detecting abnormal outgoing behavior of intranet user
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting abnormal outgoing behavior of an intranet user.
Background
With the rapid development of information technology, computers and networks have become important tools and approaches for daily office work, communication and cooperative interaction, and are widely applied to enterprises, governments, factories and other occasions, with the accompanying problem of increasingly severe information security. Many enterprises defend against external attacks through protection means such as firewalls, intrusion detection and anti-virus software, but in practical applications, internal data leakage of intranet users has become an important factor causing information security problems.
In order to avoid internal Data Leakage of an intranet user, Data Leakage Prevention (DLP) equipment is adopted to detect outgoing behaviors such as outgoing mails and outgoing files of the intranet user, a historical behavior baseline is established based on historical Data detected by the DLP equipment, and if the outgoing behavior detected by the DLP equipment deviates from the historical behavior baseline, the intranet user is determined to have abnormal outgoing behaviors.
However, establishing the historical behavior baseline depends on the historical data detected by the DLP device. If the historical period is set short, the historical data on which the baseline rests is limited; and if that historical data already contains behavior that leaked internal data, an abnormal behavior that leaks internal data is highly likely to be identified as normal, resulting in low accuracy of the detection result.
Disclosure of Invention
The embodiment of the invention aims to provide a method and a device for detecting abnormal outgoing behavior of an intranet user, so as to improve the accuracy of detecting the abnormal outgoing behavior of the intranet user. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides a method for detecting an abnormal outgoing behavior of an intranet user, where the method includes:
acquiring an outgoing behavior log reported by behavior audit equipment, wherein the outgoing behavior log comprises data information of outgoing data of an intranet user and outgoing time;
aiming at the intranet user, acquiring a first access control log reported by access control equipment in a preset time period before the outbound time, wherein the first access control log comprises access control information of the intranet user and resource information accessed by the intranet user, and the access control information comprises information that the intranet user is denied access or allowed access;
and counting the access controlled data of the intranet user based on the access control information in the first access control log, wherein the access controlled data comprises at least one of the following three data: a first proportion, i.e. the number of times access was denied as a proportion of the total number of accesses within the preset time period; a second proportion, i.e. the number of resources to which access was denied as a proportion of the total number of resources accessed within the preset time period; and the access frequency of the resources to which access was denied within the preset time period;
when the access behavior and the outgoing behavior of the intranet user are determined to deviate from a preset behavior baseline according to the data information and the access controlled data, determining that the intranet user has abnormal outgoing behavior, wherein the preset behavior baseline comprises at least one of the following three baselines: a first proportion baseline corresponding to the first proportion, a second proportion baseline corresponding to the second proportion, and an access frequency baseline corresponding to the access frequency.
In a second aspect, an embodiment of the present invention provides an apparatus for detecting an abnormal outgoing behavior of an intranet user, where the apparatus includes:
the system comprises an acquisition module, a behavior auditing device and a processing module, wherein the acquisition module is used for acquiring an outgoing behavior log reported by the behavior auditing device, and the outgoing behavior log comprises data information of outgoing data of an intranet user and outgoing time; aiming at the intranet user, acquiring a first access control log reported by access control equipment in a preset time period before the outbound time, wherein the first access control log comprises access control information of the intranet user and resource information accessed by the intranet user, and the access control information comprises information that the intranet user is denied access or allowed access;
a statistics module, configured to count, based on the access control information in the first access control log, access controlled data of the intranet user, where the access controlled data includes at least one of the following three types of data: a first proportion, i.e. the number of times access was denied as a proportion of the total number of accesses within the preset time period; a second proportion, i.e. the number of resources to which access was denied as a proportion of the total number of resources accessed within the preset time period; and the access frequency of the resources to which access was denied within the preset time period;
the detection module is configured to determine that an abnormal outgoing behavior exists in the intranet user when it is determined that the access behavior and the outgoing behavior of the intranet user deviate from a preset behavior baseline according to the data information and the access controlled data, where the preset behavior baseline includes at least one of the following three baselines: a first proportion baseline corresponding to the first proportion, a second proportion baseline corresponding to the second proportion, and an access frequency baseline corresponding to the access frequency.
In a third aspect, the present invention provides a detection apparatus, including a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions capable of being executed by the processor, the processor being caused by the machine-executable instructions to perform the method steps provided in the first aspect of the present invention.
In a fourth aspect, embodiments of the present invention provide a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to perform the method steps provided by the first aspect of embodiments of the present invention.
According to the method and device for detecting abnormal outgoing behavior of an intranet user provided by the embodiment of the invention, an outgoing behavior log reported by the behavior audit device is obtained; for an intranet user in that log, the first access control log reported by the access control device in the preset time period before the outgoing time of the user's outgoing data is obtained; the access controlled data of the intranet user is counted based on the access control information in the first access control log; and the intranet user is determined to have abnormal outgoing behavior when, according to the data information of the outgoing data and the access controlled data, the access behavior and the outgoing behavior of the intranet user deviate from the preset behavior baseline. The outgoing behavior of an intranet user is identified by the behavior audit equipment. The first access control log reported by the access control equipment is the set of access control information generated when the access control equipment actively controlled the user's accesses, so it reflects the user's access behavior. Counting the access controlled data in the preset time period before the outgoing behavior occurred, and combining it with the data information in the outgoing behavior log, takes both the outgoing behavior and the access behavior of the intranet user into account. Judging an outgoing behavior together with the corresponding abnormal access behavior effectively avoids erroneously flagging normal outgoing behavior, and improves the accuracy of detecting abnormal outgoing behavior of the intranet user.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for detecting an abnormal outgoing behavior of an intranet user according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a method for detecting an abnormal outgoing behavior of an intranet user according to another embodiment of the present invention;
fig. 3 is a schematic structural diagram of an abnormal outgoing behavior detection apparatus for an intranet user according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a detection apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to improve the accuracy of detecting the abnormal outgoing behavior of the intranet user, the embodiment of the invention provides a method, a device, a detection device and a machine-readable storage medium for detecting the abnormal outgoing behavior of the intranet user. Next, a method for detecting an abnormal outgoing behavior of an intranet user according to an embodiment of the present invention is described first.
The method for detecting abnormal outgoing behavior of an intranet user provided by the embodiment of the invention may be executed by a detection device that detects the outgoing behavior of intranet users, such as a network background server, a firewall or a switch. The method may be implemented by at least one of software, a hardware circuit and a logic circuit arranged in that executing device.
As shown in fig. 1, the method for detecting an abnormal outgoing behavior of an intranet user according to an embodiment of the present invention may include the following steps.
S101, an outgoing behavior log reported by behavior audit equipment is obtained, wherein the outgoing behavior log comprises data information of outgoing data of an intranet user and outgoing time.
The outgoing behavior log reported by the behavior audit equipment describes which intranet user used which host to send out how much data at what time. That is, the outgoing behavior log may include the event type of the outgoing data, the data information of the outgoing data, the data size of the outgoing data, user information of the intranet user (user name, IP address), a host identity (e.g. the host MAC address), the outgoing time of the outgoing data, and so on.
Specifically, the format of the outgoing behavior log may be as shown in Table 1.
TABLE 1: format of the outgoing behavior log (reproduced as an image in the original; not recoverable as text)
The behavior audit equipment can be DLP equipment, used to prevent data leakage and ensure information security. In the embodiment of the invention, the behavior audit device serves as the equipment that identifies the outgoing behavior of intranet users: when an outgoing behavior occurs, the relevant information is recorded in an outgoing behavior log and reported to the detection device, and the detection device can determine from that log which intranet user used which host to send out how much data at what time. The behavior audit device therefore need not be a DLP device; it can be any other device able to audit the outgoing behavior of intranet users and report an outgoing behavior log, which are not listed here one by one.
In order to acquire the outgoing behavior of the intranet user more completely, the detection device may read the outgoing behavior logs reported by the behavior audit device over a period of time. The behavior audit device may send the corresponding outgoing behavior log to the detection device each time it identifies an outgoing behavior, with the detection device collecting the logs over a period of time; or the behavior audit device may itself aggregate the outgoing behaviors occurring over a period of time and send the aggregated outgoing behavior logs to the detection device.
S102, aiming at an intranet user, obtaining a first access control log reported by an access control device in a preset time period before an outbound time, wherein the first access control log comprises access control information of the intranet user and resource information accessed by the intranet user, and the access control information comprises information that the intranet user is denied access or allowed access.
The access control log reported by the access control device describes which intranet user accessed which resource in the network and whether the access was allowed or denied. That is, the access control log may include user information of the intranet user (user name, IP address), resource information of the accessed resource (access port number), access control information (permit or deny), access time, and so on.
Specifically, the format of the access control log may be as shown in Table 2.
TABLE 2: format of the access control log (reproduced as an image in the original; not recoverable as text)
The access control device may be a VPN (Virtual Private Network) device. To make up for deficiencies in the security defense system, the VPN device may be deployed in the network; it integrates single-point defense, thereby strengthening management of users in the internal network, implementing a uniform security defense strategy and improving the network's active defense capability. Of course, the access control device may also be any other device capable of performing access control on intranet users and reporting an access control log, which are not listed here.
For any intranet user appearing in the outgoing behavior log reported by the behavior audit device, the first access control log of that user reported by the access control device can be actively obtained. The first access control log records the relevant information of accesses that were allowed or denied in the preset time period before the user's outgoing behavior was found.
S103, counting the access controlled data of the intranet user based on the access control information in the first access control log, wherein the access controlled data comprises at least one of the following three data: a first proportion, i.e. the number of times access was denied as a proportion of the total number of accesses within the preset time period; a second proportion, i.e. the number of resources to which access was denied as a proportion of the total number of resources accessed within the preset time period; and the access frequency of the resources to which access was denied within the preset time period.
The access control information in the first access control log indicates whether the intranet user was allowed or denied when accessing a given resource. If the intranet user has a large number of access denials, a large proportion of access denials, a large number of denied resources or the like, this indicates that the user is suspected of collecting data that may be sent out. Therefore, when detecting abnormal outgoing behavior of the intranet user, access controlled data such as the number of denied accesses and the number of denied resources of the intranet user within the preset time period can be counted from the access control information in the first access control log, and whether the user's outgoing behavior is abnormal can be judged from that access controlled data.
Wherein, the access controlled data comprises at least one of the following three data: the first proportion (the number of denied accesses to the total number of accesses within the preset time period), the second proportion (the number of denied resources to the total number of accessed resources within the preset time period), and the access frequency of the denied resources within the preset time period.
As described above, the access controlled data is obtained statistically from the access control information in the first access control log recording that the intranet user's access was denied or allowed, and it may include the first proportion, the second proportion and the access frequency as just defined. The access controlled data may include at least one of these data, and the more of them it includes, the more accurate the final detection result.
Optionally, the access controlled data may further include: the number of times access was denied, and/or whether a resource to which access was allowed is related to the intranet user's outgoing data, as determined from the resource information of the allowed resource and the data information.
That is, the access controlled data may comprise at least one of the three data above, the number of times access was denied, and/or whether an allowed resource is related to the data sent out by the intranet user.
The statistics relating to denied access correspond to whether the intranet user is suspected of collecting data that may be sent out; the statistic relating the allowed resources to the data sent out by the intranet user corresponds to the data that was actually sent out.
Specifically, the number of times access was denied may be counted as follows: based on the access control information in the first access control log, count the entries within the preset time period whose access control information for the intranet user is "denied".
The first proportion may be counted as follows: based on the access control information in the first access control log, count the number of denied accesses and the total number of accesses of the intranet user within the preset time period, and calculate the first proportion of denied accesses to the total number of accesses.
The second proportion may be counted as follows: based on the access control information and resource information in the first access control log, count the number of resources for which the intranet user's access control information is "denied" and the total number of resources accessed within the preset time period, and calculate the second proportion of denied resources to the total number of accessed resources.
The access frequency may be counted as follows: based on the access control information and resource information in the first access control log, count how frequently the intranet user accessed, within the preset time period, the resources for which the access control information is "denied".
Whether an allowed resource is related to the data sent out by the intranet user may be determined as follows: based on the access control information and resource information in the first access control log, determine the resources for which the access control information is "allowed", and then determine, from the resource information of those resources and the data information in the outgoing behavior log, whether the allowed resource is related to the intranet user's outgoing data.
Because the access controlled data can include any of the above data, a corresponding statistical mode is set for each.
When the access controlled data is the number of times access was denied, it is counted directly from the first access control log: the number of entries whose access control information is "denied" is the number of denied accesses.
When the access controlled data is the first proportion, the number of denied accesses and the total number of accesses of the intranet user are both counted, and dividing the former by the latter gives the first proportion.
When the access controlled data is the second proportion, the first access control log shows that the intranet user was denied access to certain resources; the number of denied resources and the total number of accessed resources are counted, and dividing the former by the latter gives the second proportion.
When the access controlled data is the access frequency, the first access control log shows that the intranet user was denied access to a certain resource, and the frequency of access to that resource is counted.
When the access controlled data is whether an allowed resource is related to the intranet user's outgoing data, the first access control log shows that the intranet user was allowed to access a certain resource; the resource information and IP address of the allowed resource are extracted from the log, a resource name such as "A project review system" is determined from them, the data information (i.e. the file name) of the user's outgoing data, for example "B detailed design.doc", is obtained, and the two are subjected to correlation analysis.
For example, if "B detailed design.doc" is determined through correlation analysis to be the detailed design review file of product B in project A, then the allowed resource is determined to be related to the intranet user's outgoing data.
S104, when determining that the access behavior and the outgoing behavior of the intranet user deviate from a preset behavior baseline according to the data information and the access controlled data, determining that the intranet user has abnormal outgoing behavior, wherein the preset behavior baseline comprises at least one of the following three baselines: a first proportion baseline corresponding to the first proportion, a second proportion baseline corresponding to the second proportion, and an access frequency baseline corresponding to the access frequency.
After the access controlled data is obtained by statistics, it reflects the access behavior of the intranet user, while the data information in the outgoing behavior log reflects the outgoing behavior of the intranet user.
The preset behavior baseline is a baseline set in advance for judging, according to the different access controlled data, whether the intranet user's outgoing behavior is abnormal; for example, a preset threshold on the number of access denials, the first proportion baseline, the second proportion baseline, the access frequency baseline, allowed resources related to the intranet user's outgoing data, and so on. The preset behavior baseline can be calculated from historical data or set from experience. The access behavior and outgoing behavior of the intranet user can be assessed by combining the data information and the access controlled data. If they deviate from the preset behavior baseline, the outgoing behavior of the intranet user is highly likely to be abnormal: it is determined that the intranet user has abnormal outgoing behavior, and detection personnel can be reminded by an alarm prompt to supervise the user closely.
Optionally, the establishing of the preset behavior baseline specifically may include:
acquiring a second access control log reported by access control equipment in a specified historical time period, wherein the second access control log comprises access control information of an intranet user and resource information accessed by the intranet user;
separately counting, for each preset sub-time period of the designated historical time period, the number of times the intranet user's access control information is "denied" and the total number of accesses, calculating the first proportion of denied accesses to total accesses in each preset sub-time period, and establishing the first proportion baseline from these first proportions;
separately counting, for each preset sub-time period of the designated historical time period, the number of resources for which the intranet user's access control information is "denied" and the total number of resources accessed, calculating the second proportion of denied resources to total accessed resources in each preset sub-time period, and establishing the second proportion baseline from these second proportions;
and separately counting, for each preset sub-time period of the designated historical time period, the frequency with which the intranet user accessed resources whose access control information is "denied", and establishing the access frequency baseline from these access frequencies.
The preset behavior baseline can be established from the historical access control data of the access control device. It mainly comprises the first proportion baseline corresponding to the first proportion, the second proportion baseline corresponding to the second proportion, the access frequency baseline corresponding to the access frequency, and the like. The designated historical time period is usually set long, for example 3 months or 6 months, to ensure the accuracy of the preset behavior baseline. The preset sub-time period is obtained by dividing the designated historical time period, e.g. into days, weeks or months. A plurality of first proportions, second proportions and access frequencies is thus obtained, one per preset sub-time period; the line connecting the first proportions can be defined as the first proportion baseline, the line connecting the second proportions as the second proportion baseline, and the line connecting the access frequencies as the access frequency baseline. The specific statistical method is similar to that used for the access controlled data and is not described again here.
Optionally, S104 may specifically include:
judging whether the number of times access was denied, in the access control information of the intranet user within a preset time period, is greater than a preset number threshold, and if so, assigning a first weight;
judging whether the first proportion is larger than the first proportion baseline, and if so, assigning a second weight;
judging whether the second proportion is larger than the second proportion baseline, and if so, assigning a third weight;
judging whether the access frequency is greater than the access frequency baseline, and if so, assigning a fourth weight;
if it is determined that the allowed resources are related to the data sent out by the intranet user, assigning a fifth weight;
and determining that the intranet user has abnormal outgoing behavior according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight.
For each type of access controlled data, whether the access controlled data exceeds the corresponding baseline can be judged based on the preset behavior baseline corresponding to that data; if so, a corresponding weight is assigned. The assigned weight may be a fixed weight, or it may depend on the size of the access controlled data, with a larger value of the access controlled data receiving a larger weight. Whether the intranet user has abnormal outgoing behavior can then be judged comprehensively based on the weights: for example, if any one weight is larger than a preset threshold, the intranet user is considered to have abnormal outgoing behavior; or, if the number of weights greater than the preset threshold reaches a certain number, the outgoing behavior of the intranet user is considered abnormal; or, the weights are accumulated, and if the accumulation result is greater than a certain threshold, the outgoing behavior of the intranet user is considered abnormal.
Optionally, the step of determining that the intranet user has the abnormal outgoing behavior according to the first weight, the second weight, the third weight, the fourth weight, and the fifth weight may specifically include:
accumulating the first weight, the second weight, the third weight, the fourth weight and the fifth weight;
judging whether the accumulation result is greater than or equal to a preset threshold value;
and if so, determining that the intranet user has abnormal outgoing behavior.
When access is denied many times, that is, when the accumulated first, second, third and fourth weights are large, the user is suspected of frequently collecting data; combined with the fifth weight, which reflects the correlation between the accessed resources and the outgoing data, the user is judged to be suspected of the abnormal behavior of sending the collected data out.
By applying this embodiment, the outgoing behavior log reported by the behavior audit device is obtained; for the intranet user, the first access control log reported by the access control device in the preset time period before the outgoing time of the intranet user's outgoing data in that log is obtained; the access controlled data of the intranet user in the preset time period is counted based on the access control information in the first access control log; and the intranet user is determined to have abnormal outgoing behavior when, according to the data information of the outgoing data and the access controlled data, the access behavior and outgoing behavior of the intranet user are determined to deviate from the preset behavior baseline. The outgoing behavior of an intranet user can be identified by the behavior audit device, while the access controlled data generated by the access control device actively controlling the intranet user's access in the preset time period before the outgoing behavior occurred is counted; whether the intranet user has abnormal outgoing behavior is then detected by combining the data information in the outgoing behavior log with the counted access controlled data. The first access control log reported by the access control device is the set of access control information generated when the access control device actively controlled the intranet user's access, and so reflects the intranet user's access behavior. Combining it with the outgoing behavior log reported by the behavior audit device, and counting the access controlled data of the intranet user in the preset time period before the outgoing behavior occurred, takes both the outgoing behavior and the access behavior of the intranet user into account. This effectively avoids normal outgoing behavior being detected as abnormal, and improves the accuracy of detecting the
abnormal outgoing behavior of the intranet user by combining it with the corresponding abnormal access behavior.
In the following, a method for detecting an abnormal outgoing behavior of an intranet user according to an embodiment of the present invention is described with reference to a specific example, and as shown in fig. 2, the method may include the following steps.
Firstly, an outgoing behavior log reported by a behavior audit device is obtained.
And secondly, acquiring a first access control log reported by the access control equipment in a preset time period before the outgoing time aiming at the intranet user.
Thirdly, respectively calculating access controlled data of the intranet users in a preset time period based on the access control information and the resource information in the first access control log:
1. S1: the number of times access was denied; weight W1 is set;
2. S2: the first proportion of the number of times access was denied to the total number of accesses; weight W2 is set;
3. S3: the second proportion of the number of access-denied resources to the total number of accessed resources; weight W3 is set;
4. S4: the access frequency of the denied resources; weight W4 is set;
5. S5: whether the allowed resources are related to the data sent out by the intranet user; weight W5 is set.
Wherein W1 + W2 + W3 + W4 + W5 = 1.
Fourthly, counting preset behavior baselines in the appointed historical time period:
1. a first proportion baseline P2 of the number of times access was denied to the total number of accesses;
2. a second proportion baseline P3 of the number of the resources with refused access to the total number of the accessed resources;
3. access frequency baseline P4 for the denied resource.
And fifthly, reading a preset time threshold P1.
And sixthly, respectively calculating the score of each item of access controlled data:
1. if S1 > P1, the weight is V1 = W1, otherwise V1 = 0;
2. if S2 > P2, the weight is V2 = W2, otherwise V2 = 0;
3. if S3 > P3, the weight is V3 = W3, otherwise V3 = 0;
4. if S4 > P4, the weight is V4 = W4, otherwise V4 = 0;
5. if S5 is yes, the weight is V5 = W5, otherwise V5 = 0.
And seventhly, calculating V = V1 + V2 + V3 + V4 + V5.
And eighthly, assuming that the preset threshold is 0.6, judging whether V is greater than or equal to 0.6.
And ninthly, if so, judging that the intranet user has abnormal outgoing behaviors.
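The nine-step procedure above, together with the baseline construction over the designated historical time period described earlier, carried through on constructed access-control and outgoing-behavior records as an added example; this is not code from the patent or its assignee. Assumed here: equal weights of 0.2, P1 = 5 denied accesses, a 24-hour preset time period, one-day sub-time periods, "access frequency" taken as denied accesses per hour, and each baseline collapsed to the mean of its per-sub-period values for the comparison.

```python
"""Weighted-score detection of abnormal outgoing behaviour (added example).
Not code from the patent or its assignee. Assumed representations: an
access-control record is (user, timestamp, resource, allow/deny); an outgoing
record carries the resource names its data information was matched to; the
"access frequency" of denied resources is denied accesses per hour; and each
baseline (the patent's polyline of per-sub-period values) is collapsed to the
mean of those values for the comparison. All log data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass(frozen=True)
class AccessRecord:
    user: str
    ts: datetime
    resource: str
    decision: str              # "allow" or "deny"

@dataclass(frozen=True)
class OutgoingRecord:
    user: str
    ts: datetime               # outgoing time
    sent_resources: frozenset  # derived from the outgoing data information

WEIGHTS = {"S1": 0.2, "S2": 0.2, "S3": 0.2, "S4": 0.2, "S5": 0.2}  # W1..W5 sum to 1
SCORE_THRESHOLD = 0.6           # preset threshold used in the page's example
DENY_COUNT_THRESHOLD = 5        # P1 (assumed value)
WINDOW = timedelta(hours=24)    # preset time period before the outgoing time (assumed)
SUB_PERIOD = timedelta(days=1)  # preset sub-time period of the historical period

def access_controlled_data(records, span):
    """S1..S4 over one set of access-control records covering `span`."""
    denied = [r for r in records if r.decision == "deny"]
    s1 = len(denied)                                    # times access was denied
    s2 = s1 / len(records) if records else 0.0          # first proportion
    denied_res = {r.resource for r in denied}
    all_res = {r.resource for r in records}
    s3 = len(denied_res) / len(all_res) if all_res else 0.0   # second proportion
    s4 = s1 / (span.total_seconds() / 3600)             # denied accesses per hour
    return {"S1": s1, "S2": s2, "S3": s3, "S4": s4}

def build_baselines(history, start):
    """P2, P3, P4: per-sub-period proportions and frequency, averaged (assumption)."""
    buckets = {}
    for r in history:
        buckets.setdefault((r.ts - start) // SUB_PERIOD, []).append(r)
    per_period = [access_controlled_data(b, SUB_PERIOD) for b in buckets.values()]
    return {k: mean(p[k] for p in per_period) for k in ("S2", "S3", "S4")}

def score_outgoing(out, access_log, baselines):
    """Steps 6-7: assign V1..V5 for one outgoing event; returns (V, S1..S5)."""
    window = [r for r in access_log
              if r.user == out.user and out.ts - WINDOW <= r.ts < out.ts]
    s = access_controlled_data(window, WINDOW)
    allowed = {r.resource for r in window if r.decision == "allow"}
    s["S5"] = bool(allowed & out.sent_resources)  # allowed resources relate to outgoing data
    v = WEIGHTS["S1"] if s["S1"] > DENY_COUNT_THRESHOLD else 0.0
    v += sum(WEIGHTS[k] for k in ("S2", "S3", "S4") if s[k] > baselines[k])
    v += WEIGHTS["S5"] if s["S5"] else 0.0
    return round(v, 6), s

def is_abnormal(v):
    """Steps 8-9: abnormal when the accumulated weight reaches the threshold."""
    return v >= SCORE_THRESHOLD

T0 = datetime(2024, 1, 1)

def rec(day, hour, resource, decision, user="alice"):
    return AccessRecord(user, T0 + timedelta(days=day, hours=hour), resource, decision)

HISTORY = [  # designated historical period, days 0-2: occasional denials only
    rec(0, 9, "hr/payroll", "allow"), rec(0, 10, "eng/design", "allow"),
    rec(0, 11, "finance/q4", "deny"), rec(0, 14, "eng/design", "allow"),
    rec(1, 9, "eng/design", "allow"), rec(1, 10, "eng/specs", "allow"),
    rec(1, 15, "eng/specs", "allow"), rec(1, 16, "hr/payroll", "allow"),
    rec(2, 9, "eng/design", "allow"), rec(2, 11, "finance/q4", "deny"),
    rec(2, 12, "eng/specs", "allow"), rec(2, 13, "eng/design", "allow"),
]
RECENT = [  # days 4-5: many denied accesses across several resources
    rec(4, 13, "finance/q4", "deny"), rec(4, 14, "finance/q4", "deny"),
    rec(4, 15, "finance/q3", "deny"), rec(4, 16, "hr/salaries", "deny"),
    rec(4, 17, "hr/salaries", "deny"), rec(4, 18, "legal/contracts", "deny"),
    rec(4, 20, "eng/design", "allow"), rec(5, 8, "eng/specs", "allow"),
    rec(5, 9, "finance/q4", "deny"), rec(5, 10, "legal/contracts", "deny"),
    rec(5, 11, "eng/specs", "allow"),
]
ACCESS_LOG = HISTORY + RECENT
# Two outgoing events: one after a quiet day, one right after the denial burst.
OUT_NORMAL = OutgoingRecord("alice", T0 + timedelta(days=3, hours=12), frozenset({"eng/design"}))
OUT_SUSPECT = OutgoingRecord("alice", T0 + timedelta(days=5, hours=12), frozenset({"eng/specs"}))

if __name__ == "__main__":
    bl = build_baselines(HISTORY, T0)
    for out in (OUT_NORMAL, OUT_SUSPECT):
        v, s = score_outgoing(out, ACCESS_LOG, bl)
        print(out.ts, s, "V =", v, "abnormal" if is_abnormal(v) else "normal")
```

The quiet-day event scores only the fifth weight (V = 0.2, normal) because an allowed resource relates to the outgoing data but no denial indicators fire, while the event after the denial burst scores V = 1.0 and is flagged.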
According to this scheme, the first access control log reported by the access control device is combined with the outgoing behavior log reported by the behavior audit device: the behavior audit device actively detects the data outgoing behavior of the intranet user; the first access control log of the access control device shows when the user's access was denied many times, which indicates suspected frequent data collection by the intranet user; and the correlation between the resources accessed under access control and the outgoing data is used to judge that the user is suspected of sending the collected data out. This improves the accuracy of abnormal behavior detection.
Corresponding to the above method embodiment, an embodiment of the present invention provides an apparatus for detecting an abnormal outgoing behavior of an intranet user, where as shown in fig. 3, the apparatus may include:
an obtaining module 310, configured to obtain an outgoing behavior log reported by a behavior audit device, where the outgoing behavior log includes data information of outgoing data of an intranet user and outgoing time; for the intranet user, obtaining a first access control log reported by virtual private network access control equipment in a preset time period before the outbound time, wherein the first access control log comprises access control information of the intranet user and resource information accessed by the intranet user, and the access control information comprises information that the intranet user is denied access or allowed access;
a statistics module 320, configured to count, based on the access control information in the first access control log, access controlled data of the intranet user, where the access controlled data includes at least one of the following three types of data: a first proportion of the number of times access was denied to the total number of accesses in the preset time period, a second proportion of the number of access-denied resources to the total number of accessed resources in the preset time period, and the access frequency of the denied resources in the preset time period;
a detection module 330, configured to determine that an abnormal outgoing behavior exists in the intranet user when it is determined that the access behavior and the outgoing behavior of the intranet user deviate from a preset behavior baseline according to the data information and the access controlled data, where the preset behavior baseline includes at least one of the following three baselines: a first proportion baseline corresponding to the first proportion, a second proportion baseline corresponding to the second proportion, and an access frequency baseline corresponding to the access frequency.
Optionally, the obtaining module 310 may be further configured to obtain a second access control log reported by the access control device in a specified historical time period, where the second access control log includes access control information of the intranet user and resource information accessed by the intranet user;
the statistics module 320 may be further configured to:
respectively counting access control information of the intranet user in each preset sub-time period of the designated historical time period, wherein the access control information comprises the number of times that access is denied and the total number of times of access, calculating a first proportion of the number of times that access is denied in each preset sub-time period to the total number of times, and establishing a first proportion base line based on each first proportion;
respectively counting access control information of the intranet user in each preset sub-time period of the appointed historical time period, wherein the access control information comprises the number of the access-denied resources and the number of total access resources, calculating a second proportion of the number of the access-denied resources in each preset sub-time period to the number of the total access resources, and establishing a second proportion baseline based on each second proportion;
and respectively counting the access frequency of the access control information of the intranet user in each preset sub-time period of the appointed historical time period, wherein the access control information is the access frequency of the resource which is denied to access, and establishing an access frequency baseline based on each access frequency.
Optionally, the access controlled data may further include: the number of times access was denied, and/or whether the allowed resources, determined based on the resource information of the allowed resources and the data information, are related to the data sent out by the intranet user.
Optionally, the detection module 330 may be specifically configured to:
judging whether the number of times access was denied, in the access control information of the intranet user within the preset time period, is greater than a preset number threshold, and if so, assigning a first weight;
judging whether the first proportion is larger than the first proportion baseline, and if so, assigning a second weight;
judging whether the second proportion is larger than the second proportion baseline, and if so, assigning a third weight;
judging whether the access frequency is greater than the access frequency baseline, and if so, assigning a fourth weight;
if it is determined that the allowed resources are related to the data sent out by the intranet user, assigning a fifth weight;
and determining that the intranet user has abnormal outgoing behavior according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight.
Optionally, the detection module 330 may be specifically configured to:
accumulating the first weight, the second weight, the third weight, the fourth weight, and the fifth weight;
judging whether the accumulation result is greater than or equal to a preset threshold value;
and if so, determining that the intranet user has abnormal outgoing behavior.
By applying this embodiment, the outgoing behavior log reported by the behavior audit device is obtained; for the intranet user, the first access control log reported by the access control device in the preset time period before the outgoing time of the intranet user's outgoing data in that log is obtained; the access controlled data of the intranet user in the preset time period is counted based on the access control information in the first access control log; and the intranet user is determined to have abnormal outgoing behavior when, according to the data information of the outgoing data and the access controlled data, the access behavior and outgoing behavior of the intranet user are determined to deviate from the preset behavior baseline. The outgoing behavior of an intranet user can be identified by the behavior audit device, while the access controlled data generated by the access control device actively controlling the intranet user's access in the preset time period before the outgoing behavior occurred is counted; whether the intranet user has abnormal outgoing behavior is then detected by combining the data information in the outgoing behavior log with the counted access controlled data. The first access control log reported by the access control device is the set of access control information generated when the access control device actively controlled the intranet user's access, and so reflects the intranet user's access behavior. Combining it with the outgoing behavior log reported by the behavior audit device, and counting the access controlled data of the intranet user in the preset time period before the outgoing behavior occurred, takes both the outgoing behavior and the access behavior of the intranet user into account. This effectively avoids normal outgoing behavior being detected as abnormal, and improves the accuracy of detecting the
abnormal outgoing behavior of the intranet user by combining it with the corresponding abnormal access behavior.
The embodiment of the present invention further provides a detection apparatus, as shown in fig. 4, including a processor 401 and a machine-readable storage medium 402, where the machine-readable storage medium 402 stores machine-executable instructions capable of being executed by the processor 401, and the processor 401 is caused by the machine-executable instructions to perform all steps of the method for detecting abnormal outgoing behavior of an intranet user according to the embodiment of the present invention.
The computer-readable storage medium may include a RAM (Random Access Memory) and an NVM (Non-Volatile Memory), such as at least one disk memory. Alternatively, the computer-readable storage medium may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In this embodiment, the processor 401, by reading the machine-executable instructions stored in the machine-readable storage medium 402, is caused by those instructions to implement the following: the outgoing behavior of an intranet user is identified by the behavior audit device; the access controlled data generated by the access control device actively controlling the intranet user's access in the preset time period before the outgoing behavior occurred is counted; and whether the intranet user has abnormal outgoing behavior is detected by combining the data information in the outgoing behavior log with the counted access controlled data. Since the first access control log reported by the access control device is the set of access control information generated when the access control device actively controlled the intranet user's access, it reflects the intranet user's access behavior; combining it with the outgoing behavior log reported by the behavior audit device and counting the access controlled data in the preset time period before the outgoing behavior occurred takes both the outgoing behavior and the access behavior of the intranet user into account, effectively avoids normal outgoing behavior being detected as abnormal, and improves the accuracy of detecting abnormal outgoing behavior of the intranet user by combining it with the corresponding abnormal access behavior.
In addition, the embodiment of the present invention provides a machine-readable storage medium, which stores machine-executable instructions, and when the machine-executable instructions are called and executed by a processor, the processor is caused to execute all the steps of the method for detecting the abnormal outgoing behavior of the intranet user provided by the embodiment of the present invention.
In this embodiment, when run, the machine-executable instructions stored in the machine-readable storage medium execute the method for detecting abnormal outgoing behavior of an intranet user according to the embodiment of the present invention, so that the following can be implemented: the outgoing behavior of an intranet user is identified by the behavior audit device; the access controlled data generated by the access control device actively controlling the intranet user's access in the preset time period before the outgoing behavior occurred is counted; and whether the intranet user has abnormal outgoing behavior is detected by combining the data information in the outgoing behavior log with the counted access controlled data. Since the first access control log reported by the access control device is the set of access control information generated when the access control device actively controlled the intranet user's access, it reflects the intranet user's access behavior; combining it with the outgoing behavior log reported by the behavior audit device and counting the access controlled data in the preset time period before the outgoing behavior occurred takes both the outgoing behavior and the access behavior of the intranet user into account, effectively avoids normal outgoing behavior being detected as abnormal, and improves the accuracy of detecting abnormal outgoing behavior of the intranet user by combining it with the corresponding abnormal access behavior.
For the embodiments of the detection device and the machine-readable storage medium, the content of the related method is substantially similar to that of the foregoing method embodiments, so that the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus, the detection device and the machine-readable storage medium embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to the description, reference may be made to some parts of the description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A method for detecting abnormal outgoing behavior of an intranet user is characterized by comprising the following steps:
acquiring an outgoing behavior log reported by behavior audit equipment, wherein the outgoing behavior log comprises data information of outgoing data of an intranet user and outgoing time;
aiming at the intranet user, acquiring a first access control log reported by access control equipment in a preset time period before the outbound time, wherein the first access control log comprises access control information of the intranet user and resource information accessed by the intranet user, and the access control information comprises information that the intranet user is denied access or allowed access;
and counting the access controlled data of the intranet user based on the access control information in the first access control log, wherein the access controlled data comprises at least one of the following three data: a first proportion of the number of times access was denied to the total number of accesses in the preset time period, a second proportion of the number of access-denied resources to the total number of accessed resources in the preset time period, and the access frequency of the denied resources in the preset time period;
when the access behavior and the outgoing behavior of the intranet user are determined to deviate from a preset behavior baseline according to the data information and the access controlled data, determining that the intranet user has an abnormal outgoing behavior, wherein the preset behavior baseline is a baseline which is preset for judging whether the outgoing behavior of the intranet user is abnormal or not according to different access controlled data and comprises at least one of the following three baselines: a first proportion baseline corresponding to the first proportion, a second proportion baseline corresponding to the second proportion, and an access frequency baseline corresponding to the access frequency.
2. The method of claim 1, wherein the establishing of the pre-set behavior baseline comprises:
acquiring a second access control log reported by the access control equipment in a specified historical time period, wherein the second access control log comprises access control information of the intranet user and resource information accessed by the intranet user;
respectively counting access control information of the intranet user in each preset sub-time period of the designated historical time period, wherein the access control information comprises the number of times that access is denied and the total number of times of access, calculating a first proportion of the number of times that access is denied in each preset sub-time period to the total number of times, and establishing a first proportion base line based on each first proportion;
respectively counting access control information of the intranet user in each preset sub-time period of the appointed historical time period, wherein the access control information comprises the number of the access-denied resources and the number of total access resources, calculating a second proportion of the number of the access-denied resources in each preset sub-time period to the number of the total access resources, and establishing a second proportion baseline based on each second proportion;
and respectively counting the access frequency of the access control information of the intranet user in each preset sub-time period of the appointed historical time period, wherein the access control information is the access frequency of the resource which is denied to access, and establishing an access frequency baseline based on each access frequency.
3. The method of claim 1, wherein the access controlled data further comprises: the number of times access was denied, and/or whether the allowed resources, determined based on the resource information of the allowed resources and the data information, are related to the data sent out by the intranet user.
4. The method according to claim 3, wherein the determining that the intranet user has abnormal outgoing behavior when determining that the access behavior and the outgoing behavior of the intranet user deviate from a preset behavior baseline according to the data information and the access controlled data comprises:
judging whether the number of times access was denied, in the access control information of the intranet user within the preset time period, is greater than a preset number threshold, and if so, assigning a first weight;
judging whether the first proportion is larger than the first proportion baseline, and if so, assigning a second weight;
judging whether the second proportion is larger than the second proportion baseline, and if so, assigning a third weight;
judging whether the access frequency is greater than the access frequency baseline, and if so, assigning a fourth weight;
if it is determined that the allowed resources are related to the data sent out by the intranet user, assigning a fifth weight;
and determining that the intranet user has abnormal outgoing behavior according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight.
5. The method according to claim 4, wherein the determining that the intranet user has abnormal outgoing behavior according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight includes:
accumulating the first weight, the second weight, the third weight, the fourth weight, and the fifth weight;
judging whether the accumulation result is greater than or equal to a preset threshold value;
and if so, determining that the intranet user has abnormal outgoing behavior.
6. An apparatus for detecting abnormal outgoing behavior of an intranet user, the apparatus comprising:
an acquisition module, configured to acquire an outgoing behavior log reported by behavior auditing equipment, wherein the outgoing behavior log comprises data information of outgoing data of an intranet user and outgoing time; and, for the intranet user, to acquire a first access control log reported by access control equipment in a preset time period before the outgoing time, wherein the first access control log comprises access control information of the intranet user and resource information accessed by the intranet user, and the access control information comprises information that the intranet user is denied access or allowed access;
a statistics module, configured to count, based on the access control information in the first access control log, access controlled data of the intranet user, where the access controlled data includes at least one of the following three types of data: a first proportion of the number of times access was denied to the total number of accesses in the preset time period, a second proportion of the number of access-denied resources to the total number of accessed resources in the preset time period, and the access frequency of the denied resources in the preset time period;
the detection module is configured to determine that an abnormal outgoing behavior exists in the intranet user when it is determined that the access behavior and the outgoing behavior of the intranet user deviate from a preset behavior baseline according to the data information and the access controlled data, where the preset behavior baseline is a baseline preset for determining whether the outgoing behavior of the intranet user is abnormal for different access controlled data, and includes at least one of the following three baselines: a first proportion baseline corresponding to the first proportion, a second proportion baseline corresponding to the second proportion, and an access frequency baseline corresponding to the access frequency.
7. The apparatus of claim 6,
the obtaining module is further configured to obtain a second access control log reported by the access control device within a specified historical time period, where the second access control log includes access control information of the intranet user and resource information accessed by the intranet user;
the statistic module is further configured to:
respectively counting access control information of the intranet user in each preset sub-time period of the designated historical time period, wherein the access control information comprises the number of times that access is denied and the total number of times of access, calculating a first proportion of the number of times that access is denied in each preset sub-time period to the total number of times, and establishing a first proportion base line based on each first proportion;
respectively counting access control information of the intranet user in each preset sub-time period of the appointed historical time period, wherein the access control information comprises the number of the access-denied resources and the number of total access resources, calculating a second proportion of the number of the access-denied resources in each preset sub-time period to the number of the total access resources, and establishing a second proportion baseline based on each second proportion;
and respectively counting the access frequency of the access control information of the intranet user in each preset sub-time period of the appointed historical time period, wherein the access control information is the access frequency of the resource which is denied to access, and establishing an access frequency baseline based on each access frequency.
8. The apparatus of claim 6, wherein the access controlled data further comprises: the number of times access was denied, and/or whether the allowed resources, determined based on the resource information of the allowed resources and the data information, are related to the data sent out by the intranet user.
9. The apparatus according to claim 8, wherein the detection module is specifically configured to:
determining whether, in the access control information of the intranet user for the preset time period, the number of times access was denied is greater than a preset count threshold, and if so, assigning a first weight;
determining whether the first proportion is greater than the first proportion baseline, and if so, assigning a second weight;
determining whether the second proportion is greater than the second proportion baseline, and if so, assigning a third weight;
determining whether the access frequency is greater than the access frequency baseline, and if so, assigning a fourth weight;
if the resources to which access was allowed are determined to be related to the data sent out by the intranet user, assigning a fifth weight;
and determining, according to the first weight, the second weight, the third weight, the fourth weight and the fifth weight, that the intranet user has abnormal outgoing behavior.
10. The apparatus according to claim 9, wherein the detection module is specifically configured to:
accumulating the first weight, the second weight, the third weight, the fourth weight and the fifth weight;
determining whether the accumulation result is greater than or equal to a preset threshold;
and if the accumulation result is greater than or equal to the preset threshold, determining that the intranet user has abnormal outgoing behavior.
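The scoring procedure of claims 7 to 10, worked over constructed access-control records, as an added example that is not part of the patent or any H3C product. It assumes each record is (sub_period, resource, allowed), that a baseline is the mean of the per-sub-period series (the claims leave the baseline method open), and that the weights, thresholds and the "related to outgoing data" flag are hypothetical inputs.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: three historical sub-periods and one current window (period 9).
HISTORY = [  # (sub_period, resource, allowed)
    (1, "/finance/q1.xlsx", True), (1, "/hr/list.csv", True), (1, "/hr/list.csv", False),
    (2, "/finance/q1.xlsx", True), (2, "/finance/q1.xlsx", True), (2, "/hr/list.csv", False),
    (3, "/docs/readme", True), (3, "/hr/list.csv", True), (3, "/hr/list.csv", False),
]
CURRENT = [(9, "/hr/list.csv", False), (9, "/hr/salary.csv", False),
           (9, "/finance/q1.xlsx", False), (9, "/docs/readme", True)]


def period_stats(records):
    """Per sub-period: (denied/total accesses, denied resources/total resources,
    access frequency of denied resources) -- the three series of claim 7."""
    by_period = defaultdict(list)
    for period, resource, allowed in records:
        by_period[period].append((resource, allowed))
    stats = {}
    for period, entries in by_period.items():
        denied = [r for r, ok in entries if not ok]
        resources = {r for r, _ in entries}
        stats[period] = (len(denied) / len(entries),
                         len(set(denied)) / len(resources),
                         len(denied))  # frequency = denied accesses in the period
    return stats


def baselines(history):
    """Baseline of each series = mean over the historical sub-periods (assumed)."""
    return tuple(mean(col) for col in zip(*period_stats(history).values()))


def score(current, history, denied_limit=2, related_to_outgoing=False,
          weights=(1, 1, 1, 1, 2), alarm=3):
    """Claims 9-10: assign a weight per exceeded condition, sum, compare to alarm.
    `current` must cover exactly one sub-period (the preset detection window)."""
    b1, b2, bf = baselines(history)
    (p1, p2, freq), = period_stats(current).values()
    hits = [freq > denied_limit,      # denied count over the preset threshold
            p1 > b1, p2 > b2,         # proportions over their baselines
            freq > bf,                # denied-access frequency over its baseline
            related_to_outgoing]      # allowed resource tied to outgoing data
    total = sum(w for w, hit in zip(weights, hits) if hit)
    return total, total >= alarm
```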
CN201910029939.3A 2019-01-11 2019-01-11 Method and device for detecting abnormal outgoing behavior of intranet user Active CN109525611B (en)

Publications (2)

Publication Number Publication Date
CN109525611A CN109525611A (en) 2019-03-26
CN109525611B true CN109525611B (en) 2021-03-12

Family

ID=65799453

Country Status (1)

Country Link
CN (1) CN109525611B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant