CN110059984A - Security risk recognition methods, device, equipment and storage medium - Google Patents

Publication number: CN110059984A
Authority: CN (China)
Prior art keywords: risk, user, scene, behavioral data, various actions
Legal status: Pending
Application number: CN201910364748.2A
Other languages: Chinese (zh)
Inventor: 杨金柱
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201910364748.2A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities

Abstract

The present invention provides a security risk identification method, apparatus, device and storage medium. Log data reported by other devices or platforms is collected, and the behavior data of the same user in different scenarios (for example, the Internet access scenario, the intranet access scenario, and the office area and device access scenario) is analyzed together to obtain the risk information of each user. A risk identification result is then obtained from the risk information of each user. Because the security management platform collects the user behavior in every scenario in the system, the security risk of each user can be analyzed from a global perspective. The resulting analysis is more accurate, potential security risks can be found in advance, and the company is helped to carry out risk control and management optimization.

Description

Security risk identification method, apparatus, device and storage medium
Technical field
The invention belongs to the field of network technology, and in particular relates to a security risk identification method, apparatus, device and storage medium.
Background
With the rapid development of network technology, almost every enterprise and organization depends on the network. Every day, employees need to access various data matching their posts and to use various office equipment and even Internet of Things (IoT) devices: for example, using various access control systems, accessing all kinds of servers and systems, accessing the Internet, entering all kinds of work-related areas, and using peripherals such as printers, scanners and removable storage devices.
For an enterprise or organization, employee behavior may carry security risks such as leaking secrets, theft and sabotage. For example, an employee sends internal company data out by e-mail or in posts, causing a loss to the company; or the files an employee prints contain sensitive information; or an employee, by various means, accesses or obtains devices and data beyond their own permissions. These potential security risks all originate from "people", so how to identify the people who may pose a security risk has become a problem in urgent need of a solution.
Summary of the invention
In view of this, the object of the present invention is to provide a security risk identification method, apparatus, device and storage medium that identify users who may pose a security risk by analyzing user behavior. The specific technical solution is as follows:
In a first aspect, the present invention provides a security risk identification method, comprising:
obtaining a behavior data set of users in various behavior scenarios;
determining, from the behavior data set, the behavior data of the same user in the various behavior scenarios;
for each user, analyzing the user's behavior data in the various behavior scenarios to obtain the risk information of the user;
obtaining a risk identification result according to the risk information of each user.
In a possible implementation of the first aspect, the step of analyzing, for each user, the user's behavior data in the various behavior scenarios to obtain the risk information of the user comprises:
for each user, inputting the user's behavior data in the various behavior scenarios into the risk analysis model corresponding to each risk type for analysis, to obtain the risk types present for the user and the risk score corresponding to each such risk type, where the risk score characterizes the degree of risk of that risk type for the user;
obtaining the composite risk score of the user according to the risk scores of the risk types present for the user and the preset weights of those risk types, where the composite risk score characterizes the overall degree of risk of the user.
In a possible implementation of the first aspect, the step of obtaining a risk identification result according to the risk information of each user comprises:
determining the first preset number of users as risk users, in descending order of composite risk score;
or,
for any risk type, determining the risk users having that risk type in descending order of the risk score corresponding to that risk type.
In a possible implementation of the first aspect, the step of obtaining a behavior data set of users in various behavior scenarios comprises:
receiving all behavior data of each user in a behavior scenario, sent by the behavior data collection end in that behavior scenario;
or,
receiving the behavior data corresponding to users with potential risk in the various behavior scenarios, where the users with potential risk are obtained by the behavior data collection end in a behavior scenario analyzing the behavior data of each user in that behavior scenario.
In a possible implementation of the first aspect, the step of determining, from the behavior data set, the behavior data of the same user in the various behavior scenarios comprises:
obtaining the user identifiers of the same user in the different behavior scenarios;
for any user, identifying the user's behavior data in the various behavior scenarios according to the user's identifiers in those behavior scenarios.
In a possible implementation of the first aspect, the method further comprises:
issuing, according to the risk identification result, a risk management policy to the data collection end associated with the risk identification result, so that the data collection end executes the risk management policy.
In a possible implementation of the first aspect, the method further comprises:
issuing the risk identification result to the data collection end associated with the risk identification result, so that the data collection end implements a risk management policy matching the risk identification result.
In a second aspect, the present invention further provides a security risk identification device, comprising a memory and a processor;
a computer program is stored in the memory, and the processor executes the computer program in the memory to implement the following steps:
obtaining a behavior data set of users in various behavior scenarios;
determining, from the behavior data set, the behavior data of the same user in the various behavior scenarios;
for each user, analyzing the user's behavior data in the various behavior scenarios to obtain the risk information of the user;
obtaining a risk identification result according to the risk information of each user.
In a possible implementation of the second aspect, when analyzing, for each user, the user's behavior data in the various behavior scenarios to obtain the risk information of the user, the processor is specifically configured to:
for each user, input the user's behavior data in the various behavior scenarios into the risk analysis model corresponding to each risk type for analysis, to obtain the risk types present for the user and the risk score corresponding to each such risk type, where the risk score characterizes the degree of risk of that risk type for the user;
obtain the composite risk score of the user according to the risk scores of the risk types present for the user and the preset weights of those risk types, where the composite risk score characterizes the overall degree of risk of the user.
In a possible implementation of the second aspect, when obtaining a risk identification result according to the risk information of each user, the processor is specifically configured to:
determine the first preset number of users as risk users, in descending order of composite risk score;
or,
for any risk type, determine the risk users having that risk type in descending order of the risk score corresponding to that risk type.
In a possible implementation of the second aspect, when obtaining a behavior data set of users in various behavior scenarios, the processor is specifically configured to:
receive all behavior data of each user in a behavior scenario, sent by the behavior data collection end in that behavior scenario;
or,
receive the behavior data corresponding to users with potential risk in the various behavior scenarios, where the users with potential risk are obtained by the behavior data collection end in a behavior scenario analyzing the behavior data of each user in that behavior scenario.
In a possible implementation of the second aspect, when determining, from the behavior data set, the behavior data of the same user in the various behavior scenarios, the processor is specifically configured to:
obtain the user identifiers of the same user in the different behavior scenarios;
for any user, identify the user's behavior data in the various behavior scenarios according to the user's identifiers in those behavior scenarios.
In a possible implementation of the second aspect, when executing the computer program in the memory, the processor is further configured to:
issue, according to the risk identification result, a risk management policy to the data collection end associated with the risk identification result, so that the device executes the risk management policy.
In a possible implementation of the second aspect, when executing the computer program in the memory, the processor is further configured to:
issue the risk identification result to the data collection end associated with the risk identification result, so that the device implements a risk management policy matching the risk identification result.
In a third aspect, the present invention further provides a security risk identification apparatus, comprising:
an obtaining module, configured to obtain a behavior data set of users in various behavior scenarios;
a determining module, configured to determine, from the behavior data set, the behavior data of the same user in the various behavior scenarios;
a risk analysis module, configured to analyze, for each user, the user's behavior data in the various behavior scenarios to obtain the risk information of the user;
a risk result obtaining module, configured to obtain a risk identification result according to the risk information of each user.
In a fourth aspect, the present invention further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the security risk identification method described in any possible implementation of the first aspect is implemented.
In the security risk identification method provided by the present invention, log data reported by other devices or platforms is collected, and the behavior data of the same user in different scenarios (for example, the Internet access scenario, the intranet access scenario, and the office area and device access scenario) is analyzed together to obtain the risk information of each user. A risk identification result is then obtained from the risk information of each user. Because the security management platform collects the user behavior in every scenario in the system, the security risk of each user can be analyzed from a global perspective. The resulting analysis is more accurate, potential security risks can be found in advance, and the company is helped to carry out risk control and management optimization.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a security risk identification system provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a security risk identification method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of another security risk identification method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a security risk identification device provided by an embodiment of the present invention;
Fig. 5 is a block diagram of a security risk identification apparatus provided by an embodiment of the present invention.
Detailed description of the embodiments
From entering the workplace each day until leaving after work, company employees use all kinds of access control systems, access all kinds of servers and systems, access the Internet, enter all kinds of work-related areas, print documents, use peripherals such as removable storage devices, and use other office equipment or IoT devices. These behaviors can be divided into three scenarios: the Internet access scenario, the intranet access scenario, and the office area and device access scenario. Security risks exist in all three scenarios, for example leaking secrets, theft and sabotage. The security risks in these scenarios all originate from "people". When current technical solutions analyze whether a person's behavior carries a security risk or a risk trend, they analyze only that person's behavior in one scenario or in some of the scenarios and do not analyze the person's behavior across all scenarios together, so misjudgments easily occur. For example, within the last month Employee A spent considerable time on websites and network applications unrelated to work; Employees A and B copied some data with USB flash drives and printed some documents; Employee C attempted to access an unauthorized service area; Employees D and E entered other work areas they should seldom go to and made abnormal use of IoT devices such as air conditioners, switches and power strips. If only the user behavior in the Internet access scenario is considered, the abnormal behavior of Employees C and D may go undetected, and the seriousness of Employee A's behavior may be underestimated. The security risk identification solution provided by the present invention analyzes all of the same user's behavior in the different scenarios together and obtains a security risk profile of that user, so as to identify high-risk users.
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to Fig. 1, which shows a schematic structural diagram of a security risk identification system provided by an embodiment of the present invention, the system includes: Internet egress gateways such as an Internet behavior management gateway and a next-generation firewall, an EDR console, NAC, an IoT device management platform and a security management platform. These devices are not limited to physical devices, virtual machine devices and cloud deployments.
The security management platform can be deployed in the cloud (a public or private cloud environment) or locally. All of the gateway devices or consoles in the system that relate to the three scenarios of Internet access, intranet access, and office area and device access are connected to the security management platform: as shown in Fig. 1, the Internet behavior management gateway, the next-generation firewall, the network admission control software (Network Admission Control, NAC), the endpoint security detection and response software (EDR console), the IoT device management platform and other related devices. These devices connect to the security management platform via VPN or other means.
The main function of the security management platform is to collect the logs reported by the devices connected to it, analyze data such as Internet access behavior, intranet access behavior and IoT device usage tracks, obtain the security risk profile of the personnel associated with the received logs, and thereby identify high-risk personnel.
An Internet egress gateway is a gateway device deployed at the network egress or the data center egress. Its main function is to analyze the Internet behavior and security risks of personnel inside the organization and to report the related logs to the security management platform.
Internet egress gateways include but are not limited to the Internet behavior management gateway and the next-generation firewall. At least one of the two can be deployed according to the business needs of the system: only the Internet behavior management gateway, only the next-generation firewall, or both. The system shown in Fig. 1 deploys both the Internet behavior management gateway and the next-generation firewall.
The endpoint detection and response software (EDR console) is responsible for endpoint security detection and protection and for endpoint micro-segmentation. In this solution, it mainly performs security risk analysis on the personal behavior present on the endpoint and reports the results to the security management platform.
For example, personal behavior that may carry a security risk could be an employee installing virus-carrying software in order to steal internal company data, or software installed by the user carrying a virus that causes internal company data to be stolen.
The network admission control software (NAC) is responsible for the security of users and terminals in the enterprise office network. It mainly judges the legitimacy of terminals accessing the intranet, to guarantee the security of the users and terminals that access the network; makes users' access to services on intranet servers and PCs visible and controllable; and identifies log data that carries security risks and reports it to the security management platform.
NAC can be deployed alone or as a module of Internet behavior management. When NAC is integrated into Internet behavior management, traffic must be mirrored from the core switch to the NAC so that the access traffic can be analyzed to obtain the log data that carries security risks.
The IoT device management platform is mainly used to collect data from the various IoT devices in the Internet of Things, to identify, aggregate and analyze the collected data, to determine each person's access track across IoT devices, and to report it to the security management platform. The security management platform then analyzes it together with other types of data and finally identifies the risk personnel.
When someone passes through access control, passes a camera, or uses IoT devices such as smart switches and smart sockets, the IoT device management platform can obtain the usage information of these IoT devices and, through identification, aggregation and big-data analysis of this information, obtain a person's access track across IoT devices.
In one possible implementation of the present invention, the IoT management platform further analyzes each person's access track across IoT devices, identifies risk personnel and reports them to the security management platform. The security management platform then obtains the risk profile of those personnel by further taking into account the data of their other behavior types.
In another possible implementation of the present invention, the IoT management platform reports the collected IoT device usage information directly to the security management platform. The security management platform analyzes the data reported by the IoT management platform to identify personnel who pose a security risk, and obtains the risk profile of those personnel by further taking into account the data of their other behavior types.
In addition, the names used in this system, such as security management platform, Internet egress gateway, IoT management platform, endpoint detection and response software and network admission software, are used for convenience of description and do not limit the protection scope of the present invention. Any device or software whose function is essentially the same as that of the above devices or software falls within the protection scope of the present invention.
In the security risk identification system provided by this embodiment, a security management platform is deployed. The security management platform collects the log data reported by each of the other devices or platforms and analyzes together the behavior data of the same user in the different scenarios (for example, the Internet access scenario, the intranet access scenario, and the office area and device access scenario) to obtain the security risk profile of each user and finally identify high-risk users. Because the security management platform collects the behavior data of users in every scenario in the system and analyzes the security risk of each user from a global perspective, the resulting analysis is more accurate, potential security risks can be found in advance, and the company is helped to carry out risk control and management optimization.
Referring to Fig. 2, which shows a flowchart of a security risk identification method provided by an embodiment of the present invention, the method is applied to the security management platform shown in Fig. 1. As shown in Fig. 2, the method includes the following steps:
S110: obtain a behavior data set of users in various behavior scenarios.
The security management platform receives the log data reported by each gateway device (Internet behavior management gateway, next-generation firewall) or platform (EDR console, NAC, IoT device management platform) connected to it. These gateway devices or platforms are the behavior data collection ends.
In one possible implementation of the present invention, every gateway device or platform has security risk analysis capability and reports to the security management platform only the log data that its preliminary analysis finds may carry a security risk. The security management platform then analyzes together the behavior data of the same user in each scenario. This greatly reduces the amount of data the security management platform must analyze and lowers its hardware performance requirements, thereby reducing the cost of the security management platform.
In another possible implementation of the present invention, every gateway device or platform reports all of the log data it collects to the security management platform. This lowers the performance requirements for the gateway devices and platforms in the system: each gateway device or platform only needs to collect the corresponding log data and report it to the security management platform.
S120: find, from the behavior data set, the behavior data of the same user in the various behavior scenarios.
User identifiers include but are not limited to the user's terminal username, the accounts in each intranet system, and the fingerprint, access card identifier and face in the access control system. These user identifiers are stored in the security management platform in correspondence with the user information (e.g., name, employee number, post).
After receiving behavior data, the security management platform parses out the user identifier associated with that behavior data. Using the pre-stored correspondence between user identifiers and user information, it finds, among the behavior data of each scenario, the behavior data containing the user identifiers that correspond to the same user, and determines that this behavior data belongs to the same user.
S130: for each user, analyze the user's behavior data in the various behavior scenarios to obtain the risk information of the user.
Risk analysis models are used to analyze each user's behavior data in the various behavior scenarios and obtain the risk information of the user. The risk information can be a risk profile, and the risk profile includes the composite risk score of the user. The composite risk score is calculated from the user's risk scores for the various risk types and the corresponding weights.
For example, risk types include but are not limited to data theft, data leakage, inefficient work, abnormal work and resignation risk.
For example, a user has a data theft risk with a risk score of 10 points, and the weight of the data theft risk type is 0.5; the same user also has an inefficient work risk with a risk score of 8 points, and the weight of the inefficient work risk type is 0.1. The composite risk score of the user is then 10 × 0.5 + 8 × 0.1 = 5.8 points.
The weight of each risk type can be set according to the business needs of the organization: the greater a risk type's influence on the safe operation of the organization, the higher its weight; the smaller its influence, the lower its weight.
In addition, the risk profile of each user can also include the user's risk score for each individual risk type.
In one embodiment of the present invention, a corresponding risk analysis model can be designed for each risk type, and one or more risk decision conditions are set in each risk analysis model. For a risk analysis model with multiple risk decision conditions, the weights of the conditions and the way they are combined (e.g., "or", "and") must also be set. The risk decision conditions are determined according to the characteristics of the risk type.
For data theft, the corresponding risk analysis model is the theft model. The risk decision conditions in the theft model include but are not limited to: whether there is behavior of sending important data out, whether there is behavior of copying important data, whether there is behavior of printing material containing sensitive data, whether there is behavior of using illegal software, whether there is behavior of accessing unauthorized intranet data, and whether there is behavior of attempting to crack intranet business systems. The theft model specifies that when 3 of these risk decision conditions are met, the user is considered to have a data theft risk. For example, from the log data reported by the security gateway, the security management platform finds that Employee A has recently spent considerable time on websites and network applications unrelated to work; meanwhile, from the log data reported by NAC, it finds that Employee A also copied some data with a removable storage device. It therefore determines that Employee A may pose a risk of stealing data.
For inefficient work, the corresponding risk analysis model is the inefficiency model. The risk decision conditions in the inefficiency model include but are not limited to: whether there is behavior of personally visiting Internet sites and applications unrelated to work, whether there is behavior of using illegal devices, and whether the office areas accessed or the IoT devices used do not match the user's work. When the user's behavior meets any one of these conditions, the user is determined to have an inefficient work risk.
For abnormal work, the corresponding risk analysis model is the abnormal work model. The corresponding risk decision conditions include but are not limited to: whether the office areas accessed or the IoT devices used do not match the user's work, and whether there is behavior of using illegal devices (such as portable WiFi). When the user's behavior meets any one of these conditions, the user is determined to have an abnormal work risk. For example, by analyzing the information collected by the various IoT devices in each office area and reported by the IoT management platform, it is determined that an employee entered an area they should not enter, such as a senior leader's office, and turned on the light in that office; the employee is then determined to have abnormal behavior.
Likewise, for resignation risk, the corresponding risk analysis model is the resignation model. The risk decision conditions of the resignation model include but are not limited to: whether there is behavior of browsing recruitment websites, whether there is inefficient work behavior, and whether there is behavior of stealing internal data. When the user's behavior meets any 2 or 3 of these conditions, the user is considered to have a resignation risk.
S140: obtain a risk identification result according to the risk information of each user.
In one possible implementation of the invention, the risk identification result can be a result based on the person dimension: the risk information of each user is obtained by analysis, and then, in order of risk from high to low, the first preset number of high-risk users are identified.
For example, different weights can be set for different risk types based on the organization's internal business needs. Then, for a given user, after the risk types that the user exhibits have been analyzed, the user's integrated risk score is calculated. Users are sorted by integrated risk score from high to low, and the first preset number of users are determined to be high-risk users. The preset number can be set as needed, for example, 5.
The higher the integrated risk score, the greater the hidden risk the person poses; the lower the integrated risk score, the smaller the hidden risk.
In another possible implementation of the invention, the risk identification result can be based on the risk type dimension. For example, the risk types that each user exhibits and the corresponding risk scores are obtained; then, for each risk type, the users who exhibit that risk type are sorted by risk score from high to low, and the first preset number of users are determined to be the risk users for that risk type.
The security risk identification method provided in this embodiment collects the log data reported by other devices or platforms and comprehensively analyzes the behavior of the same user in the Internet access scene, the intranet access scene, and the office area and device access scene, to obtain each person's risk information. Finally, a risk identification result is obtained from the risk information of each user, for example, identifying high-risk users. Because the safety management platform collects the user behavior in every scene in the system, the security risk of each user can be analyzed from a global perspective; the resulting analysis is more accurate and can reveal potential security risks in advance, which helps the company carry out risk control and management optimization.
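The pipeline of this embodiment (correlating one user's identifiers across scenes, evaluating the per-type models with their thresholds, weighting the per-type scores into an integrated score, and ranking by person or by risk type), as an added Python example that is not code from the patent. The decision conditions and thresholds are the ones stated above; the behavior labels, identity map, type weights, events and the per-type score formula (fraction of a model's conditions met) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed identity map: (behavior scene, scene-local identifier) -> employee number.
IDENTITY = {
    ("internet", "pc-zhang"): "E001",
    ("intranet", "zhang.a"): "E001",
    ("office_device", "usb-host-17"): "E001",
    ("office_device", "card-8802"): "E002",
    ("internet", "pc-li"): "E003",
}

# One model per risk type: (decision conditions, minimum number that must hold).
# Thresholds follow the text (3, any 1, any 1, 2 or 3); labels are assumed names.
# A "risk:<type>" condition is the verdict of an earlier model, so order matters.
MODELS = {
    "data_theft": ({"send_out_important_data", "copy_important_data",
                    "print_sensitive_data", "illegal_software",
                    "unauthorized_intranet_access", "crack_intranet_system"}, 3),
    "inefficient_operation": ({"unrelated_site_or_app", "illegal_device",
                               "area_or_iot_mismatch"}, 1),
    "abnormal_operation": ({"area_or_iot_mismatch", "illegal_device"}, 1),
    "resignation": ({"recruitment_site", "risk:inefficient_operation",
                     "risk:data_theft"}, 2),
}

# Assumed per-type weights (the text leaves them to the organization).
TYPE_WEIGHTS = {"data_theft": 0.4, "resignation": 0.3,
                "abnormal_operation": 0.2, "inefficient_operation": 0.1}

# Constructed log events, as gateways, the NAC and the IoT platform might report them.
EVENTS = [
    {"scene": "internet", "id": "pc-zhang", "behavior": "unrelated_site_or_app"},
    {"scene": "internet", "id": "pc-zhang", "behavior": "recruitment_site"},
    {"scene": "internet", "id": "pc-zhang", "behavior": "send_out_important_data"},
    {"scene": "intranet", "id": "zhang.a", "behavior": "unauthorized_intranet_access"},
    {"scene": "office_device", "id": "usb-host-17", "behavior": "copy_important_data"},
    {"scene": "office_device", "id": "card-8802", "behavior": "area_or_iot_mismatch"},
    {"scene": "internet", "id": "pc-li", "behavior": "copy_important_data"},
    {"scene": "internet", "id": "pc-guest", "behavior": "recruitment_site"},
]


def correlate(events):
    """Group behaviors per employee; keep events whose identifier is unknown."""
    per_user, unmatched = defaultdict(set), []
    for ev in events:
        user = IDENTITY.get((ev["scene"], ev["id"]))
        if user is None:
            unmatched.append(ev)  # cannot be attributed, so never scored
        else:
            per_user[user].add(ev["behavior"])
    return dict(per_user), unmatched


def score_user(behaviors):
    """Return {risk_type: score} for every model whose threshold is met."""
    facts, scores = set(behaviors), {}
    for risk_type, (conditions, needed) in MODELS.items():
        hits = conditions & facts
        if len(hits) >= needed:
            scores[risk_type] = len(hits) / len(conditions)  # assumed formula
            facts.add("risk:" + risk_type)  # visible to later models
    return scores


def composite(scores):
    """Integrated risk score: per-type scores weighted by risk-type weight."""
    return sum(TYPE_WEIGHTS[t] * s for t, s in scores.items())


def analyze(events):
    per_user, unmatched = correlate(events)
    return {u: score_user(b) for u, b in per_user.items()}, unmatched


def top_users(results, n):
    """Person dimension: first n users by integrated score, highest first."""
    ranked = sorted(((composite(s), u) for u, s in results.items() if s),
                    key=lambda x: (-x[0], x[1]))
    return [u for _, u in ranked[:n]]


def top_by_type(results, risk_type, n):
    """Risk-type dimension: first n users exhibiting risk_type, by its score."""
    ranked = sorted(((s[risk_type], u) for u, s in results.items() if risk_type in s),
                    key=lambda x: (-x[0], x[1]))
    return [u for _, u in ranked[:n]]


if __name__ == "__main__":
    results, unmatched = analyze(EVENTS)
    for user in top_users(results, 5):
        print(user, round(composite(results[user]), 4), results[user])
    print("unattributed events:", len(unmatched))
```

E003 meets only one of the six theft conditions and is therefore not flagged, and the event from the unmapped identifier is reported separately instead of being attributed to anyone.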
Referring to Fig. 3, which shows a flowchart of another security risk identification method provided by an embodiment of the invention. The method is applied in the safety management platform shown in Fig. 1. As shown in Fig. 3, the method includes the following steps in addition to those of the method embodiment shown in Fig. 2:
S210: return the analysis result for the users who pose a security risk to the devices associated with the risk identification result, so that the devices execute the corresponding risk management policy.
The safety management platform issues the obtained risk identification result to each gateway, next-generation firewall, NAC, EDR console or IoT device management platform. These gateways or platforms work out the risk behaviors associated with their own functions and execute the corresponding risk management policy. For example, after a user who steals internal data is found, the corresponding gateway or other device can adopt the corresponding risk management policy, such as restricting the user's access to the relevant servers, to eliminate the hidden risk. As another example, when an employee is found to exhibit inefficient operation, the network speed of that employee's Internet access is limited.
S220: send alarm information, the alarm information containing the identified risk identification result.
In one possible implementation of the invention, after the safety management platform obtains the risk identification result, it sends the corresponding alarm information.
For example, alarm information is sent to the administrator. The alarm information contains the risk identification result, so that the administrator discovers the security risks in the organization in time and promptly reports the risk identification result to the relevant personnel for management improvement or handling.
This embodiment does not limit the execution order of S210 and S220: they can be executed in parallel, or S220 can be executed first and then S210.
With the security risk identification method provided in this embodiment, after the users who pose a security risk are identified, alarm information is sent for the analysis result, so that managers discover the factors that pose a security risk in time and take corresponding management measures to eliminate the hidden danger, allowing the enterprise to carry out risk control and management optimization.
Corresponding to the security risk identification method embodiments above, this application also provides a security risk identification equipment embodiment.
Referring to Fig. 4, which shows a schematic structural diagram of a security risk identification equipment provided by an embodiment of the invention; the security risk identification equipment can be the safety management platform shown in Fig. 1.
The equipment includes a memory 110 and a processor 120. A computer program is stored in the memory 110, and the processor 120 executes the computer program in the memory 110 to implement the following steps:
Obtain a behavioral data set of users in various behavior scenes;
Determine, from the behavioral data set, the behavioral data of the same user in the various behavior scenes;
For each user, analyze the user's behavioral data in the various behavior scenes to obtain the user's risk information;
Obtain a risk identification result according to the risk information of each user.
In one embodiment of the invention, the processor 120 can receive all the log data collected by each behavioral data collection terminal.
In another possible implementation, what the processor 120 receives is log data that each behavioral data collection terminal, after preliminary analysis, has found may involve a security risk; in this application scenario, each behavioral data collection terminal needs to have security risk analysis capability.
For example, the behavioral data collection terminals can be the gateways connected to the security risk identification equipment (for example, an Internet behavior management gateway or a next-generation firewall) or platforms (an EDR console, a NAC, an IoT device management platform), and so on.
In one embodiment of the invention, when determining the behavioral data of the same user in the various behavior scenes from the behavioral data set, the processor 120 is specifically configured to:
Obtain the user identifiers of the same user in the different behavior scenes and, for any user, identify the user's behavioral data in the various behavior scenes according to the user's identifiers in those scenes.
The user identifiers include, but are not limited to, the user's terminal user name, the accounts in each intranet system, and the fingerprint, access card identifier and face used by the access control system. These user identifiers are stored in the memory 110 in association with the user information (e.g., name, employee number, position), and the processor 120 can read them from the memory 110.
In one embodiment of the invention, when analyzing, for each user, the user's behavioral data in the various behavior scenes to obtain the user's risk information, the processor 120 is specifically configured to:
For each user, input the user's behavioral data in the various behavior scenes into the risk analysis model corresponding to each risk type for analysis, and obtain the risk types that the user exhibits and the risk score corresponding to each risk type, where the risk score characterizes the degree of the user's risk for that risk type;
Obtain the user's integrated risk score according to the risk scores of the risk types that the user exhibits and the preset weights of those risk types, where the integrated risk score characterizes the user's overall degree of risk.
A corresponding risk analysis model can be designed for each risk type. Each risk analysis model contains one or more risk decision conditions; for a risk analysis model with multiple risk decision conditions, the weights of the conditions and the way they are combined (e.g., "or", "and") must also be set. The risk decision conditions are determined by the characteristics of the risk type.
The weight of each risk type can be set according to the organization's internal business needs: the greater a risk type's impact on the organization's safe operation, the higher its weight; the smaller its impact, the lower its weight.
In one possible implementation, the risk identification result can be a result based on the person dimension. In this case, when obtaining the risk identification result according to the risk information of each user, the processor 120 is specifically configured to: determine, in order of integrated risk score from high to low, the first preset number of users to be risk users.
In another possible implementation, the risk identification result can be based on the risk type dimension. In this case, when obtaining the risk identification result according to the risk information of each user, the processor 120 is specifically configured to: for any risk type, determine the risk users who exhibit that risk type in order of the risk score corresponding to the risk type from high to low.
In one possible implementation of the invention, after the security risk identification equipment obtains the risk identification result, it can issue the corresponding risk management policy to the relevant data collection terminals. In this application scenario, when executing the computer program stored in the memory 110, the processor 120 is further configured to: issue a risk management policy, according to the risk identification result, to the data collection terminal associated with the risk identification result, so that the device executes the risk management policy.
In another possible implementation of the invention, each data collection terminal can work out the risk behaviors associated with its own function and execute the corresponding risk management policy. In this application scenario, when executing the computer program stored in the memory 110, the processor 120 is further configured to: issue the risk identification result to the data collection terminal associated with the risk identification result, so that the data collection terminal implements the risk management policy that matches the risk identification result.
The processor here can be a CPU, an MCU, or a combination of a CPU and an MCU.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The risk analysis equipment provided in this embodiment collects the log data reported by other devices or platforms and comprehensively analyzes the behavior of the same user in the Internet access scene, the intranet access scene, and the office area and device access scene, to obtain each person's risk information. Finally, a risk identification result is obtained from the risk information of each user, for example, identifying high-risk users. Because the safety management platform collects the user behavior in every scene in the system, the security risk of each user can be analyzed from a global perspective; the resulting analysis is more accurate and can reveal potential security risks in advance, which helps the company carry out risk control and management optimization.
In another aspect, the invention also provides a security risk identification device embodiment. Referring to Fig. 5, which shows a block diagram of a security risk identification device provided by an embodiment of the invention, the device includes: an acquisition module 210, a determining module 220, a risk analysis module 230 and a risk result obtaining module 240.
The acquisition module 210 is configured to obtain a behavioral data set of users in various behavior scenes.
In one embodiment of the invention, the acquisition module can receive all the behavioral data of each user in a behavior scene, sent by the data collection terminal in each behavior scene.
In other embodiments of the invention, each data collection terminal can identify, by preliminary analysis, the behavioral data that may involve risk, and send that behavioral data to the acquisition module.
The determining module 220 is configured to determine, from the behavioral data set, the behavioral data of the same user in the various behavior scenes.
In one embodiment of the invention, the determining module includes an acquisition submodule and an identification submodule;
The acquisition submodule is configured to obtain the user identifiers of the same user in the different behavior scenes.
The identification submodule is configured to identify, for any user, the user's behavioral data in the various behavior scenes according to the user's identifiers in those scenes.
The risk analysis module 230 is configured to analyze, for each user, the user's behavioral data in the various behavior scenes to obtain the user's risk information.
In one embodiment of the invention, the risk analysis module includes an analysis submodule and a risk score obtaining submodule.
The analysis submodule is configured to input, for each user, the user's behavioral data in the various behavior scenes into the risk analysis model corresponding to each risk type for analysis, and to obtain the risk types that the user exhibits and the risk score corresponding to each risk type.
The risk score characterizes the degree of the user's risk for that risk type.
The risk score obtaining submodule is configured to obtain the user's integrated risk score according to the risk scores of the risk types that the user exhibits and the preset weights of those risk types.
The integrated risk score characterizes the user's overall degree of risk.
The risk result obtaining module 240 is configured to obtain a risk identification result according to the risk information of each user.
In one possible implementation of the invention, the risk identification result can be a result based on the person dimension: after the integrated risk score of each user has been obtained by analysis, the first preset number of users, in order of integrated risk score from high to low, are determined to be risk users.
In another possible implementation of the invention, the risk identification result can be based on the risk type dimension: for any risk type, the risk users who exhibit that risk type are determined in order of the risk score corresponding to the risk type from high to low.
After the risk users are identified, the corresponding risk management policy can be executed for the risk types of those users. For example, after a user who steals internal data is found, the corresponding gateway or other device can adopt the corresponding risk management policy, such as restricting the user's access to the relevant servers, to eliminate the hidden risk. As another example, when an employee is found to exhibit inefficient operation, the network speed of that employee's Internet access is limited.
In one embodiment of the invention, the security risk identification device can also include a first issuing module. The first issuing module is configured to issue a risk management policy, according to the risk identification result, to the data collection terminal associated with the risk identification result, so that the data collection terminal executes the risk management policy.
In yet another embodiment of the invention, the security risk identification device can also include a second issuing module. The second issuing module is configured to issue the risk identification result to the data collection terminal associated with the risk identification result, so that the data collection terminal implements the risk management policy that matches the risk identification result.
The security risk identification device provided in this embodiment collects the log data reported by other devices or platforms and comprehensively analyzes the behavior of the same user in the Internet access scene, the intranet access scene, and the office area and device access scene, to obtain each person's risk information. Finally, a risk identification result is obtained from the risk information of each user, for example, identifying high-risk users. Because the safety management platform collects the user behavior in every scene in the system, the security risk of each user can be analyzed from a global perspective; the resulting analysis is more accurate and can reveal potential security risks in advance, which helps the company carry out risk control and management optimization.
In yet another aspect, an embodiment of the invention also provides a storage medium storing a computer program; when the computer program is executed by a processor, the method steps described in the security risk identification method embodiments above are implemented.
For simplicity of description, each of the method embodiments above is stated as a series of combined actions, but those skilled in the art should understand that the invention is not limited by the described order of actions, because according to the invention some steps can be performed in other orders or simultaneously. In addition, those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions and modules involved are not necessarily required by the invention.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to each other. Because the device embodiments are basically similar to the method embodiments, they are described relatively briefly; for related details, see the corresponding description of the method embodiments.
The steps in the methods of the embodiments of this application can be reordered, merged and deleted according to actual needs.
The modules and submodules in the devices and terminals of the embodiments of this application can be merged, divided and deleted according to actual needs.
In the several embodiments provided in this application, it should be understood that the disclosed terminal, device and method can be implemented in other ways. For example, the terminal embodiments described above are only schematic: the division into modules or submodules is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple submodules or modules may be combined or integrated into another module, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection through some interfaces, devices or modules, and can be electrical, mechanical or of another form.
Modules or submodules described as separate components may or may not be physically separate, and components presented as modules or submodules may or may not be physical modules or submodules; that is, they can be located in one place or distributed over multiple network modules or submodules. Some or all of the modules or submodules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules or submodules in the embodiments of this application can be integrated in one processing module, each module or submodule can exist physically on its own, or two or more modules or submodules can be integrated in one module. The integrated modules or submodules can be implemented in the form of hardware or in the form of software functional modules or submodules.
Finally, it should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to the process, method, article or device. Without further limitation, an element introduced by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the invention. Therefore, the invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above is only a preferred embodiment of the invention. It should be noted that those of ordinary skill in the art can make various improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the protection scope of the invention.

Claims (16)

1. A security risk identification method, characterized by comprising:
Obtaining a behavioral data set of users in various behavior scenes;
Determining, from the behavioral data set, the behavioral data of the same user in the various behavior scenes;
For each user, analyzing the user's behavioral data in the various behavior scenes to obtain the user's risk information;
Obtaining a risk identification result according to the risk information of each user.
2. The method according to claim 1, characterized in that analyzing, for each user, the user's behavioral data in the various behavior scenes to obtain the user's risk information comprises:
For each user, inputting the user's behavioral data in the various behavior scenes into the risk analysis model corresponding to each risk type for analysis, and obtaining the risk types that the user exhibits and the risk score corresponding to each risk type, where the risk score characterizes the degree of the user's risk for that risk type;
Obtaining the user's integrated risk score according to the risk scores of the risk types that the user exhibits and the preset weights of those risk types, where the integrated risk score characterizes the user's overall degree of risk.
3. The method according to claim 2, characterized in that obtaining the risk identification result according to the risk information of each user comprises:
Determining, in order of the integrated risk score from high to low, the first preset number of users to be risk users;
Alternatively,
For any risk type, determining the risk users who exhibit that risk type in order of the risk score corresponding to the risk type from high to low.
4. The method according to claim 1, characterized in that obtaining the behavioral data set of users in various behavior scenes comprises:
Receiving all the behavioral data of each user in a behavior scene, sent by the behavioral data collection terminal in each behavior scene;
Alternatively,
Receiving the behavioral data corresponding to users who pose a potential risk in the various behavior scenes, where the users who pose a potential risk are obtained by the behavioral data collection terminal in a behavior scene analyzing the behavioral data of each user in that behavior scene.
5. The method according to claim 1, characterized in that determining, from the behavioral data set, the behavioral data of the same user in the various behavior scenes comprises:
Obtaining the user identifiers of the same user in the different behavior scenes;
For any user, identifying the user's behavioral data in the various behavior scenes according to the user's identifiers in those scenes.
6. The method according to any one of claims 1-5, characterized in that the method further comprises:
Issuing a risk management policy, according to the risk identification result, to the data collection terminal associated with the risk identification result, so that the data collection terminal executes the risk management policy.
7. The method according to any one of claims 1-5, characterized in that the method further comprises:
Issuing the risk identification result to the data collection terminal associated with the risk identification result, so that the data collection terminal implements the risk management policy that matches the risk identification result.
8. a kind of security risk identifies equipment characterized by comprising memory and processor;
Computer program is stored in the memory, the processor executes the computer program in the memory and realizes such as Lower step:
Obtain behavioral data collection of the user under various actions scene;
The behavioral data for determining the same user under various actions scene is concentrated from the behavioral data;
For each user, analyzes behavioral data of the user under various actions scene and obtain the risk information of the user;
Risk information according to each user obtains risk identification result.
9. security risk according to claim 8 identifies equipment, which is characterized in that the processor is used to be directed to each User is specifically used for when analyzing behavioral data of the user under various actions scene and obtaining the risk information of the user:
For each user, it is corresponding that behavioral data of the user under various actions scene is input to every kind of risk classifications Risk analysis model analyzed, obtain risk classifications existing for the user and the corresponding risk score of the risk classifications, should Risk score characterizes the user, and there are the degrees of risk of the risk classifications risk;
According to the corresponding risk score of risk classifications existing for the user and the corresponding default weight of the risk classifications, the use is obtained The integrated risk score at family, the integrated risk score characterize integrated risk degree existing for the user.
10. security risk according to claim 9 identifies equipment, which is characterized in that the processor is used for according to each When the risk information of user obtains risk identification result, it is specifically used for:
According to the sequence of the integrated risk score from high to low, preset quantity user is risk subscribers before determining;
Alternatively,
Determine exist according to the sequence of the corresponding risk score of the risk classifications from high to low for any risk classifications The risk subscribers of the risk classifications.
11. security risk according to claim 8 identifies equipment, which is characterized in that the processor is for obtaining user When behavioral data collection under various actions scene, it is specifically used for:
Receive all behaviors of each user of the behavioral data collection terminal transmission in various actions scene under behavior scene Data;
Alternatively,
Behavioral data corresponding to the user under various actions scene there are potential risk is received, described there are the use of potential risk Family analyze by behavioral data of the behavioral data collection terminal in behavior scene to each user under behavior scene It arrives.
12. security risk according to claim 8 identifies equipment, which is characterized in that the processor is used for from the row When to determine behavioral data of the same user under various actions scene in data set, it is specifically used for:
Obtain user identifier of the same user in different behavior scenes;
For any user, identify the user in various actions field according to user identifier of the user in various actions scene Behavioral data under scape.
13. identifying equipment according to the described in any item security risks of claim 8-12, which is characterized in that the processor executes It is also used to when calculation procedure in the memory:
Risk management policy is issued to data collection terminal associated with the risk identification result according to the risk identification result, So that the equipment executes the risk management policy.
14. The security risk identification equipment according to any one of claims 8-12, characterized in that the processor, when executing the computer program in the memory, is further configured to:
Issue the risk identification result to the data collection terminal associated with the risk identification result, so that the equipment implements a risk management policy that matches the risk identification result.
15. A security risk identification device, characterized by comprising:
An obtaining module, for obtaining a behavioral data set of users under various behavior scenes;
A determining module, for determining, from the behavioral data set, the behavioral data of the same user under the various behavior scenes;
A risk analysis module, for analyzing, for each user, the behavioral data of the user under the various behavior scenes to obtain the risk information of the user;
A risk result obtaining module, for obtaining a risk identification result according to the risk information of each user.
16. A storage medium, characterized in that a computer program is stored on the storage medium, and the computer program, when executed by a processor, implements the security risk identification method according to any one of claims 1-7.
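The cross-scene linking of claim 12 and the two ranking alternatives of claim 10, as an added Python example that is not part of the patent text. The scene names, identifiers, risk types and scores are constructed, and computing the integrated score as the sum of per-type scores is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample data. Identity map: (scene, scene-local identifier) -> user.
ID_MAP = {
    ("vpn", "zhang.w"): "u1001", ("mail", "zhangw@example.test"): "u1001",
    ("file", "S-1001"): "u1001", ("mail", "li.m@example.test"): "u1002",
    ("vpn", "wang.q"): "u1003",
}
# Constructed records: (scene, scene-local identifier, risk type, risk score).
EVENTS = [
    ("vpn", "zhang.w", "account_compromise", 30),
    ("mail", "zhangw@example.test", "data_leak", 35),
    ("file", "S-1001", "data_leak", 30),
    ("mail", "li.m@example.test", "data_leak", 50),
    ("vpn", "wang.q", "account_compromise", 60),
    ("vpn", "guest7", "account_compromise", 10),  # no mapping: reported, not dropped
]

def link_events(events, id_map):
    """Claim 12: group records of the same user across scenes via per-scene identifiers."""
    per_user, unlinked = defaultdict(list), []
    for scene, local_id, risk_type, score in events:
        user = id_map.get((scene, local_id))
        if user is None:
            unlinked.append((scene, local_id))
        else:
            per_user[user].append((risk_type, score))
    return per_user, unlinked

def risk_info(per_user):
    """Per-user risk information; summing scores is an assumption of this example."""
    info = {}
    for user, records in per_user.items():
        by_type = defaultdict(int)
        for risk_type, score in records:
            by_type[risk_type] += score
        info[user] = {"by_type": dict(by_type), "integrated": sum(by_type.values())}
    return info

def top_integrated(info, n):
    """Claim 10, first alternative: first n users by integrated score, high to low."""
    return sorted(info, key=lambda u: (-info[u]["integrated"], u))[:n]

def top_by_type(info, risk_type, n):
    """Claim 10, second alternative: rank only users that carry this risk type."""
    users = [u for u in info if risk_type in info[u]["by_type"]]
    return sorted(users, key=lambda u: (-info[u]["by_type"][risk_type], u))[:n]

if __name__ == "__main__":
    per_user, unlinked = link_events(EVENTS, ID_MAP)
    info = risk_info(per_user)
    print(top_integrated(info, 2), top_by_type(info, "data_leak", 1), unlinked)
```

In this sample no single record of u1001 is the highest in its scene, yet the linked user ranks first overall, while u1003 still leads the account_compromise ranking.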
CN201910364748.2A 2019-04-30 2019-04-30 Security risk recognition methods, device, equipment and storage medium Pending CN110059984A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910364748.2A CN110059984A (en) 2019-04-30 2019-04-30 Security risk recognition methods, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910364748.2A CN110059984A (en) 2019-04-30 2019-04-30 Security risk recognition methods, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110059984A true CN110059984A (en) 2019-07-26

Family

ID=67322084

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910364748.2A Pending CN110059984A (en) 2019-04-30 2019-04-30 Security risk recognition methods, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110059984A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110365698A (en) * 2019-07-29 2019-10-22 杭州数梦工场科技有限公司 Methods of risk assessment and device
CN110599004A (en) * 2019-08-23 2019-12-20 阿里巴巴集团控股有限公司 Risk control method, equipment, medium and device
CN110955395A (en) * 2019-12-17 2020-04-03 珠海格力电器股份有限公司 Risk assessment method and device for printing system and storage medium
CN112104618A (en) * 2020-08-27 2020-12-18 深信服科技股份有限公司 Information determination method, information determination device and computer readable storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080288330A1 (en) * 2007-05-14 2008-11-20 Sailpoint Technologies, Inc. System and method for user access risk scoring
CN101895578A (en) * 2010-07-06 2010-11-24 国都兴业信息审计系统技术(北京)有限公司 Document monitor and management system based on comprehensive safety audit
CN103186637A (en) * 2011-12-30 2013-07-03 中国移动通信集团广东有限公司 Method and device for analyzing user behavior of BOSS database
CN105553940A (en) * 2015-12-09 2016-05-04 北京中科云集科技有限公司 Safety protection method based on big data processing platform
CN105721256A (en) * 2016-04-25 2016-06-29 北京威努特技术有限公司 Auditing data duplication eliminating method of distributed deploying and auditing platform
CN107483448A (en) * 2017-08-24 2017-12-15 中国科学院信息工程研究所 A kind of network security detection method and detecting system
US20180082229A1 (en) * 2015-05-13 2018-03-22 Alibaba Group Holding Limited Risk identification based on historical behavioral data
CN108156135A (en) * 2017-12-05 2018-06-12 北京控制与电子技术研究所 A kind of classified network information-leakage risk monitoring method
CN108711013A (en) * 2018-05-24 2018-10-26 深圳市买买提信息科技有限公司 Abnormal behaviour determines method, apparatus, equipment and storage medium
US20180375892A1 (en) * 2017-06-23 2018-12-27 Ido Ganor Enterprise cyber security risk management and resource planning
CN109242280A (en) * 2018-08-22 2019-01-18 泰康保险集团股份有限公司 User behavior data processing method, device, electronic equipment and readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190726