CN110062046B - Data access full-path correlation auditing method - Google Patents


Info

Publication number
CN110062046B
Authority
CN
China
Prior art keywords
access
node
correlation
resource
calculation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910331889.4A
Other languages
Chinese (zh)
Other versions
CN110062046A (en)
Inventor
陆明威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Quanzhi Technology Hangzhou Co ltd
Original Assignee
Quanzhi Technology Hangzhou Co ltd

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/18File system types
    • G06F16/1805Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815Journaling file systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25Integrating or interfacing systems involving database management systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a data access full-path correlation auditing method in the technical field of data security, comprising the following steps: first, establish the preceding and following access relations of each intermediate node and generate all access logs; supposing node A accesses node B and node B accesses node C, determine which accesses from node A to node B and which accesses from node B to node C are causally correlated; then associate the multiple causally related access logs that are forwarded through multiple intermediate service processes in the network access. By providing a method for associating the full path of a data access, the invention associates the multiple causally related access logs forwarded through multiple intermediate service processes in network access, and solves the prior-art problems that only the access information between two nodes can be audited and the complete data access path cannot be traced and restored, which causes many difficulties for audit analysts.

Description

Data access full-path correlation auditing method
Technical Field
The invention relates to the technical field of data security, in particular to a full-path association auditing method for data access.
Background
In network environments that make heavy use of microservices and distributed technologies, a data access operation is initiated by a terminal entity and reaches the data storage service only after passing through multiple application services, background services, middleware services and the like. Each intermediate service handles the requests of multiple upstream and downstream service nodes intermixed, which breaks the access chain. A simple auditing system can only audit the access information between two nodes; it cannot trace and restore the complete data access path, which causes many difficulties for audit analysts.
Disclosure of Invention
To overcome the above defects of the prior art, embodiments of the present invention provide a data access full-path correlation auditing method. By providing a method for associating the full path of a data access, it associates the multiple causally related access logs forwarded through multiple intermediate service processes in network access, and thereby solves the prior-art problems that only the access information between two nodes can be audited and the complete data access path cannot be traced and restored, which causes many difficulties for audit analysts.
To achieve this purpose, the invention provides the following technical scheme: a data access full-path correlation auditing method whose specific auditing steps are as follows:
S1. Because a data access passes through multiple service layers, it involves an original access node, a number of intermediate nodes and a final node. First, establish the preceding and following access relations of each intermediate node and generate all access logs. Supposing node A accesses node B and node B accesses node C, determine which accesses from node A to node B and which accesses from node B to node C are causally correlated;
S2. Then associate the multiple causally related access logs that are forwarded through multiple intermediate service processes in the network access. Specifically, on the basis of full-traffic auditing, three rounds of calculation correlate the accesses at each stage to describe a full-path map of the data access, as follows:
S2.1. First round of calculation: apply a correlation coefficient algorithm to the access statistics of the intermediate node, calculating the correlation between the accesses made to the intermediate node and the accesses issued by the intermediate node, so as to determine which accesses to a resource X of the intermediate node trigger the intermediate node to access a resource Y of another node;
The correlation coefficient algorithm is as follows:
Figure GDA0003119289640000021
where cov(X, Y) is the covariance of X and Y, Var[X] is the variance of X, and Var[Y] is the variance of Y;
For each time interval, obtain the number of accesses to resource X of the intermediate node and the number of accesses to resource Y issued by the intermediate node;
Use the formula to calculate the access relation between resource X and resource Y. When the correlation coefficient r(X, Y) is less than 0.4, the correlation between X and Y is considered weak, and accesses to Y are excluded from the calculation of the links correlated with X;
S2.2. Second round of calculation: use the time-axis constraint to exclude accesses that do not satisfy it. Let the request time of resource X be Xq and its response time Xr, and let the request time of resource Y be Yq and its response time Yr; the time-axis constraint that must be satisfied is: Xq < Yq < Yr < Xr;
S2.3. Third round of calculation: on the basis of the second round, build a keyword dictionary table Xz from the request and response of X, and a series of keyword dictionary tables Yz1, Yz2, Yz3 … from the requests and responses of the Y accesses that satisfy the time constraint. First remove from the dictionary table of X the keywords that do not appear in any of the dictionaries Yz1, Yz2, Yz3 …; then, using the access dictionaries of Y, exclude the Y requests in which the remaining dictionary of X does not appear;
S2.4. The three rounds of calculation yield, for each access to an intermediate node, the specific accesses issued by that intermediate node that it triggered. Starting from the original access node and proceeding through each node accessed along the way, calculate the subsequent accesses triggered by each preceding access until a node is reached for which no further triggered access can be found; then connect the calculated accesses in series, in order, to form a complete data access path and describe the full-path map of the data access.
In a preferred embodiment, the node is a computer node through which data in the data access flows or on which it is retained.
The technical effects and advantages of the invention are:
By providing a method for associating the full path of a data access, the invention associates the multiple causally related access logs forwarded through multiple intermediate service processes in network access, and solves the prior-art problems that only the access information between two nodes can be audited and the complete data access path cannot be traced and restored, which causes many difficulties for audit analysts.
Drawings
FIG. 1 is an overall flowchart of example 2 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1:
A data access full-path correlation auditing method whose specific auditing steps are as follows:
S1. Because a data access passes through multiple service layers, it involves an original access node, a number of intermediate nodes and a final node. First, establish the preceding and following access relations of each intermediate node and generate all access logs. Supposing node A accesses node B and node B accesses node C, determine which accesses from node A to node B and which accesses from node B to node C are causally correlated;
S2. Then associate the multiple causally related access logs that are forwarded through multiple intermediate service processes in the network access. Specifically, on the basis of full-traffic auditing, three rounds of calculation correlate the accesses at each stage to describe a full-path map of the data access, as follows:
S2.1. First round of calculation: apply a correlation coefficient algorithm to the access statistics of the intermediate node, calculating the correlation between the accesses made to the intermediate node and the accesses issued by the intermediate node, so as to determine which accesses to a resource X of the intermediate node trigger the intermediate node to access a resource Y of another node;
The correlation coefficient algorithm is as follows:
Figure GDA0003119289640000041
where cov(X, Y) is the covariance of X and Y, Var[X] is the variance of X, and Var[Y] is the variance of Y;
For each time interval, obtain the number of accesses to resource X of the intermediate node and the number of accesses to resource Y issued by the intermediate node;
Use the formula to calculate the access relation between resource X and resource Y. When the correlation coefficient r(X, Y) is less than 0.4, the correlation between X and Y is considered weak, and accesses to Y are excluded from the calculation of the links correlated with X;
S2.2. Second round of calculation: use the time-axis constraint to exclude accesses that do not satisfy it. Let the request time of resource X be Xq and its response time Xr, and let the request time of resource Y be Yq and its response time Yr; the time-axis constraint that must be satisfied is: Xq < Yq < Yr < Xr;
S2.3. Third round of calculation: on the basis of the second round, build a keyword dictionary table Xz from the request and response of X, and a series of keyword dictionary tables Yz1, Yz2, Yz3 … from the requests and responses of the Y accesses that satisfy the time constraint. First remove from the dictionary table of X the keywords that do not appear in any of the dictionaries Yz1, Yz2, Yz3 …; then, using the access dictionaries of Y, exclude the Y requests in which the remaining dictionary of X does not appear;
S2.4. The three rounds of calculation yield, for each access to an intermediate node, the specific accesses issued by that intermediate node that it triggered. Starting from the original access node and proceeding through each node accessed along the way, calculate the subsequent accesses triggered by each preceding access until a node is reached for which no further triggered access can be found; then connect the calculated accesses in series, in order, to form a complete data access path and describe the full-path map of the data access.
The node is specifically a computer node through which data in the data access flows or on which it is retained.
The implementation is specifically as follows: by providing a method for associating the full path of a data access, the multiple causally related access logs forwarded through multiple intermediate service processes in network access are associated, which solves the prior-art problems that only the access information between two nodes can be audited and the complete data access path cannot be traced and restored, which causes many difficulties for audit analysts.
Example 2:
In the data access full-path correlation auditing method shown in FIG. 1, the specific auditing steps are as follows:
On the basis of full-traffic auditing, three rounds of calculation correlate the accesses at each stage to describe a full-path map of the data access, as follows:
S2.1. First round of calculation: apply a correlation coefficient algorithm to the access statistics of the intermediate node, calculating the correlation between the accesses made to the intermediate node and the accesses issued by the intermediate node, and determining by causal correlation that the access to resource X of node A triggers node A's access to resource Y;
The correlation coefficient algorithm is as follows:
Figure GDA0003119289640000051
where cov(X, Y) is the covariance of X and Y, Var[X] is the variance of X, and Var[Y] is the variance of Y;
For each time interval, obtain the number of accesses to resource X of the intermediate node and the number of accesses to resource Y issued by the intermediate node;
Use the formula to calculate the access relation between resource X and resource Y. When the correlation coefficient r(X, Y) is less than 0.4, the correlation between X and Y is considered weak, and accesses to Y are excluded from the calculation of the links correlated with X;
S2.2. Second round of calculation: use the time-axis constraint to exclude accesses that do not satisfy it; for a single access X1 to X, the Y accesses that satisfy the time constraint include Y1, Y2, Y3 and so on;
S2.3. Third round of calculation: on the basis of the second round, build a keyword dictionary table from the requests and responses of X; among Y1, Y2 and Y3, it is Y2 that matches the request and response keywords of X1.
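The three rounds and the chaining of S2.4, worked through on a small log as an added example (not code from the patent). It assumes r(X, Y) is the standard Pearson coefficient cov(X, Y) / sqrt(Var[X] · Var[Y]), and reads round 3 as "keep a Y access if it shares at least one remaining keyword with X"; the log is constructed, and the node names, resources, interval width and function names are hypothetical.

```python
from dataclasses import dataclass
from math import sqrt

R_MIN = 0.4    # S2.1: r(X, Y) below this is treated as weak correlation
WIDTH = 10.0   # assumed length of one counting interval (seconds)
BINS = 6       # assumed number of intervals covered by the sample log

@dataclass(frozen=True)
class Access:
    id: str
    src: str         # node issuing the access
    dst: str         # node receiving it
    resource: str
    req: float       # request time  (Xq / Yq)
    resp: float      # response time (Xr / Yr)
    kw: frozenset    # keywords seen in the request and response

def acc(id, src, dst, resource, req, resp, *kw):
    return Access(id, src, dst, resource, req, resp, frozenset(kw))

# Constructed sample: client A -> service B -> database C -> storage E,
# plus periodic B -> D pings that no client request triggers.
LOG = [
    acc("X1", "A", "B", "/order", 1.0, 3.0, "order=7781", "sid=1"),
    acc("X2", "A", "B", "/order", 1.2, 2.8, "order=7782", "sid=2"),
    acc("X3", "A", "B", "/order", 1.1, 2.9, "order=7783", "sid=3"),
    acc("Y1", "B", "C", "orders", 1.3, 1.6, "order=7782"),
    acc("Y2", "B", "C", "orders", 1.5, 2.0, "order=7781"),
    acc("Y3", "B", "C", "orders", 1.7, 2.2, "order=7783"),
]
for n, t in ((4, 21.0), (5, 41.0), (6, 45.0)):   # later, non-overlapping requests
    LOG += [acc(f"X{n}", "A", "B", "/order", t, t + 0.9, f"order=778{n}", f"sid={n}"),
            acc(f"Y{n}", "B", "C", "orders", t + 0.2, t + 0.5, f"order=778{n}")]
LOG += [acc("Z" + y.id[1:], "C", "E", "blk", y.req + 0.05, y.resp - 0.05, *y.kw)
        for y in LOG if y.dst == "C"]
LOG += [acc(f"P{i}", "B", "D", "ping", t, t + 0.1, "ping")
        for i, t in enumerate((1.4, 12.0, 16.0, 33.0, 52.0, 56.0), 1)]

def pearson(xs, ys):
    """cov / sqrt(Var[X] * Var[Y]); the 1/n factors cancel. 0.0 if a series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0

def counts(log, **match):
    """Number of accesses per interval among records whose fields equal `match`."""
    bins = [0] * BINS
    for a in log:
        if all(getattr(a, k) == v for k, v in match.items()):
            bins[min(int(a.req // WIDTH), BINS - 1)] += 1
    return bins

def round1(log, node, x_res):
    """(dst, resource) targets of `node` whose access counts correlate with X."""
    xs = counts(log, dst=node, resource=x_res)
    targets = {(a.dst, a.resource) for a in log if a.src == node}
    return {t for t in targets
            if pearson(xs, counts(log, src=node, dst=t[0], resource=t[1])) >= R_MIN}

def round2(log, x):
    """Round-1 survivors that also satisfy Xq < Yq < Yr < Xr for this access x."""
    keep = round1(log, x.dst, x.resource)
    return [y for y in log if y.src == x.dst and (y.dst, y.resource) in keep
            and x.req < y.req < y.resp < x.resp]

def round3(x, cands):
    """Trim X's dictionary to keywords seen in some Y, then keep the Ys that carry one."""
    xz = x.kw & frozenset().union(*(y.kw for y in cands))
    return [y for y in cands if xz & y.kw]

def full_path(log, x):
    """S2.4: recurse until no triggered access is found (time nesting guarantees an end)."""
    return {x.id: [full_path(log, y) for y in round3(x, round2(log, x))]}
```

The ping P1 falls inside X1's time window, so only round 1 removes it; Y1 and Y3 pass rounds 1 and 2 and are removed by the keyword round, which reproduces the X1/Y2 match of Example 2.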
Finally, the following points should be noted. First, in the description of the present application, unless otherwise specified and limited, the terms "mounted," "connected," and "connected" should be understood broadly: the connection may be mechanical or electrical, or a communication between two elements, and may be direct; "upper," "lower," "left," and "right" only indicate a relative positional relationship, which may change when the absolute position of the described object changes;
Second, the drawings of the disclosed embodiments show only the structures related to those embodiments; other structures may follow common designs, and the same embodiment and different embodiments of the invention may be combined with each other where they do not conflict;
Finally, the above description only illustrates the preferred embodiments of the present invention and is not to be construed as limiting it; any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention are intended to be included in its scope of protection.

Claims (2)

1. A data access full-path correlation auditing method, characterized in that the specific auditing steps are as follows:
S1. Because a data access passes through multiple service layers, it involves an original access node, a number of intermediate nodes and a final node. First, establish the preceding and following access relations of each intermediate node and generate all access logs. Supposing node A accesses node B and node B accesses node C, determine which accesses from node A to node B and which accesses from node B to node C are causally correlated;
S2. Then associate the multiple causally related access logs that are forwarded through multiple intermediate service processes in the network access. Specifically, on the basis of full-traffic auditing, three rounds of calculation correlate the accesses at each stage to describe a full-path map of the data access, as follows:
S2.1. First round of calculation: apply a correlation coefficient algorithm to the access statistics of the intermediate node, calculating the correlation between the accesses made to the intermediate node and the accesses issued by the intermediate node, so as to determine which accesses to a resource X of the intermediate node trigger the intermediate node to access a resource Y of another node;
The correlation coefficient algorithm is as follows:
Figure FDA0003119289630000011
where cov(X, Y) is the covariance of X and Y, Var[X] is the variance of X, and Var[Y] is the variance of Y;
For each time interval, obtain the number of accesses to resource X of the intermediate node and the number of accesses to resource Y issued by the intermediate node;
Use the formula to calculate the access relation between resource X and resource Y. When the correlation coefficient r(X, Y) is less than 0.4, the correlation between X and Y is considered weak, and accesses to Y are excluded from the calculation of the links correlated with X;
S2.2. Second round of calculation: use the time-axis constraint to exclude accesses that do not satisfy it. Let the request time of resource X be Xq and its response time Xr, and let the request time of resource Y be Yq and its response time Yr; the time-axis constraint that must be satisfied is: Xq < Yq < Yr < Xr;
S2.3. Third round of calculation: on the basis of the second round, build a keyword dictionary table Xz from the request and response of X, and a series of keyword dictionary tables Yz1, Yz2, Yz3 … from the requests and responses of the Y accesses that satisfy the time constraint. First remove from the dictionary table of X the keywords that do not appear in any of the dictionaries Yz1, Yz2, Yz3 …; then, using the access dictionaries of Y, exclude the Y requests in which the remaining dictionary of X does not appear;
S2.4. The three rounds of calculation yield, for each access to an intermediate node, the specific accesses issued by that intermediate node that it triggered. Starting from the original access node and proceeding through each node accessed along the way, calculate the subsequent accesses triggered by each preceding access until a node is reached for which no further triggered access can be found; then connect the calculated accesses in series, in order, to form a complete data access path and describe the full-path map of the data access.
2. The data access full-path correlation auditing method according to claim 1, characterized in that the node is specifically a computer node through which data in the data access flows or on which it is retained.
CN201910331889.4A 2019-04-24 2019-04-24 Data access full-path correlation auditing method Active CN110062046B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910331889.4A CN110062046B (en) 2019-04-24 2019-04-24 Data access full-path correlation auditing method


Publications (2)

Publication Number Publication Date
CN110062046A CN110062046A (en) 2019-07-26
CN110062046B true CN110062046B (en) 2021-08-13

Family

ID=67320389

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910331889.4A Active CN110062046B (en) 2019-04-24 2019-04-24 Data access full-path correlation auditing method

Country Status (1)

Country Link
CN (1) CN110062046B (en)


Also Published As

Publication number Publication date
CN110062046A (en) 2019-07-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant