CN110457349A - The monitoring method and monitoring device of information outflow - Google Patents


Publication number
CN110457349A
Authority
CN
China
Prior art keywords
information
current
outflow
scoring
appraisal result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910590401.XA
Other languages
Chinese (zh)
Other versions
CN110457349B (en)
Inventor
简军
邹金根
汤奇朋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Renrenyuntu Information Technology Co Ltd
Original Assignee
Beijing Renrenyuntu Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Renrenyuntu Information Technology Co Ltd
Priority to CN201910590401.XA
Publication of CN110457349A
Application granted
Publication of CN110457349B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/24568 Data stream processing; Continuous queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/953 Querying, e.g. by the use of web search engines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data

Abstract

The present invention provides a monitoring method and a monitoring device for information outflow. The monitoring method comprises: determining a current frequency score of information currently flowing out of a data platform, the current frequency score being obtained based on the time interval between the time of the current outflow of the information and the time of the Nth outflow of the information, where the Nth outflow occurred before the current outflow; scoring the current outflow of the information according to the current frequency score to obtain a current scoring result; and determining, according to the current scoring result, whether the current outflow of the information is abnormal. The technical solution of the present invention quantifies the time data of information outflow, so that the monitoring of information outflow is more timely and accurate.

Description

Monitoring method and monitoring device for information outflow
Technical Field
The present invention relates to the field of information security, and in particular to a monitoring method and a monitoring device for information outflow.
Background
In a data platform (such as a database or a website), the outflow of information can be divided into normal outflow and abnormal outflow. Abnormal outflow may adversely affect the data platform or its users, for example when sensitive information is leaked. Monitoring the outflow of information therefore not only improves the security of network interaction, but also conveniently gives data operation and maintenance personnel a basis for decisions. Existing monitoring methods have difficulty judging accurately whether an information outflow is normal, and therefore have difficulty giving a timely early warning when information flows out of the data platform abnormally.
Summary of the Invention
In view of this, embodiments of the present invention provide a monitoring method and a monitoring device for information outflow that make the monitoring of information outflow more timely and accurate.
In a first aspect, an embodiment of the present invention provides a monitoring method for information outflow, comprising: determining a current frequency score of information currently flowing out of a data platform, the current frequency score being obtained based on the time interval between the time of the current outflow of the information and the time of the Nth outflow of the information, where the Nth outflow occurred before the current outflow; scoring the current outflow of the information according to the current frequency score to obtain a current scoring result; and determining, according to the current scoring result, whether the current outflow of the information is abnormal.
In some embodiments of the invention, the current scoring result takes a value greater than 0 and less than or equal to 1.
In some embodiments of the invention, the time of the current outflow of the information is t, the Nth outflow of the information is the previous outflow of the information, the time of the previous outflow is p, and the current frequency score is denoted S:
where e is the base of the natural logarithm.
In some embodiments of the invention, the monitoring method of the first aspect further comprises: determining a sensitivity score of the information according to the sensitivity level of the information, where scoring the current outflow of the information according to the current frequency score to obtain the current scoring result comprises: scoring the current outflow of the information according to the current frequency score and the sensitivity score to obtain the current scoring result, where the sensitivity score is denoted m, the current scoring result is denoted T, and T = S^m.
In some embodiments of the invention, determining whether the current outflow of the information is abnormal according to the current scoring result comprises: determining whether the current outflow of the information is abnormal according to the current scoring result and a historical scoring record, where the destination of the current outflow of the information is the same as the destination of the information to which the historical scoring record corresponds.
In some embodiments of the invention, determining whether the current outflow of the information is abnormal according to the current scoring result and the historical scoring record comprises: determining a current score vector according to the current scoring result, where the current outflow is the b-th outflow of the information, the current score vector is a (b-a)-dimensional vector composed of the b-a scores corresponding to the a-th through b-th outflows, and b is greater than a; determining a preceding score vector according to the scoring result of the previous outflow of the information, where the previous outflow is the (b-1)-th outflow of the information, and the preceding score vector is a (b-a)-dimensional vector composed of the b-a scores corresponding to the (a-1)-th through (b-1)-th outflows; calculating the similarity between the current score vector and the preceding score vector; and determining whether the current outflow of the information is abnormal according to the similarity.
In some embodiments of the invention, determining whether the current outflow of the information is abnormal according to the current scoring result and the historical scoring record further comprises: determining the mode of the scores in the historical scoring record; when the current scoring result is greater than the mode, determining that the current outflow of the information is abnormal; when the current scoring result is less than the mode, calculating the similarity between the current score vector and the preceding score vector; and when the similarity is greater than a threshold, determining that the current outflow of the information is abnormal.
In some embodiments of the invention, the monitoring method of the first aspect further comprises: when no mode exists, determining the median of the scores in the historical scoring record; and when the current scoring result is greater than the median, determining that the outflow of the information is abnormal; where, when the historical scoring record has multiple modes with different values, the mode with the smallest value is taken as the mode.
In a second aspect, an embodiment of the present invention provides a monitoring device for information outflow, comprising: a first determining module, configured to determine a current frequency score of information currently flowing out of a data platform, the current frequency score being obtained based on the time interval between the time of the current outflow of the information and the time of the Nth outflow of the information, where the Nth outflow occurred before the current outflow; a scoring module, configured to score the current outflow of the information according to the current frequency score to obtain a current scoring result; and a second determining module, configured to determine, according to the current scoring result, whether the current outflow of the information is abnormal.
In some embodiments of the invention, the current scoring result takes a value greater than 0 and less than or equal to 1.
In some embodiments of the invention, the time of the current outflow of the information is t, the Nth outflow of the information is the previous outflow of the information, the time of the previous outflow is p, and the current frequency score is denoted S:
where e is the base of the natural logarithm.
In some embodiments of the invention, the first determining module is further configured to determine a sensitivity score of the information according to the sensitivity level of the information, and the scoring module is configured to score the current outflow of the information according to the current frequency score and the sensitivity score to obtain the current scoring result, where the sensitivity score is denoted m, the current scoring result is denoted T, and T = S^m.
In some embodiments of the invention, the second determining module is configured to determine whether the current outflow of the information is abnormal according to the current scoring result and a historical scoring record, where the destination of the current outflow of the information is the same as the destination of the information to which the historical scoring record corresponds.
In some embodiments of the invention, the second determining module is configured to: determine a current score vector according to the current scoring result, where the current outflow is the b-th outflow of the information, the current score vector is a (b-a)-dimensional vector composed of the b-a scores corresponding to the a-th through b-th outflows, and b is greater than a; determine a preceding score vector according to the scoring result of the previous outflow of the information, where the previous outflow is the (b-1)-th outflow of the information, and the preceding score vector is a (b-a)-dimensional vector composed of the b-a scores corresponding to the (a-1)-th through (b-1)-th outflows; calculate the similarity between the current score vector and the preceding score vector; and determine whether the current outflow of the information is abnormal according to the similarity.
In some embodiments of the invention, the second determining module is further configured to: determine the mode of the scores in the historical scoring record; when the current scoring result is greater than the mode, determine that the current outflow of the information is abnormal; when the current scoring result is less than the mode, calculate the similarity between the current score vector and the preceding score vector; and when the similarity is greater than a threshold, determine that the current outflow of the information is abnormal.
In some embodiments of the invention, the second determining module is further configured to: when no mode exists, determine the median of the scores in the historical scoring record; and when the current scoring result is greater than the median, determine that the outflow of the information is abnormal; where, when the historical scoring record has multiple modes with different values, the mode with the smallest value is taken as the mode.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program, the computer program being used to execute the monitoring method for information outflow described in the first aspect.
In a fourth aspect, an embodiment of the present invention provides an electronic device, comprising: a processor; and a memory for storing instructions executable by the processor, where the processor is configured to execute the monitoring method for information outflow described in the first aspect.
Embodiments of the present invention provide a monitoring method and a monitoring device for information outflow. By using the time data of information flowing out of a data platform, and determining the current frequency score of the current outflow based on the time interval between outflows, the time data of information outflow is quantified, so that the monitoring of information outflow is more timely and accurate.
Brief Description of the Drawings
Fig. 1 is a schematic diagram of the system architecture of a monitoring system for information outflow provided by an exemplary embodiment of the invention.
Fig. 2 is a flow diagram of a monitoring method for information outflow provided by one embodiment of the invention.
Fig. 3 is a flow diagram of a monitoring method for information outflow provided by another embodiment of the invention.
Fig. 4 is a structural schematic diagram of a monitoring device for information outflow provided by one embodiment of the invention.
Fig. 5 is a block diagram of an electronic device for monitoring information outflow according to an exemplary embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Monitoring and early warning of abnormal information outflow from data platforms is one of the problems that data operations and data protection currently most urgently need to solve. At present, the outflow of information from a data platform is monitored mainly in two ways: rule-based monitoring and monitoring based on data visualization. Rule-based monitoring configures access permissions on the information in order to monitor its outflow. The permission may be whether access is allowed, or a limit on the number of accesses, for example the same ID card number is limited to one access per day. This rule-based approach is rigid, and it is difficult to monitor the outflow of information flexibly and accurately with it. Monitoring based on data visualization relies on people inspecting and analyzing the raw data of information outflow; this approach is slow, has poor real-time performance, and is costly.
Fig. 1 is a schematic diagram of the system architecture of a monitoring system for information outflow provided by an exemplary embodiment of the invention. It illustrates an application scenario in which the outflow of information from a server 10 is monitored. As shown in Fig. 1, the monitoring system includes a server 10, a server 20 and a terminal 30. The server 10 can be a data platform, for example a Hadoop platform. The terminal 30 can be an electronic device such as a mobile phone or a computer.
In one exemplary scenario, a user accesses the server 10 through the terminal 30. When information flows out of the server 10, the server 20 can monitor the outflow process of the information on the server 10 and give an early warning when the information flows out abnormally. In this scenario, the outflow is monitored in a bypass mode: the server 20, which is separate from the server 10, monitors the information outflow on the server 10, so the server 10 is not affected and security is high.
In another exemplary scenario, the server 10 and the server 20 can be the same server, i.e., the monitoring system for information outflow includes the server 10 and the terminal 30. The user accesses the server 10 through the terminal 30, and when information flows out of the server 10, the server 10 itself can monitor the outflow process and give an early warning when the information flows out abnormally. In this scenario, the outflow is monitored in a monitoring-type mode: the information outflow on the server 10 is monitored by the server 10 itself or by a device embedded in the server 10, which can report where the information flows to in real time and quickly.
It should be noted that the above application scenarios are shown only to facilitate understanding of the spirit and principles of the present invention, and the embodiments of the present invention are not limited in this respect. On the contrary, the embodiments of the present invention can be applied to any scenario where they are applicable.
The embodiments of the present invention are described in detail below, taking as an example a monitoring system for information outflow that includes a data platform (server 10), a terminal (terminal 30) and a server (server 30).
Fig. 2 is a flow diagram of a monitoring method for information outflow provided by one embodiment of the invention. As shown in Fig. 2, the method includes the following.
110: Determine a current frequency score of the information currently flowing out of the data platform, the current frequency score being obtained based on the time interval between the time of the current outflow of the information and the time of the Nth outflow of the information, where the Nth outflow occurred before the current outflow.
Specifically, for a given piece of information in the data platform, the outflow data of each outflow of that information from the data platform can be recorded on the terminal or the data platform, and the outflow data may include the outflow time of the information. For example, the time of the Nth outflow of the information from the data platform is t_N, and the time of the Qth outflow of the information from the data platform is t_Q; the Nth outflow occurs before the Qth outflow, i.e., t_Q is greater than t_N. The unit of t_Q and t_N can be seconds, milliseconds or another suitable unit, which the embodiments of the present invention do not limit.
The server can determine the frequency score of the Qth outflow of the information based on the time interval (t_Q - t_N) between the Qth and Nth outflows. The frequency score can be obtained by feeding the time interval (t_Q - t_N) into a certain function. The magnitude of the frequency score can be used to characterize how abnormal the Nth outflow of the information is; for example, the larger the frequency score, the more likely the outflow is abnormal.
In this embodiment, Q and N are integers, and the difference between Q and N can be 1, 2, 3 or another value, which the embodiments of the present invention do not limit.
When the difference between Q and N is 1, the Qth and Nth outflows are two adjacent outflows of the information. Because the outflow data considered are then close together, the frequency score can characterize the abnormality of the Qth outflow relatively accurately.
The Qth outflow of the information can be the current outflow of the information.
120: Score the current outflow of the information according to the current frequency score to obtain a current scoring result.
Specifically, the current frequency score can be used directly as the current scoring result; alternatively, the current frequency score can be processed to obtain the current scoring result, for example by passing it through a specific function.
130: Determine, according to the current scoring result, whether the current outflow of the information is abnormal.
Specifically, the current scoring result can be a score value, and whether the current outflow is abnormal can be determined from the magnitude of the value; the current scoring result can also be a grade, for example one of the two cases "normal" and "abnormal", in which case the server can determine directly from the result whether the current outflow is abnormal.
This embodiment of the invention provides a monitoring method for information outflow. By using the time data of information flowing out of a data platform, and determining the current frequency score of the current outflow based on the time interval between outflows, the time data of information outflow is quantified, so that the monitoring of information outflow is more timely and accurate.
According to an embodiment of the present invention, the current scoring result takes a value greater than 0 and less than or equal to 1.
Specifically, the current scoring result is a score value, and each outflow of the information from the data platform corresponds to one scoring result. In order of increasing time, the scoring results of the successive outflows can form a sequence or a row vector. To simplify data processing and avoid excessive fluctuation in the data, the contents of this sequence or row vector can be kept uniform, i.e., the scoring results are confined to a certain range of values, for example greater than 0 and less than or equal to 1.
According to an embodiment of the present invention, the time of the current outflow of the information is t, the Nth outflow of the information is the previous outflow of the information, the time of the previous outflow is p, and the current frequency score is denoted S:
where e is the base of the natural logarithm.
In this embodiment, the current frequency score is obtained from the time interval between two adjacent outflows of the information. That is, the current outflow is the Qth outflow of the information, the time of the Qth outflow is t (t_Q), and the time of the Nth outflow is p (t_N). The difference between Q and N is 1, and the value of S is greater than 0 and less than 1.
According to an embodiment of the present invention, the method of Fig. 2 further includes: determining a sensitivity score of the information according to the sensitivity level of the information, where 120 includes: scoring the current outflow of the information according to the current frequency score and the sensitivity score to obtain the current scoring result, where the sensitivity score is denoted m, the current scoring result is denoted T, and T = S^m.
Specifically, in the embodiments of the present invention, different pieces of information are monitored separately. Because different information differs in importance or sensitivity level, taking a factor that reflects the sensitivity level into account when monitoring a given kind of information improves the accuracy of the monitoring result.
For example, on an air-ticket website, a customer's ID card number and name are important information, whereas the flight number and flight time are less important than the ID card number and name; that is, the sensitivity level of the ID card number and name is higher than that of the flight number and flight time.
In one embodiment, the higher the sensitivity level of the information, the larger the value of m. For the same frequency score S, the higher the sensitivity level of the information, the higher the scoring result T, i.e., the more likely the outflow of the information is an abnormal outflow.
For example, information can be divided into the following four sensitivity levels: insensitive, generally sensitive, sensitive, and very sensitive. The sensitivity scores corresponding to these four levels can be 0, 1, 2 and 3 respectively. When the sensitivity level of the information is insensitive, i.e., the sensitivity score is 0, the scoring result T of an outflow from the data platform caused by a user's access to the information is always 1. In other words, the server performs no substantive monitoring of the outflow of information whose sensitivity score on the data platform is 0. When the sensitivity score of the information is not 0, the value of the scoring result T is greater than 0 and less than 1, and it increases as the time interval (t-p) increases.
The frequency score S is an increasing function whose rate of increase gradually slows. This prevents the value of S from rising sharply merely because the time interval is long, which would cause the current outflow to be wrongly determined to be abnormal; the method therefore has good robustness.
Of course, the sensitivity levels of information can be divided in other ways, and the sensitivity scores corresponding to the different levels can be set according to the actual situation; the embodiments of the present invention do not limit this.
According to an embodiment of the present invention, 130 includes: determining whether the current outflow of the information is abnormal according to the current scoring result and a historical scoring record, where the destination of the current outflow of the information is the same as the destination of the information to which the historical scoring record corresponds.
Specifically, the outflow data of each outflow of the information from the data platform may include the outflow time of the information and the destination of the information, and the server can process outflow data for different destinations separately. For example, when the destination of the information is A, each outflow of the information corresponds to one scoring result, and these scoring results can form a sequence or a row vector. The historical scoring record can be this sequence or row vector, or a subset of the scoring results in it.
In this embodiment, monitoring the outflow of information separately for each destination eliminates problems caused by unbalanced access volumes and thereby improves the reliability of the monitoring result.
In one embodiment, the current scoring result can be compared with the scoring results in the historical scoring record to determine whether the current outflow of the information is abnormal.
According to an embodiment of the present invention, determining whether the current outflow of the information is abnormal according to the current scoring result and the historical scoring record includes: determining a current score vector according to the current scoring result, where the current outflow is the b-th outflow of the information, the current score vector is a (b-a)-dimensional vector composed of the b-a scores corresponding to the a-th through b-th outflows, and b is greater than a; determining a preceding score vector according to the scoring result of the previous outflow of the information, where the previous outflow is the (b-1)-th outflow of the information, and the preceding score vector is a (b-a)-dimensional vector composed of the b-a scores corresponding to the (a-1)-th through (b-1)-th outflows; calculating the similarity between the current score vector and the preceding score vector; and determining whether the current outflow of the information is abnormal according to the similarity.
Specifically, each outflow of information whose sensitivity score is m and whose destination is A is scored; the scoring result is denoted as and stored in a row vector labeled Sm, where n is the number of the outflow of the information. For example, for the 500th outflow of information whose destination is A and whose sensitivity score is 4, the scoring result is denoted as The row vector Sm can be expressed as:
where can be a preset initial value.
In this embodiment, the value of b-a can be 10. For the b-th outflow of the information, the current score vector can be expressed as and the preceding score vector can be expressed as
Of course, the value of b-a can also be a value other than 10; the embodiments of the present invention do not limit this.
In this embodiment, the similarity between the current score vector and the preceding score vector can be calculated by methods such as Euclidean distance, Mahalanobis distance, the Spearman rank correlation coefficient, or the Pearson correlation coefficient. If the similarity is greater than a preset threshold, the current outflow of the information is considered to be an abnormal outflow.
According to an embodiment of the present invention, in the method of Fig. 2, determining whether the current outflow of the information is abnormal according to the current scoring result and the historical scoring record further includes: determining the mode of the scores in the historical scoring record; when the current scoring result is greater than the mode, determining that the current outflow of the information is abnormal; when the current scoring result is less than the mode, calculating the similarity between the current score vector and the preceding score vector; and when the similarity is greater than the threshold, determining that the current outflow of the information is abnormal.
Specifically, the current scoring result can be compared with the mode of the scoring results in the historical scoring record. When the current scoring result is greater than the mode, the current outflow of the information is determined to be abnormal without obtaining the current score vector or calculating the similarity between the current score vector and the preceding score vector, which improves the computing speed of the server.
Further, the method of Fig. 2 also includes: when no mode exists, determining the median of the scores in the historical scoring record; and when the current scoring result is greater than the median, determining that the outflow of the information is abnormal; where, when the historical scoring record has multiple modes with different values, the mode with the smallest value is taken as the mode.
Fig. 3 is a schematic flowchart of an information outflow monitoring method provided by another embodiment of the present invention. The embodiment shown in Fig. 3 is a specific example of the embodiment shown in Fig. 2; to avoid repetition, what the two have in common is not explained again. As shown in Fig. 3, the method includes the following.
210: Determine the current frequency integral of the information currently flowing out of the data platform.
220: Determine the sensitive integral of the information according to the sensitive grade of the information.
Specifically, 220 may be executed before or after 210, or simultaneously with 210.
230: Score the current outflow of the information according to the current frequency integral and the sensitive integral to obtain the current appraisal result.
For the calculation of the current frequency integral and the current appraisal result, refer to the description of Fig. 2 above; to avoid repetition, details are not repeated here.
240: Determine the current scoring vector according to the current appraisal result.
The dimension of current scoring vector can be set according to actual needs.
250: Determine the preposition scoring vector according to the appraisal result of the last outflow of the information.
The dimension of the preposition scoring vector is the same as the dimension of the current scoring vector.
As the number of information outflows gradually increases, the appraisal results recorded in the row vector Sm also keep increasing. The dimensions of the current scoring vectors for different outflow numbers may be the same or different.
In one embodiment, the current scoring vectors for different outflow numbers have the same dimension. In this case 250 may be executed before 210; for example, the preposition scoring vector may be the current scoring vector that corresponded to the last outflow of the information.
In another embodiment, the dimensions of the current scoring vectors for different outflow numbers may differ. For example, when the information outflow number is 10, the dimension of the current scoring vector is 10 and the dimension of the preposition scoring vector is also 10; when the information outflow number is 100, the dimension of the current scoring vector is 20 and the dimension of the preposition scoring vector is also 20. When the history scoring record contains more appraisal results, the dimension of the current scoring vector and the preposition scoring vector can be increased appropriately, so that as much earlier outflow data as possible is used and the accuracy of the monitoring result is improved.
260: Calculate the similarity between the current scoring vector and the preposition scoring vector.
The similarity can be calculated using the methods mentioned for Fig. 2 above, or similar methods.
270: Determine whether the current outflow of the information is abnormal according to the similarity.
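The decision flow of steps 240 to 270, combined with the mode and median pre-checks described for Fig. 2, as an added Python example that is not code from the patent. It takes already-computed appraisal results as input and uses Euclidean distance, one of the measures the text lists. The window size, threshold, padding value, rounding before counting the mode, reading "mode does not exist" as "no score repeats", and falling through to the vector comparison whenever the score does not exceed the mode or median are assumptions of this example.

```python
import math
from collections import Counter
from statistics import median


def history_mode(scores, ndigits=4):
    """Mode of the history scores, or None when no value repeats.

    Ties between several most-frequent values resolve to the smallest one,
    as the text specifies. Rounding to `ndigits` before counting and treating
    "no repeated value" as "mode does not exist" are assumptions.
    """
    counts = Counter(round(s, ndigits) for s in scores)
    if not counts:
        return None
    top = max(counts.values())
    if top == 1:
        return None
    return min(v for v, c in counts.items() if c == top)


def scoring_vectors(history, current, k, initial=0.5):
    """Build the k-dimensional current and preposition scoring vectors.

    The preposition vector holds the k scores ending at the last outflow;
    the current vector is the same window shifted by one so that it ends at
    the current outflow. Short histories are left-padded with `initial`
    (a constructed value, not one given in the text).
    """
    padded = [initial] * max(0, k - len(history)) + list(history)
    preposition = padded[-k:]
    current_vec = preposition[1:] + [current]
    return current_vec, preposition


def euclidean(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def check_outflow(history, current, k=10, threshold=0.3, initial=0.5):
    """Return (abnormal, reason) for one outflow to a single flow-to place.

    `history` holds earlier appraisal results for the same flow-to place,
    oldest first; `current` is the appraisal result of the current outflow.
    """
    # Cheap pre-check: compare against the mode, or the median if no mode.
    baseline, kind = history_mode(history), "mode"
    if baseline is None and history:
        baseline, kind = median(history), "median"
    if baseline is not None and current > baseline:
        return True, f"score above {kind}"

    # Otherwise compare the two sliding windows. The text flags the outflow
    # when the computed value exceeds the threshold; with Euclidean distance
    # that means a large change between the windows.
    current_vec, preposition = scoring_vectors(history, current, k, initial)
    if euclidean(current_vec, preposition) > threshold:
        return True, "vector change above threshold"
    return False, "normal"


if __name__ == "__main__":
    # Constructed sample history for one flow-to place.
    steady = [0.2, 0.2, 0.3, 0.2, 0.3, 0.2, 0.2, 0.3, 0.2, 0.2]
    print(check_outflow(steady, 0.9))
    print(check_outflow([0.5] * 10, 0.45))
```

Because the pre-check returns before any vector is built, most clearly high scores never reach the distance computation, which is the speed-up the text attributes to the mode comparison.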
Fig. 4 is a schematic structural diagram of an information outflow monitoring device 400 provided by an embodiment of the present invention. As shown in Fig. 4, the device 400 includes a first determining module 410, a grading module 420 and a second determining module 430.
The first determining module 410 is used to determine the current frequency integral of the information currently flowing out of the data platform, the current frequency integral being obtained based on the time interval between the time corresponding to the current outflow of the information and the time corresponding to the n-th outflow of the information, wherein the n-th outflow of the information occurs before the current outflow of the information; the grading module 420 is used to score the current outflow of the information according to the current frequency integral to obtain the current appraisal result; the second determining module 430 is used to determine whether the current outflow of the information is abnormal according to the current appraisal result.
The embodiments of the present invention provide an information outflow monitoring device that uses the time data of information flowing out of the data platform and determines the current frequency integral of the current outflow based on the time interval between outflows, so that the time data of information outflow is quantified and the monitoring of information outflow becomes more timely and accurate.
According to an embodiment of the present invention, the value range of the current appraisal result is greater than 0 and less than or equal to 1.
According to an embodiment of the present invention, the time of the current outflow of the information is t, the n-th outflow of the information is the last outflow of the information, the time of the last outflow of the information is p, and the current frequency integral is denoted by S:
Wherein, e is the base of the natural logarithm.
According to an embodiment of the present invention, the first determining module 410 is also used to determine the sensitive integral of the information according to the sensitive grade of the information, and the grading module 420 is used to score the current outflow of the information according to the current frequency integral and the sensitive integral to obtain the current appraisal result, wherein the sensitive integral is denoted by m, the current appraisal result is denoted by T, and T=Sm
According to an embodiment of the present invention, the second determining module 430 is used to determine whether the current outflow of the information is abnormal according to the current appraisal result and the history scoring record, wherein the flow-to place of the current outflow of the information is the same as the flow-to place of the information corresponding to the history scoring record.
According to an embodiment of the present invention, the second determining module 430 is used to: determine a current scoring vector according to the current appraisal result, wherein the number of the current outflow of the information is b, and the current scoring vector is a b-a dimensional vector composed of the b-a scores corresponding to the a-th to the b-th outflows, b being greater than a; determine a preposition scoring vector according to the appraisal result of the last outflow of the information, wherein the number of the last outflow of the information is b-1, and the preposition scoring vector is a b-a dimensional vector composed of the b-a scores corresponding to the (a-1)-th to the (b-1)-th outflows; calculate the similarity between the current scoring vector and the preposition scoring vector; and determine whether the current outflow of the information is abnormal according to the similarity.
According to an embodiment of the present invention, the second determining module 430 is also used to: determine the mode of the scores in the history scoring record; when the current appraisal result is greater than the mode, determine that the current outflow of the information is abnormal; when the current appraisal result is less than the mode, perform the calculation of the similarity between the current scoring vector and the preposition scoring vector; and when the similarity is greater than a threshold, determine that the current outflow of the information is abnormal.
According to an embodiment of the present invention, the second determining module 430 is also used to: when the mode does not exist, determine the median of the scores in the history scoring record; and when the current appraisal result is greater than the median, determine that the outflow of the information is abnormal, wherein when the history scoring record has several modes with different values, the mode with the minimum value is taken as the mode.
It should be understood that, for the operations and functions of the first determining module 410, the grading module 420 and the second determining module 430 in the above embodiments, reference can be made to the description of the information outflow monitoring method provided for Fig. 2 and Fig. 3 above; to avoid repetition, details are not described here again.
Fig. 5 is a block diagram of an electronic device 500 for monitoring information outflow according to an exemplary embodiment of the present invention.
Referring to Fig. 5, the electronic device 500 includes a processing component 510, which further includes one or more processors, and memory resources represented by a memory 520 for storing instructions executable by the processing component 510, such as application programs. The application programs stored in the memory 520 may include one or more modules, each corresponding to a set of instructions. In addition, the processing component 510 is configured to execute the instructions so as to perform the above information outflow monitoring method.
The electronic device 500 may also include a power supply component configured to perform power management of the electronic device 500, a wired or wireless network interface configured to connect the electronic device 500 to a network, and an input/output (I/O) interface. The electronic device 500 can operate based on an operating system stored in the memory 520, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
A non-transitory computer-readable storage medium: when the instructions in the storage medium are executed by the processor of the above electronic device 500, the electronic device 500 is enabled to perform an information outflow monitoring method, comprising: determining the current frequency integral of the information currently flowing out of the data platform, the current frequency integral being obtained based on the time interval between the time corresponding to the current outflow of the information and the time corresponding to the n-th outflow of the information, wherein the n-th outflow of the information occurs before the current outflow of the information; scoring the current outflow of the information according to the current frequency integral to obtain the current appraisal result; and determining whether the current outflow of the information is abnormal according to the current appraisal result.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled professionals may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the foregoing method embodiments and are not described here again.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
It should be noted that, in the description of the present invention, the terms "first", "second", "third" and so on are used for descriptive purposes only and are not to be understood as indicating or implying relative importance. In addition, in the description of the present invention, unless otherwise indicated, "multiple" means two or more.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention. Any modification, equivalent replacement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.

Claims (18)

1. A monitoring method of information outflow, characterized by comprising:
determining a current frequency integral of information currently flowing out of a data platform, the current frequency integral being obtained based on the time interval between the time corresponding to the current outflow of the information and the time corresponding to the n-th outflow of the information, wherein the n-th outflow of the information occurs before the current outflow of the information;
scoring the current outflow of the information according to the current frequency integral to obtain a current appraisal result;
determining whether the current outflow of the information is abnormal according to the current appraisal result.
2. The monitoring method according to claim 1, characterized in that the value range of the current appraisal result is greater than 0 and less than or equal to 1.
3. The monitoring method according to claim 2, characterized in that the time of the current outflow of the information is t, the n-th outflow of the information is the last outflow of the information, the time of the last outflow of the information is p, and the current frequency integral is denoted by S:
Wherein, e is the base of the natural logarithm.
4. The monitoring method according to claim 3, characterized by further comprising:
determining the sensitive integral of the information according to the sensitive grade of the information,
wherein scoring the current outflow of the information according to the current frequency integral to obtain the current appraisal result comprises:
scoring the current outflow of the information according to the current frequency integral and the sensitive integral to obtain the current appraisal result, wherein the sensitive integral is denoted by m, the current appraisal result is denoted by T, and T=Sm
5. The monitoring method according to any one of claims 1 to 4, characterized in that determining whether the current outflow of the information is abnormal according to the current appraisal result comprises:
determining whether the current outflow of the information is abnormal according to the current appraisal result and a history scoring record, wherein the flow-to place of the current outflow of the information is the same as the flow-to place of the information corresponding to the history scoring record.
6. The monitoring method according to claim 5, characterized in that determining whether the current outflow of the information is abnormal according to the current appraisal result and the history scoring record comprises:
determining a current scoring vector according to the current appraisal result, wherein the number of the current outflow of the information is b, and the current scoring vector is a b-a dimensional vector composed of the b-a scores corresponding to the a-th to the b-th outflows, b being greater than a;
determining a preposition scoring vector according to the appraisal result of the last outflow of the information, wherein the number of the last outflow of the information is b-1, and the preposition scoring vector is a b-a dimensional vector composed of the b-a scores corresponding to the (a-1)-th to the (b-1)-th outflows;
calculating the similarity between the current scoring vector and the preposition scoring vector;
determining whether the current outflow of the information is abnormal according to the similarity.
7. The monitoring method according to claim 6, characterized in that determining whether the current outflow of the information is abnormal according to the current appraisal result and the history scoring record further comprises:
determining the mode of the scores in the history scoring record;
when the current appraisal result is greater than the mode, determining that the current outflow of the information is abnormal;
when the current appraisal result is less than the mode, performing the calculation of the similarity between the current scoring vector and the preposition scoring vector;
when the similarity is greater than a threshold, determining that the current outflow of the information is abnormal.
8. The monitoring method according to claim 7, characterized by further comprising:
when the mode does not exist, determining the median of the scores in the history scoring record;
when the current appraisal result is greater than the median, determining that the outflow of the information is abnormal, wherein when the history scoring record has several modes with different values, the mode with the minimum value is taken as the mode.
9. A monitoring device of information outflow, characterized by comprising:
a first determining module, used to determine a current frequency integral of information currently flowing out of a data platform, the current frequency integral being obtained based on the time interval between the time corresponding to the current outflow of the information and the time corresponding to the n-th outflow of the information, wherein the n-th outflow of the information occurs before the current outflow of the information;
a grading module, used to score the current outflow of the information according to the current frequency integral to obtain a current appraisal result;
a second determining module, used to determine whether the current outflow of the information is abnormal according to the current appraisal result.
10. The monitoring device according to claim 9, characterized in that the value range of the current appraisal result is greater than 0 and less than or equal to 1.
11. The monitoring device according to claim 10, characterized in that the time of the current outflow of the information is t, the n-th outflow of the information is the last outflow of the information, the time of the last outflow of the information is p, and the current frequency integral is denoted by S:
Wherein, e is the base of the natural logarithm.
12. The monitoring device according to claim 11, characterized in that the first determining module is also used to determine the sensitive integral of the information according to the sensitive grade of the information, and the grading module is used to score the current outflow of the information according to the current frequency integral and the sensitive integral to obtain the current appraisal result, wherein the sensitive integral is denoted by m, the current appraisal result is denoted by T, and T=Sm
13. The monitoring device according to any one of claims 9 to 12, characterized in that the second determining module is used to determine whether the current outflow of the information is abnormal according to the current appraisal result and a history scoring record, wherein the flow-to place of the current outflow of the information is the same as the flow-to place of the information corresponding to the history scoring record.
14. The monitoring device according to claim 13, characterized in that the second determining module is used to:
determine a current scoring vector according to the current appraisal result, wherein the number of the current outflow of the information is b, and the current scoring vector is a b-a dimensional vector composed of the b-a scores corresponding to the a-th to the b-th outflows, b being greater than a;
determine a preposition scoring vector according to the appraisal result of the last outflow of the information, wherein the number of the last outflow of the information is b-1, and the preposition scoring vector is a b-a dimensional vector composed of the b-a scores corresponding to the (a-1)-th to the (b-1)-th outflows;
calculate the similarity between the current scoring vector and the preposition scoring vector;
determine whether the current outflow of the information is abnormal according to the similarity.
15. The monitoring device according to claim 14, characterized in that the second determining module is also used to:
determine the mode of the scores in the history scoring record;
when the current appraisal result is greater than the mode, determine that the current outflow of the information is abnormal;
when the current appraisal result is less than the mode, perform the calculation of the similarity between the current scoring vector and the preposition scoring vector;
when the similarity is greater than a threshold, determine that the current outflow of the information is abnormal.
16. The monitoring device according to claim 15, characterized in that the second determining module is also used to:
when the mode does not exist, determine the median of the scores in the history scoring record;
when the current appraisal result is greater than the median, determine that the outflow of the information is abnormal, wherein when the history scoring record has several modes with different values, the mode with the minimum value is taken as the mode.
17. A computer-readable storage medium, the storage medium storing a computer program, the computer program being used to execute the monitoring method of information outflow of any one of the above claims 1 to 8.
18. An electronic device, comprising:
a processor;
a memory for storing instructions executable by the processor,
wherein the processor is used to execute the monitoring method of information outflow of any one of the above claims 1 to 8.
CN201910590401.XA 2019-07-02 2019-07-02 Information outflow monitoring method and monitoring device Active CN110457349B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910590401.XA CN110457349B (en) 2019-07-02 2019-07-02 Information outflow monitoring method and monitoring device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910590401.XA CN110457349B (en) 2019-07-02 2019-07-02 Information outflow monitoring method and monitoring device

Publications (2)

Publication Number Publication Date
CN110457349A true CN110457349A (en) 2019-11-15
CN110457349B CN110457349B (en) 2022-04-05

Family

ID=68482055

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910590401.XA Active CN110457349B (en) 2019-07-02 2019-07-02 Information outflow monitoring method and monitoring device

Country Status (1)

Country Link
CN (1) CN110457349B (en)

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150186647A1 (en) * 2006-02-28 2015-07-02 Salvatore J. Stolfo Systems, methods, and media for outputting data based on anomaly detection
CN101976061A (en) * 2010-08-06 2011-02-16 中国环境科学研究院 Method for constructing large environmental risk source monitoring system
CN102567340A (en) * 2010-12-09 2012-07-11 腾讯科技(深圳)有限公司 Method and device for filtering Microblog information
CN106326278A (en) * 2015-06-30 2017-01-11 阿里巴巴集团控股有限公司 Data exception judgment method and device
US20170324768A1 (en) * 2015-10-28 2017-11-09 Fractal Industries, Inc. Advanced cybersecurity threat mitigation using behavioral and deep analytics
CN105588978A (en) * 2015-12-14 2016-05-18 安徽立卓智能电网科技有限公司 Beidou satellite communication technology-based method for intelligently detecting and processing acquired electric energy data
CN106934291A (en) * 2015-12-29 2017-07-07 刘晓建 A kind of method of unidirectional information carrying means and intercomputer one-way transmission information
CN106790212A (en) * 2017-01-07 2017-05-31 北京坤腾畅联科技有限公司 The method and terminal device of the analysis detection man-in-the-middle attack based on temporal characteristics
CN109308242A (en) * 2018-09-06 2019-02-05 上海达梦数据库有限公司 A kind of dynamic monitoring and controlling method, device, equipment and storage medium
CN109840543A (en) * 2018-12-15 2019-06-04 中国大唐集团科学技术研究院有限公司 A kind of data monitoring and method for early warning based on neural network and sensitive information stream
CN109815094A (en) * 2019-01-04 2019-05-28 平安科技(深圳)有限公司 Monitoring method, device, equipment and the computer readable storage medium of tables of data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张春望: "《监控信息误报的分析判断及处理》", 《中国电力企业管理》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111143829A (en) * 2019-12-25 2020-05-12 北京天融信网络安全技术有限公司 Method and device for determining task risk degree, electronic equipment and storage medium
CN111143829B (en) * 2019-12-25 2022-04-26 北京天融信网络安全技术有限公司 Method and device for determining task risk degree, electronic equipment and storage medium
CN112291506A (en) * 2020-12-25 2021-01-29 北京电信易通信息技术股份有限公司 Method and system for tracing security vulnerability of streaming data in video conference scene

Also Published As

Publication number Publication date
CN110457349B (en) 2022-04-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant