CN110750786B - Method and system for detecting abnormal access behavior of account to sensitive data - Google Patents

Publication number: CN110750786B
Authority: CN (China)
Prior art keywords: account, access, access behavior, similarity, vector
Legal status: Active
Application number: CN201911045981.0A
Other languages: Chinese (zh)
Other versions: CN110750786A (en)
Inventors: 周晓勇, 梁淑云, 刘胜, 马影, 陶景龙, 王启凡, 魏国富, 徐�明, 殷钱安, 余贤喆
Current Assignee: Information and Data Security Solutions Co Ltd
Original Assignee: Information and Data Security Solutions Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/22: Matching criteria, e.g. proximity measures

Abstract

The invention provides a method and a system for detecting abnormal access behavior of an account to sensitive data, comprising the following steps: S01, acquiring a database operation log; S02, parsing SQL statements from the database operation log to generate records of accounts accessing data tables; S03, generating an access behavior reference vector for each account type; S04, generating an access behavior vector for each account; S05, using a similarity algorithm to output the set of similarities between a specific account and all non-home account types; and S06, determining the abnormal access risk level according to the magnitude of the values in the similarity set. The advantages are that the granularity of the traditional supervision mechanism is lowered from the database to the data table, which, particularly for tables containing sensitive data, provides an effective means of protecting an enterprise's invisible assets and user privacy; historical data is used to generate the benchmark, which avoids the subjectivity of manually setting a threshold; and the access risk is quantified and a risk level is output, cosine similarity being simple to compute and its result interpretable.

Description

Method and system for detecting abnormal access behavior of account to sensitive data
Technical Field
The invention relates to the technical field of computer data security, and in particular to a method and a system for detecting abnormal access behavior of an account to sensitive data.
Background
The data warehouses of basic operators in the telecommunications industry hold a large amount of sensitive data, such as user identification numbers, user addresses and user communication records. This data is stored in database tables and is used extensively in the operators' daily operation and analysis. Sensitive data is of high value: it is a stealth asset for the basic operator and private information for the user (individual or organization). The basic operator therefore needs to protect this data from leakage. However, many people, including internal staff and third-party vendors, can access the data, sensitive data leakage events happen frequently, and protecting and tracing sensitive data has become a key and considerably difficult task for basic operators.
Currently, a basic operator generally manages access through account permissions, that is, it allocates database-level access permissions to each account that accesses a database.
This account-permission management mode does not restrict which tables an account may access within a database, so anyone holding such an account can freely acquire data outside the scope of their job, and an effective supervision mechanism is lacking.
To overcome these defects, the invention determines a table-level access behavior benchmark based on account type and uses a similarity measure to calculate how similar a specific account is to the benchmark, thereby quantifying the risk level of the account's access to sensitive data and providing an effective supervision mechanism.
Disclosure of Invention
The technical problem to be solved by the invention is that the account-permission management mode lacks a supervision mechanism; the invention provides a method and a system for detecting abnormal access behavior of an account to sensitive data so as to quantify the risk level of the account's access to sensitive data.
The invention solves this technical problem through the following technical means:
A method for detecting abnormal access behavior of an account to sensitive data comprises the following steps:
S01, acquiring a database operation log;
S02, parsing SQL statements from the database operation log to generate records of accounts accessing data tables;
S03, combining the first access records accumulated in the first time period with the known normal account information, account type information and sensitive table information to generate an access behavior reference vector set U_{V-basic} of each account type for all sensitive tables;
S04, generating an access behavior vector set U_{V-acct} of each account for all sensitive tables according to the second access records in the second time period;
S05, using a similarity algorithm to output the set of similarities between the access behavior vector of a specific account and the access behavior reference vectors of all non-home account types; the non-home account type is the absolute complement of the existing account type of the specific account relative to the full set of account types, namely PC = U - P, where PC is the non-home account type, U is the full set of account types, and P is the preset account type of the specific account;
S06, determining the abnormal access risk level according to the magnitude of the values in the similarity set.
Preferably, the step S03 specifically includes:
S0301, screening the first access records by using the normal account information, and selecting a first record subset of all normal accounts;
S0302, screening the first record subset by using the sensitive table information, and selecting a second record subset of all sensitive tables;
S0303, using the account type information to label the accounts in the second record subset with their type, and performing grouped statistics by type label to generate statistical data with the account type as the statistical object and the number of accesses to each sensitive table as the statistical index, namely the access behavior reference vector set U_{V-basic}.
Preferably, the step S04 specifically includes:
Grouping and counting the second access records by account to generate statistical data with the account as the statistical object and the number of accesses to each sensitive table as the statistical index, namely the access behavior vector set U_{V-acct}. The access behavior vector is a vector whose components are the numbers of times each sensitive table was accessed; it takes a specific account as the statistical subject, so the counts represent the access behavior of that account.
Preferably, in step S05, a cosine similarity algorithm is adopted, and the formula is as follows:
Figure GDA0003101405770000021
where: similarity is the similarity; A is one of the access behavior reference vectors of the non-home account types; B is the access behavior vector of the specific account; θ is the angle between vectors A and B; A_i and B_i are the components of vectors A and B; and n is the dimension of vectors A and B.
Preferably, the specific process is as follows:
S0501, selecting the access behavior vector V_{acct} of the specific account from the access behavior vector set U_{V-acct} output by S04;
S0502, removing the existing account type P of the specific account from the full set of account types U to obtain the non-home account types PC;
S0503, selecting, from the access behavior reference vector set U_{V-basic} output by S03, the access behavior reference vector set U_{V-basic-pc} of all non-home account types PC of the specific account;
S0504, for each access behavior reference vector V_{basic-pc} in the set U_{V-basic-pc} output by S0503, calculating its similarity to the access behavior vector V_{acct} of the specific account output by S0501;
S0505, adding each similarity output by S0504 to a set, generating the similarity set U_{sim} of the specific account.
Preferably, the step S06 specifically includes:
S0601, setting risk level intervals;
S0602, from the similarity set U_{sim} of the specific account output by S05, taking the maximum value Sim_{max}, which represents the highest risk for the account;
S0603, matching the highest risk Sim_{max} output by S0602 against the risk level intervals of S0601 and outputting the corresponding risk level D_{risk}.
The invention also provides a system for detecting abnormal access behavior of an account to sensitive data, which comprises:
a log acquisition module, configured to acquire a database operation log;
an SQL parsing module, configured to parse SQL statements from the database operation log and generate records of accounts accessing data tables;
an account-type-level reference vector generation module, configured to combine the first access records accumulated in the first time period with the known normal account information, account type information and sensitive table information to generate an access behavior reference vector set U_{V-basic} of each account type for all sensitive tables;
an account-level access behavior vector generation module, configured to generate an access behavior vector set U_{V-acct} of each account for all sensitive tables according to the second access records in the second time period;
a similarity calculation module, configured to use a similarity algorithm to output the set of similarities between the access behavior vector of a specific account and the access behavior reference vectors of all non-home account types; the non-home account type is the absolute complement of the existing account type of the specific account relative to the full set of account types, namely PC = U - P, where PC is the non-home account type, U is the full set of account types, and P is the preset account type of the specific account;
and a risk level calculation module, configured to take the maximum value in the similarity set as the highest risk and output the risk level for that highest risk according to the preset intervals.
Preferably, the account-type-level reference vector generation module screens the first access records by using the normal account information and selects a first record subset of all normal accounts; screens the first record subset by using the sensitive table information and selects a second record subset of all sensitive tables; and finally uses the account type information to label the accounts in the second record subset with their type and performs grouped statistics by type label to generate statistical data with the account type as the statistical object and the number of accesses to each sensitive table as the statistical index, namely the access behavior reference vector set U_{V-basic}.
Preferably, the account-level access behavior vector generation module groups and counts the second access records by account to generate statistical data with the account as the statistical object and the number of accesses to each sensitive table as the statistical index, namely the access behavior vector set U_{V-acct}. The access behavior vector is a vector whose components are the numbers of times each sensitive table was accessed; it takes a specific account as the statistical subject, so the counts represent the access behavior of that account.
Preferably, the similarity calculation module adopts a cosine similarity algorithm, and the formula is as follows:
Figure GDA0003101405770000041
where: similarity is the similarity; A is one of the access behavior reference vectors of the non-home account types; B is the access behavior vector of the specific account; θ is the angle between vectors A and B; A_i and B_i are the components of vectors A and B; and n is the dimension of vectors A and B.
The specific process is as follows:
S0501, selecting the access behavior vector V_{acct} of the specific account from the access behavior vector set U_{V-acct} output by S04;
S0502, removing the existing account type P of the specific account from the full set of account types U to obtain the non-home account types PC;
S0503, selecting, from the access behavior reference vector set U_{V-basic} output by S03, the access behavior reference vector set U_{V-basic-pc} of all non-home account types PC of the specific account;
S0504, for each access behavior reference vector V_{basic-pc} in the set U_{V-basic-pc} output by S0503, calculating its similarity to the access behavior vector V_{acct} of the specific account output by S0501;
S0505, adding each similarity output by S0504 to a set, generating the similarity set U_{sim} of the specific account.
The advantages of the invention are as follows: historical data is used to generate the benchmark, which avoids the subjectivity of manually setting a threshold; the access risk is quantified and a risk level is output, cosine similarity being simple to compute and its result interpretable. The granularity of the traditional supervision mechanism is lowered from the database to the data table, which, particularly for tables containing sensitive data, provides an effective means of protecting an enterprise's invisible assets and user privacy.
Drawings
Fig. 1 is a flow chart of a method for detecting an abnormal access behavior of an account to sensitive data according to an embodiment of the present invention;
Fig. 2 is a structural block diagram of a system for detecting abnormal access behavior of an account to sensitive data according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to the step diagram of fig. 1, the method for detecting the behavior of an account accessing sensitive data abnormally includes the following steps:
S01, acquiring a database operation log;
S02, parsing SQL statements from the database operation log to generate records of accounts accessing data tables;
S03, combining the first access records accumulated in the first time period with the normal account information, the account type information and the sensitive table information to generate an access behavior reference vector set of each account type for all sensitive tables;
The first time period is the access record extraction window used to establish the access behavior reference vectors, and can be defined as three months without loss of generality.
Account types are defined according to job responsibilities, as types that have different access requirements for the sensitive tables; they include but are not limited to database administrators, wide-table development, application development and data assurance. The quality of an account type division can be measured by the pairwise similarity of the access behavior reference vectors of the account types: the smaller the similarity, the higher the quality of the division. When the similarity between two account types is large, merging the two account types can be considered.
The normal account information is a screened and confirmed subset of accounts whose access behavior conforms to their account type. Using this normal account subset ensures that the established access behavior reference vectors are real and reliable.
The account type information is the mapping between all accounts and their existing account types.
The sensitive table information is a screened and confirmed subset of data tables that contain sensitive data, such as the user data table, bill fee table, call record table and network access record table.
The access behavior reference vector is a vector whose components are the numbers of times each sensitive table was accessed. It is the total or average count taken with all accounts under a given account type as the statistical subject, and it represents the access behavior of that account type; see Table 1.
Table 1. Access behavior reference vector sample data

| Account type / sensitive table | User data table | Bill fee table | Call record table | Network access record table |
|---|---|---|---|---|
| Wide-table development | 100 | 50 | 50 | 25 |
| Application development | 50 | 100 | 100 | 25 |
| Data assurance | 100 | 25 | 25 | 25 |
| Database administrator | 0 | 0 | 0 | 0 |

S0301, screening the first access records by using the normal account information, and selecting a first record subset of all normal accounts;
S0302, screening the first record subset by using the sensitive table information, and selecting a second record subset of all sensitive tables;
S0303, using the account type information to label the accounts in the second record subset with their type, and performing grouped statistics by type label to generate statistical data with the account type as the statistical object and the number of accesses to each sensitive table as the statistical index, namely the access behavior reference vector set U_{V-basic}.
S04, generating an access behavior vector set of each account for all sensitive tables according to the second access records in the second time period;
Grouping and counting the second access records by account to generate statistical data with the account as the statistical object and the number of accesses to each sensitive table as the statistical index, namely the access behavior vector set U_{V-acct}.
The second time period is the access record extraction window used to establish the access behavior vector of a specific account, and can be defined as one day without loss of generality.
The access behavior vector is a vector whose components are the numbers of times each sensitive table was accessed; it takes a specific account as the statistical subject, so the counts represent the access behavior of that account.
S05, using a similarity algorithm to output the set of similarities between the access behavior vector of the specific account and the access behavior reference vectors of all non-home account types;
The non-home account type is the absolute complement of the preset account type of the specific account relative to the full set of account types, that is, PC = U - P, where PC is the non-home account type, U is the full set of account types, and P is the preset account type of the specific account.
The similarity algorithm used is cosine similarity. Cosine similarity measures the similarity between two vectors by calculating the cosine of the angle between them; in general its value ranges from -1 to 1. In the embodiment of the present invention, the cosine similarity between the access behavior vector of a specific account and the access behavior reference vector of an account type ranges from 0 to 1, because all components are access counts and therefore non-negative. A value approaching 1 means the access behavior of the specific account is highly similar to that account type, and a value approaching 0 means the similarity is low.
The cosine similarity is calculated as follows:
Figure GDA0003101405770000071
where: similarity is the similarity; A and B are the two input vectors; θ is the angle between vectors A and B; A_i and B_i are the components of vectors A and B; and n is the dimension of vectors A and B.
S0501, selecting the access behavior vector V_{acct} of the specific account from the access behavior vector set U_{V-acct} output by S04;
S0502, removing the existing account type P of the specific account from the full set of account types U to obtain the non-home account types PC;
S0503, selecting, from the access behavior reference vector set U_{V-basic} output by S03, the access behavior reference vector set U_{V-basic-pc} of all non-home account types PC of the specific account;
S0504, for each access behavior reference vector V_{basic-pc} in the set U_{V-basic-pc} output by S0503, calculating its similarity to the access behavior vector V_{acct} of the specific account output by S0501;
S0505, adding each similarity output by S0504 to a set, generating the similarity set U_{sim} of the specific account.
S06, the larger a value in the similarity set, the higher the abnormal access risk level; the maximum value in the set can be taken to represent the highest risk, and the risk level is output for that highest risk according to the preset intervals.
S0601, setting risk level intervals, without loss of generality, e.g., [0,0.3) low risk, [0.3,0.6] medium risk, (0.6,1] high risk;
S0602, from the similarity set U_{sim} of the specific account output by S05, taking the maximum value Sim_{max}, which represents the highest risk for the account;
S0603, matching the highest risk Sim_{max} output by S0602 against the risk level intervals of S0601 and outputting the corresponding risk level D_{risk}.
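The following added example (not part of the patent text) runs steps S03 to S06 in Python, using the Table 1 values as the reference vectors and the S0601 intervals as given. The table identifiers, account names, access records and the handling of all-zero vectors are assumptions constructed for illustration; it also computes the pairwise similarity between account types, the division-quality check described above.

```python
import math
from collections import Counter, defaultdict
from itertools import combinations

# Vector dimensions: one per sensitive table (assumed identifiers for Table 1's columns).
TABLES = ["user_data", "bill_fee", "call_record", "network_record"]

def count_vectors(records, key_of):
    """Group (account, table) records by key_of(account); count hits per sensitive table."""
    counts = defaultdict(Counter)
    for account, table in records:
        if table in TABLES:                      # S0302: keep sensitive tables only
            counts[key_of(account)][table] += 1
    return {k: [c[t] for t in TABLES] for k, c in counts.items()}

def build_baselines(first_records, normal_accounts, account_type):
    """S03: one reference vector per account type, built from vetted accounts only."""
    vetted = [(a, t) for a, t in first_records if a in normal_accounts]   # S0301
    return count_vectors(vetted, lambda a: account_type[a])               # S0303

def build_account_vectors(second_records):
    """S04: one access behavior vector per account for the detection window."""
    return count_vectors(second_records, lambda a: a)

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    # Assumption: an all-zero vector (no sensitive access, e.g. the database
    # administrator row of Table 1) has no direction; score it 0 instead of dividing by 0.
    return dot / norm if norm else 0.0

def risk_level(sim_max):
    """S0601 intervals from the page: [0,0.3) low, [0.3,0.6] medium, (0.6,1] high."""
    if sim_max < 0.3:
        return "low"
    return "medium" if sim_max <= 0.6 else "high"

def assess(account, acct_vectors, baselines, account_type):
    """S05-S06: compare the account with every non-home type (PC = U - P)."""
    vec = acct_vectors.get(account, [0] * len(TABLES))   # no records -> zero vector
    home = account_type[account]
    sims = {t: cosine(ref, vec) for t, ref in baselines.items() if t != home}
    closest = max(sims, key=sims.get)                    # S0602: Sim_max
    return {"closest_type": closest, "sim_max": sims[closest],
            "risk": risk_level(sims[closest]), "sims": sims}

def type_overlap(baselines):
    """Pairwise similarity between type baselines; large values suggest merging types."""
    return {(s, t): cosine(baselines[s], baselines[t])
            for s, t in combinations(sorted(baselines), 2)}

# Reference vectors copied from Table 1 (type keys are assumed identifiers).
TABLE1 = {
    "wide_table_dev": [100, 50, 50, 25],
    "app_dev":        [50, 100, 100, 25],
    "data_assurance": [100, 25, 25, 25],
    "dba":            [0, 0, 0, 0],
}

# Constructed sample data: account-to-type mapping and one day of access records.
ACCOUNT_TYPE = {"dba01": "dba", "dba02": "dba", "wide01": "wide_table_dev"}
SECOND = (
    [("dba01", "user_data")] * 40 + [("dba01", "bill_fee")] * 80
    + [("dba01", "call_record")] * 85 + [("dba01", "network_record")] * 20
    + [("wide01", "user_data")] * 20 + [("wide01", "bill_fee")] * 10
    + [("wide01", "call_record")] * 10 + [("wide01", "network_record")] * 5
)
VECTORS = build_account_vectors(SECOND)

# Constructed first-period records: "tmp9" is not vetted, "hr_notes" is not sensitive.
FIRST = ([("wide01", "user_data")] * 4 + [("wide01", "bill_fee")] * 2
         + [("tmp9", "call_record")] * 9 + [("wide01", "hr_notes")] * 3)

if __name__ == "__main__":
    print(build_baselines(FIRST, {"wide01"}, ACCOUNT_TYPE))
    for acct in ACCOUNT_TYPE:
        r = assess(acct, VECTORS, TABLE1, ACCOUNT_TYPE)
        print(acct, r["closest_type"], round(r["sim_max"], 4), r["risk"])
    print(type_overlap(TABLE1))
```

With the Table 1 sample values, the wide-table development and data assurance baselines are about 0.96 similar to each other, so `wide01`, which matches its own home baseline exactly, is still scored high against data assurance; this is the situation in which the type-division quality check applies.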
Referring to fig. 2, the present invention also discloses a system for detecting the behavior of an account accessing sensitive data abnormally, which includes:
a log acquisition module, configured to acquire a database operation log;
an SQL parsing module, configured to parse SQL statements from the database operation log and generate records of accounts accessing data tables;
an account-type-level reference vector generation module, configured to combine the first access records accumulated in the first time period with the known normal account information, account type information and sensitive table information to generate an access behavior reference vector set U_{V-basic} of each account type for all sensitive tables;
an account-level access behavior vector generation module, configured to generate an access behavior vector set U_{V-acct} of each account for all sensitive tables according to the second access records in the second time period;
a similarity calculation module, configured to use a similarity algorithm to output the set of similarities between the access behavior vector of a specific account and the access behavior reference vectors of all non-home account types; the non-home account type is the absolute complement of the existing account type of the specific account relative to the full set of account types, namely PC = U - P, where PC is the non-home account type, U is the full set of account types, and P is the preset account type of the specific account;
and a risk level calculation module, configured to take the maximum value in the similarity set as the highest risk and output the risk level for that highest risk according to the preset intervals.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (5)

1. A method for detecting abnormal access behavior of an account to sensitive data, characterized in that the method comprises the following steps:
S01, acquiring a database operation log;
S02, parsing SQL statements from the database operation log to generate records of accounts accessing data tables;
S03, combining the first access records accumulated in the first time period with the known normal account information, account type information and sensitive table information to generate an access behavior reference vector set U_{V-basic} of each account type for all sensitive tables;
The step S03 specifically includes:
S0301, screening the first access records by using the normal account information, and selecting a first record subset of all normal accounts;
S0302, screening the first record subset by using the sensitive table information, and selecting a second record subset of all sensitive tables;
S0303, using the account type information to label the accounts in the second record subset with their type, and performing grouped statistics by type label to generate statistical data with the account type as the statistical object and the number of accesses to each sensitive table as the statistical index, namely the access behavior reference vector set U_{V-basic};
S04, generating an access behavior vector set U_{V-acct} of each account for all sensitive tables according to the second access records in the second time period;
The step S04 specifically includes:
grouping and counting the second access records by account to generate statistical data with the account as the statistical object and the number of accesses to each sensitive table as the statistical index, namely the access behavior vector set U_{V-acct}; the access behavior vector is a vector whose components are the numbers of times each sensitive table was accessed, and it takes a specific account as the statistical subject, so the counts represent the access behavior of that account;
S05, using a similarity algorithm to output the set of similarities between the access behavior vector of the specific account and the access behavior reference vectors of all non-home account types; the non-home account type is the absolute complement of the existing account type of the specific account relative to the full set of account types, namely PC = U - P, where PC is the non-home account type, U is the full set of account types, and P is the preset account type of the specific account;
in step S05, a cosine similarity algorithm is adopted, and the formula is as follows:
Figure FDA0003198267450000011
where: similarity is the similarity; A is one of the access behavior reference vectors of the non-home account types; B is the access behavior vector of the specific account; θ is the angle between vectors A and B; A_i and B_i are the components of vectors A and B; and n is the dimension of vectors A and B;
S06, determining the abnormal access risk level according to the magnitude of the values in the similarity set.
2. The method for detecting the abnormal access sensitive data behavior of the account according to claim 1, wherein: the specific process is as follows:
s0501, set U of access behavior vectors output from S04V-acctSelecting access behavior vector V of specific accountacct
S0502, removing the existing account number type P of the specific account number from the account number type complete set U as the non-home account number type PC;
s0503, access behavior reference vector set U output from S03V-basicSelecting an access behavior reference vector set U of all non-home account types PC of a specific accountV-basic-pc
S0504, access behavior benchmark for S0503 outputVector set UV-basic-pcEach access behavior reference vector V inbasic-pcThe access behavior vector V of the specific account outputted by S0501 is calculatedacctSimilarity therebetween;
s0505, adding each similarity output by the S0504 into a set, and generating a similarity set U of the specific accountsim
3. The method for detecting the abnormal access sensitive data behavior of the account according to claim 2, wherein: the step S06 specifically includes:
s0601, setting a risk grade interval;
s0602, the similarity set U of the specific account output in S05simTaking the maximum value SimmaxRepresents the highest risk for the account;
s0603, highest risk Sim output as S0602maxMatching the risk grade interval of S0601 and outputting corresponding risk grade Drisk
4. A system for detecting abnormal access behavior of an account to sensitive data, characterized by comprising:
a log acquisition module, configured to acquire a database operation log;
an SQL analysis module, configured to parse SQL statements from the database operation log and generate records of accounts accessing data tables;
an account-type-level reference vector generation module, configured to combine the known normal account information, account type information, and sensitive table information with the first access records accumulated in the first time period to generate an access behavior reference vector set $U_{V\text{-}basic}$ of each account type for all sensitive tables;
an account-level access behavior vector generation module, configured to generate an access behavior vector set $U_{V\text{-}acct}$ of each account for all sensitive tables according to the second access records in a second time period;
a similarity calculation module, configured to output, using a similarity calculation method, the similarity set between the access behavior vector of a specific account and the access behavior reference vectors of all non-home account types; the non-home account type is the absolute complement of the specific account's existing account type relative to the full set of account types, that is, with PC the non-home account type, U the full set of account types, and P the preset account type of the specific account;
a risk level calculation module, configured to take the maximum value in the similarity set as the highest risk and output its risk level according to the existing intervals;
wherein the account-type-level reference vector generation module screens the first access records using the normal account information to select a first record subset of all normal accounts; screens the first record subset using the sensitive table information to select a second record subset of all sensitive tables; and finally uses the account type information to label the accounts in the second record subset with their types and performs grouped statistics by type label, generating statistical data with the account type as the statistical object and the number of sensitive table accesses as the statistical index, namely the access behavior reference vector set $U_{V\text{-}basic}$;
the account-level access behavior vector generation module performs grouped statistics on the second access records by account, generating statistical data with the account as the statistical object and the number of sensitive table accesses as the statistical index, namely the access behavior vector set $U_{V\text{-}acct}$; an access behavior vector is a vector whose components are the numbers of accesses to each sensitive table, and because the vector takes a specific account as its statistical subject, the counts represent the access behavior of that account;
the similarity calculation module adopts the cosine similarity algorithm, with the following formula:
Figure FDA0003198267450000031
wherein: similarity is the similarity, A is one of the access behavior reference vectors of the non-home account types, B is the access behavior vector of the specific account, θ is the angle between vectors A and B, $A_i$ and $B_i$ are the components of vectors A and B, and n is the dimension of the two vectors.
5. The system for detecting abnormal access behavior of an account to sensitive data according to claim 4, wherein the similarity calculation module operates as follows:
selecting the access behavior vector $V_{acct}$ of the specific account from the output access behavior vector set $U_{V\text{-}acct}$;
removing the existing account type A of the specific account from the full set U of account types, the remainder being the non-home account types PC;
selecting, from the output access behavior reference vector set $U_{V\text{-}basic}$, the access behavior reference vector set $U_{V\text{-}basic\text{-}pc}$ of all non-home account types PC of the specific account;
for each access behavior reference vector $V_{basic\text{-}pc}$ in the output set $U_{V\text{-}basic\text{-}pc}$, calculating its similarity to the output access behavior vector $V_{acct}$ of the specific account;
adding each output similarity to a set, generating the similarity set $U_{sim}$ of the specific account.
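The pipeline in claims 2 to 5 (per-type reference vectors, per-account vectors, cosine similarity against the non-home types, maximum similarity mapped to a risk level) can be sketched as follows. This is an added example, not code from the patent: the table names, accounts, account types, access records and risk interval cut-offs are constructed assumptions, and `cosine` is the standard cosine similarity formula.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: table names, accounts, types and cut-offs are assumptions.
SENSITIVE = ["cust_pii", "payroll", "card_data"]
ACCOUNT_TYPE = {"app01": "application", "app02": "application",
                "dba01": "dba", "rpt01": "reporting"}
# (account, table) records parsed from SQL logs; first period is the known-normal baseline.
BASELINE = ([("app01", "cust_pii")] * 40 + [("app02", "cust_pii")] * 35 +
            [("app01", "card_data")] * 5 + [("dba01", "payroll")] * 3 +
            [("dba01", "card_data")] * 2 + [("rpt01", "payroll")] * 50 +
            [("rpt01", "public_news")] * 9)
OBSERVED = ([("app01", "cust_pii")] * 30 + [("app01", "card_data")] * 4 +
            [("app02", "payroll")] * 25 + [("app02", "cust_pii")] * 2)
RISK_INTERVALS = [(0.8, "high"), (0.5, "medium"), (0.0, "low")]  # lower bounds

def count_vectors(records, group_of):
    """Count sensitive-table accesses per group, as vectors in SENSITIVE order."""
    counts = defaultdict(Counter)
    for account, table in records:
        group = group_of(account)
        if table in SENSITIVE and group is not None:
            counts[group][table] += 1
    return {g: [c[t] for t in SENSITIVE] for g, c in counts.items()}

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0  # a zero vector has no direction

def risk_for(account, reference, vectors):
    """Steps S0501-S0603: max similarity to non-home baselines, mapped to a level."""
    home = ACCOUNT_TYPE[account]
    sims = [cosine(ref, vectors[account])
            for acct_type, ref in reference.items() if acct_type != home]
    sim_max = max(sims, default=0.0)
    level = next(name for floor, name in RISK_INTERVALS if sim_max >= floor)
    return sim_max, level

def detect():
    reference = count_vectors(BASELINE, ACCOUNT_TYPE.get)  # per-type reference vectors
    vectors = count_vectors(OBSERVED,                       # per-account vectors
                            lambda a: a if a in ACCOUNT_TYPE else None)
    return {acct: risk_for(acct, reference, vectors) for acct in vectors}

if __name__ == "__main__":
    for acct, (sim_max, level) in detect().items():
        print(f"{acct}: Sim_max={sim_max:.3f} risk={level}")
```

In the constructed data, `app02` is typed as an application account but its observed vector points almost exactly along the reporting baseline, so it is the account that lands in the top interval.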
CN201911045981.0A 2019-10-30 2019-10-30 Method and system for detecting abnormal access behavior of account to sensitive data Active CN110750786B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911045981.0A CN110750786B (en) 2019-10-30 2019-10-30 Method and system for detecting abnormal access behavior of account to sensitive data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911045981.0A CN110750786B (en) 2019-10-30 2019-10-30 Method and system for detecting abnormal access behavior of account to sensitive data

Publications (2)

Publication Number Publication Date
CN110750786A CN110750786A (en) 2020-02-04
CN110750786B CN110750786B (en) 2021-09-14

Family

ID=69281246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911045981.0A Active CN110750786B (en) 2019-10-30 2019-10-30 Method and system for detecting abnormal access behavior of account to sensitive data

Country Status (1)

Country Link
CN (1) CN110750786B (en)

Also Published As

Publication number Publication date
CN110750786A (en) 2020-02-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant