CN111143824B - Method and device for determining redundancy permission, computer equipment and readable storage medium - Google Patents


Info

Publication number: CN111143824B
Authority: CN (China)
Prior art keywords: access; session; page; access record; preset
Legal status: Active
Application number: CN201911415388.0A
Other languages: Chinese (zh)
Other versions: CN111143824A
Inventors: 沈韵, 张泽洲, 魏勇, 简明
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Events: application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; priority to CN201911415388.0A; publication of CN111143824A; application granted; publication of CN111143824B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a method and a device for determining redundant permissions, a computer device and a readable storage medium. The method comprises: acquiring historical access information of a target subject; parsing the historical access information into a plurality of sessions, where each session comprises a plurality of access records, each access record comprises an access address and the page operations performed when that address was accessed, and the last access record in a session is the session target of that session; determining redundant session targets from the occurrence probability of each session target among the session targets of the plurality of sessions, where the lower the occurrence probability of a session target, the more likely it is a redundant session target; and, in the permission set of the target subject, determining redundant permissions according to the redundant session targets. In this way the redundant permissions in a permission set can be identified, the permission set is kept minimal, and security is improved.

Description

Method and device for determining redundancy permission, computer equipment and readable storage medium
Technical Field
The present invention relates to the field of permission management, and in particular to a method and a device for determining redundant permissions, a computer device and a computer-readable storage medium.
Background
To implement differentiated security management, different permission management is configured for different users. In the prior art a permission set is configured for each user; when access control is enforced, an access that falls within the permission set is allowed and an access that falls outside it is blocked.
When judging whether an access falls within the permission set, the inventors found that when the permission set contains many permissions, the attack surface tends to grow and system security becomes unreliable.
Therefore, there is an urgent need in the art for a method, a device, a computer device and a readable storage medium that determine the redundant permissions in a permission set and manage the permission set according to those redundant permissions, so that the permission set is kept minimal and system security is improved.
Disclosure of Invention
The present invention provides a method, a device, a computer device and a computer-readable storage medium for determining redundant permissions, in order to solve the above problems of the prior art.
In one aspect, the present invention provides a method for determining redundant permissions.
The method for determining redundant permissions comprises: acquiring historical access information of a target subject; parsing the historical access information into a plurality of sessions, where each session comprises a plurality of access records, each access record comprises an access address and the page operations performed when that address was accessed, and the session target of a session is one of the access records of that session; determining redundant session targets from the occurrence probability of each session target among the session targets of the plurality of sessions, where the lower the occurrence probability of a session target, the more likely it is a redundant session target; and, in the permission set of the target subject, determining redundant permissions according to the redundant session targets.
Further, the session target of a session is the last access record in the session. Parsing the historical access information into a plurality of sessions comprises: obtaining the access addresses in the historical access information; obtaining the page operations performed on the page when each access address was accessed; generating an access record from each access address and its corresponding page operations; and taking a run of adjacent access records whose pairwise similarity exceeds a preset similarity threshold as one session.
Further, after obtaining the access addresses in the historical access information, parsing also comprises calculating the page dwell time on the page when each access address was accessed. Generating an access record then means generating it from the access address, its corresponding page operations and the page dwell time, and a session is a run of adjacent access records whose similarity exceeds the preset similarity threshold and whose page dwell times lie within a preset dwell-time range.
Further, taking adjacent access records whose similarity exceeds the preset similarity threshold and whose page dwell times lie within the preset dwell-time range as one session comprises the following steps, which maintain an access record set that accumulates the session currently being built:
Step S1: take the next access record in access-time order as the first access record.
Step S2: judge whether the page dwell time of the first access record lies within the preset dwell-time range, and whether the access record set already contains access records. If the dwell time is within range and the set is non-empty, go to step S3; if the dwell time is within range and the set is empty, go to step S5; if the dwell time is out of range and the set is non-empty, go to step S7; if the dwell time is out of range and the set is empty, return to step S1.
Step S3: calculate the similarity between the first access record and the newest access record in the access record set.
Step S4: judge whether the similarity is greater than or equal to the preset similarity threshold; if it is, go to step S5, otherwise go to step S6.
Step S5: write the first access record into the access record set and return to step S1.
Step S6: output the access record set as one session, empty it, add the first access record to it, and return to step S1.
Step S7: output the access record set as one session, empty it, and return to step S1.
Further, the similarity is measured by the Hamming distance or the edit distance between the access addresses of two adjacent access records.
Further, different access addresses have different preset dwell-time ranges, and the range for an access address is calculated as follows: obtain the access records whose access address is the same as that of the record whose page dwell time is being judged (the similar access records); and calculate the preset dwell-time range from the page dwell times of those similar access records.
Further, calculating the preset dwell-time range from the page dwell times of the similar access records comprises: drawing a box plot of the page dwell times of the similar access records; calculating the first quartile $Q_1$, the third quartile $Q_3$ and the interquartile range $QR$ of the box plot; and calculating the preset dwell-time range $(\delta_{time,min}, \delta_{time,max})$ as $\delta_{time,min} = Q_1 - a \cdot QR$ and $\delta_{time,max} = Q_3 + b \cdot QR$, where $a$ and $b$ are dimensionless coefficients.
In another aspect, to achieve the above object, the present invention provides a device for determining redundant permissions.
The device for determining redundant permissions comprises: an acquisition module for acquiring historical access information of the target subject; a parsing module for parsing the historical access information into a plurality of sessions, where each session comprises a plurality of access records, each access record comprises an access address and the page operations performed when that address was accessed, and the session target of a session is one of its access records; a first determining module for determining redundant session targets among the session targets of the plurality of sessions according to their occurrence probability, where the lower the occurrence probability of a session target, the more likely it is a redundant session target; and a second determining module for determining redundant permissions in the permission set of the target subject according to the redundant session targets.
To achieve the above object, the present invention also provides a computer device, which includes a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method when executing the computer program.
To achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above method.
With the method, device, computer device and readable storage medium for determining redundant permissions provided by the invention, a plurality of sessions are obtained by parsing the historical access information of a target subject; the last access record of each session, that is, the last access address in the session together with the page operations performed when it was accessed, is taken as the session target; redundant session targets are determined from the occurrence probability of each session target among all session targets, a session target with a lower occurrence probability being more likely to be redundant; and finally the redundant permissions in the permission set are determined from the redundant session targets. The redundant permissions in the permission set of the target subject can thus be identified and then processed: they can be deleted from the permission set, keeping the permission set minimal and improving system security, or the permissions in the set can be prioritised and the priority of the redundant ones lowered, reducing the effect of permission checks on access speed.
Drawings
Various additional advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart of a method for determining redundancy permission according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for determining redundancy permission according to a second embodiment of the present invention;
fig. 3 is a flowchart of a method for determining redundancy permission according to a third embodiment of the present invention;
fig. 4 is a block diagram of a device for determining redundancy permission according to a fourth embodiment of the present invention; and
fig. 5 is a hardware configuration diagram of a computer device according to a fifth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to determine the redundant permissions in a permission set, so that the permission set can be reduced and the effect of permission checks on access speed lowered, the invention provides a method and a device for determining redundant permissions, a computer device and a readable storage medium. In the method, historical access information of a target subject is acquired first and parsed into a plurality of sessions; each session comprises a plurality of access records, each access record comprises an access address and the page operations performed when that address was accessed, and the last access record of a session is its session target. Among the session targets of the plurality of sessions, redundant session targets are determined from their occurrence probability: the lower the occurrence probability of a session target, the more likely it is redundant, which means that the target subject only rarely accesses the address of a redundant session target and performs the corresponding page operations. Redundant permissions are then determined in the permission set of the target subject from the redundant session targets, and can be processed: deleted from the permission set, keeping it minimal and improving system security, or assigned a lower priority among the permissions in the set, reducing the effect of permission checks on access speed.
The following detailed description will discuss specific embodiments of a method, an apparatus, a computer device and a readable storage medium for determining redundancy rights provided by the present invention.
Example one
The first embodiment provides a method for determining redundant permissions, which determines the redundant permissions in the permission set of a given target subject so that they can be processed and the effect of permission checks on access speed reduced. Fig. 1 is a flowchart of the method according to this embodiment; as shown in fig. 1, the method comprises steps S101 to S104 below.
Step S101: and acquiring historical access information of the target subject.
The target subject is an access subject identified by a user name or by the identification information of a terminal device, for which a permission set is configured. For example, a user identified by user name can only access the range covered by that permission set when accessing the target system; likewise, when a user accesses the target system through a terminal identified by its identification information, only the range covered by that terminal's permission set can be accessed. Optionally, the historical access information generated by the target subject accessing the target system over a period of time is collected from the logs of the terminal device, of an intermediate control device (for example a firewall or a proxy) or of the server.
Step S102: the historical access information is parsed for a plurality of sessions.
The session comprises a plurality of access records, each access record comprises an access address and a page operation performed when the access address is accessed, and the last access record in the session is a session target of the session.
A session is a process in which the target subject communicates with an interactive system and may include one or more interactions between them; for example, one TCP connection is established over which one or several HTTP requests are sent, and each request forms one access record, so one session comprises several access records. Each HTTP request corresponds to an access address, and the user may perform one or more page operations on the page displayed for that address.
Optionally, in a session, the last access record is used as a session target of the session to identify the purpose of the user to start the session.
Optionally, in step S102, parsing the historical access information into a plurality of sessions specifically comprises: obtaining the access addresses in the historical access information; obtaining the page operations performed on the page when each access address was accessed; generating an access record from each access address and its corresponding page operations; and taking a run of adjacent access records whose similarity exceeds a preset similarity threshold as one session.
Specifically, access addresses can be matched and extracted from the historical access information by feature matching on characteristic features of an access address; the feature may be a specific string such as http or ftp, or a string that satisfies a specific format, for example "xxx.". After each access address url is obtained, the page operations performed on the page corresponding to that url are further obtained; the page operations form a page-operation set $\Omega_{op} = (op_1, op_2, op_3, \dots)$, and one access record is $R_i = (url_i, \Omega_{op_i})$. For the generated access records $R_1, R_2, R_3, R_4, \dots$, whether adjacent records belong to the same session is decided by calculating the similarity of each pair of adjacent access records, and adjacent access records whose similarity exceeds the preset similarity threshold are taken as one session. Further optionally, the similarity of two adjacent access records is calculated as the Hamming distance or the edit distance between their access addresses; these distances can be computed in the known way and are not described further here.
Step S103: and determining redundant session targets according to the occurrence probability of the session targets in the session targets of the multiple sessions.
The lower the occurrence probability of a session target, the more likely it is a redundant session target.
After each session has been determined in step S102, the last access record of each session is taken as its session target, giving N session targets for the historical access information acquired in step S101; some of these N session targets are identical and some differ. The N session targets are counted to obtain the number of occurrences of each distinct session target, and the ratio of that number to N is the occurrence probability of the session target. The lower the occurrence probability, the more likely the session target is redundant. Optionally, the occurrence probability is compared with a predetermined probability threshold, and a session target whose occurrence probability is below the threshold is taken as a redundant session target.
Step S104: and in the permission set of the target subject, determining redundant permission according to the redundant session target.
After the redundant session targets have been determined in step S103, step S104 determines the redundant permissions in the permission set from them. For example, if a permission in the set is the permission to access a particular access address, the permission corresponding to the access address of a redundant session target can be determined to be redundant; if a permission in the set is the permission to access a certain type of resource, the permission for the resource accessed by the access address of a redundant session target can be determined to be redundant.
In the method of this embodiment, a plurality of sessions are parsed from the historical access information of the target subject; the last access record of each session, that is, the last access address and the page operations performed when it was accessed, is taken as the session target; among the session targets, redundant session targets are determined from their occurrence probability, a session target with a low occurrence probability being taken as redundant; and finally the redundant permissions in the permission set are determined from the redundant session targets. The redundant permissions in the permission set of the target subject can thus be identified and processed: deleted from the permission set, keeping it minimal and improving system security, or assigned a lower priority among the permissions in the set, reducing the effect of permission checks on access speed.
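Steps S101 to S104 as one runnable pipeline, written for this page in Python as an added example; it is not the patent's implementation and not the applicant's code. Everything it fixes is an assumption the patent leaves open: the similarity of two adjacent access records is taken as 1 minus the edit distance of their access addresses divided by the longer address length (the patent names Hamming or edit distance but gives no normalisation); a permission is modelled as a URL-path prefix; and a permission is reported as redundant only when every session target it covers is a redundant one, a conservative refinement of step S104 so that a prefix shared with a frequent target is not dropped. The access log and permission set are constructed for the example.

```python
"""Added example, not the patent's own code: session targets and redundant
permissions from a constructed access log (steps S101 to S104).

Assumptions (not fixed by the patent text): similarity of two adjacent access
records is 1 - edit_distance / max_len over their access addresses; a
permission is a URL-path prefix; a permission is redundant only if every
session target it covers is a redundant session target.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Record = Tuple[str, Tuple[str, ...]]  # (access address url_i, page operations Ω_op_i)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, one of the two distances the patent names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_similarity(u1: str, u2: str) -> float:
    """Distance turned into a similarity in [0, 1]; the normalisation is assumed."""
    return 1.0 - edit_distance(u1, u2) / max(len(u1), len(u2), 1)


def split_sessions(records: List[Record], sim_threshold: float) -> List[List[Record]]:
    """Step S102: adjacent records stay in one session while their similarity
    is at least the threshold; a drop below it starts a new session."""
    sessions: List[List[Record]] = []
    current: List[Record] = []
    for rec in records:  # records are already in access-time order
        if current and url_similarity(current[-1][0], rec[0]) < sim_threshold:
            sessions.append(current)
            current = []
        current.append(rec)
    if current:
        sessions.append(current)
    return sessions


def session_target_probabilities(sessions: List[List[Record]]) -> Dict[Record, float]:
    """Step S103: the last record of each session is its target; p = count / N."""
    targets = [session[-1] for session in sessions]
    counts = Counter(targets)
    return {target: n / len(targets) for target, n in counts.items()}


def redundant_session_targets(probs: Dict[Record, float], p_threshold: float) -> Set[Record]:
    """Targets whose occurrence probability is below the predetermined threshold."""
    return {target for target, p in probs.items() if p < p_threshold}


def redundant_permissions(permission_set: Dict[str, str], probs: Dict[Record, float],
                          redundant: Set[Record]) -> Set[str]:
    """Step S104 with the assumed refinement: a permission is redundant only if it
    covers at least one session target and all targets it covers are redundant.
    permission_set maps a permission name to the URL-path prefix it grants."""
    result = set()
    for name, prefix in permission_set.items():
        covered = {t for t in probs if t[0] == prefix or t[0].startswith(prefix + "/")}
        if covered and covered <= redundant:
            result.add(name)
    return result


# Constructed sample history of one target subject, in access-time order.
HISTORY: List[Record] = [
    ("/orders", ("view",)), ("/orders/list", ("filter",)), ("/orders/export", ("download",)),
    ("/profile", ("view",)), ("/profile/email", ("edit",)),
    ("/orders", ("view",)), ("/orders/list", ("filter",)), ("/orders/export", ("download",)),
    ("/admin/users", ("view",)), ("/admin/users/7", ("disable",)),
    ("/orders", ("view",)), ("/orders/list", ("filter",)), ("/orders/export", ("download",)),
]

# Constructed permission set: permission name -> URL-path prefix it grants.
PERMISSIONS: Dict[str, str] = {
    "orders.view": "/orders",
    "orders.export": "/orders/export",
    "profile.edit": "/profile",
    "admin.users": "/admin/users",
}


def analyse(records: List[Record] = HISTORY, permission_set: Dict[str, str] = PERMISSIONS,
            sim_threshold: float = 0.5, p_threshold: float = 0.3):
    sessions = split_sessions(records, sim_threshold)
    probs = session_target_probabilities(sessions)
    redundant = redundant_session_targets(probs, p_threshold)
    return sessions, probs, redundant, redundant_permissions(permission_set, probs, redundant)


if __name__ == "__main__":
    sessions, probs, redundant, perms = analyse()
    print(f"{len(sessions)} sessions; session targets and occurrence probabilities:")
    for target, p in sorted(probs.items()):
        print(f"  {target[0]:16s} {target[1]} p={p:.2f}")
    print("redundant session targets:", sorted(redundant))
    print("redundant permissions:", sorted(perms))
```

On the constructed log the three order sessions all end in the same target, so it has probability 0.6, while the profile edit and the admin disable each occur once (0.2) and fall below the 0.3 threshold; profile.edit and admin.users are reported as redundant, and orders.view is kept because its prefix also covers the frequent export target. Two caveats apply to any deployment of this idea: the method only sees what the log window contains, so a permission that a subject legitimately exercises less often than the window is long (a quarterly task, say) looks redundant, and a permission that has already been abused often enough looks essential. The session targets of the rare sessions are therefore a review list, not an automatic revocation list.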
Example two
The second embodiment provides a preferred method for determining redundant permissions in the permission set of a given target subject. Some technical features are the same as in the first embodiment; see the first embodiment for their description and effects. In addition, this embodiment identifies anomalous access records by their page dwell time, reducing the influence of anomalous access records on the sessions, improving the accuracy with which sessions are determined and hence the accuracy with which redundant permissions are determined. Fig. 2 is a flowchart of the method according to the second embodiment; as shown in fig. 2, it comprises steps S201 to S208 below.
Step S201: and acquiring historical access information of the target subject.
Step S202: and acquiring the access address in the historical access information.
Step S203: and acquiring page operation performed on the page when the access address is accessed.
Step S204: the page dwell time on the page when the access address is accessed is calculated.
Step S205: and generating an access record according to the access address, the page operation corresponding to the access address and the page retention time.
In step S203, the plurality of page operations performed on the page when the access address is accessed are obtained, and they form the page-operation set $\Omega_{op} = (op_1, op_2, op_3, \dots)$. In step S205, the access record $R_i = (url_i, \Omega_{op_i}, \Delta_i)$ is then generated from the access address $url_i$, the page-operation set $\Omega_{op_i}$ corresponding to that address, and the page dwell time $\Delta_i$.
Step S206: and taking a plurality of adjacent access records with the similarity larger than a preset similarity threshold value and the page dwell time within a preset dwell time range as a session.
Through this step, the page dwell time of every access record in a session lies within the preset dwell-time range, so anomalous accesses are excluded from the session.
Optionally, different access addresses have different preset dwell-time ranges. The content displayed and the operations available differ between pages, so setting an adapted dwell-time range for each access address improves the accuracy of the anomaly judgement.
Further optionally, the preset dwell-time range is calculated as follows: obtain the access records whose access address is the same as that of the record being judged (the similar access records); and calculate the preset dwell-time range from the page dwell times of those similar access records.
That is, when judging whether the page dwell time of an access record lies within the preset dwell-time range, the range is calculated from the page dwell times of the other access records with the same access address (the similar access records), which improves the accuracy of the range.
Further optionally, calculating the preset dwell-time range from the page dwell times of the similar access records comprises: drawing a box plot of the page dwell times of the plurality of similar access records; calculating the first quartile $Q_1$, the third quartile $Q_3$ and the interquartile range $QR$ of the box plot; and calculating the preset dwell-time range $(\delta_{time,min}, \delta_{time,max})$ as $\delta_{time,min} = Q_1 - a \cdot QR$ and $\delta_{time,max} = Q_3 + b \cdot QR$, where $a$ and $b$ are dimensionless coefficients.
In the box plot, the first quartile $Q_1$, also called the lower quartile, is the value at the 25th percentile when all page dwell time values are sorted in ascending order. The second quartile $Q_2$, also called the median, is the value at the 50th percentile. The third quartile $Q_3$, also called the upper quartile, is the value at the 75th percentile. The difference between the third quartile and the first quartile is the interquartile range $QR$. Optionally, $a$ and $b$ are both 1.5.
Step S207: among the session targets of the plurality of sessions, a session target having an occurrence probability smaller than a predetermined probability threshold is determined as a redundant session target.
A session consisting of several access records $R_i$ is $Record = [R_1, R_2, R_3, \ldots, R_i, R_{i+1}, \ldots, R_{MAX}]$, where $R_{MAX} = (url_{MAX}, \Omega_{op\,MAX}, \Delta_{MAX})$ is the session target. Among the session targets $R_{MAX1}, R_{MAX2}, R_{MAX3}, R_{MAX4}, R_{MAX5}, R_{MAX6}, \ldots, R_{MAXN}$ of the multiple sessions, identical session targets are identified; for example, if $R_{MAX1}$, $R_{MAX3}$ and $R_{MAX6}$ are the same session target, the count of that session target is 3. Finally, the occurrence probability of each session target is calculated from the count of that session target and the total number N of session targets.
Step S208: and in the permission set of the target subject, determining redundant permission according to the redundant session target.
With the method for determining redundant permissions provided by this embodiment, the access record includes the page dwell time, an access record whose page dwell time falls outside the preset dwell time range is treated as an abnormal access record, and abnormal access records are excluded from sessions. This reduces the influence of abnormal access records on the sessions, improves the accuracy with which sessions are determined, and thus improves the accuracy with which redundant permissions are determined. Further, when abnormal access records are judged, different page dwell time ranges are set for different access addresses, which improves the accuracy of that judgment; and the page dwell time range is determined from the page dwell times of similar access records, which improves the accuracy of the range itself.
EXAMPLE III
A third embodiment of the present invention provides a preferred method for determining redundant permissions, which determines the redundant permissions in the permission set of a given target subject. Some of its technical features are the same as those of the first and second embodiments, whose descriptions and corresponding technical effects apply here. In addition, in the third embodiment the access records are obtained in access time order and the session judgment is performed on each of them in a loop, so the judgment logic is simple and the accuracy is high. Specifically, fig. 3 is a flowchart of the method for determining redundant permissions according to the third embodiment, and as shown in fig. 3 the method includes steps S301 to S314 as follows.
Step S301: acquiring the historical access information of the target subject.
Step S302: acquiring the access addresses in the historical access information.
Step S303: acquiring the page operations performed on the page when each access address is accessed.
Step S304: calculating the page dwell time on the page when each access address is accessed.
Step S305: generating an access record from the access address, the page operation corresponding to the access address and the page dwell time.
Step S306: acquiring one access record, in access time order, as the first access record.
Optionally, for the acquired historical access information, the step S306 may be executed after each access record is generated, or the step S306 may be executed after all access records are generated, and both manners are within the protection scope of the present invention.
When step S306 is executed, the access records are obtained in access time order. They may be obtained in chronological order, that is, the access record with the earlier access time is obtained first and the one with the later access time afterwards; or they may be obtained in reverse chronological order, which is not described again here.
For convenience of description, the currently acquired access record is named as the first access record, and the "first" herein does not constitute a limitation on the order of access records.
Step S307: and judging whether the dwell time of the page in the first access record is within a preset dwell time range, and judging whether the access record set comprises the access record.
For the currently acquired first access record, a relationship between the page dwell time and a preset dwell time range is determined, where the preset dwell time range is used to identify a dwell time length range in which a user normally accesses an access address, and accesses outside the range belong to abnormal accesses, that is, the page dwell time is greater than a maximum value of the preset dwell time range, or the page dwell time is less than a minimum value of the preset dwell time range, both of which represent that the access belongs to abnormal accesses, for example, the page dwell time caused by a background response fault is too long, and for example, the page dwell time caused by a user misoperation is too short.
Meanwhile, whether the access record set comprises the access record or not is judged aiming at the current access record set. When the first access record is the first access record in the historical access information, firstly, an empty access record set is created.
And after judging the page dwell time and the access record set, executing different steps based on different judgment results, wherein when the page dwell time is not within the preset dwell time range and the access record set does not include an access record (corresponding to the NN in fig. 3), returning to the step S306, and acquiring a new access record for judgment. For other cases, the following steps are performed respectively, and the detailed description is given below.
Step S308: and calculating the similarity between the first access record and the latest access record in the access record set.
By the judgment of the above step S307, when the page staying time is within the preset staying time range and the access record (corresponding to YY in fig. 3) is included in the access record set, the step S308 is performed. In this step S308, the similarity between the first access record and the latest access record in the access record set, that is, the similarity between the first access record and the access record adjacent to the first access record in the access record set is calculated.
Step S309: and judging whether the similarity is greater than or equal to a preset similarity threshold value.
The similarity threshold is used to identify whether two access records belong to the same session, wherein when the similarity is greater than or equal to a preset similarity threshold (corresponding to Y in fig. 3), it indicates that the two access records are similar and belong to the same session, and step S310 is executed. When the similarity of the two access records is smaller than the preset similarity threshold (corresponding to N in fig. 3), it indicates that the two access records are not similar and do not belong to the same session, and the following step S311 is executed.
Step S310: the first access record is written to the set of access records.
After step S310 is executed, the process returns to step S306.
By the judgment of the step S307, when the page staying time is within the preset staying time range and the access record set does not include an access record (corresponding to YN in fig. 3), it indicates that the previous session is ended, a new session is opened, and the first access record belongs to the first access record in the new session, so that the step S310 is executed, and after the first access record is written into the access record set, the step S306 is returned, and an access record is obtained again for judgment.
Through the judgment of the step S309, when the similarity is greater than or equal to the preset similarity threshold, it indicates that the first access record and the access record in the current access record set belong to the same session, so the step S310 is executed, and after the first access record is written into the access record set, the step S306 is returned to, and an access record is obtained again for judgment.
Step S311: outputting the access record set to obtain a session, emptying the access record set, and adding the first access record into the access record set.
After step S311 is executed, the process returns to step S306.
Through the judgment of step S309, when the similarity is smaller than the preset similarity threshold, the first access record does not belong to the same session as the access records in the current access record set, so step S311 is executed: the access record set is output to obtain a session and then emptied, which ends the previous session and opens a new one; the first access record is written into the emptied access record set, becoming the first access record of the new session; and the process returns to step S306 to obtain a new access record for judgment.
Step S312: outputting the access record set to obtain a session, and emptying the access record set.
After step S312 is executed, the process returns to step S306.
Through the judgment of step S307, when the page dwell time is not within the preset dwell time range and the access record set contains an access record (NY in fig. 3), the previous session has ended and a new session begins, and the first access record is an abnormal access record that is discarded. Step S312 is therefore executed: the access record set is first output to obtain a session and then emptied, ending the previous session and opening a new one, and the process returns to step S306 to obtain another access record for judgment.
Step S313: among the session targets of the plurality of sessions, a session target having an occurrence probability smaller than a predetermined probability threshold is determined as a redundant session target.
After all the access records are processed, step S313 is executed.
Through the loop from the step S306 to the step S312, a plurality of sessions corresponding to the historical access information can be obtained, the last access record (i.e. the access record with the latest access time) in each session is used as a session target, and a redundant session target is determined through the step.
Step S314: in the permission set of the target subject, determining the redundant permissions according to the redundant session targets.
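The loop of steps S306 to S312, the quartile-based dwell time range of the second embodiment and the session-target probability of steps S313 and S314, carried through end to end on a constructed access log. This is an added example, not code from the patent: the record fields, the similarity score (1 minus the edit distance normalized by address length, so that a larger value means more alike), the box-plot hinge quartiles, the minimum-sample rule, the (url, ops) identity of a session target and the keying of permissions by access address are all my assumptions.

```python
from collections import Counter
from typing import NamedTuple

class AccessRecord(NamedTuple):
    time: int        # access time, the ordering key for step S306
    url: str         # access address
    ops: frozenset   # page operations performed on the page
    dwell: float     # page dwell time in seconds

def edit_distance(a, b):
    """Levenshtein distance of two access addresses (the page's 'edit distance')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(r1, r2):
    # Assumption: 1 - normalized edit distance, so a larger score means more alike
    # and the page's "similarity >= threshold means same session" rule applies.
    longest = max(len(r1.url), len(r2.url)) or 1
    return 1.0 - edit_distance(r1.url, r2.url) / longest

def median(x):
    m = len(x) // 2
    return x[m] if len(x) % 2 else (x[m - 1] + x[m]) / 2

def dwell_ranges(records, a=1.5, b=1.5, min_samples=4):
    """Per address: (Q1 - a*QR, Q3 + b*QR) over the similar access records, Q1/Q3
    being box-plot hinges. Assumption: fewer than min_samples records give no range."""
    by_url = {}
    for r in records:
        by_url.setdefault(r.url, []).append(r.dwell)
    ranges = {}
    for url, dwells in by_url.items():
        if len(dwells) < min_samples:
            ranges[url] = None
            continue
        s = sorted(dwells)
        q1, q3 = median(s[:len(s) // 2]), median(s[(len(s) + 1) // 2:])
        ranges[url] = (q1 - a * (q3 - q1), q3 + b * (q3 - q1))
    return ranges

def segment_sessions(records, ranges, theta):
    """Steps S306-S312 in access-time order; returns (sessions, abnormal records)."""
    sessions, abnormal, current = [], [], []
    for rec in sorted(records, key=lambda r: r.time):             # S306
        rng = ranges.get(rec.url)
        in_range = rng is None or rng[0] <= rec.dwell <= rng[1]    # S307
        if not in_range:
            abnormal.append(rec)                                   # record is discarded
            if current:                                            # NY -> S312
                sessions.append(current)
                current = []
            continue                                               # NN -> next record
        if not current:                                            # YN -> S310
            current = [rec]
        elif similarity(rec, current[-1]) >= theta:                # YY -> S308/S309 -> S310
            current.append(rec)
        else:                                                      # YY, dissimilar -> S311
            sessions.append(current)
            current = [rec]
    if current:  # assumption: the set left over at the end of input is the last session
        sessions.append(current)
    return sessions, abnormal

def target_probabilities(sessions):
    """S313: target = last record; identity = (url, ops) (assumption: dwell excluded)."""
    counts = Counter((s[-1].url, s[-1].ops) for s in sessions)
    return {key: n / (len(sessions) or 1) for key, n in counts.items()}

def redundant_permissions(permissions, sessions, p_threshold):
    """S313-S314; assumption: each permission is keyed by the access address it grants."""
    probs = target_probabilities(sessions)
    redundant_urls = {url for (url, _), p in probs.items() if p < p_threshold}
    return {perm for perm in permissions if perm in redundant_urls}

# Constructed sample history of one target subject (not real data): (time, url, ops, dwell).
PERMISSIONS = {"/orders/list", "/orders/view", "/admin/users", "/admin/audit"}
RECORDS = [AccessRecord(t, u, frozenset(o), d) for t, u, o, d in [
    (1, "/orders/list", ("view",), 10), (2, "/orders/view", ("view",), 12),
    (3, "/orders/view", ("view", "export"), 11), (4, "/admin/users", ("view",), 30),
    (5, "/admin/users", ("view",), 28), (6, "/admin/users", ("view",), 29),
    (7, "/admin/users", ("view",), 31), (8, "/admin/users", ("view",), 32),
    (9, "/admin/users", ("view",), 33), (10, "/admin/users", ("view",), 120),  # 10: hung page
    (11, "/orders/view", ("view",), 0.3), (12, "/orders/list", ("view",), 11),  # 11: mis-click
    (13, "/orders/view", ("view", "export"), 13), (14, "/orders/view", ("view", "export"), 12),
    (15, "/admin/audit", ("view",), 9), (16, "/admin/audit", ("view",), 10),
    (17, "/orders/list", ("view",), 12), (18, "/orders/view", ("view", "export"), 11),
]]

if __name__ == "__main__":
    sessions, abnormal = segment_sessions(RECORDS, dwell_ranges(RECORDS), theta=0.7)
    print("abnormal:", [r.time for r in abnormal], "targets:", target_probabilities(sessions))
    print("redundant permissions:", redundant_permissions(PERMISSIONS, sessions, 0.25))
```

On this log the two abnormal records (10 and 11) split sessions without joining any, five sessions remain, and the two session targets seen only once fall below the 0.25 threshold, so their addresses are the redundant permissions.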
EXAMPLE IV
Corresponding to the first embodiment, a fourth embodiment of the present invention provides a device for determining a redundancy permission, and reference may be made to the above for corresponding technical features and technical effects, which are not described herein again. Fig. 4 is a device for determining redundancy permission according to a fourth embodiment of the present invention, and as shown in fig. 4, the device includes an obtaining module 401, an analyzing module 402, a first determining module 403, and a second determining module 404.
The acquiring module 401 is configured to acquire historical access information of a target subject; the analysis module 402 is configured to analyze the historical access information to obtain multiple sessions, where a session includes a plurality of access records, each access record includes an access address and a page operation performed when the access address is accessed, and a last access record in the session is a session target of the session; a first determining module 403, configured to determine, in session targets of multiple sessions, a redundant session target according to an occurrence probability of the session target, where the smaller the occurrence probability of the session target, the greater the probability that the session target is a redundant session target; and a second determining module 404, configured to determine, in the set of permissions of the target subject, a redundant permission according to the redundant session target.
Optionally, in an embodiment, the parsing module 402 includes a first obtaining unit, a second obtaining unit, a generating unit, and a determining unit, where the first obtaining unit is configured to obtain an access address in the historical access information; the second acquisition unit is used for acquiring page operation performed on the page when the access address is accessed; the generating unit is used for generating an access record according to the access address and the page operation corresponding to the access address; and the determining unit is used for taking a plurality of adjacent access records with the similarity larger than a preset similarity threshold as a session.
Optionally, in an embodiment, the parsing module 402 further includes a calculating unit, configured to calculate a page staying time on the page when the access address is accessed after the first obtaining unit obtains the access address in the historical access information; the generating unit is also used for generating an access record according to the access address, the page operation corresponding to the access address and the page retention time; the determining unit is further configured to use a plurality of adjacent access records with the similarity greater than a preset similarity threshold and the page dwell time within a preset dwell time range as a session.
Optionally, in an embodiment, when the determining unit takes adjacent access records whose similarity is greater than the preset similarity threshold and whose page dwell time is within the preset dwell time range as a session, the steps it executes are specifically: step S1: acquiring one access record as the first access record in access time order; step S2: judging whether the page dwell time of the first access record is within the preset dwell time range, and judging whether the access record set contains any access record, wherein when the page dwell time is within the preset dwell time range and the access record set contains an access record, step S3 is executed; when the page dwell time is within the preset dwell time range and the access record set contains no access record, step S5 is executed; when the page dwell time is not within the preset dwell time range and the access record set contains an access record, step S7 is executed; and when the page dwell time is not within the preset dwell time range and the access record set contains no access record, the process returns to step S1; step S3: calculating the similarity between the first access record and the latest access record in the access record set; step S4: judging whether the similarity is greater than or equal to the preset similarity threshold, wherein when it is, step S5 is executed, and when it is less than the preset similarity threshold, step S6 is executed; step S5: writing the first access record into the access record set, and returning to step S1; step S6: outputting the access record set to obtain a session, emptying the access record set, adding the first access record to the access record set, and returning to step S1; step S7: outputting the access record set to obtain a session, emptying the access record set, and returning to step S1.
Optionally, in an embodiment, the similarity is a hamming distance or an edit distance of access addresses of two adjacent access records.
Optionally, in an embodiment, different access addresses have different preset dwell time ranges, and the preset dwell time range is calculated as follows: obtain the access records whose access address matches the access address corresponding to the page dwell time under judgment, as similar access records; and calculate the preset dwell time range from the page dwell times of those similar access records.
Optionally, in an embodiment, the step of calculating the preset dwell time range from the page dwell times of the similar access records includes: drawing a box plot from the page dwell times of the similar access records; calculating the first quartile Q1, the third quartile Q3 and the quartile distance QR of the box plot; and calculating the preset dwell time range $(\delta_{time\,min}, \delta_{time\,max})$ with $\delta_{time\,min} = Q1 - a \cdot QR$ and $\delta_{time\,max} = Q3 + b \cdot QR$, where a and b are dimensionless coefficients.
EXAMPLE V
This embodiment also provides a computer device capable of executing programs, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server or a tower server (including an independent server or a server cluster composed of a plurality of servers), and the like. As shown in fig. 5, the computer device 01 of this embodiment includes at least, but is not limited to, a memory 011 and a processor 012 communicatively connected to each other via a system bus. Note that fig. 5 only shows the computer device 01 with the memory 011 and the processor 012; not all of the shown components need to be implemented, and more or fewer components may be implemented instead.
In this embodiment, the memory 011 (i.e., a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 011 can be an internal storage unit of the computer device 01, such as a hard disk or a memory of the computer device 01. In other embodiments, the memory 011 can also be an external storage device of the computer device 01, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card or a Flash memory Card (Flash Card) provided on the computer device 01. Of course, the memory 011 can also include both internal and external storage units of the computer device 01. In this embodiment, the memory 011 is generally used to store the operating system installed on the computer device 01 and various application software, such as the program code of the redundancy authority determining apparatus of the second embodiment. Further, the memory 011 can also be used to temporarily store various kinds of data that have been output or are to be output.
The processor 012 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor, or other data Processing chip in some embodiments. The processor 012 is generally used to control the overall operation of the computer device 01. In the present embodiment, the processor 012 is configured to run a program code stored in the memory 011 or process data, for example, a method of determining a redundancy authority.
EXAMPLE VI
The present embodiment also provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application mall, etc., on which a computer program is stored, which when executed by a processor implements corresponding functions. The computer readable storage medium of this embodiment is used to store a determination apparatus of redundancy rights, and when executed by a processor, the computer readable storage medium implements the determination method of redundancy rights of the first embodiment.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are only for description, and do not represent the advantages and disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent structures or equivalent processes performed by the present invention or directly or indirectly applied to other related technical fields are also included in the scope of the present invention.

Claims (10)

1. A method for determining redundancy rights, comprising:
acquiring historical access information of a target subject;
analyzing the historical access information to obtain a plurality of sessions, wherein the sessions comprise a plurality of access records, the access records comprise access addresses and page operations carried out when the access addresses are accessed, and the session target of the session is the last access record in the session;
determining redundant session targets in the session targets of the multiple sessions according to the occurrence probability of the session targets, wherein the smaller the occurrence probability of the session targets is, the larger the probability of the session targets as the redundant session targets is; and
in the permission set of the target subject, determining redundant permissions according to the redundant session targets.
2. The method of claim 1, wherein parsing the historical access information for a plurality of sessions comprises:
acquiring the access address in the historical access information;
acquiring the page operation performed on a page when the access address is accessed;
generating the access record according to the access address and the page operation corresponding to the access address; and
and taking a plurality of adjacent access records with the similarity larger than a preset similarity threshold as one session.
3. The method of determining redundancy rights of claim 2,
after the step of obtaining the access address in the historical access information, the step of parsing the historical access information to obtain a plurality of sessions further comprises: calculating the residence time of the page on the page when the access address is accessed;
the step of generating the access record according to the access address and the page operation corresponding to the access address specifically includes: generating the access record according to the access address, the page operation corresponding to the access address and the page retention time;
The step of using a plurality of access records with similarity larger than a preset similarity threshold as one session comprises the following steps: and taking a plurality of adjacent access records with the similarity larger than a preset similarity threshold value and the page dwell time within a preset dwell time range as the session.
4. The method for determining redundant permissions according to claim 3, wherein the step of taking a plurality of adjacent access records with similarity greater than the preset similarity threshold and page dwell time within the preset dwell time range as one session comprises:
step S1: acquiring one access record as a first access record according to the access time sequence;
step S2: judging whether the dwell time of the page in the first access record is within a preset dwell time range, and judging whether an access record set comprises the access record, wherein when the dwell time of the page is within the preset dwell time range and the access record set comprises the access record, step S3 is executed, when the dwell time of the page is within the preset dwell time range and the access record set does not comprise the access record, step S5 is executed, when the dwell time of the page is not within the preset dwell time range and the access record set comprises the access record, step S7 is executed, and when the dwell time of the page is not within the preset dwell time range and the access record set does not comprise the access record, the step S1 is returned;
Step S3: calculating the similarity between the first access record and the latest access record in the access record set;
step S4: judging whether the similarity is greater than or equal to the preset similarity threshold, wherein when the similarity is greater than or equal to the preset similarity threshold, executing step S5, and when the similarity is less than the preset similarity threshold, executing step S6;
step S5: writing the first access record into the access record set, and returning to step S1;
step S6: outputting the access record set to obtain one session, emptying the access record set, adding the first access record into the access record set, and returning to the step S1;
step S7: outputting the access record set to obtain one of the sessions, emptying the access record set, and returning to step S1.
5. The method for determining redundancy authority of any one of claims 2 to 4, wherein the similarity is a Hamming distance or an editing distance of the access addresses of two adjacent access records.
6. The method for determining redundant permissions of any one of claims 2 to 4, wherein the preset dwell time ranges for the page dwell times of different access addresses are different, and the preset dwell time range is calculated by the following steps:
obtaining the access records whose access address matches the access address corresponding to the page dwell time, as similar access records; and
and calculating the preset stay time range according to the stay time of the similar access records.
7. The method for determining redundancy rights of claim 6, wherein the step of calculating the preset stay time range according to the page stay time of the similar access record comprises:
drawing a box line graph according to the page staying time of the similar access records;
calculating a first quartile Q1, a third quartile Q3, and a quartile distance QR of the box plot;
calculating the preset dwell time range $(\delta_{time\,min}, \delta_{time\,max})$ using the following formula:
$\delta_{time\,min} = Q1 - a \cdot QR$, $\delta_{time\,max} = Q3 + b \cdot QR$, where a and b are dimensionless coefficients.
8. An apparatus for determining redundancy authority, comprising:
the acquisition module is used for acquiring historical access information of the target subject;
the analysis module is used for analyzing the historical access information to obtain a plurality of sessions, wherein the sessions comprise a plurality of access records, the access records comprise access addresses and page operations carried out when the access addresses are accessed, and the session target of the session is the last access record in the sessions;
The first determining module is used for determining redundant conversation targets in the conversation targets of the plurality of conversations according to the occurrence probability of the conversation targets, wherein the smaller the occurrence probability of the conversation targets is, the larger the probability of the conversation targets as the redundant conversation targets is; and
and the second determining module is used for determining redundancy permission according to the redundancy session target in the permission set of the target subject.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 7 are implemented by the processor when executing the computer program.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program when executed by a processor implements the steps of the method of any one of claims 1 to 7.
CN201911415388.0A 2019-12-31 2019-12-31 Method and device for determining redundancy permission, computer equipment and readable storage medium Active CN111143824B (en)
Publications (2)

Publication Number Publication Date
CN111143824A CN111143824A (en) 2020-05-12
CN111143824B true CN111143824B (en) 2022-06-10

Family

ID=70522749

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911415388.0A Active CN111143824B (en) 2019-12-31 2019-12-31 Method and device for determining redundancy permission, computer equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN111143824B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107679072A (en) * 2017-08-24 2018-02-09 平安普惠企业管理有限公司 User behavior information collecting method, terminal and storage medium
CN109472127A (en) * 2018-10-11 2019-03-15 北京三快在线科技有限公司 Permission processing method, device, using side apparatus and storage medium
CN109688120A (en) * 2018-12-14 2019-04-26 浙江大学 Based on the dynamic permission management system for improving RBAC model and Spring Security frame
CN110119488A (en) * 2019-04-12 2019-08-13 平安普惠企业管理有限公司 The control method and device that the page is shown

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9461876B2 (en) * 2012-08-29 2016-10-04 Loci System and method for fuzzy concept mapping, voting ontology crowd sourcing, and technology prediction

Also Published As

Publication number Publication date
CN111143824A (en) 2020-05-12

Similar Documents

Publication Publication Date Title
CN111090620B (en) File storage method, device, equipment and readable storage medium
CN112769775B (en) Threat information association analysis method, system, equipment and computer medium
CN109088788B (en) Data processing method, device, equipment and computer readable storage medium
CN113821771B (en) Dynamic watermark adding method, device, network disk and storage medium
CN110377276B (en) Source code file management method and device
CN111143824B (en) Method and device for determining redundancy permission, computer equipment and readable storage medium
CN110442466B (en) Method, device, computer equipment and storage medium for preventing repeated access request
CN115344315A (en) Skin switching method and device of applet page and electronic equipment
WO2017050178A1 (en) Data authentication method and device
CN111159719B (en) Method and device for determining conflicting permissions, computer equipment and storage medium
CN113923039B (en) Attack equipment identification method and device, electronic equipment and readable storage medium
CN114547675A (en) Data identification method and device
CN114547496A (en) Directory guessing and identifying method and device and electronic equipment
CN112738006B (en) Identification method, equipment and storage medium
CN107895335B (en) Rights and interests protection method and application server
CN108182202B (en) Content update notification method, content update notification device, electronic equipment and storage medium
CN107465744B (en) Data downloading control method and system
CN110708306B (en) Data processing method, device and storage medium
CN111212153A (en) IP address checking method, device, terminal equipment and storage medium
CN112764974B (en) Information asset online management method and system
CN109088859B (en) Method, device, server and readable storage medium for identifying suspicious target object
CN114710468B (en) Domain name generation and identification method, device, equipment and medium
CN117688011A (en) Data processing method, device, equipment and storage medium
CN117395222B (en) Affinity daemon method and device for online social contact
CN110442845B (en) File repetition rate calculation method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3/F, Building 102, 28 Xinjiekouwei Street, Xicheng District, Beijing 100088

Applicant after: Qianxin Technology Group Co., Ltd.

Applicant after: Qianxin Wangshen Information Technology (Beijing) Co., Ltd.

Address before: Room 332, 3/F, Building 102, 28 Xinjiekouwei Street, Xicheng District, Beijing 100088

Applicant before: Qianxin Technology Group Co., Ltd.

Applicant before: Wangshen Information Technology (Beijing) Co., Ltd.

GR01 Patent grant