CN111274276A - Operation auditing method and device, electronic equipment and computer-readable storage medium - Google Patents


Info

Publication number
CN111274276A
Authority
CN
China
Prior art keywords: block chain, auditing, target, audit, sub
Prior art date
Legal status: Pending
Application number
CN202010037874.XA
Other languages
Chinese (zh)
Inventor
刘斌华
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202010037874.XA
Publication of CN111274276A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2457 Query processing with adaptation to user needs
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses an operation auditing method, apparatus and system, an electronic device and a computer-readable storage medium. The method comprises: acquiring an operation summary field from a target sub-blockchain network in a parent blockchain network, where data isolation is maintained between the sub-blockchain networks of the parent blockchain network and the operation summary field comprises elements and an extension field corresponding to each element; extracting integrity characteristics of the operation summary field and auditing its integrity based on them; and determining audit items and obtaining an audit result for each audit item based on the operation summary field, where the audit items comprise any one or any combination of subject qualification, sensitive objects, sensitive operation types and subject-object association degree. The operation auditing method of the application realizes real-time operation auditing of enterprises.

Description

Operation auditing method and device, electronic equipment and computer-readable storage medium
Technical Field
The present application relates to the field of operation auditing, and in particular to an operation auditing method and apparatus, an electronic device and a computer-readable storage medium.
Background
At present, a supervisory authority has no direct technical means of monitoring how user personal information is used inside an enterprise. It largely relies on the enterprise's own internal audit and internal control, and determines whether the enterprise is compliant through periodic spot checks, audits and compliance reviews. This leaves a large blind spot: operation auditing of enterprises is poor in real-time performance.
Therefore, how to implement real-time operation auditing of an enterprise is a technical problem that those skilled in the art need to solve.
Disclosure of Invention
The application aims to provide an operation auditing method and apparatus, an electronic device and a computer-readable storage medium capable of realizing real-time operation auditing of enterprises.
To achieve the above object, a first aspect of the present application provides an operation auditing method, comprising:
acquiring an operation summary field from a target sub-blockchain network in a parent blockchain network; the parent blockchain network comprises a plurality of sub-blockchain networks with data isolation between them, the target sub-blockchain network is the sub-blockchain network corresponding to a target enterprise, the operation summary field is extracted by a blockchain node in the target sub-blockchain network from the original operation log of the target enterprise, the operation summary field comprises elements and an extension field corresponding to each element, the elements comprise standard elements and custom elements, the standard elements comprise subject, object, time and operation type, and the extension fields are extracted by that blockchain node according to an element extension standard defined by a supervisor blockchain node;
extracting integrity characteristics of the operation summary field, and auditing the integrity of the operation summary field based on those characteristics;
determining audit items, and obtaining an audit result for each audit item based on the operation summary field; the audit items comprise any one or any combination of subject qualification, sensitive object, sensitive operation type and subject-object association degree, where a sensitive object is an object whose sensitivity exceeds a first threshold and a sensitive operation type is an operation type whose sensitivity exceeds a second threshold.
To achieve the above object, a second aspect of the present application provides an operation auditing apparatus, applied to a supervisor blockchain node in the target sub-blockchain network corresponding to a target enterprise within a parent blockchain network, where the parent blockchain network comprises a plurality of sub-blockchain networks with data isolation between them; the apparatus comprises:
an acquisition module for acquiring an operation summary field from the target sub-blockchain network in the parent blockchain network; the parent blockchain network comprises a plurality of sub-blockchain networks with data isolation between them, the target sub-blockchain network is the sub-blockchain network corresponding to the target enterprise, the operation summary field is extracted by a blockchain node in the target sub-blockchain network from the original operation log of the target enterprise, the operation summary field comprises elements and an extension field corresponding to each element, the elements comprise standard elements and custom elements, the standard elements comprise subject, object, time and operation type, and the extension fields are extracted by that blockchain node according to an element extension standard defined by the supervisor blockchain node;
a first auditing module for extracting integrity characteristics of the operation summary field and auditing the integrity of the operation summary field based on those characteristics;
a second auditing module for determining audit items and obtaining an audit result for each audit item based on the operation summary field; the audit items comprise any one or any combination of subject qualification, sensitive object, sensitive operation type and subject-object association degree, where a sensitive object is an object whose sensitivity exceeds a first threshold and a sensitive operation type is an operation type whose sensitivity exceeds a second threshold.
To achieve the above object, a third aspect of the present application provides an electronic device comprising:
a memory for storing a computer program;
a processor for implementing the steps of the above-described operational auditing method when executing the computer program.
To achieve the above object, a fourth aspect of the present application provides a computer-readable storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of the above-mentioned operation auditing method.
According to the above scheme, the operation auditing method comprises: acquiring an operation summary field from a target sub-blockchain network in a parent blockchain network, where the parent blockchain network comprises a plurality of sub-blockchain networks with data isolation between them, the target sub-blockchain network is the sub-blockchain network corresponding to a target enterprise, the operation summary field is extracted by a blockchain node in the target sub-blockchain network from the original operation log of the target enterprise, the operation summary field comprises elements and an extension field corresponding to each element, the elements comprise standard elements and custom elements, the standard elements comprise subject, object, time and operation type, and the extension fields are extracted by that blockchain node according to an element extension standard defined by a supervisor blockchain node; extracting integrity characteristics of the operation summary field and auditing its integrity based on those characteristics; and determining audit items and obtaining an audit result for each audit item based on the operation summary field, where the audit items comprise any one or any combination of subject qualification, sensitive object, sensitive operation type and subject-object association degree, a sensitive object being an object whose sensitivity exceeds a first threshold and a sensitive operation type being an operation type whose sensitivity exceeds a second threshold.
In the operation auditing method of the application, data isolation is maintained between the sub-blockchain networks, so that the operation information of different enterprises is isolated within the parent blockchain network and its security is ensured. The supervisory authority that audits the operations of the target enterprise joins the target sub-blockchain network as a blockchain node and acquires the operation summary field from that network in real time for operation auditing. The integrity of the operation summary field is audited, which ensures that every operation performed by the target enterprise's internal personnel on sensitive user information has been uploaded to the target sub-blockchain network; each audit item is then audited on the basis of the operation summary field. The method thus uses the shared-ledger, tamper-resistance and timely-synchronization properties of the blockchain to ensure the timeliness and non-tamperability of the enterprise's operation information, breaks down the system barrier between the enterprise and the supervisory authority, and realizes real-time operation auditing of the enterprise. The application also discloses an operation auditing apparatus, an electronic device and a computer-readable storage medium that achieve the same technical effect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The drawings needed to describe the embodiments of the present application or the prior art are briefly introduced below. The drawings described below are only some embodiments of the application; those skilled in the art can obtain other drawings from them without creative effort. The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain it without limiting it. In the drawings:
FIG. 1 is an architecture diagram of an operational audit system provided by an embodiment of the present application;
FIG. 2 is a flow chart of an operation auditing method provided by an embodiment of the present application;
FIG. 3 is a flow chart of another operation auditing method according to an embodiment of the present application;
FIG. 4 is a block diagram of an operation auditing apparatus according to an embodiment of the present application;
FIG. 5 is a structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the application, not all of them; all other embodiments obtained by a person skilled in the art from these embodiments without creative effort fall within the scope of protection of the application.
To facilitate understanding of the operation auditing method provided by the present application, the system in which it is used is described first. FIG. 1 is an architecture diagram of an operation auditing system according to an embodiment of the present application. As shown in FIG. 1, the system comprises a log source 100 of the target enterprise, a server 200 of the target enterprise, a parent blockchain network and a target storage 400. The parent blockchain network comprises a plurality of child blockchain networks; each enterprise corresponds to one child blockchain network, that is, one child blockchain network stores the operation information of one enterprise, and data isolation is maintained between the child blockchain networks so that the operation information of different enterprises is isolated from each other within the parent blockchain network and its security is ensured. The child blockchain network corresponding to the target enterprise is the target sub-blockchain network 300.
The number of log sources is not limited; log source 100 may comprise several log sources, each of which is a store that holds logs, such as a Kafka queue or a database. Each log source may hold the original operation logs generated by one system or by several systems; this is not specifically limited here, and these logs are collectively referred to as original operation logs in the following embodiments.
The server 200 is the server of the enterprise's internal auditing system. It comprises a plurality of log source plug-ins, which may be deployed in the server 200 as a cluster; each log source plug-in acquires original operation logs from its corresponding log source and delivers them to the server 200, and the cluster can be expanded as the types of log sources 100 increase.
The server 200 further comprises a plurality of tag extraction plug-ins, which may likewise be deployed in the server 200 as a cluster; each tag extraction plug-in extracts elements from original operation logs of its corresponding log type.
In addition, to extract information closer to the business, the server 200 may further comprise a plurality of element extension plug-ins, each of which extracts the extension fields of an element from the management system corresponding to that element. A management system records basic information about each element: for example, the subject management system may be an HR system, and the object management system may be a resource management system.
The target sub-blockchain network 300 comprises a supervisor blockchain node 31 through which the supervisory authority performs operation auditing of the target enterprise. The target sub-blockchain network 300 also comprises other blockchain nodes: through blockchain node 32, the server 200 may write the elements extracted from the original operation log, together with the hash value of the original operation log, into the target sub-blockchain network 300; the supervisor blockchain node 31 may acquire the operation summary field from the target sub-blockchain network 300 and store it in the target storage 400. The target storage 400 supports data query, conditional filtering and aggregation, and may be an Elasticsearch cluster, a relational database such as MySQL, or a NoSQL engine, without specific limitation here. The supervisor blockchain node 31 performs operation auditing using these capabilities of the target storage 400.
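One way to realise the commitment described in the paragraph above, given here as an added example and not as the patent's own code: the enterprise-side node writes the extracted elements together with the hash of the original operation log into a hash-linked ledger, and the supervisor node checks that the ledger links are unbroken and that the raw log the enterprise hands over on request matches the committed hash. The SubChain class, the raw log lines and the summaries are constructed stand-ins; a real sub-blockchain network takes the place of SubChain.

```python
import copy
import hashlib
import json


def canonical(data):
    """Deterministic serialisation so every node hashes identical bytes."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def raw_log_hash(raw_log):
    """Hash of the original operation log that node 32 writes beside the elements."""
    return hashlib.sha256(raw_log.encode()).hexdigest()


class SubChain:
    """Append-only, hash-linked ledger standing in for one enterprise's
    sub-blockchain network (constructed stand-in, not a real chain)."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def block_hash(prev, payload):
        return hashlib.sha256(prev.encode() + canonical(payload)).hexdigest()

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": self.block_hash(prev, payload)})

    def intact(self):
        """True only if no block was altered after it was linked."""
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self.block_hash(prev, b["payload"]):
                return False
            prev = b["hash"]
        return True


def enterprise_publish(chain, summary, raw_log):
    """Blockchain node 32: elements plus the raw-log hash go on chain; the raw
    log itself stays with the enterprise. Returns the committed hash."""
    h = raw_log_hash(raw_log)
    chain.append({"summary": copy.deepcopy(summary), "raw_hash": h})
    return h


def supervisor_audit(chain, raw_logs_by_hash):
    """Supervisor node 31: refuse a ledger whose links are broken; otherwise
    check, per entry, the raw log the enterprise produces against the hash
    committed on chain. Returns a list of (summary, status)."""
    if not chain.intact():
        return [(None, "ledger tampered")]
    results = []
    for b in chain.blocks:
        summary, committed = b["payload"]["summary"], b["payload"]["raw_hash"]
        raw = raw_logs_by_hash.get(committed)
        if raw is None:
            status = "raw log not produced"
        elif raw_log_hash(raw) != committed:
            status = "raw log does not match commitment"
        else:
            status = "ok"
        results.append((summary, status))
    return results


# Constructed sample data (assumed format, not from the patent).
RAW_LOGS = [
    "2020-01-13T02:00:00Z sysadmin query user_account=zhangsan",
    "2020-01-13T02:01:00Z sysadmin update fund_config fund_id=1001 rate=0.05",
]
SUMMARIES = [
    {"subject": "sysadmin", "object": [{"type": "userId", "name": "zhangsan"}],
     "time": "2020-01-13T02:00:00Z", "op_type": "query"},
    {"subject": "sysadmin", "object": [{"type": "fundId", "name": "1001"}],
     "time": "2020-01-13T02:01:00Z", "op_type": "modify"},
]


def build_chain():
    chain, raws = SubChain(), {}
    for summary, raw in zip(SUMMARIES, RAW_LOGS):
        raws[enterprise_publish(chain, summary, raw)] = raw
    return chain, raws


def demo():
    chain, raws = build_chain()
    honest = supervisor_audit(chain, raws)
    # The enterprise later produces a raw log that differs from the one committed.
    doctored = dict(raws)
    second = list(raws)[1]
    doctored[second] = raws[second].replace("rate=0.05", "rate=0.50")
    doctored_result = supervisor_audit(chain, doctored)
    # A node's local copy of the ledger is edited after the fact.
    chain.blocks[0]["payload"]["summary"]["op_type"] = "read"
    tampered = supervisor_audit(chain, raws)
    return honest, doctored_result, tampered


if __name__ == "__main__":
    for name, result in zip(("honest", "doctored", "tampered"), demo()):
        print(name, [status for _, status in result])
```

Note what the check does and does not establish: a matching hash shows that the entry was not altered after it was written and that the raw log produced later is the one that was summarised; it says nothing about operations that were never written to the chain at all, which is why the method separately audits the integrity of the operation summary field rather than relying on the ledger alone.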
The embodiment of the application discloses an operation auditing method that realizes real-time operation auditing of an enterprise.
FIG. 2 is a flow chart of an operation auditing method provided in an embodiment of the present application. As shown in FIG. 2, the method comprises:
S101: the server obtains the original operation log of the target enterprise from a log source;
In this step the server obtains the original operation log from the log source; preferably, it does so using a log source plug-in. The original operation log may include Internet application logs, instant messaging logs, database logs, attack/scan logs, file transfer logs, remote control logs, mail logs and the like. Internet application logs may include HTTP (Hyper Text Transfer Protocol) application logs, entertainment software logs, usage logs of application software built on a C/S (Client/Server) architecture, and so on. An HTTP application log records the content of Internet web pages accessed (publishing and browsing over HTTP), keyword information set by the user, HTTPUP (HTTP upload) information and all DNS (Domain Name System) protocol requests.
An instant messaging log records usage information of various instant messaging software, i.e. virtual identity information; a database log records various database operations and user information; an attack/scan log records DDoS (Distributed Denial of Service) attacks and port scanning behaviour; a file transfer log covers file transfers made by download tools, FTP (File Transfer Protocol) and SMB (Server Message Block), and also the peer-to-peer file transfers of instant chat software and the file names involved; a remote control log records the use of remote control software or protocols, including TELNET (remote terminal protocol), Windows Remote Desktop and SSH (Secure Shell); a mail log covers SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol Version 3) and mainstream web mail, including recipients, subject, CC, body, attachments and so on.
The server comprises a plurality of log source plug-ins, each of which obtains original operation logs from one log source; that is, the server obtains original operation logs from several log sources through several log source plug-ins. Specifically, this step may comprise: obtaining original operation logs from a Kafka queue with a Kafka source plug-in; and/or obtaining original operation logs from a database with a data plug-in; and/or obtaining original operation logs reported through an interface with a reporting interface plug-in.
In a specific implementation, original operation logs stored in a Kafka queue are read into the server by the Kafka source plug-in, and those stored in a database are read by the data plug-in. The server may further comprise a reporting interface plug-in through which original operation logs can be reported to the server over an interface.
The Kafka source plug-in, the data plug-in and the reporting interface plug-in may be deployed in the server as a cluster, which can be expanded as the types of log sources increase.
S102: the server extracts the elements of the original operation log; the elements comprise standard elements and custom elements, and the standard elements comprise subject, object, time and operation type;
Preferably, this step comprises: determining the log type of the original operation log, and extracting its elements using the tag extraction plug-in corresponding to that log type.
In the log source plug-in the original operation log is tagged with basic labels: for example, a server label indicates which system generated the log and a service label indicates which service interface generated it. These labels can be obtained from the source system of the log or by a simple read of the log itself. From these labels the server can determine the log type of each original operation log, which may be a structured type, an SQL type, a text type and so on; a structured log type is for example a JSON or XML structure, without specific limitation here.
The server comprises a plurality of tag extraction plug-ins, each extracting elements from original operation logs of its corresponding log type; that is, the server uses different tag extraction plug-ins for original operation logs of different log types. The elements here comprise the four operation-audit elements subject, object, time and operation type, i.e. the standard elements of this step, and may also comprise other user-defined elements.
The tag extraction plug-ins may be kept in the server as an extensible collection. The server may provide a mapping table indicating which tag extraction plug-in handles original operation logs of each log type, for example Table 1:
TABLE 1
Log type          Tag extraction plug-in
Structured type   Tag extraction plug-in A
SQL type          Tag extraction plug-in B
Text type         Tag extraction plug-in C
The log types of original operation logs generated by different service interfaces of the same system may differ, so several tag extraction plug-ins may be used at the same time for the original operation logs of one system. Table 1 can then be extended to Table 2:
TABLE 2
server    service    Log type          Tag extraction plug-in
ServerA   Service1   SQL type          Tag extraction plug-in B
ServerA   Service2   Structured type   Tag extraction plug-in A
ServerB   Service3   SQL type          Tag extraction plug-in B
ServerC   Service4   Text type         Tag extraction plug-in C
Specifically, extracting the elements of the original operation log with the tag extraction plug-in for its log type may comprise: parsing the structure of the original operation log and extracting the elements from the parse result; and/or parsing the SQL statement in the original operation log with the Druid library and extracting the elements from the parse result; and/or extracting the elements of the original operation log with regular expressions.
In a specific implementation, if the log type is a JSON or XML structured type, the structure is parsed to obtain each element of the original operation log. If the log type is the SQL type, i.e. the original operation log contains SQL statements, the statements are parsed with the Druid library to obtain each element. Because structured and SQL-type original operation logs carry specific labels and keywords, the elements can be extracted by recognizing those labels and keywords. Druid is also the name of an open-source, distributed, column-oriented real-time analytics system; the component relevant here is the SQL parser of the Alibaba Druid library, whose parse of a statement exposes its type, tables and conditions, so that each element of this embodiment can be represented by one field. If the log type is a text type, the elements of the original operation log are obtained with regular expressions.
It should be noted that the implementation of the tag extraction plug-in is not specifically limited in this embodiment; it may, for example, be implemented in Java code or as a Python script.
The elements extracted from the original operation log may comprise standard elements and custom elements, the standard elements being the four operation-audit elements subject, object, time and operation type. These four elements can be extracted from every original operation log and define a standard story/event for it: which person (subject) performed which type of operation on which object at which time. The subject is the executor of the operation; the object is the thing the operation actually acts on, such as a server host, a service or a product configuration. Examples of operations:
(1) A system administrator queries a user's information. Here the subject is the system administrator, the object is the user ID, and the operation type is query;
(2) A system administrator modifies the configuration of a fund. Here the subject is the system administrator, the object is the ID of the fund, and the operation type is modification;
(3) An employee logs in to a machine. Here the subject is the employee ID, the object is the IP address of the machine, and the operation type is login.
It should be noted that one original operation log may have several objects of various types. For example, if an employee deploys service S on machine A, machine B and machine C, the objects are machine A, machine B, machine C and service S, four objects in one operation.
For the object element, the object element can be extracted from the parameters in the request message recorded in the operation original log. For example, for the operation original log "system administrator inquires user information by user ID", the ID of the user may be extracted from the parameter in the request message as an object. Of course, the parameters may be extracted from the response message recorded in the operation original log. For example, for the operation of the original log, "a system administrator initiates a range query," the response message returns an information list of 10 users, and the ID of each user in the response message 10 may be used as an object. That is, the present step may include: and extracting the object of the operation original log according to the request message and the response message in the operation original log by using the mark extraction plug-in corresponding to the log type.
The parameter type of the extracted object element at least includes an object type (type) and an object name (name). For example, the object is the user ID, type is userId, and name is zhangsan. It should be noted that, in order to facilitate operation auditing across multiple log types, naming needs to be uniformly specified for the same object type. For example, for system a, the type of the user ID is userId, and in system B, the type of the user ID is user _ account, which may be unified as userId in the present embodiment.
Of course, in addition to the standard elements described above, other elements of business interest may be extracted in the markup extraction plug-in as custom elements. For example, for an original log of operations that records configured online activity, the configured amount may be of additional concern, and thus the amount may be extracted as a custom element. Of course, the user may also set other custom elements, which are not specifically limited herein.
Because different systems, and even different operations in the same system, can have different log formats, standardizing the elements of the operation original log provides data support for the subsequent operation audit. For example, for an important user it is necessary to determine whether anyone has operated on that user in any of the systems; with the object element extracted in this step, the heterogeneous logs can be queried with one unified standard query to obtain the result. The subject and the operation type elements serve the same purpose, and the time element makes it possible to know when the operation happened and to restore the order of operations.
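As an added example (not code from the patent or from Tencent), the following Python sketch shows what the mark extraction plug-ins of S102 and the unified query of this step look like in practice: one extractor per log type, objects taken from request parameters or from a response message, a unified object-type naming table, and a query across the standardized records. The three log formats, the alias table and the sample log lines are all constructed for the example.

```python
import json
from datetime import datetime, timezone

# Unified naming of object types across systems (the text's example: system B's
# "user_account" is renamed to system A's "userId"). The other aliases are assumed.
TYPE_ALIASES = {"userId": "userId", "user_account": "userId", "ip": "ipAddress"}


def normalize_type(raw_type):
    return TYPE_ALIASES.get(raw_type, raw_type)


def extract_system_a(line):
    # Constructed format: "<ISO time> <subject> <METHOD> <path>?<k=v&...>"
    # Objects are taken from the parameters of the request message.
    time_s, subject, method, url = line.split(" ", 3)
    path, _, query = url.partition("?")
    params = [p.split("=", 1) for p in query.split("&") if "=" in p]
    objects = [{"type": normalize_type(k), "name": v} for k, v in params]
    ts = datetime.strptime(time_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"subject": subject, "operation_type": f"{method} {path}",
            "timestamp": int(ts.timestamp()), "objects": objects}


def extract_system_b(line):
    # Constructed format: "ts=<epoch> op=<type> subject=<id> <objtype>=<name> ..."
    kv = dict(tok.split("=", 1) for tok in line.split())
    objects = [{"type": normalize_type(k), "name": v}
               for k, v in kv.items() if k not in ("ts", "op", "subject")]
    return {"subject": kv["subject"], "operation_type": kv["op"],
            "timestamp": int(kv["ts"]), "objects": objects}


def extract_system_c(line):
    # Constructed JSON format whose response message lists the users a range
    # query returned: every returned user becomes an object (the text's second case).
    rec = json.loads(line)
    objects = [{"type": "userId", "name": u} for u in rec["response"]["users"]]
    return {"subject": rec["user"], "operation_type": rec["api"],
            "timestamp": rec["time"], "objects": objects}


# One extraction plug-in per log type
EXTRACTORS = {"system_a": extract_system_a,
              "system_b": extract_system_b,
              "system_c": extract_system_c}


def extract_elements(log_type, line):
    return EXTRACTORS[log_type](line)


def operations_on(records, obj_type, obj_name):
    """Unified query over heterogeneous logs: every operation whose objects include the given one."""
    return [r for r in records
            if any(o["type"] == obj_type and o["name"] == obj_name for o in r["objects"])]


# Constructed sample logs, one line per system
SAMPLE_LOGS = [
    ("system_a", "2020-01-13T09:30:00Z admin01 GET /api/user/info?userId=zhangsan"),
    ("system_b", "ts=1578908400 op=login subject=emp1023 ip=10.0.0.5"),
    ("system_c", '{"time": 1578909000, "user": "admin02", "api": "/api/user/range",'
                 ' "response": {"users": ["zhangsan", "lisi", "wangwu"]}}'),
    ("system_b", "ts=1578910000 op=modify subject=admin01 user_account=lisi"),
]


def standardized_records():
    return [extract_elements(log_type, line) for log_type, line in SAMPLE_LOGS]


if __name__ == "__main__":
    recs = standardized_records()
    # "Who operated on user lisi, in any system?"
    for r in operations_on(recs, "userId", "lisi"):
        print(r["subject"], r["operation_type"], r["timestamp"])
```

Because the object type is normalized at extraction time, the query for `lisi` finds both the range query in system C and the `user_account` modification in system B without knowing either log format.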
S103: the server acquires element extension standards from the supervision block chain nodes, and determines extension fields corresponding to each element based on the element extension standards;
in this step, the supervisor defines the extension fields that each element must extend, i.e. defines the element extension criteria, to be published into the entire target sub-blockchain network through the supervisor blockchain nodes. The server determines an extension field corresponding to each element based on the element extension criteria. In element extension, the same extension plug-in can be adopted for heterogeneous logs with different sources, and each extension plug-in is distinguished according to different elements. More important marks close to the service can be expanded for the operation original log through the extension plug-in, so that the operation audit supports stronger standardized audit.
In a specific implementation, the principal markup extension plug-in extracts basic information by calling a principal management system, where the principal management system may include the HR system or the organizational architecture system of a company, depending on the differences of the IT systems of the respective companies. For example, the actual identity of a principal, including the actual name, identification card, or equivalent identification, may be extended, as well as the role of the principal in a company, contract organization, etc. The object mark extension plug-in extracts the basic information by calling an object management system, wherein the object management system, such as a resource management system of a company, is determined according to the difference of IT systems of various companies. For example, the real identity of the object may be extended, including the real name, identification card or equivalent identification, and the attributes of the object may also be extended, for example, when the fund information purchased by the user is queried by internal staff, relevant rules should be made, and the extended relevant attributes of the fund are filled in the extended field.
Preferably, the extension field of the operation type includes a category; determining the extension field corresponding to each element based on the element extension standard then comprises: acquiring the operation type classification standard from the supervision block chain node, and determining the category of the operation type based on the operation type classification standard. In a specific implementation, servers of different enterprises define different URL names or interface names for the operation type, which are poorly readable for the regulatory authorities. Therefore, the supervising agency can define an operation type classification standard that is convenient for auditing, and the server establishes the correspondence between each supported operation type and its category; for example, the category corresponding to "/api/fk_freqen" is "risk control - frozen fund". For operation types that cannot be classified, a Chinese annotation mark can be added.
Preferably, this embodiment further includes: the server performs a hash calculation on the operation original log to obtain a hash value corresponding to the operation original log, and stores the mapping relation between the operation original log and the hash value. In a specific implementation, each operation raw log is hashed to obtain its own hash value; the specific form of the hash value is not limited. The server stores the mapping relation between each operation original log and its hash value, and only the hash value of the operation original log is uploaded to the target sub-block chain network in the subsequent steps, which protects the operation original log itself. When a supervision organization needs the operation original log, it obtains the hash value from the target sub-block chain network, and the server determines the operation original log corresponding to that hash value based on the mapping relation.
S104: the server determines an operation summary field of the operation original log according to each element and an extension field corresponding to each element based on a standard reporting format;
in specific implementation, the server adds the extracted elements into a standard reporting format, where the standard reporting format is, for example:
(Figure BDA0002366673400000111: example of the standard reporting format, with the fields user, operation_type, timestamp and object.)
It is understood that "user" is the subject, "operation_type" is the operation type, "timestamp" is the time, and "object" is the object. If the elements extracted in the previous step also include user-defined elements, other operation summary fields can be allocated for them in the standard reporting format. In the target sub-block chain network, the elements extracted from the operation original log are stored in the standard reporting format, that is, each element is standardized, and the supervision organization audits operation information in a uniform format, which is efficient.
As a preferred embodiment, after this step, the method further comprises: determining sensitive information in an operation summary field, and performing preprocessing operation on the sensitive information; wherein the sensitive information comprises user sensitive information and/or system sensitive information of the target enterprise. In a specific implementation, before the operation information is uploaded to the target sub-blockchain network, in order to ensure the security of data, the sensitive information in the operation information needs to be preprocessed. It is understood that the whole content of the operation information can be divided into user information related to the user operation and system information unrelated to the user operation, and the user information can be divided into user sensitive information and non-user sensitive information. The sensitive information herein may include the user sensitive information, such as user identity information, etc., and may also include system information unrelated to the user operation, i.e., system sensitive information of the target enterprise, such as an IP address inside the target enterprise, an internal database name, an internal system name, etc.
The specific preprocessing mode is not limited, as long as the plaintext of the sensitive information cannot be acquired by other equipment that has joined the target sub-block chain network. For example, the system sensitive information in the element may be removed, or it may be masked. User sensitive information may be encrypted. The specific encryption method is not limited here; a symmetric or an asymmetric encryption method may be used. In the symmetric mode, a shared key is distributed in advance between the target enterprise and each supervision mechanism, the target enterprise encrypts the user sensitive information with the shared key and uploads the ciphertext to the target sub-block chain network, and the supervision mechanism reads the data from the target sub-block chain network and decrypts it. In the asymmetric mode, the public key is distributed to the target enterprise for encryption, and the supervision organization decrypts with the private key.
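The following Python example is added here to show steps S103 to S105 of this embodiment end to end on one constructed record: hashing the raw log and keeping the hash-to-log mapping on the enterprise side, looking up the operation-type category in the supervisor's classification standard (the "/api/fk_freqen" entry is the one the text gives; the second entry is assumed), assembling the standard reporting format, and preprocessing sensitive information by removing system-sensitive objects, masking internal IP addresses and passing user-sensitive values through a caller-supplied encryption function. It is not code from the patent or from Tencent; the object-type sets and the sample log are constructed, and `demo_encrypt` is a labelled stand-in, not a real cipher, because the text leaves the cipher to the enterprise and the supervisor.

```python
import hashlib
import ipaddress

# Operation type classification standard published by the supervisor.
# "/api/fk_freqen" is the page's own example; the second entry is constructed.
OP_CLASS_STANDARD = {
    "/api/fk_freqen": "risk control - frozen fund",
    "/api/user/info": "customer service - query user info",
}

# Object types identifying internal systems of the enterprise (constructed): removed before upload.
SYSTEM_SENSITIVE_TYPES = {"dbName", "systemName"}
# Object types carrying user-sensitive information (constructed): encrypted before upload.
USER_SENSITIVE_TYPES = {"userId", "idCard", "phone"}


def classify(op_name):
    # Operation types missing from the standard keep an annotation instead of a category.
    return OP_CLASS_STANDARD.get(op_name, "unclassified: " + op_name)


def register_hash(raw_log, hash_index):
    """Hash the raw log and record hash -> raw log; only the hash leaves the enterprise."""
    digest = hashlib.sha256(raw_log.encode("utf-8")).hexdigest()
    hash_index[digest] = raw_log
    return digest


def resolve_hash(hash_index, digest):
    """Supervisor hands back a hash; the enterprise server resolves it to the raw log."""
    return hash_index.get(digest)


def is_internal_ip(value):
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False


def preprocess_objects(objects, encrypt_fn):
    out = []
    for o in objects:
        if o["type"] in SYSTEM_SENSITIVE_TYPES:
            continue                                  # remove system-sensitive objects
        name = o["name"]
        if o["type"] == "ipAddress" and is_internal_ip(name):
            name = "***masked***"                     # mask internal addresses
        elif o["type"] in USER_SENSITIVE_TYPES:
            name = encrypt_fn(name)                   # encrypt user-sensitive values
        out.append({"type": o["type"], "name": name})
    return out


def build_summary(raw_log, elements, hash_index, encrypt_fn):
    """Standard reporting format: user / operation_type / timestamp / object, plus custom elements."""
    summary = {
        "user": elements["subject"],
        "operation_type": {"name": elements["operation_type"],
                           "category": classify(elements["operation_type"])},
        "timestamp": elements["timestamp"],
        "object": preprocess_objects(elements["objects"], encrypt_fn),
        "log_hash": register_hash(raw_log, hash_index),
    }
    summary.update(elements.get("custom", {}))      # e.g. the configured amount
    return summary


def demo_encrypt(value):
    # Stand-in for the cipher agreed between enterprise and supervisor. NOT encryption;
    # it only makes the transformation visible in the example output.
    return "enc:" + value[::-1]


# Constructed sample: one raw log line and the elements extracted from it in S102
SAMPLE_RAW = "2020-01-13T09:30:00Z admin01 POST /api/fk_freqen fundId=F001 host=10.0.0.5 db=coredb"
SAMPLE_ELEMENTS = {
    "subject": "admin01", "operation_type": "/api/fk_freqen", "timestamp": 1578907800,
    "objects": [{"type": "fundId", "name": "F001"},
                {"type": "ipAddress", "name": "10.0.0.5"},
                {"type": "dbName", "name": "coredb"},
                {"type": "userId", "name": "zhangsan"}],
    "custom": {"amount": 5000},
}

if __name__ == "__main__":
    index = {}
    summary = build_summary(SAMPLE_RAW, SAMPLE_ELEMENTS, index, demo_encrypt)
    print(summary)                                   # what is uploaded to the sub-blockchain
    print(resolve_hash(index, summary["log_hash"]))  # what stays inside the enterprise
```

The internal database name never appears in the uploaded summary, the internal IP is masked, and a supervisor who needs the original log presents the hash and receives it only from the enterprise server that holds the mapping.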
S105: the server stores the operation summary field into a target sub-block chain network corresponding to the target enterprise in a parent block chain network;
in this step, the server uploads the hash values of all the operation original logs of the target enterprise and the elements extracted from the operation original logs to a target sub-blockchain network corresponding to the target enterprise in the parent blockchain network. The master block chain network comprises a plurality of sub-block chain networks, each enterprise corresponds to one sub-block chain network, namely one sub-block chain network is used for storing the operation information of one enterprise, and data isolation is performed among the sub-block chain networks, so that the operation information of different enterprises is isolated from each other in the master block chain network, and the safety of the operation information of the enterprises is ensured.
S106: the supervision block chain node acquires the operation summary field from the target sub-block chain network;
In a specific implementation, the target sub-blockchain network includes a supervision block chain node that performs the operation audit of the target enterprise, that is, the supervision entity audits the target enterprise through its supervision block chain node. The supervision block chain node may obtain the operation summary field from the target sub-blockchain network and store it in the target storage.
S107: the supervision block chain node extracts the integrity characteristics of the operation abstract field and audits the integrity of the operation abstract field based on the integrity characteristics;
In this step, the supervision block chain node audits the integrity of the operation summary field based on the integrity characteristics, that is, it ensures that the target enterprise has uploaded all operations performed by internal personnel on user sensitive information to the target sub-blockchain network. The audit can combine offline and online approaches. In the offline approach, the regulatory body interviews enterprise personnel, requires them to list all relevant systems that can operate on user sensitive information, and performs spot checks.
For the online approach, as one possible implementation, the integrity feature includes the time at which the operation summary field was uploaded into the target sub-blockchain network, and auditing the integrity of the operation summary field based on the integrity feature includes: judging, based on the integrity feature, whether the operation summary field corresponding to each type of operation was received within the receiving time period predefined for that type of operation; and if so, judging the operation summary field to be complete. In a specific implementation, the regulatory body defines a classification standard for operations in advance; the standard may be defined on any one or more of the subject, the object and the operation type. For example, operations with the same object may form one class, or operations with both the same object and the same operation type may form one class. The supervision mechanism also sets a receiving time period for each class of operation in advance, within which the target enterprise must upload the corresponding operation summary fields; whether the operation summary fields of each class all fall within their receiving time period can be judged from the time at which they were uploaded to the target sub-block chain network. If so, the operation summary field is judged to be complete. Otherwise, the target enterprise is notified to upload, so that the uploaded operation summary fields tend toward completeness, and the process is recorded in the target sub-block chain network, which affects the credit information of the target enterprise. When the proportion of missing operation summary fields exceeds a preset proportion, an alarm prompt is triggered.
As another possible implementation, the integrity feature includes the number of all operation summary fields received in the current time window, and auditing the integrity of the operation summary fields based on the integrity feature includes: determining the number of all operation summary fields received in the current time window as a first number, and the number received in the previous time window as a second number; and if the ratio of the first number to the second number is larger than a third threshold, judging the operation summary fields to be complete. In an implementation, the number of operation summary fields uploaded to the chain may be monitored with a year-on-year or period-on-period comparison rule. For example, the number of operation summary fields in the last week may be aggregated and compared with the number in the previous week; if the ratio is greater than the third threshold, the operation summary fields are judged complete. Otherwise operation summary fields are missing, a check is needed, and an alarm prompt can be triggered.
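As an added example (not the patent's or Tencent's code) of the two online integrity checks described above, the Python block below implements both: a per-class receiving-period check that reports missing classes and raises an alarm when the missing share exceeds a preset proportion, and a period-on-period volume check that compares the first number (current window) with the second number (previous window) against the third threshold. The classification standard (same operation type and same object type), the one-week window, the 0.5 threshold and the sample upload records are all assumed or constructed for the example.

```python
from collections import defaultdict

WEEK = 7 * 86400


def op_class(summary):
    # Classification standard assumed for the example: same operation type and same object type.
    return (summary["operation_type"], summary["object_type"])


def audit_receiving_periods(summaries, periods, alarm_ratio):
    """periods: class -> (start, end) epoch seconds within which that class must be uploaded.
    Returns the complete classes, the missing classes, and whether the missing share
    exceeds the preset proportion (alarm)."""
    seen = defaultdict(list)
    for s in summaries:
        seen[op_class(s)].append(s["uploaded_at"])
    missing = [cls for cls, (start, end) in periods.items()
               if not any(start <= t <= end for t in seen.get(cls, []))]
    complete = [cls for cls in periods if cls not in missing]
    ratio = len(missing) / len(periods) if periods else 0.0
    return {"complete": complete, "missing": missing, "alarm": ratio > alarm_ratio}


def window_counts(summaries, now, window=WEEK):
    """First number: fields uploaded in (now - window, now]; second number: the window before it."""
    first = sum(1 for s in summaries if now - window < s["uploaded_at"] <= now)
    second = sum(1 for s in summaries if now - 2 * window < s["uploaded_at"] <= now - window)
    return first, second


def audit_volume(summaries, now, third_threshold=0.5, window=WEEK):
    """Complete when first / second exceeds the third threshold; otherwise raise an alarm.
    With no baseline (second == 0) there is nothing to compare, so no verdict is given."""
    first, second = window_counts(summaries, now, window)
    if second == 0:
        return {"first": first, "second": second, "complete": None, "alarm": False}
    complete = first / second > third_threshold
    return {"first": first, "second": second, "complete": complete, "alarm": not complete}


# Constructed sample upload records as the supervision node would see them
NOW = 1_600_000_000


def _rec(op, obj_type, uploaded_at):
    return {"operation_type": op, "object_type": obj_type, "uploaded_at": uploaded_at}


SAMPLE_SUMMARIES = (
    [_rec("login", "ipAddress", NOW - i * 3600) for i in range(8)]            # 8 logins this week
    + [_rec("login", "ipAddress", NOW - WEEK - i * 3600) for i in range(20)]  # 20 logins last week
    + [_rec("modify", "fundId", NOW - 2 * 86400)]                            # 1 fund change this week
)
# Receiving periods the supervisor predefined per class; "query"/"userId" never arrives.
PERIODS = {
    ("login", "ipAddress"): (NOW - WEEK, NOW),
    ("modify", "fundId"): (NOW - WEEK, NOW),
    ("query", "userId"): (NOW - WEEK, NOW),
}

if __name__ == "__main__":
    print(audit_receiving_periods(SAMPLE_SUMMARIES, PERIODS, alarm_ratio=0.001))
    print(audit_volume(SAMPLE_SUMMARIES, NOW))
```

On the sample data the receiving-period check reports the query class as missing, and the volume check sees 9 uploads against 20 in the previous week, a ratio of 0.45, which is below the 0.5 threshold and therefore raises the alarm.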
S108: the supervision block chain node determines audit items, and obtains an audit result corresponding to each audit item based on the operation summary field.
The audit item comprises any one or a combination of any several items of the qualification, the sensitive object, the sensitive operation type and the subject-object association degree of the subject, wherein the sensitive object is an object with the sensitivity higher than a first threshold, and the sensitive operation type is an operation type with the sensitivity higher than a second threshold.
In this embodiment, the supervision block chain node performs the operation audit using the data querying, conditional filtering and aggregation capabilities of the target storage. The audit item may include the qualification of the subject, i.e. an audit of the qualification and compliance of the operator. For example, if the extended field "principal contract unit" exists in the operation summary field, it can be audited whether an operation of a given operation type was performed by a person of a qualified contract unit; for instance, a query of a user's credit record under the system of a credit investigation company must be performed by an employee contracted by that company, not by outsourced personnel or by staff of another subsidiary of the group. If the operator has qualification requirements, the supervision organization can connect to the corresponding database and query the operator's qualification for the audit.
The audit item can also comprise a sensitive object, a sensitive operation type and the like. The sensitive object is an object whose sensitivity is higher than a first threshold, the sensitive operation type is an operation type whose sensitivity is higher than a second threshold, and the user can set the first threshold and the second threshold in this step according to actual conditions. In a specific implementation, the supervising authority may monitor operations of internal enterprise personnel on sensitive objects such as VIPs, confidential personnel and terrorist suspects; operations involving such objects may relate to national security, and alarm and tracking processing is performed. The regulatory body can also alarm on and track operations of sensitive operation types performed by personnel in the enterprise.
The audit item can also comprise subject-object association degree, and the method comprises the following steps: establishing a personnel relation graph, and judging whether a target operation abstract field with a preset relation between a subject and an object exists in the operation abstract field based on the personnel relation graph; if yes, triggering prompt information; wherein the prompt message at least comprises the target operation summary field. In specific implementation, the supervising authority may establish a personnel relationship diagram, such as a telephone communication relationship, a bank transfer relationship, a relationship of relatives, and the like, through data collected from each relevant database, and if a subject and an object have a predetermined relationship, such as a bank transfer relationship, an abnormal operation may exist, and an alarm prompt is triggered.
The audit item may also include repeatability of a target operation, and this step then includes: performing a repetition audit of the target operation based on the number of all operation summary fields corresponding to the target operation, to obtain a repetition audit result for the target operation. In an implementation, repetition detection can be performed on certain important operations, taken as the target operation, for example the unfreezing of an account suspected of terrorism. The supervision mechanism can predefine the condition that identifies the target operation, and when the number of operation summary fields of the target operation within a preset time window reaches a preset value, an alarm prompt is triggered.
The audit item may also include isolation, and this step then includes: classifying all operations according to a preset standard, and performing anomaly detection on the operation time and operation frequency of each class of operation based on the operation summary fields of that class, to obtain an isolation audit result for each class. In a specific implementation, a big data or AI algorithm, such as a clustering algorithm or an isolation forest algorithm, is used to cluster the operation summary fields within a target time period, determine the normal operation frequency range and normal operation time range of each class of operation, and trigger an alarm prompt when an operation falls outside the normal frequency range or the normal time range.
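The Python block below is an added example, not the patent's or Tencent's code, that runs the audit items of S108 over constructed operation summary records: subject qualification by contract unit, sensitive objects above the first threshold, subject-object association via a personnel relationship graph, repetition of a target operation within a time window, and an isolation audit of operation time and frequency. The reference tables (sensitivity scores, qualified units, the relationship graph) and the records are constructed; the isolation audit uses a plain z-score outlier test as a small stand-in for the clustering or isolation forest algorithms the text names, and the flat record shape is a simplification of the standard reporting format.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Reference data a supervisor would hold (all constructed for this example)
SENSITIVITY = {"u_vip": 0.95, "u_plain": 0.1}            # object sensitivity scores
FIRST_THRESHOLD = 0.8                                      # sensitive object: score above this
QUALIFIED_UNITS = {"credit query": {"CreditCo"}}           # category -> contract units allowed
RELATIONS = {frozenset({"emp7", "u_plain"}): "bank transfer"}  # personnel relationship graph


def audit_qualification(s):
    """Subject qualification: is the operator's contract unit allowed for this category?"""
    allowed = QUALIFIED_UNITS.get(s["category"])
    return allowed is None or s["contract_unit"] in allowed


def sensitive_objects(s):
    return [o for o in s["objects"] if SENSITIVITY.get(o, 0.0) > FIRST_THRESHOLD]


def related_objects(s, graph=RELATIONS):
    """Subject-object association: objects the subject has a predetermined relation with."""
    return [(o, graph[frozenset({s["user"], o})]) for o in s["objects"]
            if frozenset({s["user"], o}) in graph]


def repetition_alarm(summaries, is_target, window, preset_count):
    """Repeatability: True when preset_count target operations fall within any `window` seconds."""
    times = sorted(s["timestamp"] for s in summaries if is_target(s))
    j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        if i - j + 1 >= preset_count:
            return True
    return False


def zscore_outliers(values, z=2.0):
    """Indices of values more than z standard deviations from the mean (stand-in for the
    clustering / isolation forest anomaly detection the text mentions)."""
    if len(values) < 3:
        return []
    m, sd = mean(values), pstdev(values)
    return [i for i, v in enumerate(values) if sd > 0 and abs(v - m) > z * sd]


def isolation_audit(summaries, z=2.0):
    """Per category: operations at unusual hours, and subject-days with unusual operation counts."""
    by_cat = defaultdict(list)
    for s in summaries:
        by_cat[s["category"]].append(s)
    odd_time, odd_freq = [], []
    for cat, ops in by_cat.items():
        hours = [(s["timestamp"] % 86400) // 3600 for s in ops]
        odd_time += [ops[i] for i in zscore_outliers(hours, z)]
        daily = Counter((s["user"], s["timestamp"] // 86400) for s in ops)
        keys, counts = list(daily), list(daily.values())
        odd_freq += [(cat,) + keys[i] + (counts[i],) for i in zscore_outliers(counts, z)]
    return odd_time, odd_freq


# Constructed operation summary records (flat shape, simplified from the reporting format)
DAY = 86400


def _op(user, cat, ts, objects=(), unit="CreditCo"):
    return {"user": user, "category": cat, "timestamp": ts,
            "objects": list(objects), "contract_unit": unit}


SAMPLE = [_op("emp1", "credit query", d * DAY + h * 3600, ["u_plain"])        # one query a day,
          for d, h in [(0, 9), (1, 9), (2, 10), (3, 10), (4, 10), (5, 11), (6, 11), (7, 3)]]  # last at 03:00
SAMPLE += [_op("emp2", "login", d * DAY + (9 + k % 2) * 3600, ["srv1"], unit="GroupSub")
           for d in range(8) for k in range(2 if d < 7 else 30)]                # 2 logins/day, then 30
SAMPLE += [
    _op("emp3", "credit query", 8 * DAY + 10 * 3600, ["u_plain"], unit="Outsource"),  # outsourced staff
    _op("emp7", "credit query", 8 * DAY + 10 * 3600, ["u_plain", "u_vip"]),           # related subject, VIP
]

if __name__ == "__main__":
    for s in SAMPLE[-2:]:
        print(s["user"], audit_qualification(s), sensitive_objects(s), related_objects(s))
    print(isolation_audit(SAMPLE))
```

On this data the 03:00 credit query and the day with 30 logins are the only isolation findings, the outsourced operator fails the qualification audit, and the query by emp7 on u_plain is flagged through the bank-transfer relation as well as for touching the VIP object.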
According to the operation auditing method provided by this embodiment of the application, data isolation is performed between the sub-block chain networks, so that the operation information of different enterprises is isolated from each other within the parent block chain network, and the security of the enterprises' operation information is ensured. A supervision mechanism that audits the operations of the target enterprise joins the target sub-block chain network corresponding to that enterprise as a block chain node, and acquires the operation summary field from the target sub-block chain network in real time for the operation audit. First, the integrity of the operation summary field is audited, to ensure that all operations of the target enterprise's internal personnel on user sensitive information have been uploaded to the target sub-block chain network. Second, each audit item is audited based on the operation summary field. Therefore, by using the shared-ledger, tamper-proof and timely-synchronization characteristics of the block chain, the operation auditing method of this embodiment ensures the timeliness and non-tampering of the enterprise's operation information, breaks through the system barrier between the enterprise and the supervision institution, and realizes real-time operation auditing of the enterprise.
The embodiment of the application discloses an operation auditing method, and compared with the previous embodiment, the embodiment further explains and optimizes the technical scheme. In this embodiment, a supervisor block chain node is used as an execution main body, specifically:
referring to fig. 3, a flowchart of another operation auditing method provided in an embodiment of the present application is shown in fig. 3, and includes:
S201: receiving an operation query request from a client; wherein the operation query request at least comprises a user identification of a target user;
The execution body of this embodiment is the supervision block chain node. When a user suspects how the enterprise has used his personal data, the user can apply to the supervising authority through an online system, that is, send an operation query request to the supervision block chain node. The supervision block chain node verifies the user's identity, for example by face recognition.
S202: querying an operation summary field related to the target user in the target sub-block chain network based on the user identification as a response operation summary field;
S203: performing masking processing on the sensitive information in the response operation summary field, and returning the processing result to the client.
After the user's identity has been verified, the operation summary fields related to the user are queried in the target sub-block chain network, based on the user identification in the operation query request, as the response operation summary field; masking processing is performed on the sensitive information in the response operation summary field, and the query result, that is, the masked response operation summary field, is returned to the user. Sensitive information here may include information related to anti-terrorism financing, anti-money laundering and the like.
S204: when receiving the audit list of the client, uploading the audit list to the target sub-block chain network so that the target enterprise can process the abnormal operation information; wherein the audit ticket includes abnormal operation information related to the target user.
In an implementation, the user may have doubts about an operation the enterprise performed on his personal data: for example, the user never called the hotline to ask customer service to look up his recent transaction records, yet there is a record of an internal customer service employee querying his transaction records. The user may then initiate an audit ticket to the regulatory agency. The supervisory organization uploads the audit ticket containing the abnormal operation information to the target sub-block chain network and sends it to the target enterprise. The target enterprise must process the audit ticket, resolve and record the questions raised, and contact the user if necessary. The processing of the audit ticket should be recorded in the target sub-blockchain network, and the supervision mechanism can track it using the shared-ledger characteristic of the blockchain. If the enterprise's handling of the audit ticket is not self-explanatory, the regulatory agency should intervene to determine whether there was an unauthorized operation on the user's sensitive information.
Therefore, the operation auditing method provided by the embodiment introduces the user into the auditing process, and the user can clearly judge whether the enterprise is authorized to perform sensitive information operation or not, so that whether the enterprise has the behavior of unauthorized operation of the user information or not can be audited in a fine-grained manner, and the operation auditing efficiency and accuracy are improved.
For ease of understanding, reference is made to an application scenario of the present application. In connection with fig. 1, the nodes of target sub-blockchain network 300 include enterprise a and its associated enterprises, departments, and a plurality of regulatory agencies. And the different block chain sub-networks are used for data isolation, so that the data of different enterprises can be isolated from each other.
And collecting operation original logs through a self-built auditing system in the enterprise by block chain nodes of each subsidiary company and each department of the enterprise A, extracting four-element information, namely a subject, an object, an operation type and time, by the auditing system, and expanding the four-element information. In making a four element extension, the mandatory fields required by the regulatory body must be extended as required. The principal must extend its true identity, job position in the company, contract organization, etc. The object must extend its true identity, attributes, etc. And for the operation type, adding a category identifier according to an operation type division standard defined by a regulatory agency, and for the operation type which cannot be classified, adding a Chinese annotation mark.
The extracted elements are used for removing or masking the internal system information of the enterprise which is not related to the user operation, so that the enterprise-related information is prevented from being leaked. And carrying out encryption processing on the user sensitive information. The hash values of all the operation original logs of the enterprise a and the processed elements extracted from the operation original logs are uploaded to the target sub-block chain network 300. The regulatory body may obtain the operation summary field from the target sub-blockchain network 300.
The audit of the operation summary field by the supervision agency comprises integrity audit, autonomous audit and user query audit. For the integrity audit, the regulatory agency interviews enterprise personnel, requires them to list all relevant systems that can operate on user sensitive information, and performs spot checks. Specifically, the supervision authority asks an internal person to perform an operation on each of these systems and checks whether the corresponding operation summary field is received in the blockchain network within an acceptable time; if the blockchain network does not receive it, the system is not reporting and needs to be modified. By iterating this process, the operation summary fields on the target sub-block chain network tend toward completeness. Once a certain type of operation summary field is being reported to the auditing system, rules may be set to monitor it, for example a year-on-year or period-on-period rule on log volume. For example, with a preset audit rule, the volume of that type of log in the last week is aggregated and compared with the volume in the previous week; if the volume has fallen by more than 50%, an alarm is raised, indicating that the reporting of the operation summary field may have a problem and needs to be checked. An alarm is also raised when more than 0.1 percent of the operation summary fields are incomplete.
The autonomous audit can include auditing the qualification and compliance of operators, monitoring operations related to sensitive objects, alarming on operations where the subject and the sensitive object are related, alarming when an important operation reaches a certain volume, and auditing and alarming on behaviors such as abnormal operation time and abnormal operation frequency.
For user autonomous query auditing, the following steps may be included:
Step one: when the user suspects that the enterprise has used his personal sensitive data, he can apply to the supervising agency through the online system, and the supervising agency verifies his identity (for example by face recognition).
Step two: the supervisory authority pulls the log associated with that person from the blockchain (which is not provided to the user for sensitive parts of the log, such as anti-terrorist financing, anti-money laundering related logs), and masks the operator or other sensitive information and returns it to the user.
Step three: the user may have doubts about an operation the enterprise performed on his information. For example, the user never called the hotline to ask customer service to look up his recent transaction records, yet there is a record of an internal customer service employee querying his transaction records. The user may initiate an audit ticket to the auditing authority.
Step four: and the auditing mechanism uploads the audit list to the block chain and sends the audit list to the enterprise.
Step five: the enterprise needs to process the audit ticket, resolve and record the questions raised, and contact the client when necessary. The processing of the audit ticket should be recorded on the blockchain. Using the shared-ledger property of blockchains, regulatory agencies can track this process.
Step six: if the enterprise's processing of the audit ticket is not self-explanatory, the regulatory agency should intervene to determine if there is an unauthorized act to manipulate the user-sensitive information.
In the following, an operation auditing apparatus provided by an embodiment of the present application is introduced, and an operation auditing apparatus described below and an operation auditing method described above may be referred to each other.
Referring to fig. 4, a block diagram of an operation auditing apparatus provided in an embodiment of the present application is shown in fig. 4, and includes:
an obtaining module 401, configured to obtain an operation summary field from a target sub-blockchain network in a parent blockchain network; the parent block chain network comprises a plurality of sub-block chain networks with data isolation between them, the target sub-block chain network is the sub-block chain network corresponding to a target enterprise, the operation summary field is extracted by block chain nodes in the target sub-block chain network on the basis of an operation original log of the target enterprise, the operation summary field comprises elements and an extension field corresponding to each element, the elements comprise standard elements and custom elements, the standard elements comprise subject, object, time and operation type, and the extension fields are extracted by the block chain nodes on the basis of the element extension standard defined by the supervision block chain node;
a first auditing module 402, configured to extract an integrity feature of the operation summary field, and audit the integrity of the operation summary field based on the integrity feature;
a second auditing module 403, configured to determine audit items, and obtain an audit result corresponding to each audit item based on the operation summary field; the audit item comprises any one or a combination of any several items of the qualification, the sensitive object, the sensitive operation type and the subject-object association degree of the subject, wherein the sensitive object is an object with the sensitivity higher than a first threshold, and the sensitive operation type is an operation type with the sensitivity higher than a second threshold.
According to the operation auditing device provided by this embodiment of the application, data isolation is performed between the sub-block chain networks, so that the operation information of different enterprises is isolated from each other within the parent block chain network, and the security of the enterprises' operation information is ensured. A supervision mechanism that audits the operations of the target enterprise joins the target sub-block chain network corresponding to that enterprise as a block chain node, and acquires the operation summary field from the target sub-block chain network in real time for the operation audit. First, the integrity of the operation summary field is audited, to ensure that all operations of the target enterprise's internal personnel on user sensitive information have been uploaded to the target sub-block chain network. Second, each audit item is audited based on the operation summary field. Therefore, by using the shared-ledger, tamper-proof and timely-synchronization characteristics of the block chain, the operation auditing device of this embodiment ensures the timeliness and non-tampering of the enterprise's operation information, breaks through the system barrier between the enterprise and the supervision institution, and realizes real-time operation auditing of the enterprise.
On the basis of the foregoing embodiment, as a preferred implementation, the integrity feature includes the time at which the operation summary field is uploaded into the target sub-blockchain network, and the first auditing module 402 includes:
a first judging unit, configured to judge, based on the integrity feature, whether the operation summary field corresponding to each type of operation is received within the operation summary field receiving time period predefined for that type of operation; and if so, to judge that the operation summary field is complete.
On the basis of the foregoing embodiment, as a preferred implementation, the integrity feature includes the number of all operation summary fields received within the current time window, and the first auditing module 402 includes:
a first determining unit, configured to determine the number of all operation summary fields received in the current time window as a first number, and the number of all operation summary fields received in the previous time window as a second number;
a second determining unit, configured to judge that the operation summary fields are complete if the ratio of the first number to the second number is greater than a third threshold.
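The two integrity audits above (receipt within each operation type's predefined receiving period, and the ratio of summary-field counts between the current and the previous time window), as an added example that is not part of the patent; the field layout, the receiving periods, the window length and the threshold values are assumptions.

```python
# Added example, not the patent's code: integrity audit of operation summary
# fields by (a) upload time per operation type and (b) count ratio between the
# current and the previous time window. Field layout and thresholds are assumed.

# Constructed: receiving period per operation type, as [start, end) seconds
# after the start of a reporting cycle (the patent only says it is predefined).
RECEIVE_PERIODS = {
    "export": (0, 3600),
    "query": (0, 7200),
}

CYCLE_START = 1_700_000_000  # constructed epoch seconds

# Constructed operation summary fields; only the elements this audit needs.
FIELDS = [
    {"op_type": "export", "upload_time": CYCLE_START + 600},
    {"op_type": "export", "upload_time": CYCLE_START + 1200},
    {"op_type": "query", "upload_time": CYCLE_START + 8000},
    {"op_type": "query", "upload_time": CYCLE_START + 9000},
    {"op_type": "export", "upload_time": CYCLE_START + 9500},
]


def audit_by_upload_time(fields, periods, cycle_start):
    """Integrity feature: upload time. Every operation type with a predefined
    receiving period must have at least one summary field uploaded inside
    that period. Returns (complete, [types whose fields were not received])."""
    seen = set()
    for f in fields:
        period = periods.get(f["op_type"])
        if period is None:
            continue  # no period defined for this type: nothing to check
        start, end = period
        offset = f["upload_time"] - cycle_start
        if start <= offset < end:
            seen.add(f["op_type"])
    missing = sorted(set(periods) - seen)
    return not missing, missing


def window_counts(fields, window_len, now):
    """Integrity feature: field counts. Returns (first_number, second_number):
    the number of fields in the current window [now - window_len, now) and in
    the previous window [now - 2*window_len, now - window_len)."""
    first = second = 0
    for f in fields:
        age = now - f["upload_time"]
        if 0 <= age < window_len:
            first += 1
        elif window_len <= age < 2 * window_len:
            second += 1
    return first, second


def audit_by_count_ratio(first_number, second_number, third_threshold):
    """The fields are judged complete when first/second exceeds the threshold.
    An empty previous window gives no baseline; this example (an assumption,
    the patent does not say) then treats a non-empty current window as complete."""
    if second_number == 0:
        return first_number > 0
    return first_number / second_number > third_threshold


if __name__ == "__main__":
    print(audit_by_upload_time(FIELDS, RECEIVE_PERIODS, CYCLE_START))
    first, second = window_counts(FIELDS, 5000, CYCLE_START + 10000)
    print(first, second, audit_by_count_ratio(first, second, 0.8))
```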
On the basis of the foregoing embodiment, as a preferred implementation, the second auditing module 403 includes:
a second determination unit, configured to determine the audit items;
an establishing unit, configured to establish a personnel relationship graph and to judge, based on the personnel relationship graph, whether the operation summary fields contain a target operation summary field whose subject and object have a preset relationship; and if so, to trigger prompt information, wherein the prompt information at least comprises the target operation summary field.
On the basis of the foregoing embodiment, as a preferred implementation, obtaining the audit result corresponding to each audit item based on the operation summary field includes:
performing a repeatability audit of the target operation based on the number of all operation summary fields corresponding to the target operation, to obtain a repeatability audit result for the target operation.
On the basis of the foregoing embodiment, as a preferred implementation, the audit items include isolation, and the second auditing module 403 includes:
a second determination unit, configured to determine the audit items;
an anomaly detection unit, configured to classify all operations according to a preset standard and to perform anomaly detection on the operation time and the operation frequency of each type of operation based on the operation summary fields corresponding to that type of operation, to obtain an isolation audit result for each type of operation.
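The three audit items described above (subject-object association via a personnel relationship graph, repeatability of a target operation, and isolation anomaly detection on the operation time and frequency of each operation type), as an added example that is not part of the patent; the summary-field layout, the relationship graph, the classification standard and the limits are assumptions.

```python
# Added example, not the patent's code: the second auditing module's audit items
# over constructed operation summary fields. Layout, graph and limits assumed.
from collections import defaultdict

# Constructed summary fields with the standard elements this audit needs
# (subject, object, operation type) plus the hour of day of the operation.
FIELDS = [
    {"subject": "alice", "object": "bob", "op_type": "query", "hour": 10},
    {"subject": "alice", "object": "bob", "op_type": "query", "hour": 11},
    {"subject": "alice", "object": "bob", "op_type": "query", "hour": 12},
    {"subject": "carol", "object": "dave", "op_type": "export", "hour": 3},
    {"subject": "erin", "object": "frank", "op_type": "query", "hour": 14},
]

# Constructed personnel relationship graph: undirected edges between persons
# who stand in a preset relationship (the patent does not name the relation).
RELATIONS = {("alice", "bob")}


def related(graph, a, b):
    """Undirected lookup in the relationship graph."""
    return (a, b) in graph or (b, a) in graph


def audit_subject_object(fields, graph):
    """Subject-object association degree: returns the target summary fields
    whose subject and object have a preset relationship. A non-empty result
    is the prompt information the patent triggers."""
    return [f for f in fields if related(graph, f["subject"], f["object"])]


def audit_repeat(fields, target, max_repeats):
    """Repeatability of the target operation (subject, object, op_type):
    count its summary fields and compare against an assumed limit."""
    count = sum(1 for f in fields
                if (f["subject"], f["object"], f["op_type"]) == target)
    return count, count > max_repeats


def audit_isolation(fields, allowed_hours, max_count):
    """Isolation: classify operations by op_type (the assumed preset standard)
    and flag each type whose operation time falls outside allowed_hours
    [start, end) or whose frequency exceeds max_count[op_type]."""
    by_type = defaultdict(list)
    for f in fields:
        by_type[f["op_type"]].append(f)
    start, end = allowed_hours
    anomalies = {}
    for op_type, ops in by_type.items():
        reasons = []
        off_hours = sorted(o["hour"] for o in ops if not start <= o["hour"] < end)
        if off_hours:
            reasons.append("off-hours operation at hours %s" % off_hours)
        limit = max_count.get(op_type)
        if limit is not None and len(ops) > limit:
            reasons.append("frequency %d exceeds limit %d" % (len(ops), limit))
        if reasons:
            anomalies[op_type] = reasons
    return anomalies


if __name__ == "__main__":
    print(audit_subject_object(FIELDS, RELATIONS))
    print(audit_repeat(FIELDS, ("alice", "bob", "query"), 2))
    print(audit_isolation(FIELDS, (8, 18), {"query": 3, "export": 1}))
```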
On the basis of the foregoing embodiment, as a preferred implementation, the device further includes:
a first receiving module, configured to receive an operation query request from a client, wherein the operation query request at least comprises a user identifier of a target user;
a query module, configured to query, based on the user identifier, the operation summary fields related to the target user in the target sub-blockchain network as response operation summary fields;
a return module, configured to mask the sensitive information in the response operation summary fields and to return the processing result to the client.
On the basis of the foregoing embodiment, as a preferred implementation, the device further includes:
a second receiving module, configured to receive an audit ticket from the client, wherein the audit ticket comprises abnormal operation information related to the target user;
an uploading module, configured to upload the audit ticket to the target sub-blockchain network so that the target enterprise can process the abnormal operation information.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
The present application also provides a server. Fig. 5 is a structural diagram of an electronic device 50 provided in an embodiment of the present application; as shown in fig. 5, the device may include a processor 51 and a memory 52.
The processor 51 may include one or more processing cores, such as a 4-core processor or an 8-core processor. The processor 51 may be implemented in at least one hardware form among a DSP (Digital Signal Processor), an FPGA (Field-Programmable Gate Array) and a PLA (Programmable Logic Array). The processor 51 may also include a main processor and a coprocessor: the main processor processes data in the awake state and is also called a Central Processing Unit (CPU); the coprocessor is a low-power processor that processes data in the standby state. In some embodiments the processor 51 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be shown on the display screen. In some embodiments the processor 51 may further include an AI (Artificial Intelligence) processor for computing operations related to machine learning.
The memory 52 may include one or more computer-readable storage media, which may be non-transitory. The memory 52 may also include high-speed random access memory and non-volatile memory, such as one or more magnetic disk storage devices or flash memory storage devices. In this embodiment the memory 52 at least stores a computer program 521 which, after being loaded and executed by the processor 51, implements the relevant steps of the operation auditing method executed on the supervisory blockchain node side, as disclosed in any of the foregoing embodiments. The resources stored in the memory 52 may also include an operating system 522, data 523 and the like, and the storage may be transient or permanent. The operating system 522 may be Windows, Unix, Linux or the like.
In some embodiments the electronic device 50 may further include a display 53, an input/output interface 54, a communication interface 55, a sensor 56, a power source 57 and a communication bus 58.
Of course, the structure shown in fig. 5 does not limit the electronic device of the embodiments of the present application; in practical applications the electronic device may include more or fewer components than those shown in fig. 5, or some components may be combined.
In another exemplary embodiment, there is also provided a computer readable storage medium comprising program instructions which, when executed by a processor, implement the steps of the operational auditing method performed by the server of any of the above embodiments.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An operation auditing method, comprising:
acquiring an operation summary field from a target sub-blockchain network in a parent blockchain network; wherein the parent blockchain network comprises a plurality of sub-blockchain networks with data isolation between each sub-blockchain network, the target sub-blockchain network is the sub-blockchain network corresponding to a target enterprise, the operation summary field is extracted by a blockchain node in the target sub-blockchain network from an original operation log of the target enterprise, the operation summary field comprises elements and an extension field corresponding to each element, the elements comprise standard elements and custom elements, the standard elements comprise a subject, an object, a time and an operation type, and the extension fields are extracted by the blockchain node according to an element extension standard defined by a supervisory blockchain node;
extracting an integrity feature of the operation summary field, and auditing the integrity of the operation summary field based on the integrity feature;
determining audit items, and obtaining an audit result corresponding to each audit item based on the operation summary field; wherein the audit items comprise any one or any combination of the qualification of the subject, a sensitive object, a sensitive operation type and the subject-object association degree, a sensitive object being an object whose sensitivity is higher than a first threshold and a sensitive operation type being an operation type whose sensitivity is higher than a second threshold.
2. The operation auditing method according to claim 1, wherein the integrity feature comprises the time at which the operation summary field is uploaded into the target sub-blockchain network, and auditing the integrity of the operation summary field based on the integrity feature comprises:
judging, based on the integrity feature, whether the operation summary field corresponding to each type of operation is received within the operation summary field receiving time period predefined for that type of operation;
and if so, judging that the operation summary field is complete.
3. The operation auditing method according to claim 1, wherein the integrity feature comprises the number of all operation summary fields received within a current time window, and auditing the integrity of the operation summary fields based on the integrity feature comprises:
determining the number of all operation summary fields received in the current time window as a first number, and the number of all operation summary fields received in the previous time window as a second number;
and if the ratio of the first number to the second number is greater than a third threshold, judging that the operation summary fields are complete.
4. The operation auditing method according to claim 1, wherein obtaining the audit result corresponding to each audit item based on the operation summary field comprises:
establishing a personnel relationship graph, and judging, based on the personnel relationship graph, whether the operation summary fields contain a target operation summary field whose subject and object have a preset relationship;
and if so, triggering prompt information, wherein the prompt information at least comprises the target operation summary field.
5. The operation auditing method according to claim 1, wherein the audit items comprise the repeatability of a target operation, and obtaining the audit result corresponding to each audit item based on the operation summary field comprises:
performing a repeatability audit of the target operation based on the number of all operation summary fields corresponding to the target operation, to obtain a repeatability audit result for the target operation.
6. The operation auditing method according to claim 1, wherein the audit items comprise isolation, and obtaining the audit result corresponding to each audit item based on the operation summary field comprises:
classifying all operations according to a preset standard, and performing anomaly detection on the operation time and the operation frequency of each type of operation based on the operation summary fields corresponding to that type of operation, to obtain an isolation audit result for each type of operation.
7. The operation auditing method according to any one of claims 1 to 6, further comprising:
receiving an operation query request from a client, wherein the operation query request at least comprises a user identifier of a target user;
querying, based on the user identifier, the operation summary fields related to the target user in the target sub-blockchain network as response operation summary fields;
masking the sensitive information in the response operation summary fields, and returning the processing result to the client;
and when an audit ticket is received from the client, uploading the audit ticket to the target sub-blockchain network so that the target enterprise can process the abnormal operation information, wherein the audit ticket comprises abnormal operation information related to the target user.
8. An operation auditing device, applied to a supervisory blockchain node in a target sub-blockchain network corresponding to a target enterprise within a parent blockchain network, wherein the parent blockchain network comprises a plurality of sub-blockchain networks with data isolation between each sub-blockchain network; the device comprises:
an acquisition module, configured to acquire an operation summary field from the target sub-blockchain network in the parent blockchain network; wherein the parent blockchain network comprises a plurality of sub-blockchain networks with data isolation between each sub-blockchain network, the target sub-blockchain network is the sub-blockchain network corresponding to the target enterprise, the operation summary field is extracted by a blockchain node in the target sub-blockchain network from an original operation log of the target enterprise, the operation summary field comprises elements and an extension field corresponding to each element, the elements comprise standard elements and custom elements, the standard elements comprise a subject, an object, a time and an operation type, and the extension fields are extracted by the blockchain node according to an element extension standard defined by the supervisory blockchain node;
a first auditing module, configured to extract an integrity feature of the operation summary field, and audit the integrity of the operation summary field based on the integrity feature;
a second auditing module, configured to determine audit items, and obtain an audit result corresponding to each audit item based on the operation summary field; wherein the audit items comprise any one or any combination of the qualification of the subject, a sensitive object, a sensitive operation type and the subject-object association degree, a sensitive object being an object whose sensitivity is higher than a first threshold and a sensitive operation type being an operation type whose sensitivity is higher than a second threshold.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the operational auditing method of any one of claims 1 to 7 when executing said computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, carries out the steps of the operational auditing method of any one of claims 1 to 7.
Priority Applications (1)

Application Number: CN202010037874.XA; Publication: CN111274276A (en); Priority Date: 2020-01-14; Filing Date: 2020-01-14; Title: Operation auditing method and device, electronic equipment and computer-readable storage medium; Status: Pending

Publications (1)

Publication Number: CN111274276A (en); Publication Date: 2020-06-12

Family

Family ID: 70997103; Family Applications (1): CN202010037874.XA, published as CN111274276A (en), pending; Country Status: CN (1)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112347119A (en) * 2020-09-18 2021-02-09 杭州安恒信息安全技术有限公司 Data storage method and device applied to auditing system and computer equipment
CN111930704A (en) * 2020-09-29 2020-11-13 北京每日优鲜电子商务有限公司 Service alarm equipment control method, device, equipment and computer readable medium
CN111930704B (en) * 2020-09-29 2021-01-15 北京每日优鲜电子商务有限公司 Service alarm equipment control method, device, equipment and computer readable medium
CN112632121A (en) * 2020-12-15 2021-04-09 京东数字科技控股股份有限公司 Block chain data acquisition method and device
CN112632121B (en) * 2020-12-15 2024-04-16 京东科技控股股份有限公司 Block chain data acquisition method and device
CN115134169A (en) * 2022-08-29 2022-09-30 北京中科金财科技股份有限公司 Block chain data management method and system
CN115134169B (en) * 2022-08-29 2022-11-15 北京中科金财科技股份有限公司 Block chain data management method and system
CN116361363A (en) * 2023-03-24 2023-06-30 上海雷昶科技有限公司 Audit tracking record generation method and related device for scientific process evaluation system
CN116361363B (en) * 2023-03-24 2023-09-12 上海雷昶科技有限公司 Audit tracking record generation method and related device for scientific process evaluation system


Legal Events

PB01: Publication
REG: Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40024816; country of ref document: HK)
WD01: Invention patent application deemed withdrawn after publication (application publication date: 20200612)