CN111510463B - Abnormal behavior recognition system - Google Patents

Abnormal behavior recognition system Download PDF

Info

Publication number
CN111510463B
CN111510463B CN202010551673.1A CN202010551673A CN111510463B CN 111510463 B CN111510463 B CN 111510463B CN 202010551673 A CN202010551673 A CN 202010551673A CN 111510463 B CN111510463 B CN 111510463B
Authority
CN
China
Prior art keywords
account
data
server
abnormal
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010551673.1A
Other languages
Chinese (zh)
Other versions
CN111510463A (en
Inventor
吴强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Qizhi Technology Co ltd
Original Assignee
Zhejiang Qizhi Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Qizhi Technology Co ltd filed Critical Zhejiang Qizhi Technology Co ltd
Publication of CN111510463A publication Critical patent/CN111510463A/en
Application granted granted Critical
Publication of CN111510463B publication Critical patent/CN111510463B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The abnormal behavior identification system comprises a data acquisition layer and a behavior analysis engine, wherein the data acquisition layer is used for collecting all authorized behavior data, collecting all server-side account numbers of a data center, asset data and changes of the asset data; establishing a white list by using authorized behavior data, taking the change of the asset data as an abnormal event, summarizing the data of the data acquisition layer in a behavior analysis engine, comparing each abnormal event with the white list by the behavior analysis engine, judging whether the content of the abnormal event belongs to the white list, and if not, marking the abnormal event as an abnormal behavior; the behavior analysis engine only alarms on abnormal behavior. The invention has the advantages that: the acquisition layer, the analysis layer and the application layer are transversely expandable, and the acquisition layer and the analysis layer are longitudinally integrated by each application module of the application layer, so that various safety applications can be continuously and rapidly developed according to the requirements of users.

Description

Abnormal behavior recognition system
Technical Field
The invention relates to the field of information security, in particular to an abnormal behavior identification system.
Background
This section is for convenience only to understand the content of the present invention and should not be taken as prior art.
Depending on the users to which the network is directed, the network can be divided into an extranet (internet) and an intranet (local area network). The intranet may be divided into an office network and a production network. The network behavior of the office internet is relatively open, and viruses and network intrusion events are easy to occur. If the office user and the production user are in the same network, the virus and the intrusion event which occur in the office network can be almost and rapidly spread to the production network, and great threat is brought to the production safety. Thus, office and production networks are also required to be isolated. The production network is also referred to as a data center. The data center includes computing resources, storage resources, network resources, and the like.
Common attack behaviors include: 1. password intrusion means logging in to a destination device by using accounts and passwords of some legal users and then carrying out attack activities. The premise of this method is that the account number of a legal user on the device must be obtained first, and then the password of the legal user must be decoded. 2. Trojan horses, often disguised as utility programs or games that entice the user to open them, leave them on the computer once they have opened attachments to these emails or executed them, and hide a program in their own computer system that can silently execute when the windows is started. 3. WWW spoofing, the web page being accessed has been tampered with by hackers, and the information on the web page is false. For example, the hacker rewrites the URL of the web page to be browsed by the user to point to the hacker's own server, and actually makes a request to the hacker server when the user browses the target web page. 4. When an attacker breaks through one device, the device is often used as a foundation to attack other devices. They can attempt to hack other devices within the same network using network monitoring methods; other devices can also be attacked through IP spoofing and device trust relationships. 5. Network monitoring is an operating mode of a device, in which the device can receive all information transmitted on the same physical channel by the network segment, regardless of the senders and receivers of the information.
However, the risk monitoring or early warning is only that of the user, or the target device alarms respectively, and all early warnings are information with a single dimension. For example: and (4) alarming by the user: the XX account number is abnormal; or the target device alarms: and XX equipment is abnormal. The information of a single dimension cannot know whether the abnormal alarm is caused by the attack or the false alarm is caused only by temporarily changing the operation rule.
The existing abnormal recognition can be used for alarming abnormal events aiming at account numbers or target equipment independently. The abnormal event alarming mechanism is a single-dimension abnormal event which is identified by judging on the basis of a fixed rule in a single data dimension. The problems with this abnormal event alert mechanism are: 1. the fixed rule is rigid and cannot be advanced with time. If a certain account logs in the data center in an invalid period, the account gives an abnormal event alarm. However, it is possible that the account needs to enter the data center by a temporary work task, and the workflow engine has already approved the allowed operation, but the allowed operation is not a fixed rule, so the account with the legal allowed operation logs in the data center in an effective period specified by the non-fixed rule, and the account dimension gives an alarm for an account abnormal event. 2. The alarm is only carried out from a single dimension, and abnormal events of the single dimension cannot form abnormal behaviors or attack behaviors. If an account sends an account abnormal event, but the abnormal information is only the account abnormal, there is no way to obtain information of other dimensions associated with the account. The problems caused by these reasons are mainly: 1. the false alarm rate is high, 2, abnormal event alarm of single dimension, except this dimension information, there is no information of other dimensions, therefore can't judge whether the abnormal event is caused by the aggressive behavior, the reference value of the abnormal event alarm is lower. The false alarm rate is high, and the reference value of alarm is not high, so that operation and maintenance personnel habitually ignore abnormal event alarm, and the alarm is similar to a nominal alarm.
Disclosure of Invention
The invention regards the model entering the data center as comprising a terminal and a server, wherein the terminal represents a user, and the server represents the assets of the data center.
During conventional operation and maintenance operations, workers log in the server of the data center by using respective server accounts to perform work. The number of the service ends of the data center is huge, and each service end has at least one account, so that the number of the accounts entering the service end is huge and cannot be managed. In addition, the operation after the staff enters the server cannot be monitored, and the operation and maintenance safety events frequently occur due to misoperation, illegal operation and the like of the staff, and the reasons are difficult to find.
The internationally common DIKI model gives how to evolve from data layer-by-layer to wisdom. The first layer of data layer collects the original and original data of the risk points, finds the abnormity of the risk points from the original and original data, and obtains abnormal information, namely the second layer of information layer; the information layer can only send out that a certain risk point has an abnormality, but the abnormality does not mean a certain risk, but only indicates that the currently obtained data and a preset information rule are changed, and the data change can be caused by normal work, attack behavior, misoperation of a worker, and the like. The third knowledge layer is used for identifying whether the attack behavior exists or not by performing correlation analysis on the abnormal information; after the attack behavior is found, the automatic perception and the active defense are the fourth layer of intelligence. From this model, it can be known that to discover the hacking behavior, the information correlation analysis is performed, and the solution can be obtained only in the knowledge layer.
And currently, no implementation scheme of a knowledge layer exists. The data shows that the safety management of the data center can only be performed on an information layer at present, that is, the original and native data are compared with a preset rule to judge whether each risk point is abnormal or not. The preset rules are made manually, cannot be adjusted automatically or flexibly according to actual conditions, cannot be updated in real time or in time, so that a lot of abnormal information is misreported, the problem of high false report rate causes too much abnormal information, and real risks are submerged in the misreported data. Moreover, because the data size is too large, the operation and maintenance personnel cannot analyze the abnormal information one by one.
The abnormal behavior identification system takes the bastion machine, the account number maintenance system and the asset data middle desk as data sources, establishes the white list based on the bastion machine, identifies the abnormal behavior of people by using the abnormal event trigger and the white list, and reduces the abnormal false alarm rate. The bastion machine realizes identity authentication, access control, authority control and operation audit when operation and maintenance personnel enter the data center, and the account maintenance system can automatically collect all server accounts of the data center, so that the bastion machine is used as a unique channel for entering the operation and maintenance of the data center on an equipment and host layer. The asset data center can acquire asset information at regular time, comb and acquire complete asset information of the data center, find abnormal events on assets and realize risk early warning of asset dimensionality. However, the exceptional events are single-dimensional events, and the exceptional events need to be associated with people to form behaviors.
The abnormal behavior identification system takes the bastion machine, the account number maintenance system and the asset data middle desk as data sources, establishes the white list based on the bastion machine, identifies the abnormal behavior of people by using the abnormal event trigger and the white list, and reduces the abnormal false alarm rate.
An abnormal behavior recognition system, characterized in that: the system comprises a data acquisition layer and a behavior analysis engine, wherein the data acquisition layer is used for collecting all authorized behavior data, and collecting all server account numbers, asset data and changes of the asset data of a data center; establishing a white list by using authorized behavior data, taking the change of the asset data as an abnormal event, summarizing the data of the data acquisition layer in a behavior analysis engine, comparing each abnormal event with the white list by the behavior analysis engine, judging whether the content of the abnormal event belongs to the white list, and if not, marking the abnormal event as an abnormal behavior; the behavior analysis engine only alarms on abnormal behavior.
Preferably, the behavior analysis engine determines, for each abnormal event, whether the abnormal event has identity authentication information, if so, determines whether the identity authentication information belongs to a white list, and if not, determines that the abnormal event is an abnormal behavior.
Preferably, if the abnormal event passes the identity authentication, the server account corresponding to the abnormal event is obtained, whether the server account of the abnormal event belongs to the white list is judged, and if not, the abnormal event is regarded as the abnormal behavior.
Preferably, when judging whether the account number of the server belongs to the white list, the account number-password of the account number of the server is acquired first, and if the account number-password of the account number of the server does not belong to the white list, the abnormal behavior is considered; if the account-password of the server account belongs to the white list, whether the actual use time of the account is consistent with the operation authority of the server account is judged, and if not, the abnormal behavior is considered.
Preferably, if the abnormal event is authenticated and is logged in within an allowed time by using a server account in a white list, whether an operation instruction corresponding to the abnormal event belongs to the white list is judged, and if not, the abnormal event is regarded as an abnormal behavior.
Preferably, the data acquisition layer comprises a bastion machine, an account maintenance system and an asset data center, and the operation authority and the operation log in the bastion machine belong to authorized behaviors; the account maintenance system collects all server accounts of the data center and updates the server accounts in the bastion machine, and the asset data center acquires asset data and changes of the asset data; and the asset data center station acquires the server account from the bastion machine or the account maintenance system.
Preferably, the account maintenance system comprises a data collector, the data collector logs in the server regularly, searches the storage positions of the accounts in the operating system of the server, and then acquires all the accounts on the server; automatically adding a new server account; and the data acquisition unit automatically modifies the passwords for all the account numbers at regular time.
Preferably, the data collector searches the account storage position of the operating system to obtain all accounts capable of logging in the operating system.
Preferably, a data collector of the account maintenance system acquires an operating system account of the server, the data collector remotely logs in the server by using the operating system account, after logging in, detects a process of the operating system, corresponds to the application by the process, and then searches an account storage position of the application to acquire all accounts of the operating system.
Preferably, the acquisition layer comprises an asset data staging station comprising: the system comprises an asset acquisition layer and an asset data layer, wherein the asset acquisition layer searches and acquires target data from a server at regular time, a security baseline is configured in the data acquisition layer, the security baseline is the latest authorized data, and the change of the currently acquired data and the security baseline is taken as an abnormal event.
Preferably, the acquisition layer logs in an operating system for data search and acquisition through a server account at regular time; and a server account set is configured in the acquisition layer, and the acquisition layer automatically acquires data at regular time.
Preferably, the data center station has a detection module, and the detection module discovers new assets connected with the current server based on the logged-in server.
Preferably, the bastion machine is used as an operation and maintenance gateway of the data center; an identity account, a server account and a matching relation between the identity account and the server account are arranged in the bastion machine; the bastion machine is provided with an identity authentication module, the bastion machine matches the account numbers of the service ends with the terminal through the identity authentication terminal, each account number of the service end has respective operation authority, the bastion machine establishes connection between the terminal and the service end according to the operation authority, and the operation of the terminal on the service end forms an operation log to be stored in the bastion machine.
Preferably, the bastion machine is connected with a workflow engine, and the approved work list in the workflow engine is input into the bastion machine as an authorized behavior; and/or, statically configuring authorized behaviors within the bastion.
The invention has the advantages that:
1. the acquisition layer, the analysis layer and the application layer are transversely expandable, and the acquisition layer and the analysis layer are longitudinally integrated by each application module of the application layer, so that various safety applications can be continuously and rapidly developed according to the requirements of users.
2. The invention takes the bastion machine as the only channel for entering the data center, realizes identity authentication, access control, authority control and audit by the bastion machine, thereby realizing that authorized responsible persons access the allowed access service terminals in an authorized range, and the whole operation process forms an operation log so as to compare the operation log with an approved work order and realize work audit; the method has the advantage of properly ensuring the safety of the data center on the premise of not influencing the existing structure and connection relation of the data center.
3. According to the invention, the data acquisition device is authorized by the bastion machine to log in the server for data acquisition, a plug-in is not required to be installed on the server, the normal work of the server is not interfered, the safety of the data center is properly ensured, and abnormal events of the data center can be found.
4. The data acquisition device acquires data through the bastion machine, the account number entering the service end is automatically configured by the bastion machine, and all the account numbers of the service end are arranged in the bastion machine, so that automatic full acquisition of configuration data can be realized, and the acquisition efficiency is high.
5. The behavior of a person is considered to comprise four elements of the person, the affair, the place and the time, data are collected from multiple dimensions by a data collector, the collected data are divided according to the elements of the behavior, the data of all the dimensions are collected in a behavior analysis engine, the behavior analysis engine completes the splicing and comparison of the elements of the behavior, and single-dimensional abnormal events are related into the behavior; the alarm is triggered by the abnormal behavior instead of the abnormal event, so that the abnormal false alarm rate is obviously reduced, and the external attack behavior can be found so as to respond in time and ensure the safety of the data center.
Drawings
Fig. 1 is a schematic diagram of a terminal (user) accessing a service end of a service data center through a bastion machine.
Figure 2 is a schematic diagram of the bastion machine interacting with a third party platform.
Figure 3 is a schematic diagram of four deployment modes of the bastion machine.
FIG. 4 is a schematic diagram of data collected by the Agent-free data collection method.
FIG. 5 is a block diagram of a framework for a station in asset data.
FIG. 6 is a data collection diagram of a station in asset data.
FIG. 7 is a block diagram of data collection for stations in asset data.
FIG. 8 is a block diagram of a security system for data center operations and maintenance.
FIG. 9 is a schematic diagram of a card account of the account maintenance system.
Figure 10 is a schematic diagram of the account maintenance system interacting with the bastion machine.
FIG. 11 is a block diagram of an anomaly identification system.
Detailed Description
Abnormal behavior
The abnormal behavior in the present invention refers to an operation behavior that is not consistent with the content of the white list, and includes, but is not limited to, an abnormal behavior caused by an attack of a hacker, an abnormal behavior caused by an incorrect operation of an internal operation and maintenance worker, and the like.
Gateway
It is known that walking from one room to another necessarily passes through a door. Similarly, sending information from one network to another must also pass through a "gateway," which is a gateway. As the name implies, a Gateway (Gateway) is a "Gateway" that connects one network to another, i.e., a network Gateway. The gateway in the invention refers to a door entering a data center.
Workflow engine
The workflow engine is used for determining information transfer routing, content level and other core solutions which have determination effects on each application system according to different roles, division of labor and conditions. The workflow engine of the invention can complete the examination and approval and authorization of the worksheet of the operation and maintenance personnel, and the content of the worksheet comprises the service end which the terminal (who) logs in the corresponding service end with a certain identity account number and the work (operation authority).
Service terminal
The server is a targeted service program, and the main expression form is mainly 'window program' and 'console'. The server is generally built under operating systems such as Linux, Unix and Windows. The service end in the invention refers to all equipment service programs of the data center, including but not limited to: hosts (including virtual machines), network resources, the Web, applications, middleware, and databases.
Server account
The server account refers to an account-password for logging in the server, and each server account corresponds to a corresponding authority (operation authority).
Fortress machine
As shown in fig. 1, the fort machine is used as an operation and maintenance operation gateway of a data center; an identity account, a server account and a matching relation between the identity account and the server account are arranged in the bastion machine; the bastion machine is provided with an identity authentication module, the bastion machine matches the account numbers of the service ends with the terminal through the identity authentication terminal, each account number of the service end has respective operation authority, the bastion machine establishes connection between the terminal and the service end according to the operation authority, and the operation of the terminal on the service end forms an operation log to be stored in the bastion machine.
The bastion machine is used as a unique channel for entering the data center during operation and maintenance, the fact that the bastion machine enters the data center through the bastion machine is considered to be legal, and the fact that the bastion machine does not enter the data center through the bastion machine is considered to be illegal. The bastion machine realizes the automatic matching of the terminal (responsible person) and the server, and solves the problems of huge account number and difficult management. Identity authentication realizes identity determination of the terminal, and knows who is who, namely who is going to enter a server of the data center. That is, the fort machine realizes two confirmations of the identity of the person: 1. the person responsible for the access belongs to the collection of persons who are allowed access, and 2, the person who applies for the access is the principal. So, solved the fuzzy problem of identity, if the discovery problem, can directly trace back to people.
The bastion machine automatically matches the account number of the server side with the terminal, access control of the terminal entering a data center is achieved, and the problem of unauthorized access is solved by determining where you can go. The account number of the server side is bound with the operation authority, the operation authority represents what you can do, the instruction can be accurately obtained, and the problems of violation and misoperation are solved. All operations of the terminal on the server side are stored in the bastion machine in the form of logs, and the problem that the logs are difficult to trace is solved.
Further, the service account refers to an account-password that can access the service, each service account has its own operation right, and the content of the operation right includes time allowed to perform an operation, the service allowed to access and the operation allowed to be performed.
The operation authority can be an inherent rule pre-configured in the bastion machine or a rule allowed after the approval of the production side. Intrinsic rules include, but are not limited to, network security laws, registration protection requirements, marketing enterprise specifications, industry regulatory requirements, operation and maintenance security requirements, and the like.
In some embodiments, the operation authority can be input into the bastion machine at regular time or in real time through a flexible authorization strategy on the basis of the inherent rule. And the fortress machine is connected with the workflow engine, and the work sheet passing the approval in the workflow engine is used as the operation authority to be input into the fortress machine.
The bastion machine performs data transmission through an API (application programming interface) as shown in figure 2. The bastion machine is connected with an office platform of a production party so as to obtain a list of persons allowed to enter the data center, asset records of the data center, network information and the like.
The bastion machine comprises a character host protocol module, a graph host protocol module, a file transmission protocol module, a database protocol module and an application release protocol module. Different protocol modules are used for being compatible with different brands, different operating systems, different applications and the like.
The server side comprises a host, a network device, a web server, an application, middleware and a database. The server is also called an asset.
The mode that the terminal visits the bastion machine comprises the following steps: the bastion machine is directly connected with the bastion machine through webpage access, or through mobile terminal APP access, or through an operation and maintenance tool; or local access.
In some embodiments, the identity authentication module implements identity authentication using a two-factor authentication mechanism.
The operation authority initiatives of the server account are authorized based on user attributes, and the user attributes comprise a user name, a mailbox and/or an authentication mode; and/or the operation authority of the server account is initiated based on the server attribute, wherein the server attribute comprises an asset name, an IP address, an asset type and/or a responsible person.
Comparing the operation authority in the bastion machine with an operation log left by the terminal after the bastion machine accesses a server (asset) to realize audit; the audit includes character operation audit, graphic operation audit, file transmission audit, database operation audit, and/or log retrieval. That is, the audit is classified according to data types, such as graphic data, file transfer amount, database files, and the like.
The bastion machine adopts a data warehousing technology to carry out data management, adopts a big data index technology to carry out data retrieval, and adopts a Spring Boot modularization technology to carry out task construction and scheduling. The tasks include character protocol processing, graphic protocol processing, authorization data processing, and the like.
In some embodiments, the deployment mode of the bastion machine is a dual-machine deployment mode of the host machine and the standby machine, and the dual machines share the virtual IP, as shown in fig. 3.
In some embodiments, the bastion machines are deployed in a manner that each bastion machine serves as a cluster node and the cluster nodes can be expanded horizontally, and all the cluster nodes share a virtual IP (Internet protocol), as shown in FIG. 3.
In some embodiments, the deployment mode of the bastion machine is a multi-site deployment mode, each site is deployed in a dual machine, the dual machines share a virtual IP, or the cluster nodes are deployed, the cluster nodes share a virtual IP, or the single machine is deployed, and the single machine uses an actual IP, as shown in fig. 3.
In some embodiments, the bastion machine is deployed in a mode that cluster nodes are classified according to service types, and a plurality of cluster nodes are combined to form a complete bastion machine function. For example, cluster nodes including Master HA, Worker node, ES big data index cluster and storage cluster are shown in FIG. 3.
Agents-free data acquisition method
A data acquisition method of a data center is characterized in that a data acquisition unit is arranged in the data center, an initial server account is input to the data acquisition unit, and the data acquisition unit logs in a server at regular time by using the server account to acquire data.
In some embodiments, the data collector enters the server to collect data, and performs the following operations: the data acquisition device remotely logs in an operating system of the target device, detects a file where the target information is located in the operating system of the service device, acquires the target information in the file, and acquires the target information into a storage module of the data acquisition device.
A data configuration module is arranged in the data acquisition unit, and a configuration rule of data is preset in the data configuration module; when the data acquisition device acquires the data, the target information is acquired to form configuration data according to the configuration rule, and the configuration data is used as the output of the data configuration module.
Data acquisition unit
A data acquisition unit of a data center is a server side of the data center and is provided with an automatic data acquisition module, and the data acquisition unit enters a target server side to search and acquire target data in a remote login mode through a server side account.
The automated data collection module includes, but is not limited to, an application, a plug-in or script, and the like.
The operation and maintenance department of the producer is used as a manager of the data center and has an account number for entering the operating system of the server. Preferably, the server account is configured in the data collector, and the data collector performs data collection according to the configured server by logging in the data center in batches at regular time. For example, the data collector (IP address) logs in the server a with the account a for data collection at XX, logs in the server B with the account B for data collection, and logs in the server C with the account C for data collection … …. The data collection in this scheme is a configuration data full collection, as shown in fig. 6, the asset data center collects and detects all assets in the data center, such as patches, accounts, network devices, operating systems, middleware, databases, servers, ports, processes, security devices, and the like. Currently, a single acquisition can configure 500 and more servers for data acquisition. As shown in fig. 5, the acquisition layer may log in the server through an instruction set, or implant a script into the server, and send the server data to the data layer through the script, or may acquire data through JMX, JDBC, API ports or offline, or may acquire data through an Agent-free data acquisition unit or an acquisition method in the present invention.
In some embodiments, the data collector enters the server to collect data, and performs the following operations: the data acquisition device remotely logs in an operating system of the target device, detects a file where the target information is located in the operating system of the service device, acquires the target information in the file, and acquires the target information into a storage module of the data acquisition device.
A data configuration module is arranged in the data acquisition unit, and a configuration rule of data is preset in the data configuration module; when the data acquisition device acquires the data, the target information is acquired to form configuration data according to the configuration rule, and the configuration data is used as the output of the data configuration module.
The data acquisition unit is responsible for actively searching target data and outputting data of various brands and various types of service ends in the data center in a uniform format, so that the aims of actively acquiring the data and converting the data of different types and then outputting the data are fulfilled.
In some embodiments, the data center has the aforementioned bastion machine, the server account initialized in the data collector is from the bastion machine, and the data collector is independent of the bastion machine.
And acquiring data from the dimension of the assets to a data center by using a bastion machine, and comprehensively carding the online assets. And in the operation and maintenance record of the producer, records of all equipment of the data center are provided, and the equipment record contains an account password for logging in the equipment. When a data center is constructed, a producer enters registration for each purchased device and sets an initial login account number (account password). However, after the data center is put into use, although the devices are not changed, the data in the devices and the attributes of the devices are changed at any time. For example, when registering a device, the device a registers a device ID, an account (password of an incoming account), and an attribute of the device a as a host. However, after being put into use, device a is reinstalled, and its property is changed to the Web server. For example, the properties of the device a are not changed, but the production data of the host is also changing, and so on.
The data collected by the bastion machine timing login server side comprises port data, process data, account data, application data, hardware data, patch information, network data, software data, server side log data, login data of the server side, interface data and the like. Of course, the data that the bastion machine can collect from the server is not limited to the above example, and may be other data that the server has.
The assets are found and the asset attributes are found by collecting data from the data center, and the aim of comprehensively combing the online assets is further fulfilled. And (4) regularly acquiring and combing to ensure that the asset records change along with the change of the data, so as to construct a comprehensive and complete asset information base.
Account maintenance system
And the terminal is allowed to enter the server side for operation after identity authentication. However, the number of the service terminals is very large, and each service terminal has a respective account and password; therefore, the data volume of the account-password is also huge, and an account management scheme is developed at the same time.
The current account management scheme in information security generally manages the access of a terminal to a server, and records and monitors an operation log after the terminal logs in the server. The account management scheme has the following problems: the number of the account numbers is huge, and an operation and maintenance department cannot master all the account numbers of the server, so that unique channel control from the terminal to the server cannot be realized.
A data center account number maintenance system comprises a data acquisition unit, wherein the data acquisition unit searches the storage positions of account numbers in an operating system of a server at regular time and then acquires all account numbers on the server; automatically adding a new server account; and the data acquisition unit automatically modifies the passwords for all the account numbers at regular time.
When the operating system and the application software are installed, a special file for storing a login account (an account password) and operation authority owned by the account is provided in the operating system. When account maintenance is carried out, after the data acquisition unit remotely logs in an operating system of a server, a storage file of an account is automatically detected, an account password and an operation authority of the account are found from the storage file, and the account password and the operation authority are collected into the data acquisition unit. Generally, the password stored in the file may be an encrypted ciphertext, so that when account maintenance is performed, the password of the account is automatically changed to obtain a usable account.
Through continuous data acquisition, all account numbers-passwords recorded by the server can be obtained, and the account numbers are combed. In addition, the password is automatically modified after the account number of the server is obtained, the automatic generation rule of the password is pre-configured in the data acquisition unit, the automatically generated password naturally conforms to various password rules, and the problem of weak password is solved easily. The data acquisition unit can acquire all account numbers-passwords of the server side through continuous acquisition, and automatically and easily solve the problem that the account numbers are not changed for a long time. An account password configuration strategy is preset in the data acquisition unit, and automatic encryption is realized by adopting the prior art.
The data acquisition unit searches the account storage position of the operating system to acquire all accounts capable of logging in the operating system. The data acquisition unit acquires an operating system account of the server, remotely logs in the server by the operating system account, detects the process of the operating system after logging in, corresponds the application by the process, searches the applied account for storing files, and acquires all accounts of each application on the operating system.
Acquiring attribute information of an account when the account is acquired, wherein the attribute information of the account includes last login time of the account, account permission, identity information corresponding to the account, account number, account creation time, account ID, expiration time of the account, account source and the like, and as shown in fig. 9, the account information can be acquired through a network segment scanning tool and a precision scanning tool; and comparing the current account attribute information with the account attribute information acquired last time, and if the account attribute information changes, regarding the change as an account abnormal event. The account number-password and the attribute information of the account number belong to the content of the server account number.
The data acquisition unit is provided with a search module, and the abnormal time of the account is classified according to the account attribute information, and the abnormal events of the account are classified and counted.
Comparing the latest login time of the account with a preset time threshold, and regarding the account exceeding the preset time threshold as a zombie account; and/or comparing the account authority with the account authority acquired last time, and if the authority content changes, determining the account as an unauthorized account; and/or identifying identity information corresponding to the account, and if the identity information is null, determining the account as a ghost account; if the identity information is not null, comparing the identity information with the identity information acquired last time, and if the identity information changes, regarding the identity information as a risk account; zombie account numbers, unauthorized account numbers, ghost account numbers and risk account numbers all belong to account number abnormal events.
And/or judging whether the number of the currently obtained accounts is equal to the number of the accounts obtained last time, and if the number of the currently obtained accounts is larger than the number of the accounts obtained last time, regarding the newly added accounts as account abnormal events; and if the number of the currently obtained accounts is less than that of the last obtained accounts, acquiring the deleted accounts, and regarding account deletion as an account abnormal event and the like. The account abnormal event is probably caused by an attack behavior or misoperation, and the abnormal event triggers risk reminding.
Obtaining a password using the SDK; alternatively, the password is obtained using an automated plug-in.
And screening the expiration time of the account for the account data acquired each time, deleting the account reaching the expiration time, and generating a new account and a password thereof. And generating a new account-password according to an account password configuration strategy. Thus, account life cycle management and a secret can be realized.
The data center for carrying out account maintenance by using the data collector is provided with a bastion machine, the account of the data collector which automatically logs in the server for the first time comes from the bastion machine, and the account record of the server collected by the data collector every time is input into the bastion machine. As shown in fig. 10, the account maintenance system performs account combing, encrypts a newly acquired account each time a new account is acquired, and stores an account and a password, all account information obtained by the account maintenance system combing is pushed to the bastion machine, the bastion machine performs access authorization according to the account, establishes connection between the terminal and an asset (service end), realizes asset access, and realizes operation audit of the terminal on the asset.
An account safety baseline is preset in the data acquisition unit and comprises data updated last time, and if the data acquired by the data acquisition unit at the current time is changed from the account safety baseline, the changed data is marked as an account abnormal event.
The method for maintaining the data center account number has the following advantages: 1. the account data can be comprehensively collected, and all server accounts existing in the data center can be obtained. 2. The data can be comprehensively collected, and the account number is comprehensively evaluated for risk; the account password is directly obtained from the operating system, and all asset types of the data center are compatible through various password detection modes. 3. The account password configuration strategy is preset in the data acquisition unit, and can comprise an encryption algorithm to realize automatic encryption of the password, or can be combined with the current hardware information to support hardware encryption. 4. The API is used for realizing data transmission, the data acquisition device is in seamless linkage with the bastion machine, the data acquisition device is rapidly integrated with the bastion machine or other servers in a plug-in mode, and the method and the system can be suitable for a super-large-scale account management scene.
The server, the network equipment, the database, the safety equipment, the middleware and the like are assets of the data center, and the asset accounts are difficult to comb due to the large quantity, multiple types, multiple brands and quick change of the asset equipment; the assets are various and scattered in risk, the security department is not a data producer and a data center builder, and is used as a technical department of a data producer and a data center builder to pay attention to IT efficiency and not to pay attention to IT security; the security department focuses on IT security, but not on IT efficiency; the security department is led to take steps in acquiring asset security data, asset risks are difficult to identify, and industry security rules are difficult to realize.
Asset data middling platform
In order to solve the problems of unclear assets, unknown risks and opaque rectification, the invention provides an asset data center station which has low interference on data production and can obtain complete asset safety data of a data center.
An asset data center of a data center, comprising: the acquisition layer searches and acquires target data from the server at regular time; target data are input into a data layer, and the data layer stores the target data in a classified manner; the asset data middle desk is preset with a data configuration rule, target data of the data layer is configured and then output, the application layer comprises a plurality of display modules, and the display modules of the application layer are transversely expanded as shown in fig. 5.
The acquisition layer actively searches for target data from the server, that is, the acquisition layer searches for the target data first and then performs data acquisition, as shown in fig. 4, the asset security data center performs data full acquisition on the data center, compares the currently acquired data with the security baseline, and acquires and identifies malicious files, illegal processes, illegal changes, viruses, high-risk vulnerabilities, illegal ports and the like. Instead of passively receiving the data of the server. And the acquired data is classified and stored and configured in a data center platform in a data format, and the configured data is input into a remote analysis platform or displayed by each display module of an application layer of the data center platform.
The manner of acquiring data from the server by the acquisition layer includes but is not limited to: the data are collected by using the script, the data are collected by using the instruction set, the data are collected by using the Agent loaded on the server, the data are collected by using the JMX method, the data are collected by using the JDBC method, and the data are obtained by using the API interface, as shown in fig. 5. As shown in fig. 7, the data collected from the data center includes port information, process information, file information, account information, network information, software information, version information, patch information, application service configuration, account configuration, Operating System (OS) configuration, network device configuration, security device configuration, database configuration, and the like.
The acquisition layer logs in an operating system for data search and acquisition through a server account at regular time; and a server account set is configured in the acquisition layer, and the acquisition layer automatically acquires data at regular time.
The data center is provided with the bastion machine, and the service end account set of the acquisition layer comes from the bastion machine. Preferably, the data center is provided with the account maintenance system, the service side account set acquired by the account maintenance system each time is synchronized with the bastion machine, and the service side account of the bastion machine is synchronized with the data center.
The data center station is provided with a detection module, wherein the detection module comprises an SNMP scanning tool, an NMAP network connection end scanning tool, a ping discovery tool, a host ARP cache discovery tool and a local area network ARP scanning discovery tool; and/or probe process discovery applications. The detection module is used for discovering new assets of the data center.
Snmp based auto discovery of hosts within a network. The NMAP scans the open network connection end of the data center and detects unregistered servers in the working environment. Ping is used to discover remote servers that are remotely connected to the currently logged-on server. And finding out the IP address of the host accessing the current service end by inquiring the ARP cache of the host. And (4) utilizing the local area network ARP to scan and discover all hosts in the local area network.
This is because the data producers and equipment builders of a data center are the technical sector, not the security sector, which cannot know the current assets of the data center in time. Therefore, when or before the asset data acquisition is carried out, the asset detection is carried out on the data center, the assets existing in the network are found, and the completeness of the asset account book is ensured by checking missing and filling. After detecting the new assets, the server account of the assets is obtained through manual addition of the server account of the assets or other ways such as an account maintenance system.
Data collected by the collection layer includes, but is not limited to: account information, port information, process information, patch information, file information, network information, software information, version information, operating system configuration, application service configuration, account configuration, network device configuration, security device configuration, middleware configuration, database configuration, business information, hardware information, operating system information, kernel information, disk partitions, and the like.
The server is logged in at regular time by the server account number, data are automatically collected in batches, scripts do not need to be implanted into the equipment or agents do not need to be installed, and the influence on the service is reduced to the minimum. Only the target data to be acquired is configured on the acquisition layer, one-time acquisition of the multidimensional data can be realized, the acquisition efficiency is high, and frequent acquisition is not needed.
In some embodiments, the asset data center configures a security baseline, where the security baseline is the last acquired data and/or the risk point rules; after each data acquisition, comparing the current data with the safety baseline, and taking the changed data as an abnormal event; for example, in the asset data, port 1 was closed in the last data; however, in the current data, if the port 1 is opened, the port 1 has data change and is marked as an abnormal event. For another example, in the account data, there is no account X in the last data. However, if an account X appears in the current data, that is, if an account X is newly added, the account X is a data change and is marked as an abnormal event. The abnormal event is probably caused by an attack or misoperation, and the abnormal event triggers a risk reminder.
For example, the account number should contain numbers, letters and symbols, but if the account number Y has only numbers, the account number Y is marked as an abnormal event. For example, if the server X should not be logged in on weekends, but the server X is logged in on weekends, the server X logged in on weekends is marked as an abnormal event. The risk point rules may be industry rules, such as rules for determining weak password accounts, zombie accounts that do not log in for a long time, and the like. The risk point rule may also be a legal provision.
Abnormal behavior recognition system
The bastion machine realizes identity authentication, access control, authority control and operation audit when operation and maintenance personnel enter the data center, and the account maintenance system can automatically collect all server accounts of the data center, so that the bastion machine is used as a unique channel for entering the operation and maintenance of the data center on an equipment and host layer. The asset data center can acquire asset information at regular time, comb and acquire complete asset information of the data center, find abnormal events on assets and realize risk early warning of asset dimensionality. However, the exceptional events are single-dimensional events, and the exceptional events need to be associated with people to form behaviors. In the fifth aspect of the invention, the bastion machine, the account maintenance system and the asset data center are used as data sources, the white list is established based on the bastion machine, the abnormal behavior of people is identified by using the abnormal event trigger and the white list, and the abnormal behavior identification system reduces the abnormal false alarm rate.
The abnormal behavior recognition system, as shown in fig. 11, includes a data collection layer and a behavior analysis engine, where the data collection layer collects all authorized behavior data, all server accounts of a data center, and asset data and changes of the asset data; establishing a white list by using authorized behavior data, taking the change of the asset data as an abnormal event, summarizing the data of the data acquisition layer in a behavior analysis engine, comparing each abnormal event with the white list by the behavior analysis engine, judging whether the content of the abnormal event belongs to the white list, and if not, marking the abnormal event as an abnormal behavior; the behavior analysis engine only alarms on abnormal behavior.
The scheme divides human behaviors into the following basic elements: person (a person in charge), time (at what time, time period), place (where, i.e. the device), thing (what was done, i.e. the operating instructions). And the information of the person includes: operator and account password. Therefore, to see the abnormal behavior of people in a data center, the following needs to be included: which operator uses which set of account password (person) to enter which server (place) to execute which operation instruction (thing) at what time (time).
The data for the account dimension includes: what account number (information about the person missing the operator) changes at what time (time) on which server (place). Therefore, the information of the operator is lost in the data of the account dimension, that is, the operation performed by which natural person cannot be seen, so that whether the worker works normally (normal behavior) or a hacker (non-worker) attacks cannot be identified.
The data for the asset dimension includes: what device data changes at what time (time) on which server(s). Thus, data for the asset dimension is missing information for a person.
The authorized actions include: a person in charge is allowed to log in a certain device (place) for operation (at what time (time) a certain group of account passwords (people) are). The allowed operation has the basic elements of human, time, place and thing behaviors. However, the allowed operation is a pre-configured rule, the allowed operation is an explicit rule, and only dynamically updated or supplemented, and the attack behavior is not considered to occur in the industry due to the dynamic change of the allowed operation. Data changes (abnormal event triggers) in account dimensions and/or asset dimensions may be due to aggressive behavior. Therefore, the invention uses the allowed operation (configured rule) as the white list, and compares the data of the account dimension, the data of the asset dimension and the white list with each other to realize the splicing of the basic elements of the behaviors, thereby achieving the purpose of identifying the abnormal behaviors based on people.
Preferably, the data acquisition layer comprises the bastion machine, an account maintenance system and an asset data center station, and the operation authority and the operation log in the bastion machine belong to authorized behaviors.
The bastion machine realizes the uniqueness of the operation and maintenance channel, and the asset data center station realizes the integrity of the asset data of the data center, so that the bastion machine has all authorized behavior information and establishes a white list, and the asset data center station can discover all data changes of an asset end and trigger abnormal event alarm; and the behavior analysis engine confirms information in the white list aiming at the abnormal event alarm and judges whether unauthorized abnormal behaviors exist or not.
The operation log records the operation instruction actually occurred in detail. The allowed operations are allowed to do and do not necessarily actually occur. The operation log is actually generated, and the operation instruction and the allowed operation complement each other to perfect the content of the white list.
The account maintenance system collects all server accounts in the data center, is connected with the bastion machine and updates the server accounts in the bastion machine, and the server accounts belong to a white list.
The asset data center station obtains complete and comprehensive asset information of the data center, and identifies abnormal events after data acquisition each time.
Behavior analysis engine
The behavior analysis engine is packaged as an independent module and can be transplanted to any platform, system or whole scheme. The behavior analysis engine comprises an input interface for acquiring data, an engine kernel for analyzing the data, and an output interface for outputting the data. The output interface may be connected directly to the application APP or to another data engine, such as a search engine.
In some embodiments, the behavior analysis engine determines, for each abnormal event, whether the abnormal event has identity authentication information, if so, determines whether the identity authentication information belongs to a white list, and if not, determines that the abnormal event is an abnormal behavior. Whether the person is authenticated or not refers to whether the abnormal event has the stage of authentication or not. For example, the behavior splicing data corresponding to the abnormal event is as follows: the person responsible for A1 logged in to server D1, but person responsible for A1 did not belong to the set of people in the white list allowed to log in to the list of people in server D1, then the abnormal event is considered abnormal behavior. That is, the server side of the data center that an unauthorized person logs in is an abnormal behavior.
In some embodiments, if the abnormal event passes through the identity authentication of the bastion machine, the server account corresponding to the abnormal event is obtained, whether the server account of the abnormal event belongs to the white list or not is judged, and if not, the abnormal event is regarded as an abnormal behavior. For example, the person responsible for the abnormal event is an abnormal behavior if the person responsible for the abnormal event a1 enters the server D1 at time T1 through account B1, and the person responsible for the abnormal event belongs to a person allowed to enter the white list at time T1 after the identity authentication, but account B1 does not belong to the account set entering the server D1 at time T1 in the white list. Using an unauthorized server account is an abnormal behavior.
In some embodiments, when determining whether the server account belongs to a white list, first obtaining an account-password of the server account, and if the account-password of the server account does not belong to the white list, determining that the server account is an abnormal behavior; if the account-password of the server account belongs to the white list, whether the actual use time of the account is consistent with the operation authority of the server account is judged, and if not, the abnormal behavior is considered.
That is, when determining whether the account of the server belongs to the white list, first, it is determined whether the account-password entered into the server is recorded in the bastion machine, and if a new account-password appears, it is determined that an abnormal behavior appears. The reason is that all the behaviors authorized by the bastion machine to enter the data center are recorded according to the access control function of the bastion machine, and if no corresponding record exists in the bastion machine, the current login behavior is not authorized by the bastion machine and belongs to illegal operation, namely abnormal behavior.
When the account number-password of the server account number belongs to a white list, whether the login time is within the permission time is judged, based on the permission control function of the bastion machine, the bastion machine only establishes an access channel within the permission range, and if the actual operation information is not in accordance with the operation permission, the current login behavior is not authorized by the bastion machine and belongs to illegal operation, namely abnormal behavior.
In some embodiments, if the abnormal event is authenticated by the bastion machine and is logged in within an allowed time by using a server account in a white list, whether an operation instruction corresponding to the abnormal event belongs to the white list is judged, and if not, the abnormal event is regarded as abnormal behavior. The operation log of the bastion machine is used for comparing the white list content of the operation instruction. The nature of an exception event is a data change that is caused by an operation instruction. If the operation log does not have a corresponding operation instruction, based on the auditing function of the bastion machine, the current operation is known not to be authorized by the bastion machine, possibly enters from a leak, and is an abnormal behavior.
Starting with an abnormal event of account dimensionality, finding the abnormal event of the account by a data collector of the account dimensionality, extracting the time and the server side of the abnormal event, searching whether a right matched with the event occurrence time and the server side exists in a white list, if yes, judging whether an operation instruction is recorded in the right, if so, judging whether the operation instruction can cause data change corresponding to the abnormal event, if the operation instruction corresponds to the data change, judging the operation instruction to be a normal behavior, and if the operation instruction does not correspond to the data change, judging the operation instruction to be an abnormal behavior; and if the authority matched with the event occurrence time and the server side does not exist, the abnormal behavior is considered.
If no operation instruction is recorded in the authority, searching an operation log of the authority before and after the event occurrence time, extracting the operation instruction from the operation log, judging whether the operation instruction in the log can cause account change corresponding to the account abnormal event, if the operation instruction corresponds to the account change, considering the operation log as a normal behavior, and if the operation instruction does not correspond to the account change, considering the operation log as an abnormal behavior.
Starting with an asset dimension abnormal event, finding the asset dimension abnormal event by an asset dimension data collector, extracting the asset abnormal event occurrence time and a server, searching whether a right matched with the event occurrence time and the server exists in a white list, if so, judging whether an operation instruction is recorded in the right, if so, judging whether the operation instruction can cause data change corresponding to the abnormal event, if the operation instruction corresponds to the asset state change, judging the operation instruction to be a normal behavior, and if the operation instruction does not correspond to the asset state change, judging the operation instruction to be an abnormal behavior; and if the authority matched with the event occurrence time and the server side does not exist, the abnormal behavior is considered.
If no operation instruction is recorded in the authority, searching an operation log of the authority before and after the event occurrence time, extracting the operation instruction from the operation log, judging whether the operation instruction in the log can cause the asset state change corresponding to the asset abnormal event, if the operation instruction corresponds to the asset state change, considering the operation log as a normal behavior, and if the operation instruction does not correspond to the asset state change, considering the operation log as an abnormal behavior.
Operation and maintenance safety system
The system comprises a data acquisition layer, a data analysis layer and an application layer; the data acquisition layer comprises a data acquisition device and a bastion machine which are transversely expanded, and data acquired by the data acquisition layer is collected in the data analysis layer; the data analysis layer comprises transversely extended analysis engines, and all analysis engines share data from the data acquisition layer; the application layer comprises a transversely extended application module, the result of the data analysis layer is displayed by the corresponding application, and the safety system for the operation and maintenance of the data center shown in fig. 8 comprises an application layer, an analysis layer and an acquisition layer; the bastion machine, the account management system and the asset data center (or called asset management system) are used as collectors for collecting data from a data center (object layer). The analysis layer comprises data analysis engines such as a search engine, a task scheduling engine, a big data processing engine, a machine learning engine and a behavior analysis engine; and the data acquired from the object layer by the acquisition layer is input into the analysis layer for data analysis, and the results of the data analysis are displayed by various applications APP of the application layer.
According to the operation and maintenance system, a traditional data acquisition device corresponds to one analysis module and then corresponds to a chimney type structure of a display module, the chimney type structure is divided into a data acquisition layer, the data analysis layer and an application layer are longitudinally overlapped in an interlayer mode, the layer is transversely expanded, all display modules share the structure of the data analysis layer and the data acquisition layer, timely and flexibly expansion can be achieved according to user requirements, and the acquisition efficiency, the analysis efficiency and the display efficiency are improved.
The data acquisition layer comprises but is not limited to a bastion machine, an account number maintenance system, an asset data center station and the like.
The data analysis layer includes, but is not limited to, the behavior analysis engine, the search engine, the task management engine, and the like.
The embodiments described in this specification are merely illustrative of implementations of the inventive concept and the scope of the present invention should not be considered limited to the specific forms set forth in the embodiments but rather by the equivalents thereof as may occur to those skilled in the art upon consideration of the present inventive concept.

Claims (14)

1. An abnormal behavior recognition system, characterized in that: the system comprises a data acquisition layer and a behavior analysis engine, wherein the data acquisition layer is used for collecting all authorized behavior data, and collecting all server account numbers, asset data and changes of the asset data of a data center; establishing a white list by using authorized behavior data, wherein the authorized behavior comprises the following steps: allowing a responsible person to log in a certain device for operation at the time of a certain group of account passwords, taking the change of asset data as an abnormal event, collecting the data of a data acquisition layer in a behavior analysis engine, comparing each abnormal event with a white list by the behavior analysis engine, judging whether the content of the abnormal event belongs to the white list, and if not, marking the abnormal event as an abnormal behavior; the behavior analysis engine only alarms on abnormal behavior.
2. The abnormal behavior recognition system of claim 1, wherein: and the behavior analysis engine judges whether the abnormal event has identity authentication information or not aiming at each abnormal event, if so, judges whether the identity authentication information belongs to a white list or not, and if not, the abnormal event is regarded as abnormal behavior.
3. The abnormal behavior recognition system of claim 2, wherein: if the abnormal event passes the identity authentication, obtaining a server account corresponding to the abnormal event, judging whether the server account of the abnormal event belongs to a white list, and if not, regarding the abnormal event as an abnormal behavior.
4. The abnormal behavior recognition system of claim 3, wherein: when judging whether the server account belongs to a white list, firstly acquiring an account-password of the server account, and if the account-password of the server account does not belong to the white list, determining that the server account is abnormal; if the account-password of the server account belongs to the white list, whether the actual use time of the account is consistent with the operation authority of the server account is judged, and if not, the abnormal behavior is considered.
5. The abnormal behavior recognition system of claim 4, wherein: if the abnormal event is authenticated and is logged in within the allowed time by using the server account in the white list, judging whether the operation instruction corresponding to the abnormal event belongs to the white list, and if not, regarding the abnormal event as abnormal behavior.
6. The abnormal behavior recognition system of claim 1, wherein: the data acquisition layer comprises a bastion machine, an account maintenance system and an asset data center, and the operation authority and the operation log in the bastion machine belong to authorized behaviors; the account maintenance system collects all server accounts of the data center and updates the server accounts in the bastion machine, and the asset data center acquires asset data and changes of the asset data; and the asset data center station acquires the server account from the bastion machine or the account maintenance system.
7. The abnormal behavior recognition system of claim 6, wherein: the account maintenance system comprises a data acquisition unit, wherein the data acquisition unit logs in a server regularly, searches the storage positions of accounts in an operating system of the server and then acquires all accounts on the server; automatically adding a new server account; and the data acquisition unit automatically modifies the passwords for all the account numbers at regular time.
8. The abnormal behavior recognition system of claim 7, wherein: the data acquisition unit searches the account storage position of the operating system to acquire all accounts capable of logging in the operating system.
9. The abnormal behavior recognition system according to claim 7 or 8, wherein: the method comprises the steps that a data acquisition unit of an account maintenance system acquires an operating system account of a server, the data acquisition unit remotely logs in the server through the operating system account, after logging in, the process of the operating system is detected, the process corresponds to an application, the account storage position of the application is searched, and all accounts of the operating system are acquired.
10. The abnormal behavior recognition system of claim 6, wherein: the asset data center station comprises an asset acquisition layer and an asset data layer, the asset acquisition layer searches and acquires target data from the server at regular time, the asset data center station is configured with a safety baseline, the safety baseline is the latest authorized behavior data, and changes of the currently acquired data and the safety baseline are taken as abnormal events.
11. The abnormal behavior recognition system of claim 10, wherein: the asset acquisition layer logs in an operating system for data search and acquisition through a server account at regular time; and a server account set is configured in the asset acquisition layer, and the asset acquisition layer automatically acquires data at regular time.
12. The abnormal behavior recognition system of claim 10, wherein: the asset data center station is provided with a detection module, and the detection module discovers new assets connected with the current server based on the logged-in server.
13. The abnormal behavior recognition system of claim 6, wherein: the fortress machine is used as an operation and maintenance gateway of the data center; an identity account, a server account and a matching relation between the identity account and the server account are arranged in the bastion machine; the bastion machine is provided with an identity authentication module, the bastion machine matches the account numbers of the service ends with the terminal through the identity authentication terminal, each account number of the service end has respective operation authority, the bastion machine establishes connection between the terminal and the service end according to the operation authority, and the operation of the terminal on the service end forms an operation log to be stored in the bastion machine.
14. The abnormal behavior recognition system of claim 13, wherein: and the bastion machine is connected with the workflow engine, and the approved work list in the workflow engine is used as an authorized behavior to be input into the bastion machine.
CN202010551673.1A 2020-03-07 2020-06-17 Abnormal behavior recognition system Active CN111510463B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN202010154373X 2020-03-07
CN202010154373 2020-03-07
CN202010366115 2020-04-30
CN2020103661158 2020-04-30

Publications (2)

Publication Number Publication Date
CN111510463A CN111510463A (en) 2020-08-07
CN111510463B true CN111510463B (en) 2020-12-18

Family

ID=71873785

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010551673.1A Active CN111510463B (en) 2020-03-07 2020-06-17 Abnormal behavior recognition system

Country Status (1)

Country Link
CN (1) CN111510463B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112257057A (en) * 2020-10-21 2021-01-22 广州锦行网络科技有限公司 Method for strengthening password in windows domain based on reducible encryption mechanism
CN113505050A (en) * 2021-06-07 2021-10-15 广发银行股份有限公司 User behavior analysis method, system, device and storage medium
CN116028461B (en) * 2023-01-06 2023-09-19 北京志行正科技有限公司 Log audit system based on big data
CN117828638A (en) * 2023-12-28 2024-04-05 北京建恒信安科技有限公司 Information system identity security authorization management method, system, equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109257209A (en) * 2018-09-04 2019-01-22 山东浪潮云投信息科技有限公司 A kind of data center server centralized management system and method
CN110765369A (en) * 2019-09-11 2020-02-07 安徽先兆科技有限公司 Real-time monitoring data processing method and system based on time-space attributes

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10003497B2 (en) * 2014-11-21 2018-06-19 Belkin International Inc. System for utility usage triggering action
CN104156439B (en) * 2014-08-12 2017-06-09 华北电力大学 A kind of method of novel maintenance intelligent auditing
US10356113B2 (en) * 2016-07-11 2019-07-16 Korea Electric Power Corporation Apparatus and method for detecting abnormal behavior
CN107566409A (en) * 2017-10-20 2018-01-09 携程旅游网络技术(上海)有限公司 Local area network scan behavioral value method, apparatus, electronic equipment, storage medium
CN108881299A (en) * 2018-08-01 2018-11-23 杭州安恒信息技术股份有限公司 The safe O&M method and device thereof of private clound platform information system
CN109327442A (en) * 2018-10-10 2019-02-12 杭州安恒信息技术股份有限公司 Method for detecting abnormality, device and the electronic equipment of Behavior-based control white list
CN109639634B (en) * 2018-11-05 2021-03-19 杭州安恒信息技术股份有限公司 Self-adaptive safety protection method and system for Internet of things

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109257209A (en) * 2018-09-04 2019-01-22 山东浪潮云投信息科技有限公司 A kind of data center server centralized management system and method
CN110765369A (en) * 2019-09-11 2020-02-07 安徽先兆科技有限公司 Real-time monitoring data processing method and system based on time-space attributes

Also Published As

Publication number Publication date
CN111510463A (en) 2020-08-07

Similar Documents

Publication Publication Date Title
CN111600856B (en) Safety system of operation and maintenance of data center
CN111510463B (en) Abnormal behavior recognition system
US10880314B2 (en) Trust relationships in a computerized system
US9438616B2 (en) Network asset information management
CN112637220B (en) Industrial control system safety protection method and device
CN104283889B (en) APT attack detectings and early warning system inside electric system based on the network architecture
CN101610264B (en) Firewall system, safety service platform and firewall system management method
CN111786966A (en) Method and device for browsing webpage
CN114598525A (en) IP automatic blocking method and device for network attack
CN113691566B (en) Mail server secret stealing detection method based on space mapping and network flow statistics
CN112073437B (en) Multi-dimensional security threat event analysis method, device, equipment and storage medium
CN105550593A (en) Cloud disk file monitoring method and device based on local area network
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
JP2022037896A (en) Automation method for responding to threat
CN117792733A (en) Network threat detection method and related device
CN116074280B (en) Application intrusion prevention system identification method, device, equipment and storage medium
CN103078771B (en) Based on Botnet distributed collaborative detection system and the method for P2P
KR101662530B1 (en) System for detecting and blocking host access to the malicious domain, and method thereof
AT&T
CA3122328A1 (en) A system for, and a method of creating cybersecurity situational awareness, threat detection and risk detection within the internet-of-things space
CN115239261A (en) Account login method, device, equipment and medium
CN110933064A (en) Method and system for determining user behavior track
Kumazaki et al. Incident Response Support System for Multi-Located Network by Correlation Analysis of Individual Events
CN118214607B (en) Security evaluation management method, system, equipment and storage medium based on big data
Sanjaya et al. Anomaly detection in iot using cooja simulator

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant