CN111901199A - Mass data-based quick early warning matching implementation method - Google Patents


Info

Publication number: CN111901199A
Application number: CN202010746841.2A
Authority: CN (China)
Legal status: Pending
Priority date: 2020-07-29
Filing date: 2020-07-29
Publication date: 2020-11-06
Other languages: Chinese (zh)
Inventors: 龙有东, 史晓龙
Current assignee: Beijing Hongda Longhe Technology Co ltd
Original assignee: Beijing Hongda Longhe Technology Co ltd
Prior art keywords: data, early warning, session, network messages, information

Classifications

    • H04L43/12 Network monitoring probes
    • G06F16/215 Improving data quality; data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • G06F16/284 Relational databases
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L43/026 Capturing of monitoring data using flow identification
    • H04L43/028 Capturing of monitoring data by filtering
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention discloses a quick early warning matching implementation method based on mass data, which relates to the technical field of information security and comprises the following steps: capturing original network messages containing operation data through the network layer in advance, the captured network messages serving as the most original input and comprising operator operation requests and service system response contents; classifying the acquired network messages and establishing distributed storage, where the classification comprises parsing the acquired network messages and marking the operation contents; obtaining the distributed data cluster to which identifiers have been added and performing identification on it, which comprises identifying the sensitive content contained in the data and identifying and counting the relevant attributes of the operations; and obtaining the marked sensitive data content as output for early warning. The invention solves the problem of low efficiency when the traditional audit analysis architecture uses a relational database to process mass log data, and its data cleaning approach is more convenient and efficient.

Description

Mass data-based quick early warning matching implementation method
Technical Field
The invention relates to the technical field of information security, in particular to a quick early warning matching implementation method based on mass data.
Background
In recent years, service acceptance volumes and data scales have grown rapidly. As the security situation has evolved, threats to customer information security have increased: legitimate users obtain information in batches through malicious operation of a service system in order to sell it, and security incidents in which illegal profit is made through batch operations occur frequently. The main techniques for preventing sensitive information from leaking are the following: the service support system keeps logs, recording the relevant operations after a user logs in to the system, which can be used for post-hoc audit to help trace responsibility; the service support system performs authorization control, covering the three aspects of network boundary, peripheral boundary and desktop application, so as to meet the controllability requirement of the information security objective and prevent improper use and flow of information; and sensitive information is encrypted, so that during transmission and in storage, even if a third party obtains the data by illegal means, it cannot be read.
In current service support systems, the developer of the service support system is itself the subject to be audited, and having the service system record its own logs amounts to self-auditing; this carries the hidden danger of 'the guard stealing what he guards' and runs contrary to sound security management. In the security incidents of past years, most problems were caused by service vendor personnel. In addition, the service system software cannot log every customer data access that needs to be checked, so the logs are incomplete, and such gaps in the service system go unnoticed; the problems can only be found by monitoring with third-party audit software. Audit must achieve correlation at the level of sensitive content, so if this function were implemented by modifying the service system, the newly added data volume would be huge every day, seriously affecting the performance of the service system and posing a major hidden risk to the service. Security audit is a dynamically evolving process; if the logging function were implemented inside the service system, every change in audit requirements would mean putting a security function online again, which is equivalent to the risk of frequently cutting new functions over onto the service system and brings hidden dangers to the service.
Therefore, a method for realizing rapid early warning matching based on mass data is urgently needed.
Disclosure of Invention
Aiming at the problems in the related art, the invention provides a quick early warning matching implementation method based on mass data, so as to overcome the technical problems in the prior related art.
The technical scheme of the invention is realized as follows:
a quick early warning matching implementation method based on mass data comprises the following steps:
step S1, capturing original network messages containing operation data through a network layer in advance as the most original input, wherein the captured network messages comprise operator operation requests and service system response return contents;
step S2, data classification is carried out on the obtained network message and distributed storage is established, which comprises the steps of analyzing the obtained network message and adding identification to the operation content;
step S3, obtaining the distributed data cluster to which identifiers have been added and performing identification on it, which comprises identifying the sensitive content contained in the data and identifying and counting the relevant attributes of the operations;
and step S4, acquiring marked sensitive data content as output for early warning.
Further, the capturing of the original network packet containing the operation data includes the following steps:
introducing the traffic data of the service system into an acquisition equipment terminal in a bypass mirror image mode;
and capturing packets of the data traffic on the network card through Pcap4J.
Further, the method comprises the following steps:
acquiring, after the captured traffic has been integrated by Pcap4J, the data information of the current access, which comprises the client IP, client port, client MAC, server IP, server port, server MAC, TCP information, session sequence number, session response code, session length and session information;
and acquiring TCP session characteristics, rearranging the received flow data and sorting the session messages.
Further, the sorting of the session messages comprises eliminating useless data and reordering out-of-order traffic into forward sequence.
Further, the data classification of the acquired network message includes effective differentiation of characteristics of different protocols.
Further, the protocols include http, ftp, telnet, db2, mysql, and Oracle.
The invention has the beneficial effects that:
The invention relates to a method for realizing quick early warning matching based on mass data. Original network messages containing operation data are captured through the network layer in advance as the most original input, the captured messages comprising operator operation requests and service system response contents; the acquired network messages are classified and distributed storage is established, the classification comprising parsing the acquired messages and marking the operation contents; the distributed data cluster to which identifiers have been added is obtained and identification is performed on it, comprising identifying the sensitive content contained in the data and identifying and counting the relevant attributes of the operations; and the marked sensitive data content is obtained as output for early warning. This solves the problem of low efficiency when a traditional audit analysis architecture uses a relational database to process massive log data, and the data cleaning approach is more convenient and efficient.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for implementing quick early warning matching based on mass data according to an embodiment of the present invention;
fig. 2 is a schematic block diagram of a method for implementing fast early warning matching based on mass data according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of the present invention.
According to the embodiment of the invention, a rapid early warning matching implementation method based on mass data is provided.
As shown in fig. 1-2, the method for implementing quick early warning matching based on mass data according to the embodiment of the present invention includes the following steps:
step S1, capturing original network messages containing operation data through a network layer in advance as the most original input, wherein the captured network messages comprise operator operation requests and service system response return contents;
step S2, data classification is carried out on the obtained network message and distributed storage is established, which comprises the steps of analyzing the obtained network message and adding identification to the operation content;
step S3, obtaining the distributed data cluster to which identifiers have been added and performing identification on it, which comprises identifying the sensitive content contained in the data and identifying and counting the relevant attributes of the operations;
and step S4, acquiring marked sensitive data content as output for early warning.
The method for capturing the original network message containing the operation data comprises the following steps:
introducing the traffic data of the service system into an acquisition equipment terminal in a bypass mirror image mode;
and capturing packets of the data traffic on the network card through Pcap4J.
The method comprises the following steps:
acquiring, after the captured traffic has been integrated by Pcap4J, the data information of the current access, which comprises the client IP, client port, client MAC, server IP, server port, server MAC, TCP information, session sequence number, session response code, session length and session information;
and acquiring TCP session characteristics, rearranging the received flow data and sorting the session messages.
The sorting of the session messages comprises eliminating useless data and reordering out-of-order traffic into forward sequence.
Wherein, the data classification of the acquired network message comprises effectively distinguishing the characteristics of different protocols.
Wherein the protocols include http, ftp, telnet, db2, mysql, and Oracle.
By means of this scheme, the method and system capture massive original operation data through the network layer, integrate and restore the data messages, and use big data parallel computing to alarm on and audit suspicious operations involving customer sensitive information in the business system according to a preset alarm model. The data operator who triggered the alarm is located precisely; accesses to sensitive page data and the execution of key operations are logged truthfully and comprehensively; suspicious operations are alarmed on in a timely manner; and the complete operation track is restored, providing strong evidence for tracing responsibility, so that operations on customer sensitive information are subject to mandatory audit and illegal behaviour cannot be denied. This solves the problem of low efficiency when a traditional audit analysis architecture uses a relational database to process massive log data, and the data cleaning approach is more convenient and efficient.
More specifically, for acquired mass data at the TB scale and above, the original traffic is classified according to the characteristics of each protocol, all information in the protocol is redefined and parsed, the operation content is identified and an identifier is added, and the result is stored in the distributed file system. When an early warning model defined by the user takes effect, the redefined, standardized data is loaded from the distributed file system, the tasks are distributed through Map-Reduce to all machines in the cluster to process the data concurrently, and once the contents of the files have been extracted, the data can be identified within the concurrently running tasks.
According to the sensitive contents contained in the data (such as customer identity information, family information, telephone information and the like), the relevant attributes of the operations (such as IP address, user information, operation time, operation content, operation frequency and other behavioural characteristics) are counted; the corresponding identifiers (which were marked when the traffic data was standardized) are combined through distributed computation and content identification, so that the various kinds of marked sensitive data content can be found efficiently and accurately, and rapid computation and early warning are performed according to the threshold set in the early warning model.
More specifically, for traffic collection, the traffic data of the service system is introduced into the terminal of the collection device in bypass mirroring mode, and a program then captures packets of the data traffic on the network card through Pcap4J; by encapsulating the system in code, the whole collection system is turned into a flexibly configurable collection program. The configurable items generally include: the network card name, the packet-capture snaplen, the filter expression for the captured traffic, the local storage path of the serialized data file produced after the system has sorted the data traffic, and other configuration information.
Extraction of general traffic information: after the captured traffic has been integrated by Pcap4J, the client IP, client port, client MAC, server IP, server port, server MAC and TCP information of the current access, including the session sequence number, session response code, session length and the like, can be obtained. The system can rearrange the received traffic data according to the TCP session characteristics, sort the session messages, perform operations such as duplicate removal and rearrangement, eliminate useless data from the traffic information, and arrange out-of-order traffic into forward sequence, producing complete and ordered session messages.
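The session-sorting step above (duplicate removal, dropping useless data, forward arrangement of out-of-order traffic) in miniature. This is an added example, not code from the patent or its applicant; the Segment fields and the sample segments are this example's own construction, simplified from what a Pcap4J capture would yield.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (the fields a capture library hands us, simplified)."""
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    seq: int            # TCP sequence number of the first payload byte
    payload: bytes
    from_client: bool   # True: client -> server (request side)

SessionKey = Tuple[str, int, str, int]

def session_key(seg: Segment) -> SessionKey:
    """Both directions of a session share one key: the client/server 4-tuple."""
    return (seg.client_ip, seg.client_port, seg.server_ip, seg.server_port)

def reassemble(segments: List[Segment]) -> Dict[SessionKey, Dict[str, bytes]]:
    """Group segments by session and direction, drop empty and retransmitted
    segments, and stitch the rest together in sequence order."""
    buckets: Dict[SessionKey, Dict[str, Dict[int, bytes]]] = {}
    for seg in segments:
        if not seg.payload:                     # useless data: bare ACKs, keepalives
            continue
        direction = "request" if seg.from_client else "response"
        per_dir = buckets.setdefault(session_key(seg), {}).setdefault(direction, {})
        per_dir.setdefault(seg.seq, seg.payload)  # duplicate removal: keep the first copy
    result: Dict[SessionKey, Dict[str, bytes]] = {}
    for key, dirs in buckets.items():
        result[key] = {}
        for direction, by_seq in dirs.items():
            stream = bytearray()
            expected = None                     # next sequence number we still need
            for seq in sorted(by_seq):          # forward arrangement of out-of-order data
                data = by_seq[seq]
                if expected is not None and seq < expected:
                    data = data[expected - seq:]  # overlapping retransmit: keep new bytes only
                    seq = expected
                # a gap (seq > expected) means a lost segment; the stream is simply continued
                stream += data
                expected = seq + len(data)
            result[key][direction] = bytes(stream)
    return result

# Constructed sample: one HTTP session whose request arrives out of order, with an
# exact retransmission, an overlapping retransmission and a bare ACK mixed in.
C = ("10.0.0.5", 51234, "10.0.0.9", 80)
SAMPLE = [
    Segment(*C, 1025, b"Host: crm.example\r\n\r\n", True),   # arrives first, out of order
    Segment(*C, 1000, b"GET /cust?id=1 ", True),
    Segment(*C, 1000, b"GET /cust?id=1 ", True),             # exact retransmission
    Segment(*C, 1010, b"id=1 HTTP/1.1\r\n", True),            # overlaps bytes 1010..1014
    Segment(*C, 1015, b"HTTP/1.1\r\n", True),
    Segment(*C, 1046, b"", True),                             # bare ACK, no payload
    Segment(*C, 5019, b'{"name":"Zhang San"}', False),
    Segment(*C, 5000, b"HTTP/1.1 200 OK\r\n\r\n", False),
]
```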
Differentiation of traffic protocols: the system parses the captured data packets and effectively distinguishes them according to the characteristics of different protocols. The target system supports http, ftp, telnet, db2, mysql, Oracle, etc. The protocol types that Guangdong Mobile has currently put into production are three: http, ftp and db2.
Specifically, the basis for making effective distinction for these several protocols is expressed as follows:
1. The HTTP protocol header contains feature codes carrying attribute information, such as "HTTP", "GET", "POST", "PUT", "DELETE" and so on. For example, if the first 3 bytes of the traffic data captured by the current system match "GET", this is an HTTP request of type GET; if the first 4 bytes match "POST", it is determined to be an HTTP request of type POST; and if the first 4 bytes match "HTTP", it is determined to be an HTTP response session message.
2. The ftp protocol is identified by port number: the ftp command port is 21, in passive mode the data port is 21, and in active mode a port number has to be provided to the peer (the default rule of the ftp protocol is that the data port number is the command port number minus 1; for example, with command port 222 the data port is 221).
3. The db2 protocol, whose header carries the unique signature of the drda protocol, can be identified by taking the first 9 bytes and comparing them with the official character codes to determine whether it is drda. The first 9 bytes correspond to specific attribute values in the drda protocol (here the match is detected according to the characteristics of the DDM block that a drda message necessarily contains).
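The three distinguishing rules above as a small classifier. This is an added example, not the patent's code; the DRDA check assumes the DSS/DDM header layout (length, 0xD0 magic byte, format, correlation id, DDM length, code point) and a short list of DDM code points from the DRDA specification, since the patent only says that the first bytes are compared with official codes.

```python
import struct
from typing import Optional

# DDM code points this example accepts as the start of a DRDA exchange (assumption,
# taken from the DRDA specification; the patent names no concrete values).
DRDA_CODEPOINTS = {0x1041: "EXCSAT", 0x106D: "ACCSEC", 0x106E: "SECCHK",
                   0x2001: "ACCRDB", 0x200B: "EXCSQLSTT"}

def classify_http(payload: bytes) -> Optional[str]:
    """Rule 1: 'GET' in the first 3 bytes or 'POST' in the first 4 marks a request;
    'HTTP' in the first 4 marks a response."""
    if payload[:3] == b"GET":
        return "http-request-GET"
    if payload[:4] == b"POST":
        return "http-request-POST"
    if payload[:4] == b"HTTP":
        return "http-response"
    return None

def classify_ftp(server_port: int) -> Optional[str]:
    """Rule 2: ftp is told apart by port; the data port is the command port minus 1."""
    if server_port == 21:
        return "ftp-command"
    if server_port == 20:
        return "ftp-data"
    return None

def classify_drda(payload: bytes) -> Optional[str]:
    """Rule 3: compare the leading DSS/DDM header bytes of a db2 message.
    Layout assumed here: DSS length (2), magic 0xD0 (1), format (1),
    correlation id (2), then the DDM block: length (2) and code point (2)."""
    if len(payload) < 10:
        return None
    dss_len, magic, _fmt, _corr, ddm_len, codepoint = struct.unpack(">HBBHHH", payload[:10])
    # the DDM block cannot be longer than the DSS minus its 6-byte header
    if magic != 0xD0 or dss_len < 10 or ddm_len > dss_len - 6:
        return None
    name = DRDA_CODEPOINTS.get(codepoint)
    return f"drda-{name}" if name else None

def classify(payload: bytes, server_port: int) -> str:
    """Apply the checks in order; anything unmatched is labelled 'other', never guessed."""
    for verdict in (classify_http(payload), classify_drda(payload), classify_ftp(server_port)):
        if verdict:
            return verdict
    return "other"

# Constructed sample: a DRDA EXCSAT request, 16 bytes with 6 bytes of dummy parameters.
DRDA_SAMPLE = bytes.fromhex("0010d0410001000a1041") + b"\x00" * 6
```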
In addition, for data parsing: after the collected data has been sorted, another process converts the original packets into the information we want, specifically as follows:
1. In the http protocol, the Host, User-Agent, Accept-Language, Accept-Encoding, Accept-Charset, Referer and other header information, the request body content and the response body content can be obtained.
2. From the ftp protocol, the user name, the password and the commands the user executed can be obtained.
3. From the drda protocol, information such as the drda length, the interaction type, the user name, the password, the type of sql operation, the specific sql text of the operation, the query result, the execution result of the sql operation and the like can be obtained.
In addition, establishing the early warning model: users can freely build the early warning model they want according to their own requirements. The system supports building composite rules with affirmation, negation, AND and OR, and by combining these with rule types such as who, where, what, why and how, an early warning model that is complex in effect yet simple to configure is built. Similar to change-oriented configuration, this reduces the difficulty of configuring complex rules to a certain extent.
In addition, automatic account completion: user login information and a unique session identifier can be extracted from the data traffic through system configuration, and this information is kept in system memory. The system completes all captured sessions: for the http protocol type, a cookie value or session ID can be extracted through configuration and used as the unique credential for completing the login information; for other data without a session state, a hash value is computed as the unique identifier of the session, and this hash value is used to match all subsequent operation information and serves as the unique credential for completing the login information. Through this step, the personnel behind each operation can be known clearly, and all data information can be unified and standardized.
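The account completion step above, worked through: the cookie extracted at login is the credential for http sessions, a hash of the session 4-tuple is the identifier for protocols without session state, and the in-memory mapping stamps the account onto every later record of the same session. This is an added example, not the patent's code; the record layout, the cookie name JSESSIONID, the /login form field and the sample records are this example's own assumptions (the patent makes the cookie field configurable).

```python
import hashlib
import re
from typing import Dict, List, Optional

COOKIE_NAME = b"JSESSIONID"   # configurable in the patent; assumed here
_COOKIE_LINE = re.compile(rb"^Cookie:\s*(.*?)\r?$", re.M | re.I)
_FORM_USER = re.compile(rb"(?:^|&)username=([^&\r\n]+)")
_FTP_USER = re.compile(rb"^USER\s+(\S+)", re.M)

def session_id(rec: dict) -> Optional[str]:
    """http: the configured cookie value; other protocols: a hash of the 4-tuple.
    Returns None for an http request that carries no session cookie."""
    if rec["protocol"] == "http":
        m = _COOKIE_LINE.search(rec["request"])
        if not m:
            return None
        for part in m.group(1).split(b";"):
            name, _, value = part.strip().partition(b"=")
            if name == COOKIE_NAME and value:
                return "http:" + value.decode("ascii", "replace")
        return None
    tup = f'{rec["client_ip"]}:{rec["client_port"]}->{rec["server_ip"]}:{rec["server_port"]}'
    return rec["protocol"] + ":" + hashlib.sha256(tup.encode()).hexdigest()[:16]

def login_user(rec: dict) -> Optional[str]:
    """Pull the account name out of a login request, if this record is one."""
    req = rec["request"]
    if rec["protocol"] == "http" and req.startswith(b"POST /login"):
        body = req.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in req else b""
        m = _FORM_USER.search(body)
        return m.group(1).decode() if m else None
    if rec["protocol"] == "ftp":
        m = _FTP_USER.search(req)
        return m.group(1).decode() if m else None
    return rec.get("login_user")      # e.g. a user name already parsed from a DRDA SECCHK

class AccountCompleter:
    """Keeps session id -> account in memory and stamps it onto later records."""
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def complete(self, rec: dict) -> dict:
        sid = session_id(rec)
        user = login_user(rec)
        if sid and user:
            self.sessions[sid] = user         # remember who owns this session
        out = dict(rec)
        out["session_id"] = sid
        out["account"] = self.sessions.get(sid, "unknown") if sid else "unknown"
        return out

def complete_all(records: List[dict]) -> List[str]:
    """Return the account attributed to each record, in capture order."""
    completer = AccountCompleter()
    return [completer.complete(r)["account"] for r in records]

# Constructed sample traffic: an http login then a data query on the same cookie
# (the cookie is assumed to be present on the login request already), an ftp
# session whose USER command names the account, and a cookieless http request.
SAMPLE = [
    {"protocol": "http", "client_ip": "10.0.0.5", "client_port": 50001, "server_ip": "10.0.0.9",
     "server_port": 80, "request": b"POST /login HTTP/1.1\r\nHost: crm\r\nCookie: JSESSIONID=abc123\r\n\r\nusername=alice&password=x"},
    {"protocol": "http", "client_ip": "10.0.0.5", "client_port": 50002, "server_ip": "10.0.0.9",
     "server_port": 80, "request": b"GET /cust?id=7 HTTP/1.1\r\nHost: crm\r\nCookie: theme=dark; JSESSIONID=abc123\r\n\r\n"},
    {"protocol": "ftp", "client_ip": "10.0.0.6", "client_port": 40001, "server_ip": "10.0.0.9",
     "server_port": 21, "request": b"USER bob\r\nPASS secret\r\nRETR export.csv\r\n"},
    {"protocol": "http", "client_ip": "10.0.0.7", "client_port": 50003, "server_ip": "10.0.0.9",
     "server_port": 80, "request": b"GET /cust?id=8 HTTP/1.1\r\nHost: crm\r\n\r\n"},
]
```

A record whose session never showed a login stays "unknown", which is itself worth alarming on in an audit pipeline rather than silently dropping.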
The subsequent audit operation mainly performs a series of model matches on the data according to the obtained response body and request body, so that the time of occurrence, IP, MAC, account, operation content and other information of an illegal operation can be known; alarms are then generated and the audit result is displayed clearly and accurately on the UI, with operation flow backtracking provided afterwards, so that users can clearly see the true reason for each audit result and the information on the scene of the operation at the time. According to the early warning model, the program can accurately identify information such as ID cards, bank cards, mobile phone numbers, names and addresses.
Data mining process: the data source files stored in hadoop are grouped and stored by date. Data mining conditions are then configured through the interface and the configuration information is saved; the system automatically loads the configuration information from the configuration table at regular intervals, then generates sorting rules and filtering rules according to the rules and early warning model loaded from the configuration, and completes the configuration information in the early warning model. The system then registers a job with the JobTracker, performs distributed recombination and cleaning of the data source files stored in hadoop in the form of <protocol, data> key-value pairs, and compares the data with the rules configured in the early warning model to finally generate the alarm result.
The core implementation process is roughly as follows. First, when Map-Reduce receives a task, the various kinds of sensitive data are classified, and the same or different sensitive operations performed by different users are counted effectively. All captured traffic contains both sensitive data and normal data, and the system filters the data according to the user's requirements so as to achieve accurate and clear results. When a staff ID (job number) operates a certain function frequently within a period of time, the system automatically records the operation details: mainly which user performed which operations at what time, why the operations were recorded, how many times the user operated at that time, what each operation did, what unnecessary effect was caused to ordinary users, and so on. After the contents have been identified along these different dimensions, they are compared with the relevant thresholds in the early warning model, and an alarm is triggered if the comprehensive weight calculation meets the relevant thresholds.
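The map/reduce core described above in miniature, also serving the sensitive-content identification (ID cards, bank cards, mobile numbers) mentioned in the audit paragraph: the map step tags each account-completed record with the sensitive-content categories found in its response body, the reduce step counts operations per account, category and minute, and each count is compared with the threshold of the early warning model. This is an added example, not the patent's implementation; the record layout, the validators (ISO 7064 MOD 11-2 for 18-digit ID numbers, Luhn for card numbers), the per-minute thresholds and all sample data are this example's own constructions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

ID_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")      # 18-digit Chinese ID number
PHONE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")     # mainland mobile number
CARD_RE = re.compile(r"(?<!\d)\d{16,19}(?!\d)")         # bank card candidate, Luhn-checked

def valid_id_card(s: str) -> bool:
    """ISO 7064 MOD 11-2 check digit used by 18-digit Chinese ID numbers."""
    weights = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
    total = sum(int(c) * w for c, w in zip(s[:17], weights))
    return "10X98765432"[total % 11] == s[17].upper()

def luhn_ok(s: str) -> bool:
    """Luhn check for bank card numbers; weeds out ID numbers and random digit runs."""
    digits = [int(c) for c in s][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d * 2 > 9 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0

def categories(text: str) -> Set[str]:
    """Which sensitive-content categories appear in a response body."""
    found: Set[str] = set()
    if any(valid_id_card(m) for m in ID_RE.findall(text)):
        found.add("id_card")
    if PHONE_RE.search(text):
        found.add("phone")
    if any(luhn_ok(m) for m in CARD_RE.findall(text)):
        found.add("bank_card")
    return found

Key = Tuple[str, str, int]   # (account, category, minute bucket)

def map_record(rec: dict) -> List[Tuple[Key, int]]:
    """Map: emit ((account, category, minute), 1) for every category hit in the record."""
    bucket = rec["ts"] // 60
    return [((rec["account"], cat, bucket), 1) for cat in categories(rec["response"])]

def reduce_counts(pairs: Iterable[Tuple[Key, int]]) -> Dict[Key, int]:
    """Reduce: sum the emitted ones per key."""
    counts: Dict[Key, int] = defaultdict(int)
    for key, n in pairs:
        counts[key] += n
    return dict(counts)

# Early warning model (assumed values): max operations per account, category and minute.
THRESHOLDS = {"id_card": 3, "phone": 5, "bank_card": 2}

def alarms(records: List[dict]) -> List[dict]:
    """Run map then reduce and return every (account, category, minute) at or over threshold."""
    pairs = [p for rec in records for p in map_record(rec)]
    out = []
    for (account, cat, bucket), n in sorted(reduce_counts(pairs).items()):
        if n >= THRESHOLDS[cat]:
            out.append({"account": account, "category": cat, "minute": bucket, "count": n})
    return out

# Constructed sample: 'ts' is seconds; alice reads three customer records with valid
# ID numbers within one minute, bob reads one card number, carol's ID has a bad check digit.
SAMPLE = [
    {"account": "alice", "ts": 60000, "response": '{"name":"Zhang San","id":"110105199003070017","phone":"13800138000"}'},
    {"account": "alice", "ts": 60010, "response": '{"name":"Li Si","id":"110105199003070025","phone":"13900139000"}'},
    {"account": "alice", "ts": 60020, "response": '{"name":"Wang Wu","id":"110105199003070033","phone":"13700137000"}'},
    {"account": "alice", "ts": 60100, "response": '{"name":"Zhao Liu","id":"110105199003070041"}'},
    {"account": "bob",   "ts": 60005, "response": '{"card":"4111111111111111"}'},
    {"account": "carol", "ts": 60007, "response": '{"id":"110105199003070018"}'},
]
```

In a real deployment the map step runs inside the cluster task and the reduce keys would also carry the "where" (IP) and "what" (operation) dimensions of the rule model, but the shape of the computation is the same.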
In summary, by means of the above technical scheme of the present invention, a large amount of original operation data is captured through the network layer, data packet integration and restoration are performed, and big data parallel computing is applied so that, according to a preset alarm model, suspicious operations involving customer sensitive information in the business system are alarmed on and audited. The data operator who triggered the alarm is located precisely; accesses to sensitive page data and the execution of key operations are logged truthfully and comprehensively; suspicious operations are alarmed on in a timely manner; and the complete operation track is restored, providing strong evidence for tracing responsibility, so that operations on customer sensitive information are subject to mandatory audit and illegal behaviour cannot be denied. This solves the problem of a traditional audit analysis architecture using a relational database to process a large amount of log data, and the data cleaning approach is more convenient and more efficient.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (6)

1. A quick early warning matching implementation method based on mass data is characterized by comprising the following steps:
capturing original network messages containing operation data through a network layer in advance, wherein the captured network messages serve as the most original input, and the captured network messages comprise operator operation requests and service system response return contents;
carrying out data classification on the acquired network messages and establishing distributed storage, wherein the data classification comprises analyzing the acquired network messages and marking the operation contents;
obtaining the distributed data cluster to which identifiers have been added and performing identification on it, which comprises identifying the sensitive content contained in the data and identifying and counting the relevant attributes of the operations;
and acquiring marked sensitive data content as output for early warning.
2. The method for realizing rapid early warning matching based on mass data according to claim 1, wherein the step of capturing the original network message containing the operation data comprises the following steps:
introducing the traffic data of the service system into an acquisition equipment terminal in a bypass mirror image mode;
and capturing packets of the data traffic on the network card through Pcap4J.
3. The mass data-based rapid early warning matching implementation method according to claim 2, further comprising the steps of:
acquiring, after the captured traffic has been integrated by Pcap4J, the data information of the current access, which comprises the client IP, client port, client MAC, server IP, server port, server MAC, TCP information, session sequence number, session response code, session length and session information;
and acquiring TCP session characteristics, rearranging the received flow data and sorting the session messages.
4. The method for realizing rapid early warning matching based on mass data according to claim 3, wherein the sorting of the session messages comprises eliminating useless data and reordering out-of-order traffic into forward sequence.
5. The method for implementing rapid early warning matching based on mass data according to claim 1, wherein the data classification of the acquired network messages comprises effective differentiation of characteristics of different protocols.
6. The mass data-based rapid early warning matching implementation method according to claim 2, wherein the protocol includes http, ftp, telnet, db2, mysql, and Oracle.

Family

ID=73182485
Application CN202010746841.2A, title "Mass data-based quick early warning matching implementation method": priority date 2020-07-29, filing date 2020-07-29, published as CN111901199A (en) on 2020-11-06; legal status Pending; country status CN.

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113037551A (en) * 2021-03-08 2021-06-25 中国移动通信集团广西有限公司 Quick identification and positioning method for sensitive-related services based on traffic slice
CN113536325A (en) * 2021-09-14 2021-10-22 杭州振牛信息科技有限公司 Digital information risk monitoring method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105574168A (en) * 2015-12-17 2016-05-11 福建六壬网安股份有限公司 Security audit system and audit method for in-memory database
US20170208077A1 (en) * 2016-01-15 2017-07-20 Kentik Technologies, Inc. Network Monitoring, Detection, and Analysis System
CN108270716A (en) * 2016-12-30 2018-07-10 绵阳灵先创科技有限公司 Information security audit method based on cloud computing
CN109885554A (en) * 2018-12-20 2019-06-14 顺丰科技有限公司 Database security audit method, system and computer readable storage medium

Similar Documents

Publication Publication Date Title
CN110855676B (en) Network attack processing method and device and storage medium
CN108881265B (en) Network attack detection method and system based on artificial intelligence
CN108471429B (en) Network attack warning method and system
CN107579956B (en) User behavior detection method and device
CN113098892B (en) Data leakage prevention system and method based on industrial Internet
CN108683687B (en) Network attack identification method and system
CN108881263B (en) Network attack result detection method and system
CN109271793B (en) Internet of things cloud platform equipment category identification method and system
CN108833185B (en) Network attack route restoration method and system
CN105138709B (en) Remote evidence taking system based on physical memory analysis
CN104038466B (en) Intruding detection system, method and apparatus for cloud computing environment
CN110188538B (en) Method and device for detecting data by adopting sandbox cluster
CN111740868B (en) Alarm data processing method and device and storage medium
CN111294233A (en) Network alarm statistical analysis method, system and computer readable storage medium
CN111191247A (en) Database security audit system
CN112347501A (en) Data processing method, device, equipment and storage medium
CN111901199A (en) Mass data-based quick early warning matching implementation method
CN107409134A (en) Method card analysis
CN114915479A (en) Web attack phase analysis method and system based on Web log
CN115001934A (en) Industrial control safety risk analysis system and method
CN113836237A (en) Method and device for auditing data operation of database
CN111885088A (en) Log monitoring method and device based on block chain
CN112528325B (en) Data information security processing method and system
CN114760083B (en) Method, device and storage medium for issuing attack detection file
CN115766258A (en) Multi-stage attack trend prediction method and device based on causal graph and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201106