CN112507384B - Method and device for processing data outgoing behavior - Google Patents

Publication number
CN112507384B
Authority
CN
China
Prior art keywords
data
outgoing
user terminal
weight value
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011531216.2A
Other languages
Chinese (zh)
Other versions
CN112507384A (en)
Inventor
郭岩岭
王志华
王志海
喻波
安鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Wondersoft Technology Co Ltd filed Critical Beijing Wondersoft Technology Co Ltd
Priority to CN202011531216.2A priority Critical patent/CN112507384B/en
Publication of CN112507384A publication Critical patent/CN112507384A/en
Application granted granted Critical
Publication of CN112507384B publication Critical patent/CN112507384B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Telephonic Communication Services (AREA)

Abstract

An embodiment of the invention provides a method and a device for processing data outgoing behavior. The method comprises: in response to detecting a data outgoing behavior of a user terminal, obtaining the target data corresponding to that behavior and the data detection information for the user terminal, the data detection information being used to judge the data outgoing behavior of the user terminal; if the target data includes sensitive data, obtaining the number of data entries of the sensitive data; and generating a detection result for the data outgoing behavior according to the data detection information and the number of data entries, the detection result including allowing the user terminal to send the target data out. By detecting the data outgoing behavior of the user terminal and, when the outgoing data is found to contain sensitive data, using the data detection information to judge whether the terminal may perform the outgoing behavior, the method manages the data outgoing behavior of the user terminal effectively, keeps data transmission secure, and avoids data leakage.

Description

Method and device for processing data outgoing behavior
Technical Field
The present invention relates to the field of data monitoring technologies, and in particular, to a method and an apparatus for processing a data outgoing behavior.
Background
For modern enterprises, computers, broadband networks, printers and the like are company computing resources, and how to use them more efficiently to create value has become an important subject. Traditional desktop terminal management is too weak, offers too little visibility, keeps security, management and maintenance disconnected, and often amounts to firefighting after the fact, so network administrators are worn out, efficiency is low and gaps abound. Left unmanaged, behaviors such as non-work-related web browsing, visits to illegal websites, sending data out over the network through mail, chat tools, FTP, microblogs, network disks and forums, and arbitrary connection of external devices leave users' desktop behavior out of control. This not only harms information security and working efficiency but also easily causes data leakage and, in serious cases, exposes the enterprise to the risk of violating laws and regulations.
Disclosure of Invention
In view of the foregoing problems, embodiments of the present invention provide a method and an apparatus for processing a data outgoing behavior, an electronic device, and a computer-readable storage medium, so as to solve the problem that data leakage occurs due to failure to detect outgoing data of a user terminal in the prior art.
In order to solve the above problem, an embodiment of the present invention discloses a method for processing a data outgoing behavior, including:
responding to the detected data outgoing behavior of a user terminal, acquiring target data corresponding to the data outgoing behavior and data detection information aiming at the user terminal, wherein the data detection information is used for judging the data outgoing behavior of the user terminal;
if the target data comprises sensitive data, acquiring the number of data items of the sensitive data;
and generating a detection result aiming at the data outgoing behavior according to the data detection information and the data entry number, wherein the detection result comprises the condition that the user terminal is allowed to send the target data out.
Optionally, the data detection information includes a first detection threshold and a second detection threshold, where the second detection threshold is greater than the first detection threshold, and the generating, according to the data detection information and the number of data entries, a detection result for the data outgoing behavior includes:
if the number of the data items is smaller than the first detection threshold, allowing the user terminal to send the target data out;
and if the number of the data entries is larger than the second detection threshold, forbidding the user terminal to send the target data out.
Optionally, the generating a detection result for the data outgoing behavior according to the data detection information and the number of the data entries further includes:
if the number of the data items is larger than or equal to the first detection threshold and smaller than or equal to the second detection threshold, generating approval information for the data outgoing behavior, and sending the approval information to an approval terminal corresponding to the user terminal, wherein the approval terminal is used for approving the data outgoing behavior of the user terminal so as to determine whether the user terminal is allowed to send the target data.
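The three-way decision described above (allow below the first threshold, forbid above the second, route to approval in between, boundaries included) can be sketched as follows. This is an added example, not code from the patent or from the assignee's product. The names `DetectionInfo`, `count_sensitive_entries` and `evaluate_outgoing`, the two regular expressions standing in for "sensitive data", and the choice to count each distinct match as one data entry are all assumptions.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"
    BLOCK = "block"


@dataclass(frozen=True)
class DetectionInfo:
    """Data detection information for one user terminal (hypothetical type)."""
    first_threshold: int
    second_threshold: int

    def __post_init__(self):
        # The text requires the second threshold to be greater than the first.
        if not 0 <= self.first_threshold < self.second_threshold:
            raise ValueError("need 0 <= first_threshold < second_threshold")


# Assumption: the text does not define what is "sensitive"; these patterns
# (e-mail address, 11-digit mobile number) are illustrative stand-ins.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "mobile": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
}


def count_sensitive_entries(target_data: str) -> int:
    """Count distinct sensitive values so a repeated value is one entry."""
    found = set()
    for kind, pattern in SENSITIVE_PATTERNS.items():
        for match in pattern.finditer(target_data):
            found.add((kind, match.group(0).lower()))
    return len(found)


def evaluate_outgoing(target_data: str, info: DetectionInfo):
    """Return (verdict, entry_count) for one outgoing transfer."""
    entries = count_sensitive_entries(target_data)
    # The thresholds apply only when the target data contains sensitive data,
    # so a transfer with none is allowed even if first_threshold is 0.
    if entries == 0:
        return Verdict.ALLOW, 0
    if entries < info.first_threshold:
        return Verdict.ALLOW, entries
    if entries > info.second_threshold:
        return Verdict.BLOCK, entries
    # first_threshold <= entries <= second_threshold: send to the approver.
    return Verdict.NEEDS_APPROVAL, entries


def constructed_export(rows: int) -> str:
    """Constructed sample input: one made-up e-mail address per row."""
    return "\n".join(f"row {i}: user{i}@example.test" for i in range(rows))


if __name__ == "__main__":
    info = DetectionInfo(first_threshold=3, second_threshold=10)
    for rows in (0, 2, 3, 10, 11):
        verdict, entries = evaluate_outgoing(constructed_export(rows), info)
        print(f"{entries:2d} sensitive entries -> {verdict.value}")
```

Both boundary values land in the approval band, which is the case most easily broken by an off-by-one when the comparison operators are changed.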
Optionally, the data detection information is generated by:
acquiring user behavior data in a historical time period, wherein the user behavior data comprises data outgoing events of different user terminals, and the data outgoing events comprise a first outgoing event containing sensitive data and a second outgoing event not containing sensitive data;
counting, for the first outgoing event, the first user outgoing count, the first group outgoing count and the first terminal outgoing count corresponding to the user terminal;
counting, for the second outgoing event, the second user outgoing count, the second group outgoing count and the second terminal outgoing count corresponding to the user terminal;
calculating a target sensitive weight value for the user terminal according to the first user outgoing count, the first group outgoing count and the first terminal outgoing count;
calculating a target non-sensitive weight value for the user terminal according to the second user outgoing count, the second group outgoing count and the second terminal outgoing count;
and generating data detection information for the user terminal in the current time period by using the target sensitive weight value and the target non-sensitive weight value.
Optionally, the calculating a sensitive weight value for the user terminal according to the first user outgoing count, the first group outgoing count and the first terminal outgoing count includes:
if the first terminal outgoing count is greater than the first user outgoing count, acquiring a first user coefficient for the first outgoing event, and calculating a first user weight value for the user terminal by using the first user coefficient, the first terminal outgoing count and the first user outgoing count;
if the first terminal outgoing count is greater than the first group outgoing count, acquiring a first group coefficient for the first outgoing event, and calculating a first group weight value for the user terminal by using the first group coefficient, the first terminal outgoing count and the first group outgoing count;
acquiring an original sensitive weight value of the user terminal and an adjustment step length for the first outgoing event;
and calculating a target sensitive weight value for the user terminal by using the original sensitive weight value, the adjustment step length, the first user weight value and the first group weight value.
Optionally, the calculating a non-sensitive weight value for the user terminal according to the second user outgoing count, the second group outgoing count and the second terminal outgoing count includes:
if the second terminal outgoing count is greater than the second user outgoing count, acquiring a second user coefficient for the second outgoing event, and calculating a second user weight value for the user terminal by using the second user coefficient, the second terminal outgoing count and the second user outgoing count;
if the second terminal outgoing count is greater than the second group outgoing count, acquiring a second group coefficient for the second outgoing event, and calculating a second group weight value for the user terminal by using the second group coefficient, the second terminal outgoing count and the second group outgoing count;
acquiring an original non-sensitive weight value of the user terminal and an adjustment step length for the second outgoing event;
and calculating a target non-sensitive weight value for the user terminal by using the original non-sensitive weight value, the adjustment step length, the user weight value and the group weight value.
Optionally, the generating, by using the target sensitive weight value and the target non-sensitive weight value, data detection information for the user terminal in a current time period includes:
calculating a data detection weight value for the user terminal by adopting the target sensitive weight value and the target non-sensitive weight value;
acquiring user authority information corresponding to the user terminal;
and determining a first detection threshold and a second detection threshold aiming at the user terminal in the current time period by adopting the user permission information and the data detection weight value.
The embodiment of the invention also discloses a device for processing the data outgoing behavior, which comprises the following components:
the target data acquisition module is used for responding to the detection of the data outgoing behavior of the user terminal, acquiring target data corresponding to the data outgoing behavior and data detection information aiming at the user terminal, wherein the data detection information is used for judging the data outgoing behavior of the user terminal;
the data entry data acquisition module is used for acquiring the number of data entries of the sensitive data if the target data comprises the sensitive data;
and the outgoing behavior judging module is used for generating a detection result aiming at the data outgoing behavior according to the data detection information and the data entry number, wherein the detection result comprises the condition that the user terminal is allowed to send the target data out.
Optionally, the data detection information includes a first detection threshold and a second detection threshold, where the second detection threshold is greater than the first detection threshold, and the outgoing behavior determining module includes:
the outgoing allowing module is used for allowing the user terminal to send the target data out if the number of the data entries is smaller than the first detection threshold;
and the outgoing prohibition module is used for prohibiting the user terminal from sending the target data outwards if the number of the data items is greater than the second detection threshold.
Optionally, the outgoing behavior determining module further includes:
and the examination and approval module is used for generating examination and approval information aiming at the data outgoing behavior and sending the examination and approval information to an examination and approval terminal corresponding to the user terminal if the number of the data items is greater than or equal to the first detection threshold and less than or equal to the second detection threshold, and the examination and approval terminal is used for examining and approving the data outgoing behavior of the user terminal so as to determine whether the user terminal is allowed to send the target data out.
Optionally, the data detection information is generated by:
the user behavior data acquisition module is used for acquiring user behavior data in a historical time period, wherein the user behavior data comprises data outgoing events of different user terminals, and the data outgoing events comprise a first outgoing event containing sensitive data and a second outgoing event not containing the sensitive data;
the first counting module is used for counting, for the first outgoing event, the first user outgoing count, the first group outgoing count and the first terminal outgoing count corresponding to the user terminal;
the second counting module is used for counting, for the second outgoing event, the second user outgoing count, the second group outgoing count and the second terminal outgoing count corresponding to the user terminal;
a sensitive weight value calculation module, configured to calculate a target sensitive weight value for the user terminal according to the first user outgoing count, the first group outgoing count and the first terminal outgoing count;
the non-sensitive weight value calculation module is used for calculating a target non-sensitive weight value for the user terminal according to the second user outgoing count, the second group outgoing count and the second terminal outgoing count;
and the data detection information generation module is used for generating data detection information for the user terminal in the current time period by using the target sensitive weight value and the target non-sensitive weight value.
Optionally, the sensitive weight value calculation module is specifically configured to:
if the first terminal outgoing count is greater than the first user outgoing count, acquiring a first user coefficient for the first outgoing event, and calculating a first user weight value for the user terminal by using the first user coefficient, the first terminal outgoing count and the first user outgoing count;
if the first terminal outgoing count is greater than the first group outgoing count, acquiring a first group coefficient for the first outgoing event, and calculating a first group weight value for the user terminal by using the first group coefficient, the first terminal outgoing count and the first group outgoing count;
acquiring an original sensitive weight value of the user terminal and an adjustment step length for the first outgoing event;
and calculating a target sensitive weight value for the user terminal by using the original sensitive weight value, the adjustment step length, the first user weight value and the first group weight value.
Optionally, the non-sensitive weight value calculation module is specifically configured to:
if the second terminal outgoing count is greater than the second user outgoing count, acquiring a second user coefficient for the second outgoing event, and calculating a second user weight value for the user terminal by using the second user coefficient, the second terminal outgoing count and the second user outgoing count;
if the second terminal outgoing count is greater than the second group outgoing count, acquiring a second group coefficient for the second outgoing event, and calculating a second group weight value for the user terminal by using the second group coefficient, the second terminal outgoing count and the second group outgoing count;
acquiring an original non-sensitive weight value of the user terminal and an adjustment step length for the second outgoing event;
and calculating a target non-sensitive weight value for the user terminal by using the original non-sensitive weight value, the adjustment step length, the user weight value and the group weight value.
Optionally, the data detection information generating module is specifically configured to:
calculating a data detection weight value for the user terminal by adopting the target sensitive weight value and the target non-sensitive weight value;
acquiring user authority information corresponding to the user terminal;
and determining a first detection threshold and a second detection threshold aiming at the user terminal in the current time period by adopting the user permission information and the data detection weight value.
The embodiment of the invention also discloses an electronic device, which comprises:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the electronic device to perform the method as described above.
Embodiments of the present invention also disclose a computer-readable storage medium having instructions stored thereon, which, when executed by one or more processors, cause the processors to perform the method as described above.
The embodiment of the invention has the following advantages:
In the embodiment of the invention, in response to detecting a data outgoing behavior of the user terminal, the target data corresponding to that behavior and the data detection information for the user terminal are obtained, the data detection information being used to judge the data outgoing behavior of the user terminal. If the target data includes sensitive data, the number of data entries of the sensitive data is obtained, and a detection result for the data outgoing behavior is generated according to the data detection information and the number of data entries, the detection result including allowing the user terminal to send the target data out. The data outgoing behavior of the user terminal is thus detected and, when the outgoing data is found to contain sensitive data, the data detection information is used to judge whether the terminal may perform the outgoing behavior, so that the data outgoing behavior of the user terminal is managed effectively, data transmission is kept secure, and data leakage is avoided.
Drawings
Fig. 1 is a flowchart illustrating steps of a method for processing data outgoing behavior according to an embodiment of the present invention;
Fig. 2 is a flow chart of the processing of data detection information in an embodiment of the present invention;
Fig. 3 is a block diagram of a processing apparatus for data outgoing behavior according to an embodiment of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention more comprehensible, the present invention is described in detail with reference to the accompanying drawings and the detailed description thereof.
Terminal data leakage prevention: for modern enterprises, computers, broadband networks, printers and the like are company computing resources, and how to use them more efficiently to create value has become an important subject. Traditional desktop terminal management is too weak, offers too little visibility, keeps security, management and maintenance disconnected, and often amounts to firefighting after the fact, so network administrators are worn out, efficiency is low and gaps abound. Left unmanaged, behaviors such as non-work-related web browsing, visits to illegal websites, sending data out over the network through mail, chat tools, FTP, microblogs, network disks and forums, and arbitrary connection of external devices leave users' desktop behavior out of control. This not only harms information security and working efficiency but also easily causes data leakage and, in serious cases, exposes the enterprise to the risk of violating laws and regulations.
The paths for terminal data leakage mainly include the following three types:
1. unstructured sensitive data such as documents leaks through devices connected to the terminal: mobile storage devices (copying a document to a USB drive, as well as mobile devices using other protocols such as MTP (Media Transfer Protocol), memory cards, card readers and similar devices), screen devices (leaking data by photographing or screen capture), and printer devices (outputting document content to paper through a printer);
2. unstructured sensitive data such as documents leaks over the network through software based on standard public network protocols, such as FTP (File Transfer Protocol), HTTP/HTTPS, SMTP (Simple Mail Transfer Protocol), NetBIOS network sharing and the like;
3. unstructured sensitive data such as documents leaks through private network protocols, such as instant messaging software, mail and other private third-party data transfer tools.
For the management of the user terminals inside the enterprise, different data transmission permissions can be set for different user terminals through a network administrator, for example, the higher the user permission is, the smaller the data transmission restriction is, the lower the user permission is, the larger the data transmission restriction is, and the like, and all the user terminals inside the enterprise are managed and controlled according to the data transmission policy. However, in the process, the management and control strategy is configured manually by a network administrator, and different configurations need to be performed according to different users, so that the workload of terminal management is greatly increased, omission occurs easily, and the problem of data leakage is caused because the outgoing data of the user terminal cannot be effectively detected.
In view of the above, one of the core ideas of the embodiments of the present invention is to configure a data detection policy and issue it to the user terminal. When a data outgoing behavior is detected on the user terminal, the target data corresponding to that behavior and the data detection information for the user terminal are obtained, and the data outgoing behavior is judged through the data detection information. On the one hand this implements processing of the data outgoing behavior of the user terminal; on the other hand it performs an authority check on that behavior to determine whether the user terminal may execute it, thereby ensuring the security of data transmission and avoiding data leakage while managing the user terminal effectively.
Specifically, referring to fig. 1, a flowchart of steps of a method for processing a data outgoing behavior according to an embodiment of the present invention is shown, which specifically includes the following steps:
Step 101, in response to detecting a data outgoing behavior of a user terminal, acquiring target data corresponding to the data outgoing behavior and data detection information for the user terminal, wherein the data detection information is used for judging the data outgoing behavior of the user terminal;
In the embodiment of the present invention, the user terminal may be a terminal used by an employee or a visitor in an enterprise, and may include a PC terminal, a mobile terminal, and the like. Optionally, a terminal connected to a network dedicated to the enterprise may be treated as a user terminal, and a terminal on which the management system used by the enterprise is installed may also be treated as a user terminal, which is not limited in the present invention. The management system can be used for issuing a corresponding data auditing strategy, recording, analyzing and managing data outgoing behaviors of a user through the data auditing strategy, managing internal and external data sending behaviors, ensuring data security and avoiding data leakage.
In one example, for a user terminal, a monitoring application may be deployed in the user terminal, through which data egress behavior of the user terminal is monitored. Specifically, after a monitoring application program is deployed in a user terminal, the user terminal can receive a data auditing strategy sent by a management system, run a data monitoring process according to the data auditing strategy, and monitor data outgoing behavior of the user terminal through the data monitoring process. And data detection information corresponding to the data auditing strategy can be configured in the data monitoring process, and the data outgoing behavior of the user terminal can be judged through the data detection information, wherein the data outgoing behavior comprises the steps of judging whether the user terminal can execute data outgoing operation, judging whether the user terminal needs to carry out approval of the outgoing behavior and the like.
In another example, for a user terminal, a data outgoing behavior of the user terminal may be monitored by a traffic analysis function module (e.g., a gateway) on a network side, for example, after the gateway receives a data auditing policy sent by a management system, the data outgoing behavior of the user terminal is monitored in real time, whether the data outgoing behavior exists in the user terminal is detected according to a packet header of a data packet corresponding to the data outgoing behavior, and then the data outgoing behavior of the user terminal is processed according to data detection information in the data auditing policy, whether the user terminal can perform a data outgoing operation is determined, whether the user terminal needs to perform an approval of the outgoing behavior, and the like.
It should be noted that the embodiment of the present invention is described using the example in which a monitoring application is deployed in the user terminal to monitor its data outgoing behavior. When the network side monitors the data outgoing behavior of the user terminal instead, the difference is that the network side monitors the user terminal's data purely through data operations, whereas the monitoring application monitors data by running a data monitoring process locally on the user terminal. The subsequent process of determining whether the user terminal may perform a data outgoing operation is substantially similar, and for the related content reference may be made to the embodiment of the present invention.
In a specific implementation, after the management system issues a data auditing policy to the user terminal, the monitoring application program may run a data monitoring process to detect a data outgoing behavior of the user terminal, and if it is detected that the data outgoing behavior exists in the user terminal, target data corresponding to the data outgoing behavior is acquired. Optionally, the target data may be data corresponding to a data outgoing behavior executed by the user terminal at the current time.
In an optional embodiment of the present invention, the data detection information in the data auditing policy issued by the system may be generated as follows:
user behavior data in a historical time period is obtained, wherein the user behavior data comprises data outgoing events of different user terminals, and the data outgoing events comprise a first outgoing event containing sensitive data and a second outgoing event not containing sensitive data. For the first outgoing event, the first user outgoing count, the first group outgoing count and the first terminal outgoing count corresponding to the user terminal are counted; for the second outgoing event, the second user outgoing count, the second group outgoing count and the second terminal outgoing count corresponding to the user terminal are counted. A target sensitive weight value for the user terminal is then calculated according to the first user outgoing count, the first group outgoing count and the first terminal outgoing count, and a target non-sensitive weight value for the user terminal is calculated according to the second user outgoing count, the second group outgoing count and the second terminal outgoing count. Finally, data detection information for the user terminal in the current time period is generated by using the target sensitive weight value and the target non-sensitive weight value.
Optionally, the data auditing policy for the user terminal may be dynamically adjusted, including generating the data auditing policy for the user terminal in the current time period according to the user behavior data in the historical time period, for example, each adjustment cycle may be 7 days, and then generating the data auditing policy for the current cycle according to the user behavior data in the last 7 days, so that the data auditing policy for the current cycle may be generated according to the user behavior data in the previous cycle or the user behavior data in the previous cycles, that is, data detection information for the user terminal in the current time period is generated, so that the data management and control policy for the user terminal may be periodically and adaptively updated, and the rationality and effectiveness of data monitoring are improved.
The time period may be one hour, one day, one week or another period. The first outgoing event is a data outgoing event in which the data sent out by the user terminal includes sensitive data; the second outgoing event is a data outgoing event in which the data sent out by the user terminal does not include sensitive data, that is, the outgoing data is common data. The data outgoing events of the user terminal are thus divided into sensitive events and common events along the sensitive-data dimension, so as to manage the data auditing policy of the user terminal.
For sensitive events, the following may be counted for a preset time period: the first terminal outgoing times $P_{y1}$ of a single user terminal, the average outgoing times $M_1$ of all user terminals in the enterprise business unit (i.e., the first outdoor outgoing times), and, by group dimension, the first group outgoing times $N_{x1}$. For common events the same applies: the second terminal outgoing times $P_{y2}$ of a single user terminal in the preset time period, the average outgoing times $M_2$ of all user terminals in the enterprise business unit (i.e., the second outdoor outgoing times), and, by group dimension, the second group outgoing times $N_{x2}$.
Optionally, groups may be set according to the departments of the enterprise; for example, user I to which user terminal A belongs, user II to which user terminal B belongs, user III to which user terminal C belongs and user IV to which user terminal D belongs all belong to department (1). For sensitive events, the average outgoing times $M_1$ corresponding to users I to VII, the average outgoing times $N_{x1}$ of the department and the outgoing times $P_{y1}$ of a single user terminal can be counted; for common events, the average outgoing times $M_2$ corresponding to users I to VII, the average outgoing times $N_{x2}$ of the department and the outgoing times $P_{y2}$ of a single user terminal can be counted, and so on.
After the different types of outgoing times for the sensitive event and the common event are obtained, the sensitive weight value and the non-sensitive weight value corresponding to the user terminal can be calculated from them. Specifically, for the sensitive weight value of a user terminal: if the first terminal outgoing times are greater than the first outdoor outgoing times, a first user coefficient for the first outgoing event is obtained, and a first user weight value for the user terminal is calculated using the first user coefficient, the first terminal outgoing times and the first outdoor outgoing times; if the first terminal outgoing times are greater than the first group outgoing times, a first group coefficient for the first outgoing event is obtained, and a first group weight value for the user terminal is calculated using the first group coefficient, the first terminal outgoing times and the first group outgoing times. The original sensitive weight value of the user terminal and the adjustment step length for the first outgoing event are then obtained, and a target sensitive weight value for the user terminal is calculated using the original sensitive weight value, the adjustment step length, the first user weight value and the first group weight value.
For the non-sensitive weight value of the user terminal: if the second terminal outgoing times are greater than the second outdoor outgoing times, a second user coefficient for the second outgoing event is obtained, and a second user weight value for the user terminal is calculated using the second user coefficient, the second terminal outgoing times and the second outdoor outgoing times; if the second terminal outgoing times are greater than the second group outgoing times, a second group coefficient for the second outgoing event is obtained, and a second group weight value for the user terminal is calculated using the second group coefficient, the second terminal outgoing times and the second group outgoing times. The original non-sensitive weight value of the user terminal and the adjustment step length for the second outgoing event are then obtained, and a target non-sensitive weight value for the user terminal is calculated using the original non-sensitive weight value, the adjustment step length, the second user weight value and the second group weight value.
It should be noted that the sensitive weight value and the non-sensitive weight value may be used to indicate a weight condition between a sensitive event and a non-sensitive event in the same user terminal, and if the sensitive weight value is greater than the non-sensitive weight value, it indicates that the number of times of referring to sensitive data and the number of data entries in the data outgoing behavior of the user terminal are large, and data detection needs to be enhanced, otherwise, it indicates that the data outgoing behavior of the user terminal is mainly normal data, and data detection on the data outgoing behavior of the user terminal can be reduced. And under the sensitive event, the first user coefficient and the first group coefficient are adjustment coefficients corresponding to the sensitive event under different dimensions, correspondingly, the second user coefficient and the second group coefficient are adjustment coefficients corresponding to the common event under different dimensions, the sum of the first user coefficient and the second user coefficient is 1, the sum of the first group coefficient and the second group coefficient is 1, and the weighted values (sensitive weighted value and non-sensitive weighted value) corresponding to the data auditing strategy of the user terminal can be adjusted individually and adaptively from different dimensions through the user coefficients and the group coefficients, so that the individual configuration of the management strategy is realized, the effectiveness of terminal management is improved, and the safety of data is ensured. In a default case, the first user coefficient and the second user coefficient may be 0.5, and similarly, the first group coefficient and the second group coefficient may also be 0.5.
In addition, the adjustment step length is the value by which the sensitive weight value and the non-sensitive weight value are adjusted, and it may be handled differently for sensitive and non-sensitive events: for a common event, one half of the adjustment step length may be taken; for a sensitive event, the adjustment step length itself may be taken. Different events are thereby processed differently, the rationality of the data audit policy is ensured, and data detection and management of the user terminal are carried out effectively.
After a target sensitive weight value for a sensitive event and a target non-sensitive weight value for a common event are obtained, a data detection weight value for a user terminal can be calculated by using the target sensitive weight value and the target non-sensitive weight value, user permission information corresponding to the user terminal is obtained, and a first detection threshold value and a second detection threshold value for the user terminal are determined by using the user permission information and the data detection weight value. Optionally, the user right information may be associated with the right of the user in the enterprise, or may be associated with the network information of the user terminal, for example, the higher the position of the user in the enterprise, the higher the user right; or the higher the authority of the department where the user is located, the higher the authority of the user, and the like, so that after the data detection weight value is obtained, a first detection threshold and a second detection threshold aiming at the user terminal can be set based on the user authority information, and the data outgoing behavior of the user terminal is identified and judged through the two data detection thresholds.
In an example, referring to fig. 2, which shows a flow chart of processing data detection information in an embodiment of the present invention, the behavior on each data outgoing path of a user terminal (e.g., data outgoing via a private protocol, data outgoing via a USB disk, etc.) is analyzed separately, without the paths affecting each other, and the detection weight value $Z_y$ of every data outgoing path defaults to 0 initially.
Firstly, the events that were sent out through a single path and audited in the previous period are divided into two types according to whether they contain sensitive data; the sensitive events containing sensitive data are analyzed statistically first, and then the common events not containing sensitive data. For outgoing sensitive events: first calculate the average outgoing times $M$ of all user terminals in the period, then count the average outgoing times $N_x$ of each department by department dimension, and finally count the outgoing times $P_y$ of each individual user. Then, according to $P_y$, $N_x$ and $M$, calculate the sensitive weight value $Z_y$ of each user terminal: if $P_y > M$, the first user weight value corresponding to the user terminal is calculated by $w = \beta (P_y - M)$; if $P_y \le M$, the first user weight value remains unchanged and the historical user weight value continues to be used. At the same time, $N_x$ is compared with $P_y$: if $P_y > N_x$, the first group weight value corresponding to the group terminal is calculated by $w = \alpha (P_y - N_x)$; if $P_y \le N_x$, the first group weight value remains unchanged and the historical group weight value continues to be used. After the first group weight value and the first user weight value are obtained, their average value $w$ can be calculated; the adjustment step length $step$ is then obtained, and the target sensitive weight value for the user terminal is calculated from the original sensitive weight value $Z_y$, the adjustment step length and $w$. Specifically, the target sensitive weight value may be $Z_{y1} + w \cdot step$, so that the sensitive weight value corresponding to the user behavior data in the latest period is obtained.
Wherein, x may represent a department where the user terminal is located, and y may represent a user number, which is not limited in the present invention.
For outgoing common events: first calculate the average outgoing times $U$ of all user terminals in the period, then count the average outgoing times $V_x$ of each department by department dimension, and finally count the outgoing times $T_y$ of each individual user. Then, according to $T_y$, $V_x$ and $U$, calculate the sensitive weight value $Z_y$ of each user terminal: if $T_y > U$, the second user weight value corresponding to the user terminal is calculated by $w = \sigma (T_y - U)$; if $T_y \le U$, the second user weight value remains unchanged and the historical user weight value continues to be used. At the same time, $V_x$ is compared with $T_y$: if $T_y > V_x$, the second group weight value corresponding to the group terminal is calculated by $w = \mathit{row}\,(T_y - V_x)$; if $T_y \le V_x$, the second group weight value remains unchanged and the historical group weight value continues to be used. After the second group weight value and the second user weight value are obtained, their average value $w$ can be calculated; the adjustment step length $step$ is then obtained, and the target non-sensitive weight value for the user terminal is calculated from the original non-sensitive weight value $Z_y$, the adjustment step length and $w$. Specifically, the target non-sensitive weight value may be $Z_{y2} + w \cdot (step/2)$, so that the non-sensitive weight value corresponding to the user behavior data in the latest period is obtained. Here the sum of $\beta$ and $\sigma$ is 1 and the sum of $\alpha$ and $\mathit{row}$ is 1; the two pairs represent the user coefficients and the group coefficients respectively.
After the sensitive weight value $Z_{y1}$ and the non-sensitive weight value $Z_{y2}$ corresponding to the user terminal are obtained, the two values may be added to obtain the data detection weight value. Then user authority information is obtained, and the data detection weight value is processed based on the user authority information to obtain a first detection threshold and a second detection threshold. For example, the user authority information includes user position authorities, including a first-level authority, a second-level authority, a third-level authority and the like, and different authorities correspond to different lower limit coefficients and upper limit coefficients, as shown in Table 1 below:
| User position authority | Lower limit coefficient | Upper limit coefficient |
| --- | --- | --- |
| First-level authority | 1 | 1.5 |
| Second-level authority | 0.8 | 1.3 |
| Third-level authority | 0.6 | 1.1 |

TABLE 1
Then, assuming that the data detection weight value is 10, the first detection threshold corresponding to a user terminal with the first-level authority may be 10 and the second detection threshold may be 15; similarly, for a user terminal with the second-level authority the first detection threshold may be 8 and the second detection threshold 13, for a user terminal with the third-level authority the first detection threshold may be 6 and the second detection threshold 11, and so on. In this way, on the one hand the data detection weight value is calculated from the outgoing behavior of the user terminal, and on the other hand it is further adjusted in combination with the user authority, so that the data auditing policy both conforms to the corresponding user authority and can be adjusted flexibly and periodically according to the data outgoing behavior, thereby effectively managing the data outgoing behavior of the user terminal, ensuring the security of data transmission and avoiding data leakage.
It should be noted that, in the embodiment of the present invention, a user terminal is taken as an example to exemplarily describe, it is understood that, in the embodiment of the present invention, a user corresponding to each user terminal may be a different user, and user permissions corresponding to the users may be the same or different, based on a specific permission of the user in an enterprise and public institution to which the user belongs, and the user may log in corresponding account information in the user terminal, so that each user terminal corresponds to a unique user identifier, and further, the management system may manage different user terminals, thereby implementing issuing of a data audit policy.
Step 102, if the target data comprises sensitive data, acquiring the number of data items of the sensitive data;
Sensitive data may be data in an enterprise business that relates to business secrets, such as data relating to major enterprise decisions, business planning, contracts, summaries of major meetings, finance, customer profiles, project documentation, source code, and so forth. When the user terminal performs a data outgoing behavior, the data monitoring process may detect the data outgoing behavior, acquire the corresponding target data, scan the target data item by item and determine whether sensitive data exists in it; if the target data includes sensitive data, the number of data entries of the sensitive data in the target data is acquired.
Step 103, generating a detection result aiming at the data outgoing behavior according to the data detection information and the data entry number, wherein the detection result comprises that the user terminal is allowed to send the target data out.
In the embodiment of the present invention, the data detection information may include a data detection threshold, and the data monitoring process may compare the number of data items of the sensitive data with the data detection threshold, and generate a detection result for the current data outgoing behavior according to the comparison result. The detection result comprises the steps of allowing the user terminal to send out the target data, forbidding the user terminal to send out the target data, requiring to examine and approve the current data sending out of the user terminal and the like.
In a specific implementation, the data detection information may include a first detection threshold and a second detection threshold, which may form three corresponding intervals, and then, the current data outgoing behavior of the user terminal may be processed according to a target interval in which the number of data entries is located.
Specifically, if the number of the data entries is smaller than a first detection threshold, the user terminal is allowed to send out the target data; if the number of the data items is larger than a second detection threshold, forbidding the user terminal to send the target data out; and if the number of the data entries is greater than or equal to the first detection threshold and less than or equal to the second detection threshold, generating approval information for the data outgoing behavior, sending the approval information to an approval terminal corresponding to the user terminal, wherein the approval terminal is used for approving the data outgoing behavior of the user terminal so as to determine whether the user terminal is allowed to send the target data.
In an example, if the current data outgoing behavior of the user terminal does not contain sensitive data, the corresponding target data can be sent out directly. If sensitive data is included, the data monitoring process may scan the target data to obtain the number of data entries of the sensitive data and compare it with the first detection threshold and the second detection threshold. For example, with a first detection threshold of 10 and a second detection threshold of 15: if the number of data entries is less than 10, the user terminal is allowed to send out the target data; if the number of data entries is greater than or equal to 10 and less than or equal to the second detection threshold, approval information for the current data outgoing behavior is generated and sent to the corresponding approval terminal, which may be the user terminal of a superior of the user to which the user terminal belongs, and the target data is sent out after permission is obtained, or otherwise the user terminal is forbidden to send out the target data; if the number of data entries is greater than 15, the user terminal is prohibited from sending out the target data. Whether the terminal can execute the data outgoing behavior is thus judged through the data detection information, so that the data outgoing behavior of the user terminal is effectively managed, the security of data transmission is guaranteed and data leakage is avoided.
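The per-period weight update, the Table 1 thresholds and the three-interval decision described above are combined here in one added example; it is not code from the patent. The names TerminalState, update_state, thresholds and decide, the step value 2.0, the reading of the department figure as the mean per-terminal count, and the sample counts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Table 1 of the description: permission level -> (lower, upper) coefficient.
PERMISSION_COEFFS = {1: (1.0, 1.5), 2: (0.8, 1.3), 3: (0.6, 1.1)}


@dataclass
class TerminalState:
    """Per-terminal values carried from one adjustment period to the next."""
    z_sensitive: float = 0.0   # Z_y1, defaults to 0
    z_common: float = 0.0      # Z_y2, defaults to 0
    user_w_s: float = 0.0      # historical user weight, sensitive events
    group_w_s: float = 0.0     # historical group weight, sensitive events
    user_w_c: float = 0.0      # historical user weight, common events
    group_w_c: float = 0.0     # historical group weight, common events


def class_weights(own, overall_avg, group_avg, user_coeff, group_coeff,
                  hist_user, hist_group):
    """User weight, group weight and their average w for one event class."""
    # Above the all-terminal average: recompute, otherwise keep the old value.
    user_w = user_coeff * (own - overall_avg) if own > overall_avg else hist_user
    # Same comparison against the terminal's own department average.
    group_w = group_coeff * (own - group_avg) if own > group_avg else hist_group
    return user_w, group_w, (user_w + group_w) / 2


def update_state(state, terminal, counts, dept_of, step=2.0, beta=0.5, alpha=0.5):
    """Apply one period of audited counts to `state` and return it.

    counts:  {terminal: (sensitive_events, common_events)} for the last period
    dept_of: {terminal: department}
    The step value, and reading N_x / V_x as the mean per-terminal count
    inside the department, are assumptions of this example.
    """
    sigma, row = 1 - beta, 1 - alpha          # each coefficient pair sums to 1
    peers = [t for t in counts if dept_of[t] == dept_of[terminal]]
    p_y, t_y = counts[terminal]
    m = mean(c[0] for c in counts.values())   # M: all terminals, sensitive
    u = mean(c[1] for c in counts.values())   # U: all terminals, common
    n_x = mean(counts[t][0] for t in peers)   # N_x: department, sensitive
    v_x = mean(counts[t][1] for t in peers)   # V_x: department, common

    state.user_w_s, state.group_w_s, w_s = class_weights(
        p_y, m, n_x, beta, alpha, state.user_w_s, state.group_w_s)
    state.user_w_c, state.group_w_c, w_c = class_weights(
        t_y, u, v_x, sigma, row, state.user_w_c, state.group_w_c)
    state.z_sensitive += w_s * step           # Z_y1 + w * step
    state.z_common += w_c * (step / 2)        # Z_y2 + w * (step / 2)
    return state


def thresholds(state, level):
    """First and second detection thresholds for a permission level."""
    weight = state.z_sensitive + state.z_common   # data detection weight value
    lower, upper = PERMISSION_COEFFS[level]
    # Rounding keeps float noise (1.1 * 10) out of the boundary comparisons.
    return round(lower * weight, 6), round(upper * weight, 6)


def decide(sensitive_entries, first, second):
    """Three-interval decision on the number of sensitive data entries."""
    if sensitive_entries == 0:
        return "allow"          # no sensitive data: sent out directly
    if sensitive_entries < first:
        return "allow"
    if sensitive_entries > second:
        return "block"
    return "approval"           # first <= entries <= second


# Constructed sample: audited counts of the previous period.
DEPT_OF = {"A": "dept1", "B": "dept1", "C": "dept2", "D": "dept2"}
COUNTS = {"A": (14, 7), "B": (2, 1), "C": (0, 0), "D": (0, 0)}

if __name__ == "__main__":
    for name in COUNTS:
        st = update_state(TerminalState(), name, COUNTS, DEPT_OF)
        first, second = thresholds(st, level=1)
        print(name, first, second,
              [decide(n, first, second) for n in (0, 9, 12, 16)])
```

Read literally, a terminal at or below both averages keeps its historical weights, so its weight still grows by w × step in the next period, and a terminal whose weight is still 0 has both thresholds at 0, so every outgoing with sensitive entries is blocked.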
It should be noted that the embodiments of the present invention include, but are not limited to, the above examples, and it is understood that, under the guidance of the idea of the present invention, those skilled in the art may also set the embodiments according to actual needs, and the present invention is not limited to these.
In the embodiment of the invention, the target data corresponding to the data outgoing behavior is obtained in response to the detection of the data outgoing behavior of the user terminal, and the data detection information for the user terminal is obtained, wherein the data detection information is used for judging the data outgoing behavior of the user terminal, if the target data comprises sensitive data, the number of data entries of the sensitive data is obtained, the target data is detected according to the data detection information and the number of the data entries, and the detection result for the data outgoing behavior is generated, and the detection result comprises the condition that the user terminal is allowed to send the target data.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 3, a block diagram of a structure of a processing apparatus for data outgoing behavior according to an embodiment of the present invention is shown, which may specifically include the following modules:
a target data obtaining module 301, configured to, in response to detecting a data outgoing behavior of a user terminal, obtain target data corresponding to the data outgoing behavior, and data detection information for the user terminal, where the data detection information is used to determine the data outgoing behavior of the user terminal;
a data entry data obtaining module 302, configured to obtain a number of data entries of the sensitive data if the target data includes the sensitive data;
an outgoing behavior determining module 303, configured to generate a detection result for the data outgoing behavior according to the data detection information and the number of data entries, where the detection result includes that the user terminal is allowed to send the target data out.
In an optional embodiment of the present invention, the data detection information includes a first detection threshold and a second detection threshold, where the second detection threshold is greater than the first detection threshold, and the outgoing behavior determining module 303 includes:
the outgoing allowing module is used for allowing the user terminal to send the target data out if the number of the data entries is smaller than the first detection threshold;
and the outgoing prohibition module is used for prohibiting the user terminal from sending the target data outwards if the number of the data items is greater than the second detection threshold.
In an optional embodiment of the present invention, the outgoing behavior determining module 303 further includes:
and the examination and approval module is used for generating examination and approval information aiming at the data outgoing behavior and sending the examination and approval information to an examination and approval terminal corresponding to the user terminal if the number of the data items is greater than or equal to the first detection threshold and less than or equal to the second detection threshold, and the examination and approval terminal is used for examining and approving the data outgoing behavior of the user terminal so as to determine whether the user terminal is allowed to send the target data out.
In an optional embodiment of the present invention, the data detection information is generated by:
the user behavior data acquisition module is used for acquiring user behavior data in a historical time period, wherein the user behavior data comprises data outgoing events of different user terminals, and the data outgoing events comprise a first outgoing event containing sensitive data and a second outgoing event not containing the sensitive data;
the first counting module is used for counting the first outdoor sending times of the first outgoing event, the first group outgoing times and the first terminal outgoing times corresponding to the user terminal;
the second counting module is used for counting the second outdoor sending times of the second outgoing event, the second group outgoing times and the second terminal outgoing times corresponding to the user terminal;
a sensitive weight value calculating module, configured to calculate a target sensitive weight value for the user terminal according to the first outdoor sending times, the first group sending times, and the first terminal sending times;
the non-sensitive weight value calculation module is used for calculating a target non-sensitive weight value aiming at the user terminal according to the second outdoor sending times, the second group outgoing times and the second terminal outgoing times;
and the data detection information generation module is used for generating data detection information aiming at the user terminal in the current time period by adopting the target sensitive weight value and the target non-sensitive weight value.
In an optional embodiment of the present invention, the sensitive weight value calculating module is specifically configured to:
if the outgoing times of the first terminal are greater than the first outdoor outgoing times, acquiring a first user coefficient for the first outgoing event, and calculating a first user weight value for the user terminal by adopting the first user coefficient, the first terminal outgoing times and the first outdoor outgoing times;
if the outgoing times of the first terminal are greater than the outgoing times of the first group, acquiring a first group coefficient for the first outgoing event, and calculating a first group weight value for the user terminal by adopting the first group coefficient, the outgoing times of the first terminal and the outgoing times of the first group;
acquiring an original sensitive weight value of the user terminal and an adjustment step length aiming at the first outgoing event;
and calculating a target sensitive weight value aiming at the user terminal by adopting the original sensitive weight value, the adjustment step length, the first user weight value and the first group weight value.
In an optional embodiment of the present invention, the insensitive weight value calculating module is specifically configured to:
if the second terminal outgoing times are larger than the second outdoor outgoing times, acquiring a second user coefficient for the second outgoing event, and calculating a second user weight value for the user terminal by adopting the second user coefficient, the second terminal outgoing times and the second outdoor outgoing times;
if the outgoing times of the second terminal are greater than the outgoing times of the second group, acquiring a second group coefficient aiming at the second outgoing event, and calculating a second group weight value aiming at the user terminal by adopting the second group coefficient, the outgoing times of the second terminal and the outgoing times of the second group;
acquiring an original non-sensitive weight value of the user terminal and an adjustment step length aiming at the second outgoing event;
and calculating a target non-sensitive weight value aiming at the user terminal by adopting the original non-sensitive weight value, the adjustment step length, the user weight value and the group weight value.
In an optional embodiment of the present invention, the data detection information generating module is specifically configured to:
calculating a data detection weight value for the user terminal by adopting the target sensitive weight value and the target non-sensitive weight value;
acquiring user authority information corresponding to the user terminal;
and determining a first detection threshold and a second detection threshold aiming at the user terminal in the current time period by adopting the user permission information and the data detection weight value.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
An embodiment of the present invention further provides an electronic device, including:
one or more processors; and
one or more machine-readable media having instructions stored thereon, which when executed by the one or more processors, cause the electronic device to perform methods as described in embodiments of the invention.
Embodiments of the present invention also provide a computer-readable storage medium having instructions stored thereon, which, when executed by one or more processors, cause the processors to perform the method according to the embodiments of the present invention.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one of skill in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, EEPROM, flash, eMMC, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or terminal device that comprises the element.
The method and device for processing data outgoing behavior provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help in understanding the method and its core idea. Meanwhile, a person skilled in the art may, according to the idea of the present invention, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (9)

1. A method for processing data outgoing behaviors is characterized by comprising the following steps:
responding to the detected data outgoing behavior of a user terminal, acquiring target data corresponding to the data outgoing behavior and data detection information aiming at the user terminal, wherein the data detection information is used for judging the data outgoing behavior of the user terminal;
if the target data comprises sensitive data, acquiring the number of data items of the sensitive data;
generating a detection result aiming at the data outgoing behavior according to the data detection information and the number of the data items, wherein the detection result comprises that the user terminal is allowed to send the target data out;
wherein the data detection information is generated by:
acquiring user behavior data in a historical time period, wherein the user behavior data comprise data outgoing events of different user terminals, and the data outgoing events comprise a first outgoing event containing sensitive data and a second outgoing event not containing the sensitive data;
counting the first user outgoing times of the first outgoing event, the first group outgoing times and the first terminal outgoing times corresponding to the user terminal;
counting the second user outgoing times of the second outgoing event, the second group outgoing times and the second terminal outgoing times corresponding to the user terminal;
calculating a target sensitive weight value for the user terminal according to the first user outgoing times, the first group outgoing times and the first terminal outgoing times;
calculating a target non-sensitive weight value for the user terminal according to the second user outgoing times, the second group outgoing times and the second terminal outgoing times;
and generating data detection information aiming at the user terminal in the current time period by adopting the target sensitive weight value and the target non-sensitive weight value.
2. The method of claim 1, wherein the data detection information comprises a first detection threshold and a second detection threshold, wherein the second detection threshold is greater than the first detection threshold, and wherein generating the detection result for the data outgoing behavior according to the data detection information and the number of data entries comprises:
if the number of the data items is smaller than the first detection threshold, allowing the user terminal to send the target data out;
and if the number of the data entries is larger than the second detection threshold, forbidding the user terminal to send the target data out.
3. The method according to claim 2, wherein the generating a detection result for the data outgoing behavior according to the data detection information and the number of data entries further comprises:
if the number of the data items is larger than or equal to the first detection threshold and smaller than or equal to the second detection threshold, generating approval information for the data outgoing behavior, and sending the approval information to an approval terminal corresponding to the user terminal, wherein the approval terminal is used for approving the data outgoing behavior of the user terminal so as to determine whether the user terminal is allowed to send the target data.
4. The method of claim 1, wherein the calculating a target sensitive weight value for the user terminal according to the first user outgoing times, the first group outgoing times, and the first terminal outgoing times comprises:
if the first terminal outgoing times are greater than the first user outgoing times, acquiring a first user coefficient for the first outgoing event, and calculating a first user weight value for the user terminal by adopting the first user coefficient, the first terminal outgoing times and the first user outgoing times;
if the first terminal outgoing times are greater than the first group outgoing times, acquiring a first group coefficient for the first outgoing event, and calculating a first group weight value for the user terminal by adopting the first group coefficient, the first terminal outgoing times and the first group outgoing times;
acquiring an original sensitive weight value of the user terminal and an adjustment step length aiming at the first outgoing event;
and calculating a target sensitive weight value aiming at the user terminal by adopting the original sensitive weight value, the adjustment step length, the first user weight value and the first group weight value.
5. The method of claim 1, wherein the calculating a target non-sensitive weight value for the user terminal according to the second user outgoing times, the second group outgoing times, and the second terminal outgoing times comprises:
if the second terminal outgoing times are greater than the second user outgoing times, acquiring a second user coefficient for the second outgoing event, and calculating a second user weight value for the user terminal by adopting the second user coefficient, the second terminal outgoing times and the second user outgoing times;
if the second terminal outgoing times are greater than the second group outgoing times, acquiring a second group coefficient for the second outgoing event, and calculating a second group weight value for the user terminal by adopting the second group coefficient, the second terminal outgoing times and the second group outgoing times;
acquiring an original non-sensitive weight value of the user terminal and an adjustment step length aiming at the second outgoing event;
and calculating a target non-sensitive weight value aiming at the user terminal by adopting the original non-sensitive weight value, the adjustment step length, the user weight value and the group weight value.
6. The method according to claim 1, 4 or 5, wherein the generating data detection information for the user terminal in the current time period by using the target sensitive weight value and the target non-sensitive weight value comprises:
calculating a data detection weight value for the user terminal by adopting the target sensitive weight value and the target non-sensitive weight value;
acquiring user authority information corresponding to the user terminal;
and determining a first detection threshold and a second detection threshold aiming at the user terminal in the current time period by adopting the user permission information and the data detection weight value.
7. An apparatus for processing data outgoing behavior, comprising:
the target data acquisition module is used for responding to the detection of the data outgoing behavior of the user terminal, acquiring target data corresponding to the data outgoing behavior and data detection information aiming at the user terminal, wherein the data detection information is used for judging the data outgoing behavior of the user terminal;
the data item data acquisition module is used for acquiring the data item number of the sensitive data if the target data comprises the sensitive data;
the outgoing behavior judging module is used for generating a detection result aiming at the data outgoing behavior according to the data detection information and the data entry number, wherein the detection result comprises the condition that the user terminal is allowed to send the target data out;
the data detection information is generated by the following modules:
the user behavior data acquisition module is used for acquiring user behavior data in a historical time period, wherein the user behavior data comprises data outgoing events of different user terminals, and the data outgoing events comprise a first outgoing event containing sensitive data and a second outgoing event not containing the sensitive data;
the first counting module is used for counting the first user outgoing times of the first outgoing event, the first group outgoing times and the first terminal outgoing times corresponding to the user terminal;
the second counting module is used for counting the second user outgoing times of the second outgoing event, the second group outgoing times and the second terminal outgoing times corresponding to the user terminal;
the sensitive weight value calculating module is used for calculating a target sensitive weight value for the user terminal according to the first user outgoing times, the first group outgoing times and the first terminal outgoing times;
the non-sensitive weight value calculating module is used for calculating a target non-sensitive weight value for the user terminal according to the second user outgoing times, the second group outgoing times and the second terminal outgoing times;
and the data detection information generation module is used for generating data detection information aiming at the user terminal in the current time period by adopting the target sensitive weight value and the target non-sensitive weight value.
8. An electronic device, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the electronic device to perform the method of any of claims 1-6.
9. A computer-readable storage medium having instructions stored thereon, which when executed by one or more processors, cause the processors to perform the method recited by any of claims 1-6.
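The pipeline in claims 1 to 6, sketched as an added example that is not code from the patent or its assignee: history-derived weights set two thresholds, and the count of sensitive entries in an outgoing payload selects allow, approval or block. The claims name the inputs but not the arithmetic, so the weight formula, the weight combination, the base thresholds per permission level and the SSN-like detector pattern are all assumptions made for this sketch.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the sensitive-data detector: SSN-like tokens (assumption).
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed base (first, second) thresholds per permission level; not from the patent.
BASE_THRESHOLDS = {"standard": (5, 20), "privileged": (20, 100)}

@dataclass
class History:
    """Outgoing times for one event type over the historical period."""
    user: float      # user outgoing times
    group: float     # group outgoing times
    terminal: float  # outgoing times of the terminal being judged

def _excess(coef, terminal, baseline):
    # Contributes only when the terminal sent more often than the baseline.
    if terminal <= baseline:
        return 0.0
    return coef * (terminal - baseline) / max(baseline, 1.0)

def target_weight(original, step, h, user_coef=1.0, group_coef=1.0):
    """Claims 4 and 5: inputs as claimed, arithmetic assumed for this example."""
    user_w = _excess(user_coef, h.terminal, h.user)
    group_w = _excess(group_coef, h.terminal, h.group)
    return max(0.1, original - step * (user_w + group_w))

def thresholds(sensitive_w, non_sensitive_w, permission):
    """Claim 6: detection weight plus permission level give both thresholds."""
    weight = sensitive_w * non_sensitive_w  # assumed combination
    low, high = BASE_THRESHOLDS[permission]
    first = max(1, round(low * weight))
    return first, max(first + 1, round(high * weight))  # second > first

def count_sensitive_entries(payload):
    """Records (lines) that contain at least one sensitive token."""
    return sum(1 for line in payload.splitlines() if SENSITIVE.search(line))

def decide(payload, first, second):
    """Claims 2 and 3: allow below first, block above second, else approval."""
    n = count_sensitive_entries(payload)
    if n < first:
        return "allow", n
    if n > second:
        return "block", n
    return "approval", n

if __name__ == "__main__":
    # Constructed history: this terminal sent sensitive data 3x as often as peers.
    s_w = target_weight(1.0, 0.1, History(user=10, group=10, terminal=30))
    n_w = target_weight(1.0, 0.1, History(user=50, group=60, terminal=40))
    first, second = thresholds(s_w, n_w, "standard")
    payload = "\n".join(f"row{i},123-45-{6000 + i}" for i in range(4))  # constructed
    print(first, second, decide(payload, first, second))
```

Both boundary values route to approval, matching claim 3's inclusive range, so a terminal whose thresholds tighten sees more of its transfers reviewed before any are blocked outright.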
CN202011531216.2A 2020-12-22 2020-12-22 Method and device for processing data outgoing behavior Active CN112507384B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011531216.2A CN112507384B (en) 2020-12-22 2020-12-22 Method and device for processing data outgoing behavior

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011531216.2A CN112507384B (en) 2020-12-22 2020-12-22 Method and device for processing data outgoing behavior

Publications (2)

Publication Number Publication Date
CN112507384A CN112507384A (en) 2021-03-16
CN112507384B CN112507384B (en) 2022-10-04

Family

ID=74923466

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011531216.2A Active CN112507384B (en) 2020-12-22 2020-12-22 Method and device for processing data outgoing behavior

Country Status (1)

Country Link
CN (1) CN112507384B (en)


Also Published As

Publication number Publication date
CN112507384A (en) 2021-03-16


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant