CN113516337A - Method and device for monitoring data security operation - Google Patents
- Publication number: CN113516337A (application CN202110318104.7A)
- Authority: CN (China)
- Prior art keywords: alarm, user, access, data, limit
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- G06Q10/063114—Status monitoring or status determination for a person or group (G—Physics; G06—Computing, calculating or counting; G06Q—ICT specially adapted for administrative, commercial, financial, managerial or supervisory purposes; G06Q10/00—Administration, management; G06Q10/06—Resources, workflows, human or project management; G06Q10/063—Operations research, analysis or management; G06Q10/0631—Resource planning, allocation, distributing or scheduling; G06Q10/06311—Scheduling, planning or task assignment for a person or group)
- G06F21/602—Providing cryptographic facilities or services (G06F—Electric digital data processing; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60—Protecting data)
- G06Q10/0635—Risk analysis of enterprise or organisation activities (under G06Q10/063, above)
- G06Q50/26—Government or public services (G06Q50/00—ICT specially adapted for implementation of business processes of specific business sectors; G06Q50/10—Services)
Abstract
The invention provides a monitoring method and device for data security operation. The method is suitable for a plurality of databases constructed on the same server and operated and accessed through the same gateway. A first-class alarm configuration, a second-class alarm configuration and an abnormal operation alarm configuration are set for the application program interface service, the gateway service and abnormal user operation respectively, and risk behaviors are alarmed by monitoring user access requests, the gateway working state and user login information. On a data platform where the data security authority boundary is fuzzy, timely warning of and response to high-risk data behaviors are realized, guaranteeing safe, stable and controllable data services and timely response to and handling of security events.
Description
Technical Field
The invention relates to the technical field of data information, in particular to a method and a device for monitoring data security operation.
Background
Databases established on the basis of a government affair system are usually separate: each business system establishes its own database for users to access. Traditional database services generally take a single system as the core of security monitoring; in this self-built, self-maintained mode, the authority boundary of information system and data security is clear and definite, and handling a single security monitoring object is simple.
In the database service scenario where databases are established uniformly by a block data platform, the same block data platform or server centrally manages the government affair system data and performs data sharing and exchange based on the block data; the databases of a plurality of business systems are established centrally and provide access services to the outside, and the responsibility boundary of system and data security becomes fuzzy. For such centrally built databases, a monitoring method is urgently needed to ensure their safe operation and to realize efficient management and monitoring of the plurality of uniformly built databases.
Disclosure of Invention
The embodiments of the invention provide a method and a device for monitoring data security operation, which aim to eliminate or mitigate one or more defects in the prior art and to uniformly monitor and manage a plurality of databases established on the basis of a block data platform.
The technical scheme of the invention is as follows:
the invention provides a monitoring method for data security operation, which is applied to a block data platform, wherein the block data platform constructs a plurality of databases accessed through the same gateway on the same server, each database is provided with one or more application program interfaces, and each application program interface is connected to the gateway and accessed through it; the method comprises the following steps:
acquiring at least one first-class alarm configuration corresponding to each application program interface, wherein the first-class alarm configuration at least comprises an access object identity limit, an access right limit, and an access amount and flow limit; checking the user access request corresponding to each application program interface, and generating first-class alarm information containing corresponding alarm content when the user access request violates any one of the access object identity limit, the access right limit, or the access amount and flow limit;
acquiring at least one second-class alarm configuration of the API (Application Programming Interface) gateway, wherein the second-class alarm configuration at least comprises an API call delay limit and an API error limit; monitoring the working state of the API gateway, and generating second-class alarm information containing corresponding alarm content when the API gateway delay exceeds the API call delay limit or an API error occurs;
acquiring an abnormal operation alarm configuration, wherein the abnormal operation alarm configuration at least comprises an unauthorized login IP restriction, an unauthorized login time restriction, an unauthorized login location restriction and a single password error input count restriction; checking the user login information, and generating abnormal operation alarm information containing corresponding alarm content when the user login information violates any one of these restrictions;
and performing in-station notification of the first-class alarm information, the second-class alarm information and/or the abnormal operation alarm information, and/or sending a message notification to a set management user.
In some embodiments, checking the user access request corresponding to each application program interface at least includes:
acquiring a user name and/or a login password recorded in a first set field of the user access request; if the user name and/or the login password are not legal, the access object identity limit is violated, and first-class alarm information containing corresponding alarm content is generated;
acquiring the access content recorded in a second set field of the user access request; if the access content does not belong to the authorized content corresponding to the access right limit, the access right limit is violated, and first-class alarm information containing corresponding alarm content is generated;
and counting the user access requests and calculating the single-day request count, the single-day query count and/or the single-day traffic corresponding to each application program interface; if any of these exceeds the access amount and flow limit, first-class alarm information containing corresponding alarm content is generated.
In some embodiments, the first type of alert configuration further includes a database openness limit, and checking the user access request corresponding to each application program interface further includes:
and confirming, according to the user access requests, the actual openness degree of the database corresponding to each application program interface; if the actual openness degree of a database is inconsistent with its database openness limit, generating first-class alarm information containing corresponding alarm content, wherein the database openness limit at least comprises non-sharing, conditional sharing, unconditional sharing, conditional opening, unconditional opening and non-opening.
In some embodiments, the method further comprises setting alarm values at a plurality of levels for the access flow limit, the API call delay limit, the single password error input count limit and/or the access amount limit.
In some embodiments, the method further comprises:
acquiring a sensitive data tracking alarm configuration, wherein the sensitive data tracking alarm configuration at least comprises a set tracking field and/or sensitive words; checking the user access requests, and generating sensitive data tracking alarm information when, within a set time length, the number of times a user access request queries the tracking field exceeds a first number and/or the number of times sensitive words are searched exceeds a second number;
and performing in-station notification and/or mail notification to a setting management user on the sensitive data tracking alarm information.
In some embodiments, after generating the sensitive data tracking alarm information, the method further includes:
and encrypting the information recorded by the tracking field to disable the sensitive word.
In some embodiments, the method further comprises: and generating a safety monitoring alarm log according to the first type of alarm information, the second type of alarm information and the abnormal operation alarm information.
In some embodiments, the message notification to the setting management user includes a short message notification and/or a mail notification.
In another aspect, the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method are implemented.
In another aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above method.
The invention has the beneficial effects that:
in the monitoring method and device for data security operation, unified security monitoring and alarming is performed on a plurality of databases established uniformly on a block data platform, and alarm rules are established for the application program interface service, the gateway service and the user risk behavior of the plurality of databases under the condition that the data security authority boundary is fuzzy, so as to realize timely alarming of and response to high-risk conditions.
Furthermore, by establishing sensitive word alarms, finer-grained risk supervision is realized under unified management and operation of multiple databases. A log for audit analysis is established from the generated alarm information, ensuring that all user behavior can be recorded and queried and helping the user trace back to the source after a security incident. A series of safe operation management steps, such as pre-service monitoring alarm rule configuration, in-service monitoring, post-service audit trail and alarm response, is realized, ensuring the security and stability of the platform and the security of user data services.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the specific details set forth above, and that these and other objects that can be achieved with the present invention will be more clearly understood from the detailed description that follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
fig. 1 is a flowchart of a monitoring method for data security operation according to an embodiment of the present invention;
fig. 2 is a flowchart of a monitoring method for data security operation according to another embodiment of the present invention;
fig. 3 is a flowchart illustrating alarm handling in a monitoring method for data security operation according to an embodiment of the present invention;
fig. 4 is a flowchart illustrating a sensitive data service tracking alarm in a monitoring method for data security operation according to an embodiment of the present invention;
fig. 5 is a logic diagram of a monitoring method for data security operation according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
It should be noted that, in order to avoid obscuring the present invention with unnecessary details, only the structures and/or processing steps closely related to the scheme according to the present invention are shown in the drawings, and other details not so relevant to the present invention are omitted.
It should be emphasized that the term "comprises/comprising" when used herein, is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
It is also noted herein that the term "coupled," if not specifically stated, may refer herein to not only a direct connection, but also an indirect connection in which an intermediate is present.
A database service mode in which a plurality of business system databases are uniformly constructed on a block data platform fundamentally changes the control requirements of data security: the traditional security control requirement centered on the system gradually changes into one whose main characteristic is data flow. After the database service is established uniformly on the block data platform, the data of each database can be shared; the data is characterized by aggregation and flow, and the authority boundary of system and data security becomes fuzzy. Therefore, the block data platform is required to provide, for the data service interfaces of this new database service mode, a series of interface monitoring alarm solutions such as interface security monitoring alarm policy configuration, policy execution, alarm message reminders and log-based tracking audit, and to discover the usability problems and security problems of online interfaces at the earliest moment.
The invention provides a method for monitoring data security operation, applied to a block data platform, wherein the block data platform constructs a plurality of databases accessed through the same gateway on the same server, each database is provided with one or more application program interfaces, and each application program interface is connected to the gateway and accessed through it. An example is the database service of a plurality of business systems established on the same block data platform, where block data is the sum of the various types of data related to people, objects and events formed in a physical space or administrative region. Block data is not just a "strip set" but a "strip set structure". Block data may be divided into person block data, object block data, event block data, and area position block data. The database service is supported by traditional database technology and provides, in service form, standard database storage, database management, database operation and maintenance, and database performance monitoring services of various types and versions to tenants. Furthermore, in the invention, a plurality of business systems establish corresponding databases on the server of the same block data platform, each database is provided with at least one data sharing service interface (which is also an application program interface), the API gateway is set as the entrance of the system, and users access the database of the corresponding business system through the API gateway.
Specifically, the monitoring method for data security operation, as shown in fig. 1, includes steps S101 to S104:
it should be noted that, in this embodiment, steps S101 to S104 do not limit the order of the steps, and it should be understood that, in different scenarios, the order of the steps may be changed or the steps may be executed in parallel.
Step S101: acquiring at least one first-class alarm configuration corresponding to each application program interface, wherein the first-class alarm configuration at least comprises an access object identity limit, an access right limit, and an access amount and flow limit; checking the user access request corresponding to each application program interface, and generating first-class alarm information containing corresponding alarm content when the user access request violates any one of the access object identity limit, the access right limit, or the access amount and flow limit.
Step S102: obtaining at least one second-class alarm configuration of the API gateway, wherein the second-class alarm configuration at least comprises an API call delay limit and an API error limit; monitoring the working state of the API gateway, and generating second-class alarm information containing corresponding alarm content when the API gateway delay exceeds the API call delay limit or an API error occurs.
Step S103: obtaining an abnormal operation alarm configuration, wherein the abnormal operation alarm configuration at least comprises an unauthorized login IP restriction, an unauthorized login time restriction, an unauthorized login location restriction and a single password error input count restriction; checking the user login information, and generating abnormal operation alarm information containing corresponding alarm content when the user login information violates any one of these restrictions.
Step S104: performing in-station notification of the first-class alarm information, the second-class alarm information and/or the abnormal operation alarm information, and/or sending a message notification to a set management user.
In step S101, a first-class alarm configuration is first set for the one or more application program interfaces of each database to implement data sharing service interface alarms, which mainly monitor the access behavior of each database. The first-class alarm configuration is an alarm rule related to the use and application of the application program interface, and may include an alarm rule name, a monitoring item, a rule description, a continuous detection frequency, a notification object, a state, whether the rule is enabled, and other conventional items. For an application program interface (or data sharing interface), the first-class alarm configuration may include access object identity restrictions, access right restrictions, and access volume and traffic restrictions. The access object identity restriction verifies the validity of the user identity, specifically by checking the user's user name and login password. The access right restriction checks for user behavior that exceeds the access right. The access volume and traffic restrictions check for abnormal access behavior, which on the one hand protects the security of sensitive data and on the other hand takes the hardware processing capacity into account.
In some embodiments, in step S101, checking the user access request corresponding to each application program interface at least includes steps S1011 to S1013:
step S1011: acquiring the user name and/or login password recorded in a first set field of the user access request; if the user name and/or login password are not legal, the access object identity limit is violated and first-class alarm information containing corresponding alarm content is generated.
Specifically, the user name and login password may be checked when the user accesses the data for the first time, or the corresponding user information may be checked during each data request and access. Furthermore, the client authorization state, the user's mobile phone number, the authorization deadline and the like may also be checked.
Step S1012: acquiring the access content recorded in the second set field of the user access request; if the access content does not belong to the authorized content corresponding to the access right limit, the access right limit is violated and first-class alarm information containing corresponding alarm content is generated.
Specifically, the authorized content is set when the user first registers; a given user may only access the corresponding authorized content, and an alarm is triggered if the access exceeds the corresponding authority range. The authorized content may be recorded as the name of the interface to which access is granted, and checked during access.
Step S1013: counting the user access requests and calculating the single-day request count, the single-query record count and/or the single-day traffic corresponding to each application program interface; if any of these exceeds the access amount and flow limit, first-class alarm information containing corresponding alarm content is generated.
Specifically, an access control mechanism is implemented for the one or more application program interfaces of each database. Besides controlling the access volume and traffic, alarm rules may also be set for whether the request time of the application program interface times out, whether the response time times out, and error reporting, so as to realize monitoring in multiple directions.
In some embodiments, the first type of alert configuration further includes a database openness limit, and checking the user access request corresponding to each application program interface further includes: and confirming the actual openness degree of the database corresponding to each application program interface according to the user access request, and if the actual openness degree of each database is inconsistent with the corresponding database openness degree limit, generating first-class alarm information containing corresponding alarm content, wherein the database openness degree limit at least comprises non-sharing, conditional sharing, unconditional sharing, conditional opening, unconditional opening and non-opening.
In this embodiment, the database openness is also monitored. It is set when the database is established and includes at least 6 cases: non-sharing, conditional sharing, unconditional sharing, conditional opening, unconditional opening and non-opening. During operation, if the openness degree of a database is changed or tampered with, a warning prompt is given in time.
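The following is an added example, not code from the patent, showing how the first-class alarm checks of steps S1011 to S1013 and the database openness limit can be applied to individual access requests. `FirstClassConfig`, `FirstClassMonitor`, the request field names and the sample configuration are assumptions made for this illustration; credentials are held as hashes so the identity check never stores plaintext.

```python
"""Added example (not from the patent): first-class alarm checks for one
data sharing interface. Class and field names are assumptions."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

OPENNESS_LEVELS = {"non-sharing", "conditional sharing", "unconditional sharing",
                   "conditional opening", "unconditional opening", "non-opening"}


def password_hash(password):
    # Credentials are stored hashed; the identity check compares hashes in constant time.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class FirstClassConfig:
    api_name: str
    credential_hashes: dict      # user name -> password hash (access object identity limit)
    authorized_content: dict     # user name -> set of interface names (access right limit)
    daily_request_limit: int     # access amount limit: requests per API per day
    single_query_row_limit: int  # access amount limit: records returned by one query
    daily_traffic_limit: int     # flow limit: bytes per API per day
    openness_limit: str          # one of OPENNESS_LEVELS, fixed when the database is built


class DailyCounter:
    def __init__(self):
        self.requests = 0
        self.traffic = 0


class FirstClassMonitor:
    def __init__(self, config):
        assert config.openness_limit in OPENNESS_LEVELS
        self.cfg = config
        self.counters = defaultdict(DailyCounter)  # (api, day) -> DailyCounter

    def check_request(self, req):
        """Return a list of (alarm kind, message) raised by one user access request.
        req fields (constructed): username, password, content, rows, bytes, day, actual_openness."""
        cfg, alarms = self.cfg, []
        # S1011: identity of the access object (user name and login password)
        stored = cfg.credential_hashes.get(req["username"])
        if stored is None or not hmac.compare_digest(stored, password_hash(req["password"])):
            alarms.append(("identity", f"illegal user name or password: {req['username']}"))
        # S1012: the access content must lie within the user's authorized content
        if req["content"] not in cfg.authorized_content.get(req["username"], set()):
            alarms.append(("access_right", f"{req['username']} exceeded access right on {req['content']}"))
        # S1013: single-day request count, single-query record count and single-day traffic
        day = self.counters[(cfg.api_name, req["day"])]
        day.requests += 1
        day.traffic += req["bytes"]
        if day.requests > cfg.daily_request_limit:
            alarms.append(("daily_requests", f"{day.requests} > {cfg.daily_request_limit}"))
        if req["rows"] > cfg.single_query_row_limit:
            alarms.append(("single_query_rows", f"{req['rows']} > {cfg.single_query_row_limit}"))
        if day.traffic > cfg.daily_traffic_limit:
            alarms.append(("daily_traffic", f"{day.traffic} > {cfg.daily_traffic_limit}"))
        # Openness limit: the database's actual openness must match what was set at build time
        if req["actual_openness"] != cfg.openness_limit:
            alarms.append(("openness", f"{req['actual_openness']} != {cfg.openness_limit}"))
        return alarms


# Constructed sample configuration for one data sharing interface.
SAMPLE_CONFIG = FirstClassConfig(
    api_name="population_query",
    credential_hashes={"alice": password_hash("s3cret"), "bob": password_hash("hunter2")},
    authorized_content={"alice": {"population_query", "address_query"}, "bob": {"population_query"}},
    daily_request_limit=3,
    single_query_row_limit=100,
    daily_traffic_limit=10_000,
    openness_limit="conditional sharing",
)


def run_demo():
    """Feed four constructed requests through the monitor; return the alarm kinds per request."""
    monitor = FirstClassMonitor(SAMPLE_CONFIG)
    base = {"day": "2021-03-25", "actual_openness": "conditional sharing", "rows": 10, "bytes": 500}
    requests = [
        {**base, "username": "alice", "password": "s3cret", "content": "population_query"},
        {**base, "username": "mallory", "password": "guess", "content": "population_query"},
        {**base, "username": "bob", "password": "hunter2", "content": "address_query", "rows": 5000},
        {**base, "username": "alice", "password": "s3cret", "content": "population_query",
         "bytes": 20_000, "actual_openness": "unconditional opening"},
    ]
    return [[kind for kind, _ in monitor.check_request(r)] for r in requests]


if __name__ == "__main__":
    for i, kinds in enumerate(run_demo(), 1):
        print(f"request {i}: {kinds or 'no alarm'}")
```

The fourth request shows why the counters are keyed per interface and per day: it is the fourth call of the day against a limit of three and pushes the day's traffic past the flow limit, so it raises three alarms at once even though the credentials and content are valid.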
In step S102, a second-class alarm configuration is set to monitor the working state of the API gateway. It mainly comprises an API call delay limit and an API error limit, where API errors may include: the API does not exist or has not been published to the environment, the API request method does not exist, the backend cannot be found, the plug-in configuration cannot be found, request format errors, scheduling errors, and the like. By monitoring the running state of the API gateway, alarms on the API call delay limit and on API errors are realized.
In step S103, to ensure the security of access behavior, alarms are set for abnormal user operations, mainly abnormalities in user login behavior: the unauthorized login IP restriction, the unauthorized login time restriction, the unauthorized login location restriction, and the restriction on the number of single password error inputs. In other embodiments, database client tools, system objects, and other high-risk operations may also be monitored.
In step S104, the first-class alarm information, the second-class alarm information and/or the abnormal operation alarm information generated in steps S101 to S103 is notified within the station, or notified to a designated user by mail or short message. Further, in some embodiments, the IP address of the user who triggered the alarm may be blocked, or the alarm may be left unhandled.
In some embodiments, the method further comprises setting alarm values at a plurality of levels for the access flow limit, the API call delay limit, the single password error input count limit and/or the access amount limit. Setting a plurality of alarm values divides the risk into a plurality of danger levels, and corresponding handling operations can then be set for each danger level.
In some embodiments, the method further comprises steps S201 to S202:
step S201: acquiring a sensitive data tracking alarm configuration, wherein the sensitive data tracking alarm configuration at least comprises a set tracking field and/or sensitive words; checking the user access requests, and generating sensitive data tracking alarm information when, within a set time length, the number of times a user access request queries the tracking field exceeds a first number and/or the number of times sensitive words are searched exceeds a second number.
Step S202: and performing in-site notification and/or mail notification to a setting management user on the sensitive data tracking alarm information.
In this embodiment, by setting the sensitive data tracking alarm configuration for the application program interface, data tracking is performed on various services of each service system, and supervision and verification are performed on sensitive data. Specifically, by setting a tracking field, for example, a field related to name data or identification number data in a public security system, or adding a sensitive word such as a set name or identification number, a service tracking log can be generated when a user calls the related data of the sensitive service, thereby realizing the checking and tracing of the use condition of the sensitive information resource. In some embodiments, the set duration may be set to 5 minutes, the first number of times may be set to 20, and the second number of times may be set to 10. When the method is used for triggering the sensitive data tracking alarm, sensitive data tracking alarm information is generated and in-station notification is carried out, and a specified user can be notified through mails or information.
In some embodiments, after generating the sensitive data tracking alarm information, the method further includes: information recorded by the tracking field is encrypted to disable sensitive words. In the present case, the sensitive words are disabled to prevent the high-risk access behavior of the user to the sensitive words.
Illustratively, the block data platform tracks and monitors user behavior after adding a tracking field and/or a sensitive word, and the set judgment basis is as follows: and inquiring more than 20 times of sensitive field service in 5 minutes to be abnormal, searching more than 10 times of sensitive words in 5 minutes to be abnormal, and generating sensitive data tracking alarm information containing corresponding content when a user triggers the abnormal sensitive field service or the abnormal access of the sensitive words in the access process. After the sensitive data tracking alarm information is notified in a station or a mail is notified to a setting manager, the setting manager judges whether to allow continuous access, and if so, the operation is not carried out so that a user can normally use the sensitive data tracking alarm information; if not, the encryption setting is carried out by clicking the in-station notice or the connection attached in the mail, the block data platform carries out encryption processing on the corresponding tracking field or sensitive word, the sensitive field is displayed in an 'x' character encryption mode, and the sensitive word is forbidden to be processed. Furthermore, after encryption, the manager judges whether the tracking field or the sensitive word in service is abnormal or not, and if not, decryption is carried out.
In some embodiments, after step S104, the method further comprises: and generating a safety monitoring alarm log according to the first type alarm information, the second type alarm information and the abnormal operation alarm information. The safety monitoring alarm log is used for recording the time generated according to the first type of alarm information, the second type of alarm information and the abnormal operation alarm information and the specific event content of the alarm, and the safety monitoring alarm log is arranged according to the time sequence. Reports may be generated periodically or in real time for analysis and induction of alarm events. In other embodiments, the security monitoring alarm log may also record sensitive data tracking alarms.
The invention is described in detail below with reference to a specific example:
The newly built government affairs information systems in the Xiong'an New Area all establish their databases on the block data platform, so that the government affairs data of each business department grows on the block data platform, which manages the government affairs system data centrally and uniformly and through which data sharing and exchange take place. After the unified database service, the data is characterised by aggregation and flow, and the authority boundaries of the systems and of data security become blurred. The method establishes an urban big data service security operation monitoring alarm center based on the block data platform, collects the key security big data of the whole platform and related information systems, builds up capabilities for data acquisition, governance, analysis, management and operation, and forms a series of security operation management capabilities including prior monitoring alarm rule configuration, in-service monitoring, after-the-fact audit tracking and alarm response, ensuring that the big data security of the new area's cities is safe and controllable.
The security monitoring and management system of the block data platform monitors the platform's risk behaviors in real time, including but not limited to abnormal user logins, searching for and using sensitive data, and continued access after an access peak is exceeded. The method analyses user access behavior against the alarm rules and raises security alarms for abnormal risk behavior through platform message prompts, e-mail, short message notification and the like; for attack behaviors it performs a security response such as disconnecting the session and blocking the IP address, achieving real-time monitoring and response during the process and improving the security of the platform's data assets. Specifically, the method comprises security monitoring alarm configuration, security monitoring alarm log management, alarm monitoring log audit and security event response.
1. Security monitoring alarm rule configuration
In monitoring the block data platform database service, referring to fig. 2 and fig. 3, at least three types of alarm rules are set: data sharing service interface alarm rule configuration, data service API gateway security monitoring alarm rule configuration and abnormal operation risk alarm rule configuration; in some embodiments a sensitive data service tracking alarm configuration is also set. When a violation of the corresponding alarm configuration is detected, an alarm is generated and followed by mail notification, an in-platform message reminder, or no processing. In some embodiments, the IP address (Internet Protocol address) of the user who triggered the alarm configuration may be blocked, or the alarm may be left pending.
1) Data sharing service interface alerts
On the monitoring task management page, find the target monitoring task and click the corresponding button to enter the data set and alarm configuration page.
In the alarm configuration page, click the settings area to add an alarm. Enter the relevant information in the add-alarm dialog box and click save. A newly created alarm includes: alarm name, filtering time and frequency conditions, alarm rule settings and notification mode settings, where the notification modes comprise mail and in-platform message; the notification object, alarm level and notification template content are also set.
The alarm configuration of the data sharing service interface can be compiled as: the single-day request count exceeds a first limited number of times, the single-day traffic exceeds a limited traffic, the request time exceeds a first limited duration, the response time exceeds a second limited duration, and the single-day error count exceeds a second limited number of times. Further, a plurality of levels is set for the first limited number of times, the limited traffic, the first limited duration, the second limited duration and the second limited number of times, for example four alarm values for levels one to four, each corresponding to a different danger level. Furthermore, if the interface attribute is a sensitive interface, legal calling places and legal calling times can additionally be set (several of each), as can sensitive fields and sensitive words.
2) Data service API (Application Programming Interface) gateway security monitoring alarm
Combined with the monitoring service of the block data platform, flexible and comprehensive monitoring alarms and real-time, visual API monitoring are provided, including call volume and response time, used to monitor the operating state of the APIs and users' behaviour habits. The alarm configuration can be compiled as: the maximum single-day access count exceeds a third limited number of times, the maximum single-day access amount exceeds a fourth limit, and the maximum response time exceeds a third limited duration. Further, the third limited number of times, the fourth limit and the third limited duration may be set at multiple levels, for example four alarm values for levels one to four, each corresponding to a different risk level.
Furthermore, if the interface attribute is a sensitive interface, a legal calling place and a legal calling time can be further set, and a sensitive field and a sensitive word can be set, wherein a plurality of legal calling places and a plurality of legal calling times can be set.
The API monitoring alarm mainly comprises API call latency and API error information. If the delay of the gateway's API call exceeds the set duration, an exception alarm is raised; if a known or unknown error occurs during the call, the exception is likewise captured and alarmed, and the captured exception information is recorded in an exception log table. Alarm rules can also be customised so that abnormal conditions are alarmed and fault handling time is shortened. The notification modes for abnormal alarms related to gateway security are mail and in-platform message.
A call log is generated when the API data service gateway processes a call request; one record must be written for every call request, including which API was called, the caller identity, call parameters, call result, call return value, call time consumption and so on. The call logs of the APIs are synchronised and displayed in real time, and a log export function allows users to export in batches by API or by time period, realising log viewing, log searching and log export.
Based on the data recorded in the call log, multidimensional statistics can be produced: API call counts, call modes, response times, the time each API was last used, API callers, and API error call counts and error rates, monitoring the running condition of the APIs and users' behaviour habits.
3) Sensitive data service tracking alarm configuration
The block data platform performs sensitive data tracking configuration on the service interface: by setting a tracking field or adding a sensitive word, a service tracking log is generated whenever a user calls the sensitive service corresponding to that field or word, so that use of sensitive information resources can be traced.
Referring to fig. 4, after a tracking field and/or a sensitive word is added, the block data platform tracks and monitors user behavior, with the following judgment basis: querying the sensitive field service more than 20 times in 5 minutes is abnormal, and searching sensitive words more than 10 times in 5 minutes is abnormal; when a user's access triggers either abnormal condition, sensitive data tracking alarm information containing the corresponding content is generated. After the sensitive data tracking alarm information has been delivered to the designated manager as an in-platform notification or by mail, the manager judges whether to allow access to continue. If so, no action is taken and the user continues to use the service normally; if not, the manager enables encryption by clicking the in-platform notice or the link attached to the mail, and the block data platform encrypts the corresponding tracking field or sensitive word: the sensitive field is displayed masked with 'x' characters, and the sensitive word is disabled. Later, after encryption, the manager judges whether the tracking field or sensitive word in the service is still abnormal, and if not, decrypts it.
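The sensitive data tracking rule described in steps S201 to S202 and repeated here (more than 20 sensitive-field queries or more than 10 sensitive-word searches by one user within 5 minutes, followed by manager review with 'x' masking of the field or disabling of the word), as an added Python example that is not part of the patent or of the block data platform. The access-record dictionary format, the class and method names, and the sample data are constructed for illustration; only the window and the two thresholds come from the page.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 5 * 60   # "set duration" from the page: 5 minutes
FIELD_THRESHOLD = 20      # "first number": sensitive field queries per window
WORD_THRESHOLD = 10       # "second number": sensitive word searches per window


@dataclass
class Alarm:
    user: str
    kind: str      # 'sensitive_field' or 'sensitive_word'
    target: str    # comma-joined fields or words that triggered the alarm
    count: int     # hits seen in the window when the alarm fired
    ts: int
    handled: bool = False


class SensitiveDataTracker:
    """Per-user sliding-window counters for tracking fields and sensitive words.

    Record format is a constructed assumption: {'user', 'ts' (epoch seconds),
    'fields' (set of queried column names), 'search' (search text or None)}.
    """

    def __init__(self, tracking_fields, sensitive_words, window=WINDOW_SECONDS,
                 field_threshold=FIELD_THRESHOLD, word_threshold=WORD_THRESHOLD):
        self.tracking_fields = set(tracking_fields)
        self.sensitive_words = {w.lower() for w in sensitive_words}
        self.window = window
        self.field_threshold = field_threshold
        self.word_threshold = word_threshold
        self.field_hits = defaultdict(deque)   # user -> timestamps of field queries
        self.word_hits = defaultdict(deque)    # user -> timestamps of word searches
        self.tracking_log = []                 # service tracking log: one entry per hit
        self.alarms = []
        self.masked_fields = set()             # displayed as 'x' characters after alarm
        self.disabled_words = set()            # searches for these words are refused

    def _count_in_window(self, dq, now):
        """Record a hit at `now` and return the number of hits in the trailing window."""
        dq.append(now)
        while dq and now - dq[0] >= self.window:
            dq.popleft()
        return len(dq)

    def process(self, record):
        """Check one access request; return the alarms it raised (0, 1 or 2)."""
        user, now = record['user'], record['ts']
        raised = []
        hit_fields = self.tracking_fields & set(record.get('fields', ()))
        for f in sorted(hit_fields):
            self.tracking_log.append((now, user, 'field', f))
        if hit_fields:
            n = self._count_in_window(self.field_hits[user], now)
            if n > self.field_threshold:
                raised.append(Alarm(user, 'sensitive_field', ','.join(sorted(hit_fields)), n, now))
        search = (record.get('search') or '').lower()
        hit_words = {w for w in self.sensitive_words if w in search}
        for w in sorted(hit_words):
            self.tracking_log.append((now, user, 'word', w))
        if hit_words:
            n = self._count_in_window(self.word_hits[user], now)
            if n > self.word_threshold:
                raised.append(Alarm(user, 'sensitive_word', ','.join(sorted(hit_words)), n, now))
        self.alarms.extend(raised)
        return raised

    def manager_decision(self, alarm, allow_continue):
        """The notified manager either allows access to continue or masks/disables."""
        alarm.handled = True
        if allow_continue:
            return
        if alarm.kind == 'sensitive_field':
            self.masked_fields.update(alarm.target.split(','))
        else:
            self.disabled_words.update(alarm.target.split(','))

    def restore(self, name):
        """Manager later finds the field or word is no longer abnormal: undo masking."""
        self.masked_fields.discard(name)
        self.disabled_words.discard(name)

    def render_row(self, row):
        """Display a result row; masked fields are replaced by 'x' characters."""
        return {k: ('x' * len(str(v)) if k in self.masked_fields else v)
                for k, v in row.items()}

    def search_allowed(self, query):
        """Refuse searches that contain a disabled sensitive word."""
        q = query.lower()
        return not any(w in q for w in self.disabled_words)


def demo():
    """Constructed sample: user 'u1' queries the 'id_number' field 21 times in 200 s."""
    tracker = SensitiveDataTracker(['name', 'id_number'], ['zhang san'])
    alarms = []
    for i in range(21):
        alarms += tracker.process({'user': 'u1', 'ts': 1000 + 10 * i,
                                   'fields': {'id_number'}, 'search': None})
    return tracker, alarms
```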
4) Abnormal operation risk alarm rule configuration
The block data platform defines the risky access behaviors to be monitored at fine granularity through multiple elements such as IP address, user name, database client tool, access time, sensitive objects, number of returned rows, system objects and/or high-risk operations. Specifically, in this embodiment, an illegal login IP alarm configuration, an illegal login time alarm configuration, an illegal login place alarm configuration and a single-day wrong-password-count alarm configuration are set.
Setting the illegal login IP alarm configuration comprises: setting the alarm level, setting the notification mode, adding/deleting legal login IP addresses, switching the alarm on or off, and searching legal login IP addresses. Setting the illegal login time alarm configuration comprises: setting the alarm level, setting the notification mode, adding/deleting legal login time periods, and switching the alarm on or off. Setting the illegal login place alarm configuration comprises: setting the alarm level, setting the notification mode, adding/deleting legal login places, switching the alarm on or off, and searching legal login places. Setting the single-day wrong-password-count alarm configuration comprises: editing the alarm configuration, setting the notification mode, and switching the alarm on or off.
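The four abnormal-operation rules above (illegal login IP, illegal login time, illegal login place, and single-day wrong-password count) with a per-rule alarm level and alarm switch, the multi-level alarm values described earlier, and the "blocked IP" handling state, as an added Python example that is not the platform's own code. The login-event dictionary format, the CIDR whitelist, the UTC hour windows, the four-level thresholds and the rule names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone


def utc_ts(year, month, day, hour, minute=0):
    """Epoch seconds for a UTC wall-clock time (helper for constructing events)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


class LoginRiskRules:
    """Illegal IP / time / place rules plus a multi-level single-day password-error rule.

    Event format is a constructed assumption: {'user', 'ip', 'ts' (epoch seconds),
    'place', 'ok' (True if the password was accepted)}.
    """

    def __init__(self, legal_ips, legal_periods, legal_places, pw_error_levels, rule_levels):
        self.legal_nets = [ipaddress.ip_network(c) for c in legal_ips]   # CIDR whitelist
        self.legal_periods = list(legal_periods)     # (start_hour, end_hour) pairs, UTC
        self.legal_places = set(legal_places)
        self.pw_error_levels = sorted(pw_error_levels)  # thresholds for levels 1..4
        self.rule_levels = dict(rule_levels)         # configured alarm level per rule
        self.enabled = {'ip': True, 'time': True, 'place': True, 'pw_errors': True}
        self.pw_errors = defaultdict(int)            # (user, day) -> wrong-password count
        self.blocked_ips = set()                     # alarm handling state "blocked IP"

    # --- configuration operations listed on the page -------------------------
    def add_legal_ip(self, cidr):
        self.legal_nets.append(ipaddress.ip_network(cidr))

    def remove_legal_ip(self, cidr):
        self.legal_nets = [n for n in self.legal_nets if n != ipaddress.ip_network(cidr)]

    def set_switch(self, rule, on):
        """The 'alarm switch' for one rule: 'ip', 'time', 'place' or 'pw_errors'."""
        self.enabled[rule] = on

    def block_ip(self, ip):
        self.blocked_ips.add(ip)

    def unblock_ip(self, ip):
        self.blocked_ips.discard(ip)

    def is_blocked(self, ip):
        return ip in self.blocked_ips

    # --- checks -------------------------------------------------------------
    def _ip_legal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.legal_nets)

    def _time_legal(self, ts):
        hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
        return any(start <= hour < end for start, end in self.legal_periods)

    def _pw_level(self, count):
        """Highest level whose threshold the count has reached (0 = no alarm)."""
        level = 0
        for i, threshold in enumerate(self.pw_error_levels, start=1):
            if count >= threshold:
                level = i
        return level

    def check(self, event):
        """Evaluate one login event; return a list of (alarm_name, alarm_level)."""
        if event['ip'] in self.blocked_ips:
            return [('blocked_ip_rejected', 4)]   # constructed: top level, no further checks
        alarms = []
        if self.enabled['ip'] and not self._ip_legal(event['ip']):
            alarms.append(('illegal_login_ip', self.rule_levels['ip']))
        if self.enabled['time'] and not self._time_legal(event['ts']):
            alarms.append(('illegal_login_time', self.rule_levels['time']))
        if self.enabled['place'] and event['place'] not in self.legal_places:
            alarms.append(('illegal_login_place', self.rule_levels['place']))
        if not event['ok']:
            day = datetime.fromtimestamp(event['ts'], tz=timezone.utc).date().isoformat()
            key = (event['user'], day)
            self.pw_errors[key] += 1             # a new day starts a fresh counter
            level = self._pw_level(self.pw_errors[key])
            if self.enabled['pw_errors'] and level:
                alarms.append(('password_errors', level))
        return alarms
```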
2. Security monitoring alarm log management
The purpose of security monitoring alarm log management is to ensure that all violations or errors that may cause security problems are identified and reported. The security monitoring alarm log records and manages the details of violations or errors, that is, the security event corresponding to each alarm. Multiple records can be searched and queried by a common element, target events of interest identified, and the records of several target events fused into one event record.
The contents of the security monitoring alarm log mainly comprise:
1) a description of each event, such as the source, impact and importance of each detected security event;
2) a record established for each security-related event according to its source;
3) event identification parameters describing which events each part of the system can and cannot collect;
4) the alarm state of every individual log record, together with all requirements of the corresponding event handling scheme;
5) the records of all target events and their alarm states, each target event being formed from a plurality of log records, together with all requirements for acting on them;
6) periodic reports of all alarms that have occurred, with the alarm lists of the several database modules processed and analysed separately;
7) log analysis and summarisation, with the results reported.
3. Security monitoring alarm log audit
The security operation center of the block data platform monitors and audits the security risks of data access and operation at each stage of the data life cycle; it is familiar with the data scope involved, fully understands the data monitoring and audit requirements, and can judge and handle the risks. It defines logging, security monitoring and audit requirements for all internal data access and operation, records data operation events, formulates rules for identifying and evaluating data security risk behaviors, and is capable of automatically identifying abnormal or high-risk data operations and issuing early warnings in real time.
Alarms for abnormal data access and abnormal operations are realized by building a unified log monitoring tool for data access and operation. In particular, access to and operation on highly sensitive data, and data access and operation by privileged accounts, are all within the scope of key monitoring. All kinds of data access and operation are processed and analysed uniformly, the data security risk they cause is quantified, and an overall perception of data security risk is achieved.
Security monitoring and analysis is performed on the traffic data of the data sharing and exchange service: the event information of calls to the data sharing and exchange service interface is recorded, and the presence of risk behaviors such as malicious data acquisition and data theft is monitored. The block data platform monitors the usage of all service interfaces as a whole, such as number of uses, records per query, users, user IP addresses, usage time and usage channels (including but not limited to PC clients and APP clients), forming a service request log in which all user behaviors are recorded and can be queried, which helps trace the source after a security incident. At the same time, alarm analysis statistics are generated from the log analysis and comparison results, so that the platform's operators can grasp the situation visually and take the relevant response measures.
The monitoring alarm page can be divided into a latest alarm module and an alarm statistic module.
The latest alarm module displays the alarm list; the user can filter and search alarms by processing state, alarm type, alarm level, start time and user/system/user IP. The processing states are: new alarm, temporarily unprocessed, and blocked IP. The alarm types are: data sharing (sharing interface), data service (API gateway), and abnormal operation risk. The alarm levels are: level one, level two, level three and level four.
There are three operations on an alarm: view log, block/unblock IP, and ignore. Blocking/unblocking an IP and ignoring change the alarm state: clicking block IP changes the alarm state to blocked IP, and clicking ignore changes it to ignored.
The alarm statistics module comprises alarm statistical trend analysis and alarm event ranking analysis. In trend analysis, the user can view the change trend of new alarms, processed alarms and all alarms over three time spans: 1 day, 7 days and 1 month; processed alarms include those whose IP was blocked and those ignored. In ranking analysis, the user can view, for a given month, the alarm count and ranking of each alarm name under the three alarm types: data sharing (sharing interface), data service (API gateway) and abnormal operation risk.
4. Security event response
The data platform sorts out and establishes a classification and grading method for data security events and adjusts and improves it regularly according to business requirements; it sets alarm response methods of corresponding levels for data security events of different levels and types; and it defines early-warning cancellation specifications for data security events of different levels and types, so that whether to cancel an alarm can be decided according to the actual situation and the cancellation information issued in time.
When a sensitive information leakage event occurs, the block data platform stops the operation of the functional module involved, forbids all access to the related sensitive information data interfaces, investigates, and confirms the source of the leak. If the sensitive information is confirmed to have leaked from the block data platform, the access logs of the interfaces related to the information source are searched, the responsible persons and responsible users are determined, the operation of the whole block data platform is stopped, and the platform is comprehensively rectified according to a preset scheme until it passes a security evaluation. If the source of the leak is not the block data platform, the platform strengthens monitoring of the related sensitive information to prevent a leakage event.
The security monitoring response module analyses user access behavior against the alarm rules and raises security alarms for abnormal risk behavior through platform message prompts, short message notification and the like; for attack behaviors it performs a security response such as disconnecting the session and blocking the IP address, achieving real-time monitoring and response during the process and improving the security of the platform's data assets. After the emergency response work is finished, the investigation, handling, summary and evaluation of the data security event are carried out in time.
Referring to fig. 5, the database service monitoring objects provided by the block data platform include data sharing service interfaces and API gateway registration interfaces related to the data service APIs, and abnormal logins and violations related to risk behaviors. Monitoring alarm rules are configured for read events, write events, data events, login events and operation and maintenance events; exception logs are called and recorded; operation logs are retained for about 90 days; risk analysis, anomaly analysis, behavior analysis, operation tracking and aggregation of logs of the same event are carried out; the logs formed during operation are security-audited or analysed in real time; and security response operations are set, comprising operation tracking, alarm triggering, alarm statistics, alarm message notification and the corresponding security alarm.
In another aspect, the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method are implemented.
In another aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above method.
In summary, in the monitoring method and apparatus for data security operation, unified security monitoring and alarming is performed on a plurality of databases uniformly established on a block data platform, and alarm rules are established for the application program interface services, gateway services and user risk behaviors of these databases under the condition that the data security authority boundary is blurred, so as to alarm on and respond to high-risk conditions in time.
Furthermore, by establishing sensitive word alarms, finer-grained risk supervision is realized under the unified management and operation of multiple databases. A log for audit analysis is established from the generated alarm information, ensuring that all user behaviors are recorded and can be queried, which helps trace the source after a security incident. A series of security operation management functions, such as prior monitoring alarm rule configuration, in-service monitoring, after-the-fact audit trail and alarm response, is realized, ensuring the security and stability of the platform and the security of users' data services.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein may be implemented as hardware, software, or combinations of both. Whether this is done in hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments in the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A monitoring method for data security operation is applied to a block data platform, the block data platform constructs a plurality of databases accessed through a same gateway on a same server, each database is provided with one or more application program interfaces, each application program interface is connected with the gateway and accessed through the gateway, and the method comprises the following steps:
acquiring at least one first type of alarm configuration corresponding to each application program interface, wherein the first type of alarm configuration at least comprises: an access object identity limit, an access right limit, and an access quantity and flow limit; checking the user access requests corresponding to the application program interfaces, and generating first-type alarm information containing corresponding alarm content when a user access request violates any one of the access object identity limit, the access right limit, and the access quantity and flow limit;
obtaining at least one second type of alarm configuration of the API gateway, wherein the second type of alarm configuration at least comprises: an API call delay limit and an API error limit; monitoring the working state of the API gateway, and generating second-type alarm information containing corresponding alarm content when the delay of the API gateway exceeds the API call delay limit or an API error occurs;
obtaining an abnormal operation alarm configuration, wherein the abnormal operation alarm configuration at least comprises: checking user login information, and generating abnormal operation alarm information containing corresponding alarm content when the user login information violates any one of a non-legal login IP restriction, a non-legal login time restriction, a non-legal login place restriction, and a single-day password error input count restriction;
and performing in-station notification of the first type of alarm information, the second type of alarm information and/or the abnormal operation alarm information, and/or message notification to a designated management user.
2. The method for monitoring data security operation according to claim 1, wherein checking the user access request corresponding to each application program interface at least comprises:
acquiring a user name and/or a login password recorded in a first set field of the user access request, and if the user name and/or the login password are not legal and violate the access object identity limit, generating first-class alarm information containing corresponding alarm content;
obtaining access content recorded in a second set field of the user access request, if the access content does not belong to authorized content corresponding to the access permission limit, violating the access permission limit, and generating first-class alarm information containing corresponding alarm content;
counting the user access requests and calculating the single-day request count, the single-day query count and/or the single-day flow corresponding to each application program interface, and if the single-day request count, the single-day query count and/or the single-day flow is higher than the access quantity and flow limit, generating first-type alarm information containing corresponding alarm content.
3. The method for monitoring data security operation according to claim 1, wherein the first type of alarm configuration further includes a database openness limit, and checking the user access request corresponding to each application program interface further includes:
confirming the actual openness degree of the database corresponding to each application program interface according to the user access request, and if the actual openness degree of a database is inconsistent with its database openness degree limit, generating first-type alarm information containing corresponding alarm content, wherein the database openness degree limit at least comprises non-sharing, conditional sharing, unconditional sharing, conditional opening, unconditional opening and non-opening.
4. A method for monitoring data security operations according to claim 3, further comprising: setting a plurality of levels of alarm values for the access flow limit, the API call delay limit, the single-day password error input count limit and/or the access quantity limit.
5. The method for monitoring data security operation according to claim 1, further comprising:
acquiring a sensitive data tracking alarm configuration, wherein the sensitive data tracking alarm configuration at least comprises the following steps: setting a tracking field and/or sensitive words, checking the user access request, and generating sensitive data tracking alarm information when, within a set time length, the number of times the user access request queries the sensitive field is greater than a first number and/or the number of times it searches the sensitive words is greater than a second number;
and performing in-station notification and/or mail notification of the sensitive data tracking alarm information to a set management user.
6. The method for monitoring data security operation according to claim 5, further comprising, after generating the sensitive data tracking alarm information:
encrypting the information recorded in the tracking field so that the sensitive word is disabled.
7. The method for monitoring data security operation according to claim 1, further comprising: generating a safety monitoring alarm log according to the first type of alarm information, the second type of alarm information and the abnormal operation alarm information.
8. The method for monitoring data security operation according to claim 1, wherein the message notification to the set management user includes a short message notification and/or a mail notification.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1 to 8 are implemented when the processor executes the program.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 8.
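As an added illustration (not code from the patent), the following Python sketch implements the first-class alarm checks of claim 2 and the sensitive-data tracking check of claim 5 over a constructed set of access requests; the configuration keys, request field names and limit values are this example's own assumptions.

```python
from collections import Counter, defaultdict, deque

CONFIG = {  # constructed alarm configuration; limit values are placeholders, not the patent's
    "valid_users": {"alice": "pw-alice"},                      # access object identity limit
    "authorized": {"alice": {"orders", "inventory"}},          # access permission limit
    "daily": {"/api/orders": {"requests": 3, "bytes": 5000}},  # access amount / flow limit per API
    "sensitive_fields": {"ssn"}, "sensitive_max": 1, "window_s": 60,  # claim 5 settings
}

def check_request(req, cfg):
    """Per-request checks of claim 2: identity limit, then permission limit."""
    alarms = []
    if cfg["valid_users"].get(req["user"]) != req["password"]:
        alarms.append({"class": 1, "limit": "identity", "user": req["user"]})
    if req["content"] not in cfg["authorized"].get(req["user"], set()):
        alarms.append({"class": 1, "limit": "permission", "content": req["content"]})
    return alarms

def check_volume(requests, cfg):
    """Last step of claim 2: per-API single-day request count and flow against the limits."""
    count, flow = Counter(), Counter()
    for r in requests:
        count[r["api"]] += 1
        flow[r["api"]] += r["bytes"]
    return [{"class": 1, "limit": "volume", "api": a, "requests": count[a], "bytes": flow[a]}
            for a, lim in cfg["daily"].items()
            if count[a] > lim["requests"] or flow[a] > lim["bytes"]]

def check_sensitive(requests, cfg):
    """Claim 5: per-user sliding-window count of queries that touch a tracking field."""
    recent, alarms = defaultdict(deque), []
    for r in sorted(requests, key=lambda r: r["ts"]):
        if not cfg["sensitive_fields"] & set(r["fields"]):
            continue
        q = recent[r["user"]]
        q.append(r["ts"])
        while q[0] < r["ts"] - cfg["window_s"]:  # drop queries older than the set time length
            q.popleft()
        if len(q) > cfg["sensitive_max"]:
            alarms.append({"class": "sensitive", "user": r["user"], "queries": len(q)})
    return alarms

def make_req(user, password, content, fields, nbytes, ts, api="/api/orders"):
    # constructed access-request record; field names are this example's, not the patent's
    return dict(user=user, password=password, content=content, fields=fields, bytes=nbytes, ts=ts, api=api)
REQUESTS = [  # constructed sample: three requests by alice, then a request with an invalid login
    make_req("alice", "pw-alice", "orders", ["id"], 1000, 0),
    make_req("alice", "pw-alice", "inventory", ["ssn"], 1000, 10),
    make_req("alice", "pw-alice", "payroll", ["ssn"], 1000, 20),  # outside authorized content
    make_req("mallory", "guess", "orders", ["ssn"], 3000, 30),    # unknown user / bad password
]
```

Running the three checks over `REQUESTS` yields one permission alarm, one identity alarm, one per-API volume alarm (4 requests and 6000 bytes against limits of 3 and 5000) and one sensitive-data alarm for alice's second `ssn` query inside the 60-second window.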
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110318104.7A CN113516337A (en) | 2021-03-25 | 2021-03-25 | Method and device for monitoring data security operation |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113516337A true CN113516337A (en) | 2021-10-19 |
Family
ID=78061304
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110318104.7A Pending CN113516337A (en) | 2021-03-25 | 2021-03-25 | Method and device for monitoring data security operation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113516337A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113965417A (en) * | 2021-12-21 | 2022-01-21 | 北京微步在线科技有限公司 | Asset risk detection method and device |
CN114401142A (en) * | 2022-01-18 | 2022-04-26 | 北京网藤科技有限公司 | Industrial network data safety protection system and control method thereof |
CN114884801A (en) * | 2022-06-09 | 2022-08-09 | 奇安信科技集团股份有限公司 | Alarm method, alarm device, electronic equipment and storage medium |
CN114936230A (en) * | 2022-06-13 | 2022-08-23 | 北京天融信网络安全技术有限公司 | Data supervision method and device, storage medium and electronic equipment |
CN115174144A (en) * | 2022-05-30 | 2022-10-11 | 江苏安几科技有限公司 | Zero-trust gateway self-security detection method and device |
CN115225366A (en) * | 2022-07-14 | 2022-10-21 | 国网智能电网研究院有限公司 | Access behavior processing method and device |
CN117290257A (en) * | 2023-11-27 | 2023-12-26 | 天津丈八网络安全科技有限公司 | Software lifecycle standardization management method and system based on plug-in call |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105553940A (en) * | 2015-12-09 | 2016-05-04 | 北京中科云集科技有限公司 | Safety protection method based on big data processing platform |
CN109474586A (en) * | 2018-10-31 | 2019-03-15 | 施勇 | A kind of advanced duration threat analysis method based on user behavior analysis |
CN109672612A (en) * | 2018-12-13 | 2019-04-23 | 中国电子科技集团公司电子科学研究院 | API gateway system |
CN110443048A (en) * | 2019-07-04 | 2019-11-12 | 广州海颐信息安全技术有限公司 | Data center looks into number system |
CN111752808A (en) * | 2020-07-01 | 2020-10-09 | 浪潮云信息技术股份公司 | Method for implementing data sharing exchange service operation monitoring system |
CN112511360A (en) * | 2021-02-05 | 2021-03-16 | 北京通付盾人工智能技术有限公司 | Multi-source service platform data security component monitoring method and system |
CN112527601A (en) * | 2020-12-17 | 2021-03-19 | 航天信息股份有限公司 | Monitoring early warning method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20211019 |