CN113836525B - Cloud service business risk analysis method and device - Google Patents


Info

Publication number: CN113836525B
Authority: CN (China)
Prior art keywords: behavior, cloud service, data, analysis, rules
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111134753.8A
Other languages: Chinese (zh)
Other versions: CN113836525A
Inventors: 刘孝男, 李保珲, 谢丰, 胡华明
Current Assignee: China Information Technology Security Evaluation Center (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Information Technology Security Evaluation Center

Events: application filed by China Information Technology Security Evaluation Center; priority to CN202111134753.8A; publication of CN113836525A; application granted; publication of CN113836525B; legal status: Active.

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F21/577 Assessing vulnerabilities and evaluating computer system security
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F9/45533 Hypervisors; Virtual machine monitors
                    • G06F9/45558 Hypervisor-specific management and integration aspects
                      • G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science
  • Software Systems
  • Theoretical Computer Science
  • Computer Security & Cryptography
  • General Engineering & Computer Science
  • Computer Hardware Design
  • Physics & Mathematics
  • General Physics & Mathematics
  • Computing Systems
  • Management, Administration, Business Operations System, And Electronic Commerce

Abstract

The application provides a cloud service business risk analysis method and device. The method comprises the following steps: first, collecting operation log data of cloud service provider users; then, processing the operation log data based on preset audit rules to obtain behavior event data; finally, generating an analysis result from the behavior event data, the analysis result being whether the operation behavior of the cloud service provider user is at risk or not. In this way, risks in the operation behavior of cloud service providers are found accurately, so that such risks can be effectively avoided and the security of the cloud service provider platform guaranteed.

Description

Cloud service business risk analysis method and device
Technical Field
The application relates to the field of cloud service, in particular to a cloud service business risk analysis method and device.
Background
In recent years, with the rapid development of cloud platforms in China, the computing capacity of cloud platforms has grown ever stronger and the scale of cloud vendors ever larger.
Because the users of cloud service providers carry out a large number of management operations, a series of security risks may arise in the process, reducing the reliability of the cloud service and creating potential security hazards for the users of the cloud service.
Disclosure of Invention
In view of the above, the application provides a method and a device for analyzing cloud service business behavior risks, which are used for finding out cloud service business operation behavior risks so as to effectively avoid the cloud service business operation behavior risks, thereby guaranteeing the safety of a cloud service business platform.
The first aspect of the application provides a cloud service business risk analysis method, which comprises the following steps:
Collecting operation log data of a cloud service provider user;
processing the operation log data based on a preset audit rule to obtain behavior event data;
generating an analysis result according to the behavior event data; and the behavior analysis result is whether the operation behavior of the cloud service user is at risk or not.
Optionally, the processing the operation log data based on a preset audit rule, after obtaining the behavior event data, further includes:
matching the behavior event data against the behavior portrait of the cloud service provider user to obtain a matching result;
Generating an analysis report according to the matching result; the analysis report is used for determining whether the operation behavior of the cloud service provider user is abnormal or not.
Optionally, the collecting operation log data of the cloud service provider user includes:
Remotely collecting operation log data of a cloud service provider user through a Secure Shell (SSH) protocol and/or a hypertext transfer protocol (HTTP) interface;
And acquiring operation log data of the cloud service provider user in an off-line uploading mode.
Optionally, the processing the operation log data based on the preset audit rule to obtain behavior event data includes:
Integrating the operation log data according to preset audit rules to obtain a data mapping which can be preprocessed;
and converting the data mapping to obtain behavior event data in a unified format.
Optionally, the method for generating the behavior portrait includes:
The method comprises the steps of performing identification and classification on historical behavior event data of cloud service provider users to obtain behavior type data of a plurality of categories;
for each behavior type data, scoring the behavior type data by using a scoring rule corresponding to an auditing rule to obtain the score of the behavior type data;
and generating a behavior portrait of the cloud service provider user based on the scores of all the behavior type data.
Optionally, after generating the analysis report according to the matching result, the method further includes:
determining operation behaviors with a preset number of abnormal operations in the analysis report, and generating abnormal operation behavior labels;
And displaying all abnormal operation behavior labels.
Optionally, the cloud service business risk analysis method further includes:
Receiving a retrieval instruction input by an evaluation person;
Responding to the retrieval instruction to obtain a tracking log; wherein the tracking log can be exported and presented graphically, and the graph includes the abnormal operation behavior.
Optionally, the cloud service business risk analysis method further includes:
and receiving and responding to the audit rule management instruction.
Optionally, the cloud service business risk analysis method further includes:
A behavior portrait management instruction is received and responded to.
The second aspect of the present application provides an analysis device for risk of cloud service business, comprising:
The acquisition unit is used for acquiring operation log data of the cloud service provider user;
The processing unit is used for processing the operation log data based on a preset audit rule to obtain behavior event data;
the analysis unit is used for generating an analysis result according to the behavior event data; and the behavior analysis result is whether the operation behavior of the cloud service user is at risk or not.
Optionally, the cloud service business risk analysis device further includes:
The matching unit is used for matching the behavior event data in the behavior portraits of the cloud service provider user to obtain a matching result;
The generating unit is used for generating an analysis report according to the matching result; the analysis report is used for determining whether the operation behavior of the cloud service provider user is abnormal or not.
Optionally, the acquisition unit includes:
The collecting subunit is used for remotely collecting operation log data of the cloud service provider user through a Secure Shell (SSH) protocol and/or a hypertext transfer protocol (HTTP) interface;
And the acquisition subunit is used for acquiring the operation log data of the cloud service provider user in an off-line uploading mode.
Optionally, the processing unit includes:
the integrating unit is used for integrating the operation log data according to a preset audit rule to obtain a data mapping which can be preprocessed;
And the conversion unit is used for converting the data mapping to obtain behavior event data in a uniform format.
Optionally, the behavior portrait generating unit includes:
The classification unit is used for identifying and classifying the historical behavior event data of the cloud service provider user to obtain behavior type data of a plurality of categories;
The scoring unit is used for scoring the behavior type data by utilizing scoring rules corresponding to the auditing rules aiming at each piece of behavior type data to obtain the score of the behavior type data;
And the generation subunit of the behavior portraits is used for generating the behavior portraits of the cloud service provider users based on the scores of all the behavior type data.
Optionally, the cloud service business risk analysis device further includes:
the determining unit is used for determining operation behaviors of a preset number of operation abnormalities in the analysis report and generating abnormal operation behavior labels;
and the display unit is used for displaying all the abnormal operation behavior labels.
Optionally, the cloud service business risk analysis device further includes:
the receiving unit is used for receiving a retrieval instruction input by an evaluation person;
The first response unit is used for responding to the retrieval instruction to obtain a tracking log; wherein the tracking log can be exported and presented graphically, and the graph includes the abnormal operation behavior.
Optionally, the cloud service business risk analysis device further includes:
And the second response unit is used for receiving and responding to the audit rule management instruction.
Optionally, the cloud service business risk analysis device further includes:
And the third response unit is used for receiving and responding to the behavior portrait management instruction.
A third aspect of the present application provides a server comprising:
One or more processors;
a storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of cloud service business risk analysis of any of the first aspects.
A fourth aspect of the present application provides a computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method for analyzing risk of cloud service business according to any of the first aspects.
As can be seen from the above scheme, the present application provides a method and an apparatus for analyzing risk of cloud service business, where the method for analyzing risk of cloud service business includes: firstly, collecting operation log data of a cloud service provider user; then, processing the operation log data based on a preset audit rule to obtain behavior event data; finally, generating an analysis result according to the behavior event data; and the behavior analysis result is whether the operation behavior of the cloud service user is at risk or not. Therefore, the purpose of accurately finding whether the cloud service provider operation behaviors have risks or not to effectively avoid the risks of the cloud service provider operation behaviors and guarantee the safety of the cloud service provider platform is achieved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a specific flowchart of a method for analyzing risk of cloud service business behavior according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for processing operation log data to obtain behavior event data according to a preset audit rule according to another embodiment of the present application;
FIG. 3 is a flowchart of a method for analyzing risk of behavior of cloud service business according to another embodiment of the present application;
FIG. 4 is a flowchart of a method for generating a behavior portrait according to another embodiment of the present application;
FIG. 5 is a schematic diagram of a specific architecture for implementing the present application according to another embodiment of the present application;
FIG. 6 is a schematic diagram of a functional architecture of an operational behavior audit system according to another embodiment of the present application;
FIG. 7 is a schematic diagram of a system deployment topology according to another embodiment of the present application;
Fig. 8 is a schematic diagram of an analysis device for risk of cloud service business according to another embodiment of the present application;
Fig. 9 is a schematic diagram of a server for implementing a method for analyzing risk of cloud service business according to another embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that the terms "first," "second," and the like herein are merely used to distinguish between different devices, modules, or units and are not intended to limit the order or interdependence of functions performed by such devices, modules, or units, but the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but also other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
First, it should be noted that in the existing cloud security architecture, responsibilities are divided as follows: business security, security operations, data security, network security, application security, host security and identity management fall within the responsibility of the user; cloud product security, virtualization security, hardware security and physical security fall within the responsibility of cloud service manufacturers; and virtualization security, hardware security and physical security fall within the responsibility of cloud service providers.
At present, in the auditing of cloud service providers, the features of higher-risk operation behaviors are analyzed and summarized to form a dedicated audit rule base. First, a series of policies is formulated for operation behaviors such as account login and object access, so that evaluation personnel can promptly and accurately find operation behavior problems in cloud service providers, and the operation risks of management user behavior on the cloud platform virtualization layer are objectively analyzed, summarized and reported. Second, the asset security of the cloud service provider platform is also affected by network intrusion, penetration and the like, so the protective security risk of the platform must also be audited from the network security perspective. In summary, the security problems in this area mainly comprise 5 major user operation risk behaviors, decentralized risks identified by network security devices, security risks identified by physical host audit, and the like. The specific categories of cloud service provider behavior rules are: management resource operation security risks and management agent operation security risks. Management resource operation security risks comprise intrusion prevention system (IPS) application security risks and physical host security audit risks; management agent operation security risks comprise host operation behavior risks, data center operation behavior risks, virtual machine operation behavior risks, network operation behavior risks and storage operation behavior risks.
The IPS application security risk rule is based on the risk logs of security equipment such as an IPS application or a firewall. It can identify the type and version of the software running on a server and, combined with Web traffic, can additionally identify the type, version and possible 0day vulnerabilities of the software running on a target server, so that illegal cloud resource operation behaviors under an intrusion can be audited and discovered. From the original IPS risk log, the attack type corresponding to the service is identified, including 0day software vulnerabilities and the software versions carrying them; for example, a 0day vulnerability of a Struts1.0 or Struts2.0 application may exist in the corresponding target application, through which the application service software is breached to obtain Web Shell user permission. The security of the cloud service provider's managed resources is then affected by penetration via that Web Shell user permission. Table 1 lists the Web application security types and their descriptions.
TABLE 1
The physical host is the physical underlying service of the cloud service provider and is generally not directly accessible to management users; its availability and any operation on it affect the security risk of the virtual machine systems on the host, as well as the data leakage and availability risk of the service systems.
Based on the physical host security audit log, account security, network operation and disk operation on the host are analyzed.
The physical host security audit risk log is used for auditing the host security on the physical layer, and the audit event types are shown in table 2:
TABLE 2
The physical host security audit and IPS joint audit cases are analyzed through two cases:
Case 1: Host security penetration initiated through a Struts2 0day vulnerability
1. Case phenomenon:
A large number of failed login attempt records are found in the physical host security audit log of an operator environment. The behavior originates from a virtual machine IP on the host and is abnormal, but the risk of this behavior was not audited by the operator.
2. Platform audit log analysis:
1) By analyzing the physical security audit log, the audit platform discovers a large number of login failure logs that all come from the same virtual machine IP address;
2) By analyzing the logs of the IPS application firewall, the audit platform discovers that, on the time axis before the login failures, a large number of addresses simulating normal requests exist, and the platform determines that a Struts2 application exists on the target server;
3) Joint analysis by the IP address dimension finds that a large number of URL requests simulating normal requests exist for the IP address while a Struts application mark exists on the target virtual server; the physical host security audit log shows that the IP has a large number of abnormal login failure behaviors.
3. Analysis results:
Because the virtual machine at this IP has a Struts2 Web application 0day vulnerability, normal-looking request information from an external network IP exists in the IPS log (Web attack requests are forged into normal requests by simulation); the physical host audit log shows that this virtual machine IP carried out a large number of login attempts (password brute forcing and the like) against the physical host. Together these indicate that the virtual host probably has a Struts2 application web vulnerability and a webshell, that the virtual host has been penetrated, that the related behaviors are risky, and that a large number of login attempts (unsuccessful logins) are being made against the current physical host. The overall impact of the event is that the intranet could be used to penetrate the physical host, which is a high security risk.
4. Rule formation:
Through case analysis we can form the rules needed for this case from the IPS log and the host audit log. The host audit log rule is shown in table 3 and the IPS log rule in table 4:
Host event type | Operation | Description
USER_LOGIN | Multiple source IP login failures | Triggered when a user's login fails multiple times.
TABLE 3
TABLE 4 Table 4
Case 2: Host security penetration initiated through a Tomcat application upload function vulnerability
1. Case phenomenon:
A large number of requests for the same address are found in the IPS log of an operator environment, the count being several times higher than that of other ordinary request addresses. The host security audit log shows multiple login authentication attempts against the target address server IP, all coming from the same virtual machine IP on the host; the behavior is abnormal but was not audited by the operator.
2. Platform audit log analysis:
1) IPS log analysis finds a large number of identical HTTP requests whose target address is accessed several times more often than other addresses, while a Tomcat service application mark exists on the target virtual server;
2) By analyzing the physical security audit log, the audit platform discovers a large number of login failure logs that all come from the same virtual machine IP address;
3) Joint analysis by the IP address dimension finds that the requested address on the target server is a webshell address under the jsp service path; the physical host security audit log shows that the IP has a large number of abnormal login behaviors.
3. Analysis results:
Because the Tomcat Web application on the virtual machine at this IP has an upload vulnerability and does not check the suffix of uploaded files, an unsafe jsp webshell file was uploaded successfully; at the same time, a large number of requests were sent to the jsp service to run webshell commands; from that server shell environment, a large number of login attempts (password brute forcing and the like) were made against the physical host. The related behaviors carry high risk: root authority on the virtual machine was obtained by uploading a jsp webshell, and high-risk penetration of the physical host can be achieved through the intranet.
4. Rule formation:
Through case analysis we can form the rules needed for this case from the IPS log and the host audit log. The host audit log rule is shown in table 5 and the IPS log rule in table 6:
Host event type | Operation | Description
USER_LOGIN | Multiple source IP login failures | Triggered when a user's login fails multiple times.
TABLE 5
TABLE 6
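Both cases end in the same joint rule: many USER_LOGIN failures against the physical host from one virtual machine IP (tables 3 and 5), correlated with IPS-side requests that concentrate on that virtual server and an application mark on it. The following is an added example, not code from the patent, that implements this correlation as detection logic over constructed log lines; the log formats, field names, thresholds and addresses are assumptions.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not real data). Host security audit format assumed as
# "<ts> <event_type> src=<vm ip> user=<u> result=<OK|FAIL>".
HOST_AUDIT_LOG = """\
2021-09-01T01:00:01 USER_LOGIN src=10.10.1.23 user=root result=FAIL
2021-09-01T01:00:02 USER_LOGIN src=10.10.1.23 user=root result=FAIL
2021-09-01T01:00:03 USER_LOGIN src=10.10.1.23 user=admin result=FAIL
2021-09-01T01:00:04 USER_LOGIN src=10.10.1.23 user=root result=FAIL
2021-09-01T01:00:05 USER_LOGIN src=10.10.1.23 user=root result=FAIL
2021-09-01T01:00:06 USER_LOGIN src=10.10.1.23 user=root result=FAIL
2021-09-01T02:10:00 USER_LOGIN src=10.10.1.40 user=ops result=OK
2021-09-01T02:11:00 USER_LOGIN src=10.10.1.40 user=ops result=FAIL
"""

# Constructed IPS / application firewall lines, format assumed as
# "<ts> src=<external ip> dst=<virtual server ip> url=<path> app=<application mark>".
IPS_LOG = """\
2021-09-01T00:58:00 src=203.0.113.7 dst=10.10.1.23 url=/svc/run.jsp app=tomcat
2021-09-01T00:58:01 src=203.0.113.7 dst=10.10.1.23 url=/svc/run.jsp app=tomcat
2021-09-01T00:58:02 src=203.0.113.7 dst=10.10.1.23 url=/svc/run.jsp app=tomcat
2021-09-01T00:58:03 src=203.0.113.7 dst=10.10.1.23 url=/svc/run.jsp app=tomcat
2021-09-01T00:58:04 src=203.0.113.7 dst=10.10.1.23 url=/index.html app=tomcat
2021-09-01T00:59:00 src=198.51.100.9 dst=10.10.1.40 url=/home app=nginx
"""


def parse_kv_lines(text: str) -> List[Dict[str, str]]:
    """Parse '<ts> [EVENT_TYPE] key=value ...' lines into dicts; a bare token is the event type."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *tokens = line.split()
        rec = {"ts": ts}
        for tok in tokens:
            if "=" in tok:
                key, value = tok.split("=", 1)
                rec[key] = value
            else:
                rec["event_type"] = tok
        records.append(rec)
    return records


def login_failures_by_source(host_records: List[Dict[str, str]]) -> Counter:
    """Table 3/5 rule: count USER_LOGIN failures per source IP as seen by the physical host."""
    fails: Counter = Counter()
    for rec in host_records:
        if rec.get("event_type") == "USER_LOGIN" and rec.get("result") == "FAIL":
            fails[rec["src"]] += 1
    return fails


def concentrated_requests(ips_records: List[Dict[str, str]], target_ip: str,
                          ratio: int) -> Optional[Tuple[str, int, set]]:
    """IPS-side signal: one URL on target_ip is requested at least `ratio` times more than the runner-up."""
    urls: Counter = Counter()
    apps = set()
    for rec in ips_records:
        if rec.get("dst") == target_ip:
            urls[rec.get("url", "")] += 1
            apps.add(rec.get("app", ""))
    if not urls:
        return None
    ranked = urls.most_common(2)
    top_url, top_n = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 1
    return (top_url, top_n, apps) if top_n >= ratio * runner_up else None


def joint_analysis(host_log: str, ips_log: str, fail_threshold: int = 5, ratio: int = 3,
                   app_marks: Tuple[str, ...] = ("struts2", "tomcat")) -> List[Dict]:
    """Join the two logs on the VM IP: src of host login failures == dst of IPS requests."""
    host = parse_kv_lines(host_log)
    ips = parse_kv_lines(ips_log)
    alerts = []
    for vm_ip, fails in login_failures_by_source(host).items():
        if fails < fail_threshold:
            continue
        hit = concentrated_requests(ips, vm_ip, ratio)
        if hit is None:
            continue
        url, count, apps = hit
        marks = sorted(a for a in apps if a in app_marks)
        if not marks:  # no Struts2/Tomcat mark on the target: keep it out of this rule
            continue
        alerts.append({
            "vm_ip": vm_ip, "login_failures": fails, "hot_url": url,
            "hot_url_requests": count, "app_marks": marks,
            "risk": "high: VM shows web exposure and is attempting logins to its physical host",
        })
    return alerts
```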
Management agent operation of a cloud service provider platform virtualization layer is an important audit analysis target of the audit device, wherein the cloud service provider audit operation behavior event types comprise: host operation behavior, data center operation behavior, virtual machine operation behavior, network operation behavior, and storage operation behavior.
The host operation behavior rules mainly form operation behavior events in the aspects of user login, authorization, passwords and the like; the risk of operation behavior is analyzed from multiple dimensions of time, place, operation target object, behavior result and the like, and the main manifestation is as shown in table 7:
TABLE 7
The data center operation behavior rules mainly form operation behavior events in the aspects of user login, authorization, passwords, data import and export and the like; the risk of operation behavior is analyzed from multiple dimensions of time, place, operation target object, behavior result and the like, and the main manifestation is as shown in table 8:
TABLE 8
The virtual machine operation behavior rules mainly form operation behavior events in the aspects of virtual machine cloning, virtual machine deleting, virtual machine starting, closing, snapshot, virtual machine creating and the like of a user; the risk of operation behavior is analyzed from multiple dimensions such as time, place, operation target object, behavior result and the like, and the main embodiment is as shown in table 9:
TABLE 9
The network operation behavior rules mainly form operation behavior events in terms of network access control list (AccessControlLists, ACL) configuration, network allocation, network reclamation and the like of users; the risk of operation behavior is analyzed from multiple dimensions of time, place, operation target object, behavior result and the like, and the risk of operation behavior is mainly represented as shown in table 10:
Table 10
The storage operation behavior rules mainly form operation behavior events for user operations such as mounting, deleting, expanding, reclaiming and allocating storage; the risk of the operation behavior is analyzed from multiple dimensions such as time, place, operation target object and behavior result, and is mainly represented as shown in table 11:
TABLE 11
Based on the above audit rule, the embodiment of the application provides a cloud service business risk analysis method, as shown in fig. 1, specifically including the following steps:
s101, collecting operation log data of cloud service provider users.
Optionally, in another embodiment of the present application, an implementation manner of step S101 specifically includes: remotely collecting operation log data of a cloud service provider user through a containment protocol and/or a hypertext transfer protocol interface; and acquiring operation log data of the cloud service provider user in an off-line uploading mode.
Remote collection of the cloud service provider user's operation log data through Secure Shell (SSH) may be, but is not limited to, the following: the log collector collects source data according to the configured log collection settings of the target collection server, in three steps: configure the SSH remote server information; create the remote SSH collection configuration; and configure Logstash in the background adaptation layer and have the collection end send the collected data over SSH.
Remote collection of the cloud service provider user's operation log data through a Hypertext Transfer Protocol (HTTP) interface may be, but is not limited to, the following: the log collector collects the HTTP source log file based on the HTTP address collection configuration, in two steps: configure the HTTP remote address information; and configure Logstash in the background adaptation layer and issue the HTTP collection end locally to collect the data.
Acquiring the cloud service provider user's operation log data in an off-line upload mode may be, but is not limited to, the following: offline file log collection is selected to configure the host, network, virtual machine, storage and data center log directories (Logstash), in three steps: upload the offline log to the server; create the remote local service collection configuration and select the corresponding uploaded offline log; and configure Logstash in the background adaptation layer to collect the data locally at the collection end.
S102, processing operation log data based on a preset audit rule to obtain behavior event data.
Specifically, it is judged whether the current situation matches the condition of an audit rule; if so, the corresponding behavior type and description information, namely the behavior event data, are obtained by matching, querying and similar means.
The audit rules are defined on the basis of the source log data gathered by the log collector: through the collection flow, the source log data are preprocessed, analysed and converted into cloud service provider operation behavior event objects, whose event object model is maintained by the audit rule management subsystem. Behavior operation risk is analysed by distinguishing a behavior along one or more dimensions, namely time, place, actor (agent) and behavior result, through the overall analysis of normal audited behaviors and abnormal behaviors, so as to discover whether the manager's operation is compliant and safe.
For example: when the situation that [any user] performs a [mount] operation with [any result] at [any place] during [8 o'clock in the evening to 6 o'clock in the morning] occurs, a storage operation behavior risk is currently indicated; the specific behavior type is mounting, and the specific description information is a non-working-time mount by the user.
Of course, in the specific implementation process of the present application, the audit rule may also be managed, so in another embodiment of the present application, an implementation of the method for analyzing risk of cloud service business further includes: and receiving and responding to the audit rule management instruction.
Specifically, the audit rule management instructions may include, but are not limited to: new creation, deletion modification, activation, deactivation, weight setting of audit rules, etc.
Taking the behavior data obtained after data acquisition and preprocessing as the reference events, the cloud service business operation behaviors are defined as unified behavior events, and the operation risk behaviors present in those events are expressed along different dimensions (time, target, agent, event result, etc.); the relevant rules are defined through the flexible and expressive Elasticsearch query DSL. The risk rules are written in the Elasticsearch DSL and Elasticsearch SQL rule formats.
Samples of the risk rule format content are as follows:
Elasticsearch DSL statement sample:
Elasticsearch SQL statement sample:
SELECT HISTOGRAM("@timestamp", INTERVAL 5 MINUTE) ti, userId, COUNT(*) c FROM openstack_logs3_new GROUP BY ti, userId HAVING c > 3
That is, the events in the openstack_logs3_new index are bucketed into 5-minute histogram intervals per userId, and every (interval, user) pair with more than three events is reported.
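The dimension matching described above and the Elasticsearch SQL threshold rule, as an added example in Python that is not part of the patent: it encodes the [any user]/[mount]/[any result]/[any place]/[evening to morning] rule as a dictionary, matches unified behavior events against it (including the case where the time window wraps past midnight, which a naive start <= t <= end comparison never matches), and reproduces the HISTOGRAM / HAVING c > 3 rule offline by bucketing events per user into 5-minute intervals. The rule layout, the ANY wildcard, the UTC interpretation of timestamps and the sample events are assumptions of the example, not of the page.

```python
"""Audit-rule evaluation over unified behavior events.

Added example, not code from the patent. It uses the unified event fields
named in the text (timestamp, sourceIp, sourceObj, destIP, destObj,
eventType, actionType, msg, EVENTLEVEL, actionResult); the rule layout,
the ANY wildcard and the sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

ANY = "*"  # wildcard: the rule does not constrain this dimension

# Hypothetical encoding of the text's example: [any user] performs a
# [mount] with [any result] from [any place] during the off-hours window.
MOUNT_OFF_HOURS = {
    "name": "non-working-time disk mount",
    "eventType": "storage operation behavior",
    "actor": ANY,
    "actionType": "disk mount",
    "place": ANY,
    "result": ANY,
    "window": ("20:00", "06:00"),  # start > end: the window wraps midnight
}

# Constructed sample events (epoch seconds, interpreted in UTC).
# 1700000000 is 22:13 UTC; 1700043200 is 10:13 UTC the next day.
EVENTS = [
    {"timestamp": 1700000000, "sourceIp": "127.0.11.3", "sourceObj": "admin1",
     "destIP": "10.0.0.20", "destObj": "vol-data-01",
     "eventType": "storage operation behavior", "actionType": "disk mount",
     "msg": "attach volume", "EVENTLEVEL": "info", "actionResult": "success"},
    {"timestamp": 1700043200, "sourceIp": "127.0.11.3", "sourceObj": "admin1",
     "destIP": "10.0.0.20", "destObj": "vol-data-01",
     "eventType": "storage operation behavior", "actionType": "disk mount",
     "msg": "attach volume", "EVENTLEVEL": "info", "actionResult": "success"},
] + [
    {"timestamp": 1700000000 + 10 * i, "sourceIp": "10.0.0.7", "sourceObj": "ops2",
     "destIP": "10.0.0.21", "destObj": "vm-web-01",
     "eventType": "virtual machine behavior", "actionType": "virtual machine clone",
     "msg": "clone", "EVENTLEVEL": "info", "actionResult": "success"}
    for i in range(4)
]


def in_window(ts, start, end, tz=timezone.utc):
    """True if the event's time of day lies in [start, end), given as HH:MM.
    A window whose end precedes its start (e.g. 20:00-06:00) wraps midnight."""
    t = datetime.fromtimestamp(ts, tz).strftime("%H:%M")
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def matches(rule, ev):
    """Match one event against one rule on every dimension the rule fixes."""
    dims = (("eventType", "eventType"), ("actor", "sourceObj"),
            ("actionType", "actionType"), ("place", "sourceIp"),
            ("result", "actionResult"))
    for rkey, ekey in dims:
        want = rule.get(rkey, ANY)
        if want != ANY and ev.get(ekey) != want:
            return False
    if "window" in rule and not in_window(ev["timestamp"], *rule["window"]):
        return False
    return True


def evaluate(rules, events):
    """Return (rule name, event index) for every event that violates a rule."""
    return [(r["name"], i) for i, ev in enumerate(events)
            for r in rules if matches(r, ev)]


def frequency_hits(events, interval_s=300, threshold=3):
    """In-memory equivalent of the Elasticsearch SQL sample: bucket events per
    user into fixed intervals and report (bucket start, user, count) for every
    bucket holding more than `threshold` events."""
    counts = defaultdict(int)
    for ev in events:
        bucket = ev["timestamp"] - ev["timestamp"] % interval_s
        counts[(bucket, ev["sourceObj"])] += 1
    return sorted((b, u, c) for (b, u), c in counts.items() if c > threshold)


if __name__ == "__main__":
    print(evaluate([MOUNT_OFF_HOURS], EVENTS))
    print(frequency_hits(EVENTS))
```

The frequency function is the offline counterpart of the SQL sample; against the Elasticsearch index described later in the text the same condition is evaluated by the query itself, and only its hits become behavior risk events.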
Optionally, in another embodiment of the present application, an implementation manner of step S102, as shown in fig. 2, includes:
S201, integrating the operation log data according to the preset audit rules to obtain a data mapping that can be preprocessed.
For the original behavior logs of the cloud service provider, the auditing device performs preprocessing analysis on the two large classes of managed-resource behaviors and agent operation behaviors, and on the different subclasses of management agent operations, for example: log analysis and preprocessing of the different behaviors (host operation behavior, data center operation behavior, virtual machine operation behavior, network operation behavior and storage operation behavior) on the OpenStack, vCenter and Hyper-V platforms.
Among the OpenStack logs, the user login log is horizon-access.log; the cloud hard disk (volume) usage log is cinder-volume.log; the cloud host usage log is nova-compute.log; the network usage log is neutron-server.log.
S202, converting the data mapping to obtain behavior event data in a unified format.
The unified format of the behavior event data comprises the following field information:
time, source IP address, source object (mainly the operator), target IP, operation target object, event type, operation behavior type, message, operation result, level, and the like.
For example: {"timestamp": 15300280101, "sourceIp": "127.0.11.3", "sourceObj": "admin1", "destIP": "127.0.1", "destObj": "virtual machine a", "eventType": "virtual machine behavior", "actionType": "virtual machine clone", "msg": "...the source log msg", "EVENTLEVEL": "error", "actionResult": ""}
Specifically, after the behavior event data in the unified format are obtained, they are stored in the Elasticsearch database of the auditing device.
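A normalizer for step S202, as an added Python example that is not the patent's code: two constructed raw-line formats, standing in for an OpenStack service log and a vCenter log, are mapped onto the unified fields listed above, the level vocabulary is harmonized, and any record for which no event type can be assigned is rejected rather than stored as a partial event. The raw formats, the (platform, service) to event type table and the sample lines are constructed for illustration and are not the real nova-compute or vCenter formats.

```python
"""Normalizing raw operation logs into the unified behavior event format.

Added example, not code from the patent. The two raw line formats are
constructed and are NOT the real nova-compute or vCenter log formats; the
unified field names follow the patent's sample event, and the
(platform, service) -> event type table is hypothetical.
"""
import re

REQUIRED = ("timestamp", "sourceIp", "sourceObj", "destIP", "destObj",
            "eventType", "actionType", "msg", "EVENTLEVEL", "actionResult")

# Hypothetical mapping of source service to the event classes in the text.
EVENT_TYPE = {
    ("openstack", "horizon-access"): "cloud platform login behavior",
    ("openstack", "cinder-volume"): "storage operation behavior",
    ("openstack", "nova-compute"): "virtual machine behavior",
    ("openstack", "neutron-server"): "network operation behavior",
    ("vcenter", "vpxd"): "virtual machine behavior",
}
LEVELS = {"INFO": "info", "WARNING": "warning", "ERROR": "error", "CRITICAL": "error"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_openstack(line):
    """Constructed key=value format:
    ts=<epoch> svc=<service> level=<L> user=<u> src=<ip> host=<ip>
    target=<obj> action=<a> result=<r> msg="<text>" """
    kv = {k: v.strip('"') for k, v in KV.findall(line)}
    return {
        "timestamp": int(kv["ts"]),
        "sourceIp": kv.get("src"),
        "sourceObj": kv.get("user"),
        "destIP": kv.get("host"),
        "destObj": kv.get("target"),
        "eventType": EVENT_TYPE.get(("openstack", kv.get("svc"))),
        "actionType": kv.get("action"),
        "msg": kv.get("msg", ""),
        "EVENTLEVEL": LEVELS.get(kv.get("level", "INFO").upper(), "info"),
        "actionResult": kv.get("result", ""),
    }


def parse_vcenter(line):
    """Constructed pipe-separated format:
    <epoch>|<user>|<src ip>|<esxi ip>|<vm>|<action>|<level>|<result>|<message>"""
    ts, user, src, host, vm, action, level, result, msg = line.split("|", 8)
    return {
        "timestamp": int(ts), "sourceIp": src, "sourceObj": user,
        "destIP": host, "destObj": vm,
        "eventType": EVENT_TYPE[("vcenter", "vpxd")], "actionType": action,
        "msg": msg, "EVENTLEVEL": LEVELS.get(level.upper(), "info"),
        "actionResult": result,
    }


PARSERS = {"openstack": parse_openstack, "vcenter": parse_vcenter}


def normalize_batch(records):
    """records: iterable of (platform, raw line). Returns (events, rejects):
    events in the unified format; rejects as (line, reasons), so that lines
    that cannot be mapped are reported instead of being stored half-filled."""
    events, rejects = [], []
    for platform, line in records:
        try:
            ev = PARSERS[platform](line)
        except (KeyError, ValueError) as exc:
            rejects.append((line, [f"parse error: {exc}"]))
            continue
        missing = [f for f in REQUIRED if ev.get(f) is None]
        if missing:
            rejects.append((line, missing))
        else:
            events.append(ev)
    return events, rejects


# Constructed sample records (not real log output).
RAW_RECORDS = [
    ("openstack", 'ts=1530028010 svc=nova-compute level=ERROR user=admin1 '
                  'src=127.0.11.3 host=10.0.0.20 target="virtual machine a" '
                  'action="virtual machine clone" result=failed msg="the source log msg"'),
    ("vcenter", "1530028011|ops2|10.0.0.7|10.0.0.21|vm-web-01|PowerOffVM|info|success|VM powered off"),
    # unknown service: no event type can be assigned, so this line is rejected
    ("openstack", 'ts=1530028012 svc=glance-api level=INFO user=admin1 '
                  'src=127.0.11.3 host=10.0.0.20 target=img-1 action="image upload" result=success msg="x"'),
]

if __name__ == "__main__":
    print(normalize_batch(RAW_RECORDS))
```

Rejected lines are returned together with the missing fields so that a source whose mapping is incomplete shows up in the collection statistics instead of silently thinning out the audit evidence.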
Risk rule management: operations performed through the browser are processed by the server-side audit rule management service and stored in the database; the user of the cloud service business auditing device adds, deletes and defines risk rules through risk rule management in order to manage the operation risk behaviors of the cloud service business.
S103, generating an analysis result according to the behavior event data.
The behavior analysis result is whether the operation behavior of the cloud service user is at risk.
It will be appreciated that different cloud service users may have their own operational habits, and for this purpose, in another embodiment of the present application, an implementation after step S102, as shown in fig. 3, further includes:
S301, matching behavior event data in behavior portraits of cloud service provider users to obtain matching results.
The behavior portrait is defined as follows: the audit task identifies the list of related agents through the operation behavior portrait; each agent is scored and labeled according to its operation behavior events; the scoring rules are based on the audit rules and score within 1-100 according to the number of risk occurrences; where the same audit rule has several different scoring rules, they are combined by a weighted average.
The data source for building the behavior portrait is the behavior log data relating to the operation behaviors of the cloud service provider user, including virtual machine start and stop, virtual machine creation, virtual machine deletion, virtual machine cloning, virtual machine snapshot, virtual machine restart, virtual machine shutdown, cloud platform login and logout, host configuration change, disk allocation, disk deletion, disk mount operation, disk expansion, disk reclamation, network creation, network allocation, network ACL configuration, network ACL deletion, host user login, host shutdown, host password modification, host user authorization, and the like.
Of course, in the specific implementation process of the present application, the behavior portraits may also be managed, so in another embodiment of the present application, an implementation method of the cloud service business risk analysis method further includes: a behavior representation management instruction is received and responded.
Specifically, the behavior portrait management instructions may include, but are not limited to: creating, deleting, modifying and changing user portraits in the behavior portrait; creating, deleting and modifying the label rules of the behavior portrait; and creating, deleting and modifying the scoring rules of the behavior portrait. After an audit task has been executed, a behavior portrait task is created.
The behavior portrait manager clicks the behavior portrait through a browser, selects an agent (namely a user) identified by an audit task, performs portrait generation and portrait update operations on the agent, and performs grading and labeling data statistical analysis on agent operation events in the portrait generation and portrait update tasks.
Optionally, in another embodiment of the present application, an implementation of the portrait generation method, as shown in fig. 4, includes:
S401, historical behavior event data of cloud service provider users are identified and classified, and behavior type data of multiple categories are obtained.
The historical behavior event data of the cloud service provider user are mainly obtained by calling and reading through the cloud platform interfaces. Specifically, the cloud platform interface calling mode calls the cloud platform SDK and API interfaces to read data such as cloud platform assets, configuration and operation behaviors from the vSphere management platform and the OpenStack management platform; this mode requires only a user name and password with read-only permission. The protocol reading mode mainly obtains system logs such as cloud platform configuration and operation behaviors from the cloud platform hosts, physical hosts and virtual machines through the Syslog protocol, and reads data such as system configuration, network interfaces, CPU, load, memory and disks from the cloud platform hosts, virtual machines and network devices through the SNMP protocol.
And S402, scoring the behavior type data by utilizing scoring rules corresponding to the auditing rules aiming at each piece of behavior type data to obtain the score of the behavior type data.
Specifically, the scoring formula may employ, but is not limited to:
Composite mean score = avg(sum(score value))
That is, the scoring rules related to an audit rule are obtained and the score of each scoring rule is multiplied by its weight; the weighted values of all scoring rules are summed; and finally the composite average is calculated.
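The scoring step, as an added Python example that is not the patent's code: each audit rule carries one or more scoring rules with weights, each scoring rule turns a risk occurrence count into a 1-100 score, the scores belonging to one audit rule are combined by a weighted average as the text describes, and the composite mean over all audit rules together with the top-scoring labels are the data later drawn on the radar chart. The scoring-rule shapes (linear and banded), the weights, the rule names and the sample hit counts are hypothetical.

```python
"""Behavior-portrait scoring: weighted average per audit rule, composite mean.

Added example, not code from the patent. The 1-100 range, the weighted
average over the scoring rules of one audit rule and the composite mean
follow the text; the scoring-rule shapes, weights, rule names and sample
hit counts are hypothetical.
"""


def clamp(score, lo=1, hi=100):
    """Keep every score inside the 1-100 range used by the portrait."""
    return max(lo, min(hi, score))


def score_by_count(hits, per_hit):
    """Linear scoring rule: per_hit points per risk occurrence."""
    return clamp(hits * per_hit)


def score_by_band(hits, bands):
    """Banded scoring rule: bands is an ascending list of (max_hits, score);
    counts above the last band score 100."""
    for limit, score in bands:
        if hits <= limit:
            return clamp(score)
    return 100


# Hypothetical scoring rules attached to each audit rule: (weight, scorer).
SCORING_RULES = {
    "non-working-time disk mount": [
        (2, lambda n: score_by_count(n, 20)),
        (1, lambda n: score_by_band(n, [(0, 1), (2, 30), (5, 70)])),
    ],
    "vm clone burst": [(1, lambda n: score_by_count(n, 10))],
}


def rule_score(rule_name, hits):
    """Weighted average of all scoring rules defined for one audit rule."""
    rules = SCORING_RULES[rule_name]
    total_weight = sum(w for w, _ in rules)
    return sum(w * scorer(hits) for w, scorer in rules) / total_weight


def portrait(hit_counts):
    """hit_counts: {audit rule name: number of matching events for one agent}.
    Returns ({rule: score}, composite mean score): the radar-chart axes and
    the headline value for that agent."""
    scores = {rule: rule_score(rule, n) for rule, n in hit_counts.items()}
    composite = sum(scores.values()) / len(scores) if scores else 0.0
    return scores, composite


def top_labels(scores, n=3):
    """Highest-scoring audit rules, used as the agent's key behavior labels."""
    return [rule for rule, _ in sorted(scores.items(), key=lambda kv: -kv[1])[:n]]


if __name__ == "__main__":
    # constructed hit counts for one agent
    print(portrait({"non-working-time disk mount": 3, "vm clone burst": 4}))
```

With the sample counts the mount rule scores (2*60 + 1*70)/3 and the clone rule 40, so the composite is their mean; an agent with zero hits still scores 1, the floor of the range.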
S403, generating behavior portraits of the cloud service provider user based on the scores of all the behavior type data.
Specifically, all rule scores are analysed and displayed on the manager's task portrait through a radar chart, and the displayed content is: audit rule risk analysis based on the log event data; analysis, processing and results of the operation behavior context of the risk events; portrait analysis based mainly on user operation behavior; and analysis and display of the user's key Top operation behavior labels.
S302, generating an analysis report according to the matching result.
The analysis report is used for determining whether the operation behavior of the cloud service provider user is abnormal or not.
In the practical application of the present application, the audit analysis of the source log data is performed according to the audit rules; the source log of a formed audit task has a time range that is based on the final off-line data; the corresponding behavior risk logs can be analysed by rule according to the audit rules; the valid behavior logs allow the operation context to be identified; and the risk audit is performed through the operation context and the audit rules.
Likewise, each audit task can be accessed through the cloud platform data access entrance, and security assessment personnel set basic information of the cloud platform to be audited, namely operations such as new creation, deletion, modification and the like of the audit task; starting, restarting, stopping and other operations of the auditing task; persistent storage and retrieval of audit tasks; configuration of an audit task, wherein the configuration content at least comprises related rules and audit object logs of audit required by the audit task; the starting time of the task can be customized, and the task delay starting is supported.
And the audit task device manager clicks and starts the audit task through a browser, and transmits the audit task to a subsystem task center server end for starting a background task, and data analysis and risk rule inspection statistics are carried out in the task execution process.
Optionally, in another embodiment of the present application, after obtaining the analysis report, an implementation manner of the analysis method of the risk of cloud service business further includes: determining operation behaviors with a preset number of abnormal operations in an analysis report, and generating abnormal operation behavior labels; and all abnormal operation behavior tags are displayed.
Because audit work needs to be supported by historical evidence, the operation behavior tracing module provides security assessment personnel with tracing of all cloud platform operation behaviors, including data center operation behavior, host operation behavior, virtual machine operation behavior, network operation behavior and storage operation behavior. Security assessment personnel can enter a combination of search conditions such as host name, behavior type, cloud manager name, IP address and time period, which a dedicated operation behavior tracing engine processes in order to trace information about users, virtual machines, target addresses, hardware devices and the like. Abnormal behaviors can also be displayed graphically, and the operation behavior information of a designated host, virtual machine, IP or user can be exported. Thus, in another embodiment of the present application, an implementation of the method for analysing the risk of cloud service business behavior further includes: receiving and responding to a search instruction input by the assessment personnel to obtain a tracking log; wherein the tracking log can be exported and displayed graphically, and the graph includes the abnormal operation behaviors.
Operation behavior tracing should trace the data in the operation behavior events, including: tracing of data center operation behaviors, host operation behaviors, virtual machine operation behaviors, network operation behaviors and storage operation behaviors; security assessment personnel can enter a combination of search conditions such as host name, behavior type, cloud manager name, IP address and time period; large volumes of data are supported with fast retrieval; trace data can be exported; and abnormal behaviors can be displayed graphically. Operation behavior tracing management is operated through the browser and then passed to the behavior tracing service, which processes it with the search engine; the user behavior tracing engine of the cloud service business behavior auditing device performs multidimensional combined analysis, tracing and export of trace data on the related behaviors.
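The combined-condition search of the tracing module, as an added Python example that is not the patent's code: the search conditions named above (host name, behavior type, cloud manager name, IP address, time period) are mapped onto fields of the unified event format, applied in memory to a constructed event list, expressed as the equivalent Elasticsearch bool query for the stored index, and the result is exported as CSV. The condition-to-field mapping, the helper that builds events and the sample events are assumptions of the example.

```python
"""Operation-behavior tracing: combined search conditions over unified events.

Added example, not code from the patent. Field names follow the patent's
sample event; the mapping of search conditions to fields, the _ev helper
and the sample events are constructed for illustration.
"""
import csv
import io

# Hypothetical mapping of search condition -> unified event field(s).
FIELDS = {
    "host": ("destObj",),
    "behavior": ("actionType",),
    "manager": ("sourceObj",),
    "ip": ("sourceIp", "destIP"),  # an IP may appear on either side
}


def _ev(ts, user, src, host, obj, etype, action, result="success"):
    """Build one unified event (constructed sample data)."""
    return {"timestamp": ts, "sourceIp": src, "sourceObj": user, "destIP": host,
            "destObj": obj, "eventType": etype, "actionType": action,
            "msg": action, "EVENTLEVEL": "info", "actionResult": result}


EVENTS = [
    _ev(1700000000, "admin1", "127.0.11.3", "10.0.0.20", "host-a",
        "host operation behavior", "host user login"),
    _ev(1700000300, "admin1", "127.0.11.3", "10.0.0.21", "vm-web-01",
        "virtual machine behavior", "virtual machine clone"),
    _ev(1700000600, "ops2", "10.0.0.7", "10.0.0.21", "vm-web-01",
        "virtual machine behavior", "virtual machine delete", "failed"),
    _ev(1700090000, "ops2", "10.0.0.7", "10.0.0.20", "host-a",
        "host operation behavior", "host shutdown"),
]


def trace(events, start=None, end=None, **conds):
    """Events matching every given condition (AND across conditions, OR across
    the fields one condition maps to) with timestamp inside [start, end]."""
    out = []
    for ev in events:
        if start is not None and ev["timestamp"] < start:
            continue
        if end is not None and ev["timestamp"] > end:
            continue
        if all(any(ev.get(f) == v for f in FIELDS[k]) for k, v in conds.items()):
            out.append(ev)
    return out


def es_query(start=None, end=None, **conds):
    """The same search expressed as an Elasticsearch query DSL body."""
    must = []
    for k, v in conds.items():
        fields = FIELDS[k]
        if len(fields) == 1:
            must.append({"term": {fields[0]: v}})
        else:  # one condition over several fields: any of them may match
            must.append({"bool": {"should": [{"term": {f: v}} for f in fields],
                                  "minimum_should_match": 1}})
    rng = {}
    if start is not None:
        rng["gte"] = start
    if end is not None:
        rng["lte"] = end
    if rng:
        must.append({"range": {"timestamp": rng}})
    return {"query": {"bool": {"must": must}}, "sort": [{"timestamp": "asc"}]}


def export_csv(events):
    """Trace data export: the selected unified events as CSV text."""
    cols = ["timestamp", "sourceIp", "sourceObj", "destIP", "destObj",
            "eventType", "actionType", "actionResult", "EVENTLEVEL", "msg"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


if __name__ == "__main__":
    hits = trace(EVENTS, host="vm-web-01")
    print(export_csv(hits))
    print(es_query(ip="10.0.0.21", start=1700000000))
```

The in-memory filter and the query builder apply the same semantics, so a result exported from the browser can be reproduced directly against the Elasticsearch index when evidence has to be re-checked later.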
In the practical application process of the application, basic functions such as system configuration, user authority management and the like are also provided for security assessment personnel, and the specific functions are as follows: supporting user account management; supporting role management; supporting data dictionary configuration; supporting password modification and password complexity verification; the password must be modified for initial login; it is required to provide multi-user role-based access control functions.
The system management of the cloud service provider operation behavior auditing device mainly provides the administrator with the management, use and distribution of functions such as the platform data dictionary, user accounts, roles and multi-user role access control. It mainly comprises: adding, modifying, deleting and disabling user accounts and assigning roles to them; adding, modifying, deleting and authorizing roles; adding, modifying and deleting data dictionaries and configuring dictionary values; and allocating access control rights to multiple users, etc.
The system administrator clicks user account management, role management, data dictionary configuration and access control of multi-user roles through a browser, so that different users access and control different related module operations through the roles.
In the practical application of the present application, big-data user portrait technology is adopted to store and analyse the operation behaviors of cloud platform users over a long period, summarize the statistical regularities in the behavior data, obtain the labels of the cloud service provider's operation behavior data, search the labels in the portrait, trace back the historical operation behaviors, match and analyse them rapidly, generate an operation behavior analysis report, and detect whether a user's operation behavior is abnormal. The device used for this consists of four modules, namely data acquisition, data storage, data analysis, and management and application; the specific architecture is shown in figure 5.
The acquisition layer gathers the log information of the OpenStack and vSphere cloud platforms; the data storage layer comprises a MySQL relational database, a non-relational database and a file system; the data analysis engine consists of industry-mature stream and batch processing frameworks, and the users' behavior portrait results are stored in the relational database; the management and application layer displays the behavior portraits, evaluation reports and behavior trace logs on the one hand, and is responsible for the basic configuration of the system and for adding, deleting, restarting and stopping audit tasks on the other.
The system adopts a front-end/back-end separation architecture: the front end uses the React framework to implement the UI interaction; the back end adopts a Spring Boot microservice architecture. The system comprises a main function module, an audit task management module, an audit rule management module, data acquisition configuration management, audit task report management, manager behavior portraits, behavior log tracing and other modules; interaction with the front end takes place through a unified RESTful service gateway. The data store comprises basic user data and log analysis data; the basic user data are stored in the MySQL relational database, and the log analysis data are mainly stored, analysed and searched in the Elasticsearch database.
The unified RESTful service gateway mediates the interaction between the background microservice components and the front-end UI, so that the UI program does not interact directly with every microservice subsystem, and each microservice subsystem can be scaled horizontally according to its own resource requirements, achieving high availability of the system.
The Elasticsearch database is used to store the behavior risk events; Elasticsearch meets the storage requirements of large-volume logs, has notable advantages in full-text retrieval, and provides near-real-time query efficiency on large data volumes. The functional architecture of the operation behavior auditing system is shown in figure 6.
The application is deployed in Docker form and is divided into a WEB application server, an APP application server and a DB data server: the WEB application server mainly deploys the UI front-end service, the unified gateway service and the microservice registration center; the APP application server deploys the system management service, the JOB task subsystem, the acquisition module, the audit business microservices and so on required by the platform; the DB data server deploys the Elasticsearch database, the MySQL database, the MongoDB database and the Kibana visual analysis module. Reference may be made specifically to fig. 7.
According to the scheme, the application provides a cloud service business behavior risk analysis method, which comprises the following steps: firstly, collecting operation log data of a cloud service provider user; then, processing operation log data based on a preset audit rule to obtain behavior event data; finally, generating an analysis result according to the behavior event data; the behavior analysis result is whether the operation behavior of the cloud service user is at risk. Therefore, the purpose of accurately finding whether the cloud service provider operation behaviors have risks or not to effectively avoid the risks of the cloud service provider operation behaviors and guarantee the safety of the cloud service provider platform is achieved.
Another embodiment of the present application provides an analysis device for risk of cloud service business, as shown in fig. 8, which specifically includes:
And the acquisition unit 801 is used for acquiring operation log data of the cloud service provider user.
Optionally, in another embodiment of the present application, an implementation of the acquisition unit 801 includes:
And the acquisition subunit is used for remotely acquiring the operation log data of the cloud service provider user through the Secure Shell (SSH) protocol interface and/or the Hypertext Transfer Protocol (HTTP) interface.
And the off-line acquisition subunit is used for acquiring the operation log data of the cloud service provider user through off-line uploading.
The specific working process of the unit disclosed in the above embodiment of the present application can be referred to the corresponding method embodiment, and will not be described herein.
The processing unit 802 is configured to process the operation log data based on a preset audit rule to obtain behavior event data.
Optionally, in another embodiment of the present application, an implementation of the processing unit 802 includes:
and the integrating unit is used for integrating the operation log data according to a preset audit rule to obtain a preprocessed data map.
And the conversion unit is used for converting the data mapping to obtain behavior event data in a uniform format.
The specific working process of the unit disclosed in the above embodiment of the present application may refer to the content of the corresponding method embodiment, as shown in fig. 2, and will not be described herein.
And an analysis unit 803 for generating an analysis result according to the behavior event data. The behavior analysis result is whether the operation behavior of the cloud service user is at risk.
The specific working process of the unit disclosed in the above embodiment of the present application may refer to the content of the corresponding method embodiment, as shown in fig. 1, and will not be described herein.
Optionally, in another embodiment of the present application, an implementation manner of the analysis device for risk of cloud service business further includes:
And the matching unit is used for matching the behavior event data in the behavior image of the cloud service provider user to obtain a matching result.
And the generating unit is used for generating an analysis report according to the matching result.
The analysis report is used for determining whether the operation behavior of the cloud service provider user is abnormal or not.
The specific working process of the unit disclosed in the above embodiment of the present application may refer to the content of the corresponding method embodiment, as shown in fig. 3, and will not be described herein.
Optionally, in another embodiment of the present application, an implementation manner of the generation unit of the behavior image includes:
the classification unit is used for identifying and classifying the historical behavior event data of the cloud service provider user to obtain behavior type data of a plurality of categories.
And the scoring unit is used for scoring the behavior type data by utilizing the scoring rule corresponding to the auditing rule aiming at each piece of behavior type data to obtain the score of the behavior type data.
And the generation subunit of the behavior portraits is used for generating the behavior portraits of the cloud service provider users based on the scores of all the behavior type data.
The specific working process of the unit disclosed in the above embodiment of the present application can be referred to the content of the corresponding method embodiment, as shown in fig. 4, and will not be described herein.
Optionally, in another embodiment of the present application, an implementation manner of the analysis device for risk of cloud service business further includes:
the determining unit is used for determining the operation behaviors of the preset number of operation abnormalities in the analysis report and generating abnormal operation behavior labels.
The display unit is used for displaying all abnormal operation behavior labels.
The specific working process of the unit disclosed in the above embodiment of the present application can be referred to the corresponding method embodiment, and will not be described herein.
Optionally, in another embodiment of the present application, an implementation manner of the analysis device for risk of cloud service business further includes:
the receiving unit is used for receiving a search instruction input by an evaluation person;
The first response unit is used for responding to the search instruction to obtain a tracking log; wherein the tracking log is derivable and can be displayed in a graphical manner; the graph includes abnormal operation behavior.
The specific working process of the unit disclosed in the above embodiment of the present application can be referred to the corresponding method embodiment, and will not be described herein.
Optionally, in another embodiment of the present application, an implementation manner of the analysis device for risk of cloud service business further includes:
And the second response unit is used for receiving and responding to the audit rule management instruction.
The specific working process of the unit disclosed in the above embodiment of the present application can be referred to the corresponding method embodiment, and will not be described herein.
Optionally, in another embodiment of the present application, an implementation manner of the analysis device for risk of cloud service business further includes:
And the third response unit is used for receiving and responding to the behavior portrait management instruction.
The specific working process of the unit disclosed in the above embodiment of the present application can be referred to the corresponding method embodiment, and will not be described herein.
According to the scheme, the application provides an analysis device for cloud service business behavior risks: first, an acquisition unit 801 acquires operation log data of a cloud facilitator user; then, the processing unit 802 processes the operation log data based on a preset audit rule to obtain behavior event data; finally, the analysis unit 803 generates an analysis result from the behavioral event data; the behavior analysis result is whether the operation behavior of the cloud service user is at risk. Therefore, the purpose of accurately finding whether the cloud service provider operation behaviors have risks or not to effectively avoid the risks of the cloud service provider operation behaviors and guarantee the safety of the cloud service provider platform is achieved.
Another embodiment of the present application provides a server, as shown in fig. 9, including:
One or more processors 901.
A storage 902, on which one or more programs are stored.
The one or more programs, when executed by the one or more processors 901, cause the one or more processors 901 to implement a method of analyzing cloud service business risk as in any of the embodiments described above.
Another embodiment of the present application provides a computer storage medium having a computer program stored thereon, wherein the computer program when executed by a processor implements the method for analyzing risk of cloud service business as described in any of the above embodiments.
In the above embodiments of the present disclosure, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus and method embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in various embodiments of the present disclosure may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion. The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in essence or a part contributing to the prior art or a part of the technical solution, or in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present disclosure. And the aforementioned storage medium includes: a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Those skilled in the art will be able to make or use the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A method for analyzing the risk of cloud service business behavior, comprising:
collecting operation log data of a cloud service provider user;
processing the operation log data based on preset audit rules to obtain behavior event data; the audit rules are special-purpose audit rules formed by feature analysis and induction of the higher-risk operation behaviors of cloud service providers, directed at the security problems specific to cloud service providers, and the audit rules comprise host operation behavior rules, data center operation behavior rules, virtual machine operation behavior rules, network operation behavior rules and storage operation behavior rules;
performing an overall analysis of the behavior event data based on time, place, compliance agent and behavior result to generate an analysis result; the behavior analysis result indicates whether the operation behavior of the cloud service provider user is at risk;
matching the behavior event data against the behavior profile of the cloud service provider user to obtain a matching result; the behavior profile is determined based on the scores of the behavior type data of the respective categories of the cloud service provider user, and the scores of the behavior type data of the respective categories are determined from the historical behavior event data of the cloud service provider and the audit rules; different users have different behavior profiles;
generating an analysis report according to the matching result; the analysis report is used to determine whether the operation behavior of the cloud service provider user is abnormal.
2. The analysis method according to claim 1, wherein collecting operation log data of the cloud service provider user comprises:
remotely collecting operation log data of the cloud service provider user through a containment protocol and/or a hypertext transfer protocol interface; and
acquiring operation log data of the cloud service provider user by offline upload.
3. The analysis method according to claim 1, wherein processing the operation log data based on the preset audit rules to obtain behavior event data comprises:
integrating the operation log data according to the preset audit rules to obtain a data mapping that can be preprocessed; and
converting the data mapping to obtain behavior event data in a unified format.
4. The analysis method according to claim 1, wherein the behavior profile is generated by:
identifying and classifying the historical behavior event data of the cloud service provider user to obtain behavior type data of a plurality of categories;
for each item of behavior type data, scoring it with the scoring rule corresponding to the audit rule to obtain the score of that behavior type data; and
generating the behavior profile of the cloud service provider user based on the scores of all the behavior type data.
5. The analysis method according to claim 1, further comprising, after generating the analysis report according to the matching result:
determining a preset number of abnormal operation behaviors in the analysis report and generating abnormal operation behavior labels; and
displaying all abnormal operation behavior labels.
6. The analysis method according to claim 1, further comprising:
receiving a retrieval instruction input by evaluation personnel; and
responding to the retrieval instruction to obtain a tracking log; wherein the tracking log can be exported and presented graphically, and the graph includes the abnormal operation behavior.
7. The analysis method according to claim 1, further comprising:
receiving and responding to an audit rule management instruction.
8. The analysis method according to claim 1, further comprising:
receiving and responding to a behavior profile management instruction.
9. A device for analyzing the risk of cloud service business behavior, comprising:
an acquisition unit for acquiring operation log data of a cloud service provider user;
a processing unit for processing the operation log data based on preset audit rules to obtain behavior event data; the audit rules are special-purpose audit rules formed by feature analysis and induction of the higher-risk operation behaviors of cloud service providers, directed at the security problems specific to cloud service providers, and the audit rules comprise host operation behavior rules, data center operation behavior rules, virtual machine operation behavior rules, network operation behavior rules and storage operation behavior rules;
an analysis unit for performing an overall analysis of the behavior event data based on time, place, compliance agent and behavior result to generate an analysis result; the behavior analysis result indicates whether the operation behavior of the cloud service provider user is at risk;
a matching unit for matching the behavior event data against the behavior profile of the cloud service provider user to obtain a matching result; the behavior profile is determined based on the scores of the behavior type data of the respective categories of the cloud service provider user, and the scores of the behavior type data of the respective categories are determined from the historical behavior event data of the cloud service provider and the audit rules; different users have different behavior profiles;
a generating unit for generating an analysis report according to the matching result; the analysis report is used to determine whether the operation behavior of the cloud service provider user is abnormal.
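Claims 1, 3, 4 and 5 together describe one pipeline: raw operation logs are folded by audit rules into unified behavior events, each user's historical events are scored per category into a behavior profile, and new events are judged both on time/place/actor/result and against that profile. The Python below is an added example written for this page, not code from the patent or its assignee; it runs that pipeline over constructed log lines. Everything concrete in it is an assumption the claims do not specify: the two raw log formats, the audit rule set and its risk weights, the additive scoring rule, the 08:00-20:00 working window and the profile threshold of 3.

```python
# Added example for this page, not code from the patent or its assignee. The log
# formats, rule set, weights, scoring rule, working hours and threshold are assumed.
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Claim 1: audit rules in the five operation domains, operation -> risk weight (assumed).
AUDIT_RULES = {
    "host": {"ssh_login": 1, "sudo_exec": 3, "service_stop": 4},
    "data_center": {"rack_access": 2},
    "virtual_machine": {"vm_start": 1, "vm_snapshot": 2, "vm_delete": 5},
    "network": {"sg_rule_add": 3, "sg_rule_delete": 4},
    "storage": {"bucket_read": 1, "bucket_acl_public": 5, "volume_delete": 5},
}
RULE_INDEX = {op: (cat, w) for cat, ops in AUDIT_RULES.items() for op, w in ops.items()}
# Assumed syslog-style line: "<iso-time> <host> <user> <operation> <ok|fail>"
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<op>\S+) (?P<result>ok|fail)$")

def normalize(raw: str) -> Optional[dict]:
    """Claim 3: raw line (syslog-style or JSON) -> unified event, or None if no rule matches."""
    if raw.startswith("{"):
        rec = json.loads(raw)
        ts, place, user, op, result = rec["time"], rec["region"], rec["actor"], rec["action"], rec["status"]
    else:
        m = SYSLOG_RE.match(raw)
        if m is None:
            return None
        ts, place, user, op, result = m.group("ts", "host", "user", "op", "result")
    if op not in RULE_INDEX:
        return None
    cat, weight = RULE_INDEX[op]
    return {"time": datetime.fromisoformat(ts), "place": place, "actor": user,
            "type": op, "category": cat, "weight": weight, "result": result}

def build_profile(history: List[dict]) -> Dict[str, int]:
    """Claim 4: per-category score for one user; assumed scoring rule = sum of rule weights."""
    profile: Dict[str, int] = defaultdict(int)
    for ev in history:
        profile[ev["category"]] += ev["weight"]
    return dict(profile)

def build_profiles(raw_history: List[str]) -> Dict[str, Dict[str, int]]:
    """One profile per user (claim 1: profiles differ between users)."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for line in raw_history:
        ev = normalize(line)
        if ev is not None:
            by_user[ev["actor"]].append(ev)
    return {user: build_profile(evs) for user, evs in by_user.items()}

def overall_analysis(ev: dict) -> List[str]:
    """Claim 1: time / result / rule-risk analysis (thresholds assumed)."""
    labels = []
    if not 8 <= ev["time"].hour < 20:
        labels.append("off-hours")
    if ev["result"] != "ok":
        labels.append("failed-op")
    if ev["weight"] >= 4:
        labels.append("high-risk-rule")
    return labels

def match_profile(ev: dict, profile: Dict[str, int], threshold: int = 3) -> bool:
    """Claim 1 matching step: risky operation in a category this user has little history of."""
    return profile.get(ev["category"], 0) < threshold and ev["weight"] >= 3

def analyze(raw_lines: List[str], profiles: Dict[str, Dict[str, int]]) -> List[dict]:
    """Claims 1 and 5: analysis report, one row per event, with abnormal labels."""
    report = []
    for line in raw_lines:
        ev = normalize(line)
        if ev is None:
            continue
        labels = overall_analysis(ev)
        if match_profile(ev, profiles.get(ev["actor"], {})):
            labels.append("outside-profile")
        report.append({**ev, "time": ev["time"].isoformat(), "labels": labels,
                       "abnormal": "outside-profile" in labels or len(labels) >= 2})
    return report

# Constructed sample data: alice operates hosts and VMs, bob only reads storage;
# today bob makes a bucket public at 03:12 and carol's line matches no rule.
HISTORY = [
    "2024-03-01T10:00:00 host01 alice ssh_login ok",
    "2024-03-01T10:05:00 host01 alice sudo_exec ok",
    '{"time": "2024-03-02T11:00:00", "region": "cn-north", "actor": "alice", "action": "vm_snapshot", "status": "ok"}',
    '{"time": "2024-03-02T11:30:00", "region": "cn-north", "actor": "alice", "action": "vm_start", "status": "ok"}',
    '{"time": "2024-03-03T09:00:00", "region": "cn-north", "actor": "bob", "action": "bucket_read", "status": "ok"}',
]
TODAY = [
    "2024-03-10T14:00:00 host01 alice sudo_exec ok",
    '{"time": "2024-03-10T03:12:00", "region": "cn-north", "actor": "bob", "action": "bucket_acl_public", "status": "ok"}',
    "2024-03-10T14:30:00 host02 carol unknown_op ok",
]

if __name__ == "__main__":
    for row in analyze(TODAY, build_profiles(HISTORY)):
        print(row["actor"], row["type"], row["labels"], "ABNORMAL" if row["abnormal"] else "normal")
```

Run directly, it prints one report row per event that an audit rule covers. Alice's daytime sudo_exec matches her host history (score 4) and gets no label; bob's bucket_acl_public is labelled off-hours, high-risk-rule and outside-profile, because his profile scores storage at only 1 and the rule weight is 5; carol's line is dropped before analysis because no rule covers it, which is the point of claim 3's rule-driven normalization. A real deployment would replace the additive score with the per-rule scoring rules claim 4 refers to but does not specify, and would tune the profile threshold per category rather than using one constant.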

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111134753.8A CN113836525B (en) 2021-09-27 2021-09-27 Cloud service business risk analysis method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111134753.8A CN113836525B (en) 2021-09-27 2021-09-27 Cloud service business risk analysis method and device

Publications (2)

Publication Number Publication Date
CN113836525A CN113836525A (en) 2021-12-24
CN113836525B true CN113836525B (en) 2024-05-07

Family

ID=78970580

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111134753.8A Active CN113836525B (en) 2021-09-27 2021-09-27 Cloud service business risk analysis method and device

Country Status (1)

Country Link
CN (1) CN113836525B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108268354A (en) * 2016-12-30 2018-07-10 腾讯科技(深圳)有限公司 Data security monitoring method, background server, terminal and system
US10210548B1 (en) * 2013-11-25 2019-02-19 Groupon, Inc. Predictive recommendation system using absolute relevance
CN109471846A (en) * 2018-11-02 2019-03-15 中国电子科技网络信息安全有限公司 Cloud user behavior auditing system and method based on cloud log analysis
CN111080440A (en) * 2019-12-18 2020-04-28 上海良鑫网络科技有限公司 Big data risk control management system
CN111107072A (en) * 2019-12-11 2020-05-05 中国科学院信息工程研究所 Abnormal login behavior detection method and system based on authentication graph embedding
CN111245793A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 Method and device for network data anomaly analysis
CN111709765A (en) * 2020-03-25 2020-09-25 中国电子科技集团公司电子科学研究院 User portrait scoring method and device, and storage medium
CN112114995A (en) * 2020-09-29 2020-12-22 平安普惠企业管理有限公司 Process-based terminal anomaly analysis method, device, equipment and storage medium
CN112765003A (en) * 2020-12-31 2021-05-07 北方工业大学 Risk prediction method based on APP behavior log

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Danchen Wang, Yang Xu, Peng Xu. Information System's Security Evaluation of Dynamic Behavior Based on Service Composition. 2015 10th International Conference on Intelligent Systems and Knowledge Engineering (ISKE). 2015, 112-120. *
Inferring the behavioral intent of Android applications based on API call analysis; 沈科, 叶晓俊, 刘孝男, 李斌; Journal of Tsinghua University (Science and Technology); 2017-11-30; Vol. 57, No. 11; 1139-1144 *
Research on identifying and predicting abnormal carrier users on online freight platforms based on data mining; 徐桥; Information Science and Technology; 2021-02-15 (No. 2); 20-45 *

Also Published As

Publication number Publication date
CN113836525A (en) 2021-12-24

Similar Documents

Publication Publication Date Title
US11798028B2 (en) Systems and methods for monitoring malicious software engaging in online advertising fraud or other form of deceit
US9954888B2 (en) Security actions for computing assets based on enrichment information
US10540502B1 (en) Software assurance for heterogeneous distributed computing systems
US20120311562A1 (en) Extendable event processing
US9104706B2 (en) Meta-directory control and evaluation of events
CN106888106A Large-scale IT asset detection system for a smart grid
US20210281599A1 (en) Cyber Security System and Method Using Intelligent Agents
CN102571476B Method and apparatus for monitoring a terminal command line in real time
JP2003216576A Method and system for monitoring vulnerabilities
CN101321084A (en) Method and apparatus for generating configuration rules for computing entities within a computing environment using association rule mining
US11240119B2 (en) Network operation
CN106775929A Virtualization platform security monitoring method and system
US20070078841A1 System and method for network resource management
CN110971464A Automated operation and maintenance system for a disaster recovery center
CN104038466A Intrusion detection system, method and device for a cloud computing environment
US20130111018A1 (en) Passive monitoring of virtual systems using agent-less, offline indexing
JP2016192185A (en) Spoofing detection system and spoofing detection method
CN110705726A (en) Operation and maintenance auditing method, system and device for industrial equipment
KR101765828B1 (en) Apparatus and method for detecting vulnerability of cloud system
KR100926735B1 (en) Web source security management system and method
Cinque et al. Entropy-based security analytics: Measurements from a critical information system
CN113965497B Server anomaly identification method and device, computer equipment and readable storage medium
CN111400720A (en) Terminal information processing method, system and device and readable storage medium
CN116895046B (en) Abnormal operation and maintenance data processing method based on virtualization
CN113836525B (en) Cloud service business risk analysis method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant