CN113849810A - Risk operation behavior identification method, device, equipment and storage medium - Google Patents


Info

Publication number: CN113849810A
Application number: CN202111139826.2A
Authority: CN (China)
Prior art keywords: risk, operation behavior, data, behavior, behavior data
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 艾可德
Current assignee: Ping An International Smart City Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Ping An International Smart City Technology Co Ltd
Application filed by: Ping An International Smart City Technology Co Ltd

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F 21/55 Detecting local intrusion or implementing counter-measures
                            • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
                                • G06F 21/562 Static detection
                            • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
            • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
                • G06Q 10/00 Administration; Management
                    • G06Q 10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
                        • G06Q 10/063 Operations research, analysis or management
                            • G06Q 10/0635 Risk analysis of enterprise or organisation activities

Abstract

The invention relates to the field of artificial intelligence and discloses a method, a device, equipment and a storage medium for identifying risk operation behavior, which are used to improve the accuracy with which risk operation behavior on a terminal is identified. The identification method comprises the following steps: collecting operation behavior data through a preset monitoring system to obtain initial operation event data; acquiring a risk operation behavior policy through a preset risk policy system and performing risk operation behavior identification on the initial operation event data to obtain candidate risk operation behavior data; performing risk content identification on the candidate risk operation behavior data to obtain a risk content identification result; and calculating a risk operation score from the risk content identification result and determining, according to that score, the target risk operation behavior data among the candidate risk operation behavior data. The invention also relates to blockchain technology: the target risk operation behavior data can be stored in blockchain nodes.

Description

Risk operation behavior identification method, device, equipment and storage medium
Technical Field
The invention relates to the field of keyword matching, in particular to a method, a device, equipment and a storage medium for identifying risk operation behaviors.
Background
Employees are the last line of defense for an enterprise's information security, and their security awareness directly determines how well the enterprise can protect its information. Once an employee's weak security awareness is exploited by a malicious actor, the enterprise may suffer irreparable loss, so raising employees' information security awareness has always been a central task of enterprise information security management. The traditional way to raise awareness is periodic information security training, or training that employees attend on their own initiative.
Because employees differ in their level of security awareness, and because uniform training does not account for individual differences, differences between organizations, or the behavior data and weak points of employees in different areas of information security, such training does little to raise the overall security awareness of the enterprise's employees, and targeted training cannot be delivered on the basis of an analysis of each employee's behavior events. Accurately obtaining each employee's behavior data at the terminal is therefore the key to raising employee security awareness.
Most existing methods for analyzing terminal behavior data rely on software operation logs and ignore behavior data at other operating-system layers, such as file operations, interface screenshots, and mail receiving and sending. Terminal behavior data are therefore collected incompletely, and the identification of risk operation behavior on the terminal is correspondingly inaccurate.
Disclosure of Invention
The invention provides a method, a device, equipment and a storage medium for identifying a risk operation behavior, which are used for improving the accuracy of identifying the risk operation behavior of a terminal.
The invention provides a method for identifying risk operation behaviors in a first aspect, which comprises the following steps:
collecting operation behavior data, and converting the operation behavior data into an operation behavior event to obtain initial operation event data, wherein the initial operation event data comprises at least one of the following data: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data;
performing risk operation behavior identification on the initial operation event data according to a preset risk operation behavior strategy to obtain candidate risk operation behavior data;
according to the operation behavior type, performing risk content identification on the candidate risk operation behavior data to obtain a risk content identification result;
and calculating a risk operation score corresponding to the candidate risk operation behavior data according to the risk content identification result, and determining target risk operation behavior data in the candidate risk operation behavior data according to the risk operation score.
Optionally, in a first implementation manner of the first aspect of the present invention, the operation behavior data includes: intercepting operation data and/or non-intercepting operation data; the collecting operational behavior data comprises:
monitoring an operation behavior and judging whether the operation behavior triggers a preset interception condition or not;
if so, intercepting the operation behavior to obtain intercepted operation data;
if not, recording the operation behavior type, the operation behavior content, the operation identity data, the operation behavior time or the operation terminal data corresponding to the operation behavior to a preset operation log to obtain non-intercepted operation data.
Optionally, in a second implementation manner of the first aspect of the present invention, the acquiring operation behavior data and converting the operation behavior data into an operation behavior event to obtain initial operation event data includes:
collecting operation behavior data through a plurality of monitoring plug-ins, wherein each monitoring plug-in corresponds to operation behavior data of one operation behavior type;
analyzing the operation behavior data to obtain an analysis result, and extracting operation behavior event parameters in the analysis result;
and according to a preset data format, carrying out standardized format conversion on the operation behavior event parameters to obtain initial operation event data.
Optionally, in a third implementation manner of the first aspect of the present invention, the collecting operation behavior data by a plurality of monitoring plug-ins includes:
receiving an acquisition instruction of operation behavior data, and sending a corresponding monitoring strategy acquisition request according to a terminal identifier and an identity identifier in the acquisition instruction to obtain a plurality of monitoring plug-in identifiers;
updating configuration parameters of the monitoring plug-in corresponding to each monitoring plug-in identifier to obtain a target monitoring plug-in;
and acquiring operation behavior data through the target monitoring plug-in to obtain the operation behavior data.
Optionally, in a fourth implementation manner of the first aspect of the present invention, the performing, according to a preset risk operation behavior policy, risk operation behavior identification on the initial operation event data to obtain candidate risk operation behavior data includes:
sending a risk policy acquisition request based on the operation identity data and the operation terminal data;
and generating a risk operation behavior strategy according to the risk strategy acquisition request, and performing risk operation identification of data dimension, event dimension, time interval dimension and authority dimension on the initial operation event data according to the risk operation behavior strategy to obtain candidate risk operation behavior data.
Optionally, in a fifth implementation manner of the first aspect of the present invention, the performing risk content identification on the candidate risk operation behavior data according to the operation behavior type to obtain a risk content identification result includes:
calling a corresponding preset risk content identification algorithm according to the operation behavior type in the candidate risk operation behavior data, wherein the preset risk content identification algorithm comprises at least one of the following algorithms: a keyword extraction function, an illegal link identification function and a file scanning function;
performing keyword identification on the operation behavior content in the candidate risk operation behavior data through the keyword extraction function to obtain risk keywords;
performing illegal link extraction on the operation behavior content in the candidate risk operation behavior data through the illegal link identification function to obtain a risk link;
performing illegal file scanning on the operation behavior content in the candidate risk operation behavior data through the file scanning function to obtain a risk file;
and combining the risk keywords, the risk links and the risk files to obtain a risk content identification result.
Optionally, in a sixth implementation manner of the first aspect of the present invention, the calculating, according to the risk content identification result, a risk operation score corresponding to the candidate risk operation behavior data, and determining, according to the risk operation score, target risk operation behavior data in the candidate risk operation behavior data includes:
analyzing the risk content identification result to obtain the number of risk contents in the risk content identification result, and calculating the hit rate of the risk contents according to the number of the risk contents;
acquiring a weight coefficient corresponding to the operation behavior type, calculating a risk operation score of the risk content identification result according to the risk content hit rate and the weight coefficient corresponding to the operation behavior type, and judging whether the risk operation score is greater than a preset risk threshold value;
and if the risk operation score is larger than a preset risk threshold, setting candidate risk operation behavior data corresponding to the risk content identification result with the risk operation score larger than the preset risk threshold as target risk operation behavior data.
The second aspect of the present invention provides an apparatus for identifying a risk operation behavior, including:
the acquisition module is used for acquiring operation behavior data and converting the operation behavior data into operation behavior events to obtain initial operation event data, wherein the initial operation event data comprises at least one of the following data: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data;
the matching module is used for carrying out risk operation behavior identification on the initial operation event data according to a preset risk operation behavior strategy to obtain candidate risk operation behavior data;
the identification module is used for carrying out risk content identification on the candidate risk operation behavior data according to the operation behavior type to obtain a risk content identification result;
and the calculation module is used for calculating a risk operation score corresponding to the candidate risk operation behavior data according to the risk content identification result, and determining target risk operation behavior data in the candidate risk operation behavior data according to the risk operation score.
Optionally, in a first implementation manner of the second aspect of the present invention, the operation behavior data includes: intercepting operation data and/or non-intercepting operation data; the risk operation behavior identification device further comprises:
the monitoring module is used for monitoring the operation behavior and judging whether the operation behavior triggers a preset interception condition or not;
the intercepting module is used for intercepting the operation behavior if it triggers the interception condition, so as to obtain intercepted operation data;
and, if it does not, for recording the operation behavior type, the operation behavior content, the operation identity data, the operation behavior time or the operation terminal data corresponding to the operation behavior to a preset operation log to obtain non-intercepted operation data.
Optionally, in a second implementation manner of the second aspect of the present invention, the acquisition module includes:
the acquisition unit is used for acquiring operation behavior data through a plurality of monitoring plug-ins, and each monitoring plug-in corresponds to operation behavior data of one operation behavior type;
the analysis unit is used for analyzing the operation behavior data to obtain an analysis result and extracting operation behavior event parameters in the analysis result;
a conversion unit, configured to perform standardized format conversion on the operation behavior event parameter according to a preset data format to obtain initial operation event data, where the initial operation event data includes at least one of the following: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data.
Optionally, in a third implementation manner of the second aspect of the present invention, the acquisition unit is specifically configured to:
receiving an acquisition instruction of operation behavior data, and sending a corresponding monitoring strategy acquisition request according to a terminal identifier and an identity identifier in the acquisition instruction to obtain a plurality of monitoring plug-in identifiers;
updating configuration parameters of the monitoring plug-in corresponding to each monitoring plug-in identifier to obtain a target monitoring plug-in;
and acquiring operation behavior data through the target monitoring plug-in to obtain the operation behavior data, wherein each monitoring plug-in corresponds to the operation behavior data of one operation behavior type.
Optionally, in a fourth implementation manner of the second aspect of the present invention, the matching module is specifically configured to:
sending a risk policy acquisition request based on the operation identity data and the operation terminal data;
and generating a risk operation behavior strategy according to the risk strategy acquisition request, and performing risk operation identification of data dimension, event dimension, time interval dimension and authority dimension on the initial operation event data according to the risk operation behavior strategy to obtain candidate risk operation behavior data.
Optionally, in a fifth implementation manner of the second aspect of the present invention, the identification module is specifically configured to:
calling a corresponding preset risk content identification algorithm according to the operation behavior type in the candidate risk operation behavior data, wherein the preset risk content identification algorithm comprises at least one of the following algorithms: a keyword extraction function, an illegal link identification function and a file scanning function;
performing keyword identification on the operation behavior content in the candidate risk operation behavior data through the keyword extraction function to obtain risk keywords;
performing illegal link extraction on the operation behavior content in the candidate risk operation behavior data through the illegal link identification function to obtain a risk link;
performing illegal file scanning on the operation behavior content in the candidate risk operation behavior data through the file scanning function to obtain a risk file;
and combining the risk keywords, the risk links and the risk files to obtain a risk content identification result.
Optionally, in a sixth implementation manner of the second aspect of the present invention, the calculation module is specifically configured to:
analyzing the risk content identification result to obtain the number of risk contents in the risk content identification result, and calculating the hit rate of the risk contents according to the number of the risk contents;
acquiring a weight coefficient corresponding to the operation behavior type, calculating a risk operation score of the risk content identification result according to the risk content hit rate and the weight coefficient corresponding to the operation behavior type, and judging whether the risk operation score is greater than a preset risk threshold value;
and if the risk operation score is larger than a preset risk threshold, setting candidate risk operation behavior data corresponding to the risk content identification result with the risk operation score larger than the preset risk threshold as target risk operation behavior data.
A third aspect of the present invention provides an apparatus for identifying a risk operation behavior, including: a memory and at least one processor, the memory having a computer program stored therein; the at least one processor calls the computer program in the memory to cause the risk operation behavior identification device to perform the risk operation behavior identification method described above.
A fourth aspect of the present invention provides a computer-readable storage medium having stored therein a computer program which, when run on a computer, causes the computer to execute the above-described method of identifying a risky operation behavior.
In the technical scheme provided by the invention, operation behavior data are collected and converted into operation behavior events to obtain initial operation event data, wherein the initial operation event data comprise at least one of the following data: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data; performing risk operation behavior identification on the initial operation event data according to a preset risk operation behavior strategy to obtain candidate risk operation behavior data; according to the operation behavior type, performing risk content identification on the candidate risk operation behavior data to obtain a risk content identification result; and calculating a risk operation score corresponding to the candidate risk operation behavior data according to the risk content identification result, and determining target risk operation behavior data in the candidate risk operation behavior data according to the risk operation score. In the embodiment of the invention, a terminal collects operation behavior data, converts the operation behavior data into an operation behavior event to obtain initial operation event data, carries out risk operation behavior identification on the initial operation event data to obtain candidate risk operation behavior data with risks, further identifies risk content in the candidate risk operation behavior data, carries out risk operation score calculation on the candidate risk operation behavior data based on the identified risk content identification result, and further determines target risk operation behavior data. The method and the device can improve the accuracy of identifying the terminal risk operation behavior.
Drawings
FIG. 1 is a schematic diagram of an embodiment of a method for identifying risk operation behavior according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of another embodiment of the method for identifying risk operation behavior in the embodiment of the present invention;
FIG. 3 is a schematic diagram of an embodiment of a risk operation behavior identification apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of another embodiment of the risk operation behavior identification apparatus in the embodiment of the present invention;
FIG. 5 is a schematic diagram of an embodiment of a risk operation behavior identification device in an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method, a device, equipment and a storage medium for identifying a risk operation behavior, which are used for improving the accuracy of identifying the risk operation behavior of a terminal.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For understanding, a specific flow of the embodiment of the present invention is described below, and referring to fig. 1, an embodiment of the method for identifying a risk operation behavior in the embodiment of the present invention includes:
101. collecting operation behavior data, and converting the operation behavior data into an operation behavior event to obtain initial operation event data, wherein the initial operation event data comprises at least one of the following data: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data;
it is to be understood that the executing subject of the present invention may be a risk operation behavior recognition device, and may also be a terminal or a server, which is not limited herein. The embodiment of the present invention is described by taking a terminal as an execution subject.
The server may be an independent server, or may be a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a Content Delivery Network (CDN), a big data and artificial intelligence platform, and the like.
The embodiment of the application can acquire and process the related data based on artificial intelligence technology. Artificial Intelligence (AI) is the theory, method, technique and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use that knowledge to obtain the best result.
The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and the like.
In this embodiment, the terminal collects operation behavior data through a monitoring plug-in installed on the terminal, which monitors all operation behavior on the terminal and collects the corresponding data. The operation behavior data cover operating-system-level operation behaviors such as file download, file upload, mail receiving and sending, link access, service opening, account registration, account login, software installation, screenshot, IP (Internet Protocol) settings and permission modification. The monitoring plug-in is preinstalled on the terminal with system-level data collection permission; its configuration data are controlled and issued by the server, and the terminal has no permission to modify the plug-in. This guarantees the correctness and integrity of the collected operation behavior data and provides the data basis for identifying risk operation behaviors.
In this embodiment, after collecting the operation behavior data, the terminal converts them into events: the operation behavior data of each operation behavior type are encapsulated into an operation behavior event of the corresponding type and given a matching operation behavior type identifier; for example, file download data are given a file download type identifier and file upload data a file upload type identifier. The terminal further encapsulates the corresponding operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data into the event to obtain the initial operation event data. Here the operation behavior content is the data the operation acts on: for a file download it is the downloaded file, for mail receiving and sending it is the mail content together with the sender and recipient information, and for link access it is the accessed link. The operation identity data are the user identity data of the corresponding operation, such as the employee account or other user identity data bound to the terminal's operating system, without specific limitation. Through the preinstalled monitoring plug-in, the terminal can comprehensively collect all operation behaviors on the terminal in real time, which provides the data basis for identifying risk operation behaviors so that they can be detected accurately.
102. Performing risk operation behavior identification on the initial operation event data according to a preset risk operation behavior strategy to obtain candidate risk operation behavior data;
In this embodiment, the risk operation behavior policy is used to match risk operation behaviors of the terminal; examples are "access illegal link", "log in to an internal system outside the authority range" and "upload internal file". The policy is quantifiable data: the quantified data for "access illegal link" may be a list of illegal links or a list of legal links, and the quantified data for "log in to an internal system outside the authority range" may be a list of internal systems the user is authorized to log in to, or a list of users authorized to log in to the internal system. Using the quantified policy, the terminal performs risk operation identification of different dimensions on the initial operation event data to obtain candidate risk operation behavior data, which indicate the initial operation event data in which a risk operation behavior exists. In this way the risk operation behavior policy can be configured flexibly while the terminal's risk operation behaviors are still identified accurately.
103. According to the operation behavior type, performing risk content identification on the candidate risk operation behavior data to obtain a risk content identification result;
In this embodiment, after the terminal identifies from the initial operation event data the candidate risk operation behavior data in which a risk operation behavior exists, it performs risk content identification on those data according to their operation behavior type. For example, for candidate data of the file upload type the terminal scans the uploaded file for risk content to determine whether it contains internal file content, and for candidate data of the outgoing mail type the terminal identifies risk content in the outgoing mail to determine whether it contains content that must not be sent out. Risk content identification may use character matching, a recognition model, condition verification and the like, without specific limitation.
104. Calculating a risk operation score corresponding to the candidate risk operation behavior data according to the risk content identification result, and determining target risk operation behavior data in the candidate risk operation behavior data according to the risk operation score.
In this embodiment, the terminal calculates the risk operation score through a preset risk operation score algorithm. Specifically, the terminal calculates the risk level of the risk operation, that is, the risk operation score, from the risk content hit rate in the risk content identification result and the weight value of the operation behavior type corresponding to that result. When the risk operation score is greater than a preset risk critical value, the terminal sets the candidate risk operation behavior data corresponding to that score as target risk operation behavior data and reports the target risk operation behavior data to the server, so that the server sends a risk early warning message.
Further, the server stores the target risk operation behavior data in a blockchain database, which is not limited herein.
In the embodiment of the invention, the terminal acquires operation behavior data to obtain initial operation event data, then carries out risk operation behavior identification on the initial operation event data to obtain candidate risk operation behavior data with risks, further identifies risk content in the candidate risk operation behavior data, carries out risk operation score calculation on the candidate risk operation behavior data based on the identified risk content identification result, and further determines target risk operation behavior data. The method and the device can improve the accuracy of identifying the terminal risk operation behavior.
Referring to fig. 2, another embodiment of the method for identifying a risk operation behavior according to an embodiment of the present invention includes:
201. collecting operation behavior data through a plurality of monitoring plug-ins, wherein each monitoring plug-in corresponds to operation behavior data of one operation behavior type;
specifically, the terminal receives an acquisition instruction of operation behavior data, and sends a corresponding monitoring strategy acquisition request according to a terminal identifier and an identity identifier in the acquisition instruction to obtain a plurality of monitoring plug-in identifiers; the terminal updates configuration parameters of the monitoring plug-in corresponding to each monitoring plug-in identifier to obtain a target monitoring plug-in; and the terminal acquires the operation behavior data through the target monitoring plug-in to obtain the operation behavior data, wherein each monitoring plug-in corresponds to the operation behavior data of one operation behavior type.
In this optional embodiment, the collecting instruction is triggered by a monitoring plug-in on the terminal; for example, the monitoring plug-in automatically triggers the collecting instruction when the terminal is turned on, or automatically sends it when detecting that a configuration parameter has changed. The configuration parameters of the monitoring plug-in are controlled by the server. When the monitoring plug-in receives the collecting instruction, it sends a monitoring policy acquisition request carrying the terminal identifier and the identity identifier to the server, and the server issues a plurality of monitoring plug-in identifiers together with the configuration parameters corresponding to each monitoring plug-in identifier according to that request. The terminal updates the configuration parameters of the preset monitoring plug-ins according to the plurality of monitoring plug-in identifiers to obtain the target monitoring plug-ins, which include both the updated and the non-updated monitoring plug-ins, and then collects the operation behavior data according to the operation behavior type corresponding to each target monitoring plug-in. Using the monitoring plug-ins in this way, the monitoring policy of the terminal can be controlled flexibly, and the timeliness and efficiency of risk behavior identification are improved.
Further, the operational behavior data includes: intercepting operation data and/or non-intercepting operation data; collecting operational behavior data includes: the terminal monitors the operation behavior and judges whether the operation behavior triggers a preset interception condition or not; if so, intercepting the operation behavior by the terminal to obtain intercepted operation data; if not, the terminal records the operation behavior type, the operation behavior content, the operation identity data, the operation behavior time or the operation terminal data corresponding to the operation behavior to a preset operation log to obtain non-intercepted operation data.
In this optional embodiment, the operation behavior data collected by the monitoring plug-in includes interception operation data and non-interception operation data. To further improve the security of enterprise data, the terminal is provided with an interception plug-in that intercepts risk operations of the terminal in real time, such as outgoing internal files or outgoing development source code; the interception plug-in judges in real time whether an operation behavior of the terminal triggers a preset interception condition, so as to identify the risk operation of the terminal. When the operation behavior triggers the preset interception condition, the monitoring plug-in intercepts the operation behavior and records the interception operation data to a preset interception log; when it does not, the terminal records the operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data corresponding to the operation behavior to the preset operation log to obtain the non-interception operation data. The terminal combines the intercepted operation data and the non-intercepted operation data to obtain the operation behavior data used for subsequent risk operation identification; more complete operation behavior data is obtained in this way, which improves the accuracy of risk operation identification.
202. Analyzing the operation behavior data to obtain an analysis result, and extracting operation behavior event parameters in the analysis result;
In this embodiment, the monitoring plug-in is installed on the terminal and is controlled by the server. After the terminal acquires the operation behavior data collected by the monitoring plug-in, it analyzes the operation behavior data to obtain an analysis result, and then extracts the operation behavior event parameters in the analysis result, that is, the parameters describing the operation behavior event, where the operation behavior event parameters include the operation behavior generation time, the operation behavior action object, the operation behavior execution identity, the operation behavior exchange data, and the like.
203. According to a preset data format, carrying out standardized format conversion on the operation behavior event parameters to obtain initial operation event data;
In this embodiment, the terminal performs standardized format conversion (encapsulation) on the operation behavior event parameters according to a preset data format to obtain initial operation event data, where the initial operation event data includes at least one of the following: the operation behavior type, the operation behavior content, the operation identity data, the operation behavior time or the operation terminal data. Because the initial operation event data has a preset data format, the processing efficiency of the terminal on the operation event can be improved.
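The following Python block is an added illustration of steps 201 to 203 together (collection with a preset interception condition, analysis of the raw plug-in records, and standardized format conversion); it is not code from the patent or its applicant. The plug-in names, the pipe-delimited raw line format, the field names of the standardized record and the interception condition (outgoing files under internal path prefixes) are all assumptions made for the example, and the raw lines are constructed.

```python
"""Collection, interception and standardized conversion of operation behavior data.

Added example for steps 201-203; not the patent's own code. The plug-in names,
raw line format, field names and interception condition are assumptions."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime

# Constructed raw records, one monitoring plug-in per operation behavior type.
# Assumed format: <plugin>|<ISO time>|<identity>|<terminal>|<key=value;...>
RAW_PLUGIN_LINES = [
    "file_upload|2021-09-27T09:15:00|u1001|PC-17|path=/share/reports/q3_plan.docx;dest=cloud-drive",
    "mail_out|2021-09-27T09:20:00|u1001|PC-17|to=friend@example.net;subject=notes;attachments=design_spec.pdf",
    "login|2021-09-27T23:40:00|u1002|PC-22|system=hr-portal",
]

# Preset interception condition (assumption): an internal file leaving the terminal.
INTERNAL_PATH_PREFIXES = ("/share/reports/", "/src/")


@dataclass
class OperationEvent:
    """Initial operation event data in the preset (standardized) data format."""
    operation_behavior_type: str
    operation_behavior_content: dict
    operation_identity_data: str
    operation_behavior_time: str
    operation_terminal_data: str
    intercepted: bool = False


def parse_plugin_line(line: str) -> dict:
    """Analysis step: split one raw plug-in record into operation behavior event parameters."""
    plugin, ts, identity, terminal, kv = line.split("|", 4)
    datetime.fromisoformat(ts)  # reject malformed time stamps instead of storing them
    content = dict(pair.split("=", 1) for pair in kv.split(";") if "=" in pair)
    return {"type": plugin, "time": ts, "identity": identity,
            "terminal": terminal, "content": content}


def triggers_interception(params: dict) -> bool:
    """Preset interception condition: upload of a file under an internal path prefix."""
    return (params["type"] == "file_upload"
            and params["content"].get("path", "").startswith(INTERNAL_PATH_PREFIXES))


def to_initial_event(params: dict, intercepted: bool = False) -> OperationEvent:
    """Standardized format conversion of the extracted parameters."""
    return OperationEvent(params["type"], params["content"], params["identity"],
                          params["time"], params["terminal"], intercepted)


def collect(lines):
    """Returns (interception log, operation log, combined initial operation event data).

    Intercepted and non-intercepted records are kept apart in their logs but combined
    in the event list, so later risk identification sees the complete behavior data."""
    intercept_log, operation_log, events = [], [], []
    for line in lines:
        params = parse_plugin_line(line)
        event = to_initial_event(params, triggers_interception(params))
        (intercept_log if event.intercepted else operation_log).append(asdict(event))
        events.append(event)
    return intercept_log, operation_log, events


if __name__ == "__main__":
    intercepted, logged, all_events = collect(RAW_PLUGIN_LINES)
    print(json.dumps({"intercepted": intercepted, "operation_log": logged}, indent=2))
```

The interception decision is taken on the parsed parameters before conversion, so a malformed record is rejected at parse time and never reaches either log.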
204. Performing risk operation behavior identification on the initial operation event data according to a preset risk operation behavior strategy to obtain candidate risk operation behavior data;
specifically, the terminal sends a risk policy acquisition request based on the operation identity data and the operation terminal data; the terminal generates a risk operation behavior strategy according to the risk strategy acquisition request, and performs risk operation behavior identification of data dimension, event dimension, time interval dimension and authority dimension on the initial operation event data according to the risk operation behavior strategy to obtain candidate risk operation behavior data.
In this optional embodiment, the candidate risk operation behavior data includes initial operation event data with data illegal operation, initial operation event data with risk event, initial operation event data in non-time period, and initial operation event data outside the identity authority range.
In this optional embodiment, the risk operation behavior policy may be one configured in the risk policy configuration platform, or one automatically generated by the terminal after performing risk analysis on the operation behavior data. The terminal sends the risk policy acquisition request carrying the operation identity data and the operation terminal data; these are used to screen the corresponding risk operation behavior policies, since different operation identity data and different operation terminals correspond to different risk operation behavior policies and are the acting objects of those policies.
In this optional embodiment, after receiving the risk operation behavior policy returned for the risk policy acquisition request, the terminal performs risk operation matching of the data dimension, the event dimension, the time interval dimension and the authority dimension on the initial operation event data, so as to obtain candidate risk operation behavior data, which includes initial operation event data with data illegal operation, initial operation event data with risk event, initial operation event data in a non-time interval, and initial operation event data outside the identity authority range. Initial operation event data with data illegal operation refers to illegal operation behaviors on data, such as illegally downloading files or illegally uploading files; initial operation event data with risk event refers to risk operation behaviors on data, such as uploading internal files or sending out screenshots of internal system interfaces; initial operation event data in a non-time interval refers to risk operation behaviors in a non-legal time period, such as a database backup on a non-working day or entertainment video downloading on a working day; and initial operation event data outside the identity authority range refers to risk operation behaviors outside the authority corresponding to the operation identity data, such as logging in to or operating another person's account. Through multi-dimensional risk operation behavior identification, the risk operation behavior of the terminal can be detected more comprehensively.
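The four-dimension matching of step 204, as an added Python example that is not the patent's or its applicant's code. The quantified policy structure (a legal transfer host list, internal path prefixes, working-hour windows per behavior type, and a per-identity login authority map), the event field names and the sample events are constructed assumptions; the example generalizes the time dimension slightly by covering both kinds of case the text names (a behavior only legal in working hours and a behavior only legal outside them).

```python
"""Multi-dimensional risk operation behavior identification (step 204).

Added example; not the patent's own code. Policy lists, field names and the
sample events are constructed assumptions."""
from datetime import datetime

# Quantified risk operation behavior policy (assumed structure).
RISK_POLICY = {
    # data dimension: transfer hosts that are legal; any other upload/download is illegal
    "legal_transfer_hosts": {"drive.example.com", "intranet.example.com"},
    # event dimension: files under these prefixes are internal; uploading them is a risk event
    "internal_path_prefixes": ("/share/reports/", "/src/"),
    # time-period dimension: Mon-Fri 08:00-19:00 counts as working time
    "working_hours": (8, 19),
    "working_hours_only": {"db_backup"},          # only legal in working time
    "outside_working_hours_only": {"video_download"},  # only legal outside working time
    # authority dimension: internal systems each identity may log in to
    "login_authority": {"u1001": {"wiki", "crm"}, "u1002": {"wiki"}},
}

# Constructed initial operation event data in the standardized form.
SAMPLE_EVENTS = [
    {"type": "file_upload", "time": "2021-09-27T09:15:00", "identity": "u1001", "terminal": "PC-17",
     "content": {"path": "/share/reports/q3_plan.docx", "host": "cloud-share.example.net"}},
    {"type": "db_backup", "time": "2021-10-02T03:00:00", "identity": "u1001", "terminal": "SRV-01",
     "content": {"database": "crm"}},                       # Saturday, 03:00
    {"type": "video_download", "time": "2021-09-27T10:00:00", "identity": "u1002", "terminal": "PC-22",
     "content": {"host": "video.example.net"}},             # Monday, working time
    {"type": "login", "time": "2021-09-27T23:40:00", "identity": "u1002", "terminal": "PC-22",
     "content": {"system": "crm"}},                          # u1002 may only use wiki
    {"type": "login", "time": "2021-09-28T09:00:00", "identity": "u1003", "terminal": "PC-30",
     "content": {"system": "wiki", "account": "u1001"}},     # another person's account
    {"type": "login", "time": "2021-09-28T09:05:00", "identity": "u1001", "terminal": "PC-17",
     "content": {"system": "wiki"}},                         # legitimate
]


def _data_dimension(ev, policy):
    """Illegal file upload/download: transfer host not in the legal list."""
    if ev["type"] in ("file_upload", "file_download"):
        return ev["content"].get("host") not in policy["legal_transfer_hosts"]
    return False


def _event_dimension(ev, policy):
    """Risk event: an internal file is uploaded."""
    return (ev["type"] == "file_upload"
            and ev["content"].get("path", "").startswith(policy["internal_path_prefixes"]))


def _time_dimension(ev, policy):
    """Behavior in a non-legal time period for its type."""
    t = datetime.fromisoformat(ev["time"])
    start, end = policy["working_hours"]
    in_working_time = t.weekday() < 5 and start <= t.hour < end
    if ev["type"] in policy["working_hours_only"]:
        return not in_working_time
    if ev["type"] in policy["outside_working_hours_only"]:
        return in_working_time
    return False


def _authority_dimension(ev, policy):
    """Login outside the identity's authority, or with someone else's account."""
    if ev["type"] != "login":
        return False
    content = ev["content"]
    if content.get("account", ev["identity"]) != ev["identity"]:
        return True
    return content.get("system") not in policy["login_authority"].get(ev["identity"], set())


DIMENSIONS = {"data": _data_dimension, "event": _event_dimension,
              "time_period": _time_dimension, "authority": _authority_dimension}


def identify_risk_operations(events, policy=RISK_POLICY):
    """Returns candidate risk operation behavior data: each event tagged with the dimensions it hit."""
    candidates = []
    for ev in events:
        hit = [name for name, check in DIMENSIONS.items() if check(ev, policy)]
        if hit:
            candidates.append({**ev, "risk_dimensions": hit})
    return candidates


if __name__ == "__main__":
    for c in identify_risk_operations(SAMPLE_EVENTS):
        print(c["type"], c["identity"], c["time"], c["risk_dimensions"])
```

Each dimension is an independent predicate over the standardized event and the quantified policy, so a new policy list can be added without touching the others, and one event can be a candidate on several dimensions at once (the first sample event hits both the data and the event dimension).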
205. According to the operation behavior type, performing risk content identification on the candidate risk operation behavior data to obtain a risk content identification result;
Specifically, the terminal calls a corresponding preset risk content identification algorithm according to the operation behavior type in the candidate risk operation behavior data, wherein the preset risk content identification algorithm includes at least one of the following: a keyword extraction function, an illegal link identification function and a file scanning function. The terminal performs keyword identification on the operation behavior content in the candidate risk operation behavior data through the keyword extraction function to obtain risk keywords; performs illegal link extraction on the operation behavior content through the illegal link identification function to obtain a risk link; performs illegal file scanning on the operation behavior content through the file scanning function to obtain a risk file; and combines the risk keywords, the risk links and the risk files to obtain a risk content identification result.
In this optional embodiment, the terminal identifies the risk content of the candidate risk operation behavior data by a preset risk content identification algorithm, which comprises at least one of a keyword extraction algorithm, an illegal link identification algorithm and a file scanning identification algorithm. The terminal respectively adopts the keyword extraction algorithm, the illegal link identification algorithm and the file scanning algorithm to identify keywords in, extract illegal links from and scan illegal files in the operation behavior content of the candidate risk operation behavior data, obtaining a risk keyword, a risk link and a risk file; the server combines the risk keyword, the risk link and the risk file to obtain the risk content identification result. The risk content identification result is further risk data of the candidate risk operation behavior data and reflects the risk content in it, for use in the subsequent risk operation score calculation.
206. Calculating a risk operation score corresponding to the candidate risk operation behavior data according to the risk content identification result, and determining target risk operation behavior data in the candidate risk operation behavior data according to the risk operation score.
Specifically, the terminal analyzes the risk content identification result to obtain the number of risk contents in the risk content identification result, and calculates the hit rate of the risk contents according to the number of the risk contents; the terminal obtains a weight coefficient corresponding to the operation behavior type, carries out risk operation score calculation on the risk content identification result according to the risk content hit rate and the weight coefficient corresponding to the operation behavior type, and judges whether the risk operation score is larger than a preset risk threshold value or not; and if the risk operation score is larger than the preset risk threshold, setting candidate risk operation behavior data corresponding to the risk content identification result with the risk operation score larger than the preset risk threshold as target risk operation behavior data by the terminal.
In this optional embodiment, operation behavior data of different operation behavior types correspond to different weight coefficients; the weight coefficient measures the risk degree of the terminal operation behavior, and the higher the risk degree, the higher the weight coefficient. The server calculates the risk content hit rate corresponding to the risk content identification result, that is, the proportion of the risk content to the corresponding operation behavior content, then obtains the weight coefficient corresponding to the operation behavior type and calculates the risk operation score from the risk content hit rate and the weight coefficient. Finally the server judges whether the risk operation score is greater than the preset risk threshold. If it is, the candidate risk operation behavior data corresponding to the risk content identification result whose risk operation score is greater than the preset risk threshold is set as the target risk operation behavior data, and risk early warning and risk terminal marking are performed, which also provides data evidence for subsequent targeted risk awareness training. If the risk operation score is less than or equal to the preset risk threshold, the terminal reports the corresponding candidate risk operation behavior data to the server, where it serves as the data basis for subsequent optimization of the risk operation behavior policy and the monitoring plug-ins.
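Steps 205 and 206 together, as one added Python example (not the patent's or its applicant's code): the three content identification functions, the combined risk content identification result, and the score calculated as risk content hit rate multiplied by the type's weight coefficient and compared with the preset threshold. The risk keyword list, legal link host list, internal file list, the weight coefficients, the threshold value, the way the hit rate's denominator counts "operation behavior content" (words examined plus links plus files), and the sample candidate events are all constructed assumptions.

```python
"""Risk content identification (step 205) and risk operation scoring (step 206).

Added example; not the patent's own code. Keyword list, legal link hosts,
internal file list, weights, threshold and sample events are assumptions."""
import re
from urllib.parse import urlparse

RISK_KEYWORDS = {"confidential", "internal", "secret"}
LEGAL_LINK_HOSTS = {"wiki.example.com", "intranet.example.com"}
INTERNAL_FILES = {"design_spec.pdf", "q3_plan.docx"}
TYPE_WEIGHT = {"mail_out": 0.9, "file_upload": 0.8, "login": 0.5}  # higher = riskier type
RISK_THRESHOLD = 0.2

URL_RE = re.compile(r"https?://[^\s<>\"']+")
WORD_RE = re.compile(r"[a-z0-9]+")

# Constructed candidate risk operation behavior data (standardized form).
SAMPLE_CANDIDATES = [
    {"type": "mail_out", "identity": "u1001", "terminal": "PC-17", "time": "2021-09-27T09:20:00",
     "content": {"subject": "Q3 internal plan",
                 "body": "Confidential roadmap, see http://paste.example.net/abc and http://wiki.example.com/x",
                 "attachments": ["design_spec.pdf", "lunch.jpg"]}},
    {"type": "file_upload", "identity": "u1002", "terminal": "PC-22", "time": "2021-09-27T10:00:00",
     "content": {"path": "/share/tmp/lunch.jpg"}},
    {"type": "file_upload", "identity": "u1001", "terminal": "PC-17", "time": "2021-09-27T11:00:00",
     "content": {"path": "/share/reports/q3_plan.docx"}},
]


def keyword_extraction(text):
    """Keyword extraction function: (words examined, risk keywords found), URLs excluded."""
    words = WORD_RE.findall(URL_RE.sub(" ", text.lower()))
    return words, sorted({w for w in words if w in RISK_KEYWORDS})


def illegal_link_identification(text):
    """Illegal link identification function: (links found, links whose host is not legal)."""
    links = URL_RE.findall(text)
    return links, [l for l in links if urlparse(l).hostname not in LEGAL_LINK_HOSTS]


def file_scanning(filenames):
    """File scanning function: (files examined, files that are internal files)."""
    files = list(filenames)
    return files, [f for f in files if f in INTERNAL_FILES]


def identify_risk_content(event):
    """Calls the functions that apply to the operation behavior type and combines their output.

    Returns (risk content identification result, number of content items examined)."""
    content = event["content"]
    result = {"keywords": [], "links": [], "files": []}
    examined = 0
    if event["type"] == "mail_out":
        text = content.get("subject", "") + " " + content.get("body", "")
        words, result["keywords"] = keyword_extraction(text)
        links, result["links"] = illegal_link_identification(text)
        files, result["files"] = file_scanning(content.get("attachments", []))
        examined = len(words) + len(links) + len(files)
    elif event["type"] == "file_upload":
        files, result["files"] = file_scanning([content["path"].rsplit("/", 1)[-1]])
        examined = len(files)
    # other types (e.g. login) carry no scannable content here: empty result, examined == 0
    return result, examined


def risk_operation_score(event):
    """Score = risk content hit rate * weight coefficient of the operation behavior type."""
    result, examined = identify_risk_content(event)
    n_risk = sum(len(v) for v in result.values())
    hit_rate = n_risk / examined if examined else 0.0
    return hit_rate * TYPE_WEIGHT.get(event["type"], 0.0), hit_rate, result


def determine_targets(candidates):
    """Splits candidates into target data (score above threshold) and feedback data (the rest)."""
    targets, feedback = [], []
    for ev in candidates:
        score, hit_rate, result = risk_operation_score(ev)
        record = {"event": ev, "score": round(score, 4), "hit_rate": round(hit_rate, 4),
                  "risk_content": result}
        (targets if score > RISK_THRESHOLD else feedback).append(record)
    return targets, feedback


if __name__ == "__main__":
    targets, feedback = determine_targets(SAMPLE_CANDIDATES)
    for r in targets:
        print("TARGET", r["event"]["type"], r["score"], r["risk_content"])
    for r in feedback:
        print("feedback", r["event"]["type"], r["score"])
```

With the constructed mail, two risk keywords, one illegal link and one internal attachment are found among eleven examined items, so the hit rate is 4/11 and the score 0.9 * 4/11, above the threshold; the upload of a non-internal file scores 0 and is kept only as feedback data for policy and plug-in optimization.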
In the embodiment of the invention, a terminal acquires operation behavior data through a plurality of monitoring plugins to obtain initial operation event data, each monitoring plugin correspondingly monitors operation behavior data of one operation behavior type, the monitoring plugins analyze and standardize the operation behavior data after acquiring the operation behavior data to obtain the initial operation event data, then the terminal identifies risk operation behaviors of the initial operation event data to obtain candidate risk operation behavior data with risks, further identifies risk contents in the candidate risk operation behavior data, and calculates risk operation scores of the candidate risk operation behavior data based on identified risk content identification results to further determine target risk operation behavior data. The method and the device can improve the accuracy of identifying the terminal risk operation behavior.
With reference to fig. 3, the method for identifying a risk operational behavior in the embodiment of the present invention is described above, and an embodiment of an apparatus for identifying a risk operational behavior in the embodiment of the present invention includes:
the acquisition module 301 is configured to acquire operation behavior data, convert the operation behavior data into an operation behavior event, and obtain initial operation event data, where the initial operation event data includes at least one of the following: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data;
a matching module 302, configured to perform risk operation behavior identification on the initial operation event data according to a preset risk operation behavior policy to obtain candidate risk operation behavior data;
the identification module 303 is configured to perform risk content identification on the candidate risk operation behavior data according to the operation behavior type to obtain a risk content identification result;
a calculating module 304, configured to calculate, according to the risk content identification result, a risk operation score corresponding to the candidate risk operation behavior data, and determine, according to the risk operation score, target risk operation behavior data in the candidate risk operation behavior data.
In the embodiment of the invention, a terminal acquires operation behavior data of the terminal to obtain initial operation event data, performs risk operation behavior identification on the initial operation event data to obtain candidate risk operation behavior data with risks, further identifies risk content in the candidate risk operation behavior data, performs risk operation score calculation on the candidate risk operation behavior data based on the identified risk content identification result, and further determines target risk operation behavior data. The method and the device can improve the accuracy of identifying the terminal risk operation behavior.
Referring to fig. 4, another embodiment of the risk operation behavior recognition apparatus according to the embodiment of the present invention includes:
the acquisition module 301 is configured to acquire operation behavior data, convert the operation behavior data into an operation behavior event, and obtain initial operation event data, where the initial operation event data includes at least one of the following: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data;
a matching module 302, configured to perform risk operation behavior identification on the initial operation event data according to a preset risk operation behavior policy to obtain candidate risk operation behavior data;
the identification module 303 is configured to perform risk content identification on the candidate risk operation behavior data according to the operation behavior type to obtain a risk content identification result;
a calculating module 304, configured to calculate, according to the risk content identification result, a risk operation score corresponding to the candidate risk operation behavior data, and determine, according to the risk operation score, target risk operation behavior data in the candidate risk operation behavior data.
Optionally, the operation behavior data includes: intercepting operation data and/or non-intercepting operation data; the risk operation behavior identification device further comprises:
the monitoring module 305 is configured to monitor an operation behavior and determine whether the operation behavior triggers a preset interception condition;
an intercepting module 306, configured to, if so, intercept the operation behavior to obtain intercepted operation data;
and a recording module 307, configured to record, if not, an operation behavior type, an operation behavior content, operation identity data, operation behavior time, or operation terminal data corresponding to the operation behavior to a preset operation log, so as to obtain non-intercepted operation data.
Optionally, the acquisition module 301 includes:
the acquisition unit 3011 is configured to acquire operation behavior data through a plurality of monitoring plug-ins, where each monitoring plug-in corresponds to operation behavior data of one operation behavior type;
the analyzing unit 3012 is configured to analyze the operation behavior data to obtain an analysis result, and extract an operation behavior event parameter in the analysis result;
a conversion unit 3013, configured to perform standardized format conversion on the operation behavior event parameter according to a preset data format to obtain initial operation event data, where the initial operation event data includes at least one of the following: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data.
Optionally, the acquisition unit 3011 is specifically configured to:
receiving an acquisition instruction of operation behavior data, and sending a corresponding monitoring strategy acquisition request according to a terminal identifier and an identity identifier in the acquisition instruction to obtain a plurality of monitoring plug-in identifiers;
updating configuration parameters of the monitoring plug-in corresponding to each monitoring plug-in identifier to obtain a target monitoring plug-in;
and acquiring operation behavior data through the target monitoring plug-in to obtain the operation behavior data, wherein each monitoring plug-in corresponds to the operation behavior data of one operation behavior type.
Optionally, the matching module 302 is specifically configured to:
sending a risk policy acquisition request based on the operation identity data and the operation terminal data;
and according to the risk strategy acquisition request, generating a risk operation behavior strategy, and performing risk operation identification of data dimension, event dimension, time interval dimension and authority dimension on the initial operation event data according to the risk operation behavior strategy to obtain candidate risk operation behavior data.
Optionally, the identifying module 303 is specifically configured to:
calling a corresponding preset risk content identification algorithm according to the operation behavior type in the candidate risk operation behavior data, wherein the preset risk content identification algorithm comprises at least one of the following algorithms: a keyword extraction function, an illegal link identification function and a file scanning function;
performing keyword identification on operation behavior contents in the candidate risk operation behavior data through a keyword extraction function to obtain risk keywords;
carrying out illegal link extraction on operation behavior contents in the candidate risk operation behavior data through the illegal link identification function to obtain a risk link;
carrying out illegal file scanning on the operation behavior content in the candidate risk operation behavior data through a file scanning function to obtain a risk file;
and combining the risk keywords, the risk links and the risk files to obtain a risk content identification result.
Optionally, the calculating module 304 is specifically configured to:
analyzing the risk content identification result to obtain the number of risk contents in the risk content identification result, and calculating the hit rate of the risk contents according to the number of the risk contents;
acquiring a weight coefficient corresponding to the operation behavior type, calculating a risk operation score of the risk content identification result according to the risk content hit rate and the weight coefficient corresponding to the operation behavior type, and judging whether the risk operation score is greater than a preset risk threshold value;
and if the risk operation score is larger than the preset risk threshold, setting candidate risk operation behavior data corresponding to the risk content identification result with the risk operation score larger than the preset risk threshold as target risk operation behavior data.
In the embodiment of the invention, a terminal acquires operation behavior data of the terminal through a plurality of monitoring plugins to obtain initial operation event data, wherein each monitoring plugin correspondingly monitors operation behavior data of one operation behavior type, the monitoring plugins analyze and standardize the operation behavior data after acquiring the operation behavior data to obtain the initial operation event data, then the terminal identifies risk operation behaviors of the initial operation event data to obtain candidate risk operation behavior data with risks, further identifies risk contents in the candidate risk operation behavior data, and calculates risk operation scores of the candidate risk operation behavior data based on identified risk content identification results to further determine target risk operation behavior data. The method and the device can improve the accuracy of identifying the terminal risk operation behavior.
Fig. 3 and fig. 4 describe the identification apparatus of the risk operation behavior in the embodiment of the present invention in detail from the perspective of the modular functional entity; the identification apparatus of the risk operation behavior in the embodiment of the present invention is described below in detail from the perspective of hardware processing.
Fig. 5 is a schematic structural diagram of an apparatus for identifying a risky operation behavior according to an embodiment of the present invention. The apparatus 500 for identifying a risky operation behavior may vary considerably with different configurations or performance, and may include one or more processors (CPUs) 510 (e.g., one or more processors), a memory 520, and one or more storage media 530 (e.g., one or more mass storage devices) for storing applications 533 or data 532. The memory 520 and the storage media 530 may be transient or persistent storage. The program stored on the storage medium 530 may include one or more modules (not shown), each of which may include a series of computer program operations in the identification device 500 of risk operational behavior. Still further, the processor 510 may be configured to communicate with the storage medium 530 to execute the series of computer program operations in the storage medium 530 on the identification device 500 of risky operational behaviors.
The apparatus 500 for identifying risky operational behaviors may also include one or more power supplies 540, one or more wired or wireless network interfaces 550, one or more input-output interfaces 560, and/or one or more operating systems 531, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc. Those skilled in the art will appreciate that the configuration of the risk operational behavior recognition device illustrated in fig. 5 does not constitute a limitation of the risk operational behavior recognition device and may include more or fewer components than illustrated, or some components may be combined, or a different arrangement of components.
The present invention also provides an identification device for a risk operational behavior; the computer device includes a memory and a processor, the memory stores a computer-readable computer program, and when the computer-readable computer program is executed by the processor, the processor executes the steps of the identification method for a risk operational behavior in the above embodiments.
The present invention also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium, and which may also be a volatile computer-readable storage medium, having stored thereon a computer program, which, when run on a computer, causes the computer to perform the steps of the method for identifying a risky operational behaviour.
Further, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the blockchain node, and the like.
The blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database: a series of data blocks linked by a cryptographic method, each containing the information of a batch of network transactions, which is used to verify the validity (anti-counterfeiting) of the information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several computer programs to enable a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A method for identifying risk operation behaviors, characterized by comprising the following steps:
collecting operation behavior data, and converting the operation behavior data into an operation behavior event to obtain initial operation event data, wherein the initial operation event data comprises at least one of the following data: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data;
performing risk operation behavior identification on the initial operation event data according to a preset risk operation behavior strategy to obtain candidate risk operation behavior data;
according to the operation behavior type, performing risk content identification on the candidate risk operation behavior data to obtain a risk content identification result;
and calculating a risk operation score corresponding to the candidate risk operation behavior data according to the risk content identification result, and determining target risk operation behavior data in the candidate risk operation behavior data according to the risk operation score.
2. The method for identifying risk operation behaviors according to claim 1, wherein the operation behavior data comprises intercepted operation data and/or non-intercepted operation data, and the collecting operation behavior data comprises:
monitoring an operation behavior and judging whether the operation behavior triggers a preset interception condition or not;
if so, intercepting the operation behavior to obtain intercepted operation data;
if not, recording the operation behavior type, the operation behavior content, the operation identity data, the operation behavior time or the operation terminal data corresponding to the operation behavior to a preset operation log to obtain non-intercepted operation data.
3. The method for identifying risk operation behaviors according to claim 1, wherein the collecting operation behavior data and converting the operation behavior data into operation behavior events to obtain initial operation event data comprises:
collecting operation behavior data through a plurality of monitoring plug-ins, wherein each monitoring plug-in corresponds to operation behavior data of one operation behavior type;
analyzing the operation behavior data to obtain an analysis result, and extracting operation behavior event parameters in the analysis result;
and according to a preset data format, carrying out standardized format conversion on the operation behavior event parameters to obtain initial operation event data.
4. The method for identifying risk operation behaviors according to claim 3, wherein the collecting operation behavior data through a plurality of monitoring plug-ins comprises:
receiving an acquisition instruction of operation behavior data, and sending a corresponding monitoring strategy acquisition request according to a terminal identifier and an identity identifier in the acquisition instruction to obtain a plurality of monitoring plug-in identifiers;
updating configuration parameters of the monitoring plug-in corresponding to each monitoring plug-in identifier to obtain a target monitoring plug-in;
and acquiring operation behavior data through the target monitoring plug-in to obtain the operation behavior data.
5. The method for identifying risk operation behaviors according to claim 1, wherein the performing risk operation behavior identification on the initial operation event data according to a preset risk operation behavior strategy to obtain candidate risk operation behavior data comprises:
sending a risk policy acquisition request based on the operation identity data and the operation terminal data;
and generating a risk operation behavior strategy according to the risk strategy acquisition request, and performing risk operation identification of data dimension, event dimension, time interval dimension and authority dimension on the initial operation event data according to the risk operation behavior strategy to obtain candidate risk operation behavior data.
6. The method for identifying risk operation behaviors according to any one of claims 1 to 5, wherein the performing risk content identification on the candidate risk operation behavior data according to the operation behavior type to obtain a risk content identification result comprises:
calling a corresponding preset risk content identification algorithm according to the operation behavior type in the candidate risk operation behavior data, wherein the preset risk content identification algorithm comprises at least one of the following algorithms: a keyword extraction function, an illegal link identification function and a file scanning function;
performing keyword identification on the operation behavior content in the candidate risk operation behavior data through the keyword extraction function to obtain risk keywords;
performing illegal link extraction on the operation behavior content in the candidate risk operation behavior data through the illegal link identification function to obtain a risk link;
performing illegal file scanning on the operation behavior content in the candidate risk operation behavior data through the file scanning function to obtain a risk file;
and combining the risk keywords, the risk links and the risk files to obtain a risk content identification result.
7. The method for identifying risk operation behaviors according to claim 1, wherein the calculating a risk operation score corresponding to the candidate risk operation behavior data according to the risk content identification result, and determining target risk operation behavior data in the candidate risk operation behavior data according to the risk operation score, comprises:
analyzing the risk content identification result to obtain the number of risk contents in the risk content identification result, and calculating the hit rate of the risk contents according to the number of the risk contents;
acquiring a weight coefficient corresponding to the operation behavior type, calculating a risk operation score of the risk content identification result according to the risk content hit rate and the weight coefficient corresponding to the operation behavior type, and judging whether the risk operation score is greater than a preset risk threshold value;
and if the risk operation score is greater than the preset risk threshold, setting the candidate risk operation behavior data corresponding to that risk content identification result as target risk operation behavior data.
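The pipeline of claims 1 to 7 (policy filtering, per-type content identification, weighted hit-rate scoring and thresholding) as an added Python example; it is not part of the patent. The policy dimensions checked (only time interval and authority), the content lists, the weight coefficients, the threshold, the hit-rate definition (checks that hit divided by checks run) and the sample events are all assumed here, since the claims leave them unspecified.

```python
import re
from datetime import datetime
# Constructed policy, content lists, weights and threshold; every value here is assumed.
ALLOWED_HOURS = range(8, 20)                      # time-interval dimension of claim 5
ALLOWED_OPS = {"analyst": {"chat", "upload"}, "admin": {"chat", "upload", "export"}}  # authority dimension
RISK_KEYWORDS = {"password", "confidential", "salary"}
RISK_LINK_RE = re.compile(r"https?://\S+\.(?:xyz|top)\b")
WEIGHTS = {"chat": 0.6, "upload": 0.8, "export": 1.0}   # weight coefficient per operation behavior type
THRESHOLD = 0.5

def policy_candidates(events):
    """Claim 5: keep events outside allowed hours or beyond the role's rights."""
    out = []
    for e in events:
        hour = datetime.fromisoformat(e["time"]).hour
        if hour not in ALLOWED_HOURS or e["type"] not in ALLOWED_OPS.get(e["role"], set()):
            out.append(e)
    return out

def identify_content(e):
    """Claim 6: keyword, illegal-link and file checks merged into one result dict."""
    words = set(re.findall(r"[a-z]+", e["content"].lower()))
    return {"keywords": sorted(words & RISK_KEYWORDS),
            "links": RISK_LINK_RE.findall(e["content"]),
            "files": [f for f in e.get("files", []) if f.lower().endswith((".exe", ".vbs"))]}

def risk_score(e, result):
    """Claim 7: hit rate (assumed: checks that hit / checks run) times the type weight."""
    hit_rate = sum(1 for hits in result.values() if hits) / len(result)
    return round(hit_rate * WEIGHTS.get(e["type"], 1.0), 3)

def target_risk_events(events):
    """Claims 1-7 end to end: (event id, score, result) for every score above threshold."""
    targets = []
    for e in policy_candidates(events):
        result = identify_content(e)
        score = risk_score(e, result)
        if score > THRESHOLD:
            targets.append((e["id"], score, result))
    return targets

# Constructed sample events in the normalized format of claim 3 (not real data).
EVENTS = [
    {"id": "evt-1", "type": "export", "role": "analyst", "time": "2021-09-28T14:05:00",
     "content": "confidential salary data http://files.xyz/q"},          # beyond role rights
    {"id": "evt-2", "type": "chat", "role": "admin", "time": "2021-09-28T12:00:00",
     "content": "my password reset worked"},                              # allowed: not a candidate
    {"id": "evt-3", "type": "upload", "role": "analyst", "time": "2021-09-28T02:15:00",
     "content": "see attached", "files": ["report.pdf", "tool.exe"]},     # outside allowed hours
]
```

Note that evt-2 carries a risk keyword but is never scored, because claim 5 runs before claim 6: only policy candidates reach content identification.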
8. An apparatus for identifying risk operation behaviors, the apparatus comprising:
the acquisition module is used for acquiring operation behavior data and converting the operation behavior data into operation behavior events to obtain initial operation event data, wherein the initial operation event data comprises at least one of the following data: operation behavior type, operation behavior content, operation identity data, operation behavior time or operation terminal data;
the matching module is used for carrying out risk operation behavior identification on the initial operation event data according to a preset risk operation behavior strategy to obtain candidate risk operation behavior data;
the identification module is used for carrying out risk content identification on the candidate risk operation behavior data according to the operation behavior type to obtain a risk content identification result;
and the calculation module is used for calculating a risk operation score corresponding to the candidate risk operation behavior data according to the risk content identification result, and determining target risk operation behavior data in the candidate risk operation behavior data according to the risk operation score.
9. A device for identifying risk operation behaviors, characterized in that the device comprises a memory and at least one processor, the memory having a computer program stored therein;
the at least one processor calls the computer program in the memory to cause the device to perform the method for identifying risk operation behaviors according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the method for identifying risk operation behaviors according to any one of claims 1 to 7.
CN202111139826.2A 2021-09-28 2021-09-28 Risk operation behavior identification method, device, equipment and storage medium Pending CN113849810A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111139826.2A CN113849810A (en) 2021-09-28 2021-09-28 Risk operation behavior identification method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111139826.2A CN113849810A (en) 2021-09-28 2021-09-28 Risk operation behavior identification method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113849810A true CN113849810A (en) 2021-12-28

Family

ID=78980681

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111139826.2A Pending CN113849810A (en) 2021-09-28 2021-09-28 Risk operation behavior identification method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113849810A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114723269A (en) * 2022-03-31 2022-07-08 支付宝(杭州)信息技术有限公司 Method, device and equipment for risk prevention and control of event

Similar Documents

Publication Publication Date Title
CN110399925B (en) Account risk identification method, device and storage medium
CN110324310A (en) Networked asset fingerprint identification method, system and equipment
CN108964995A (en) Log correlation analysis method based on time shaft event
CN109587125B (en) Network security big data analysis method, system and related device
CN110020687B (en) Abnormal behavior analysis method and device based on operator situation perception portrait
CN108156131A (en) Webshell detection methods, electronic equipment and computer storage media
CN105069355A (en) Static detection method and apparatus for webshell deformation
CN112560029A (en) Website content monitoring and automatic response protection method based on intelligent analysis technology
US20230418943A1 (en) Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same
CN113918526A (en) Log processing method and device, computer equipment and storage medium
CN116861446A (en) Data security assessment method and system
CN112437034B (en) False terminal detection method and device, storage medium and electronic device
CN113886829B (en) Method and device for detecting defect host, electronic equipment and storage medium
CN113849810A (en) Risk operation behavior identification method, device, equipment and storage medium
CN111930726A (en) Off-line form-based grade protection evaluation data acquisition and analysis method and system
CN117176441A (en) System and method for detecting security log event of network equipment
CN112528325B (en) Data information security processing method and system
CN116248393A (en) Intranet data transmission loophole scanning device and system
CN115509854A (en) Inspection processing method, inspection server and inspection system
Shakya et al. Intrusion detection system using back propagation algorithm and compare its performance with self organizing map
CN113839956A (en) Data security evaluation method, device, equipment and storage medium
US20210051107A1 (en) Access origin classification device, access origin classification method, and program
CN113055368A (en) Web scanning identification method and device and computer storage medium
CN115098602B (en) Data processing method, device and equipment based on big data platform and storage medium
CN117807590B (en) Information security prediction and monitoring system and method based on artificial intelligence

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination