CN114117311B - Data access risk detection method and device, computer equipment and storage medium - Google Patents


Info

Publication number: CN114117311B
Authority: CN (China)
Prior art keywords: risk, access, data, link, data access
Legal status: Active (Google's listed status is an assumption, not a legal conclusion)
Application number: CN202210084154.8A
Other languages: Chinese (zh)
Other versions: CN114117311A
Inventors: 黄俊辉, 刘小龙
Current assignee: Shenzhen Hongtu Technology Co ltd
Original assignee: Shenzhen Hongtu Technology Co ltd
Events: application filed by Shenzhen Hongtu Technology Co ltd; priority to CN202210084154.8A; published as CN114117311A; application granted and published as CN114117311B; current legal status Active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • G06F16/972 Access to data in other repository systems, e.g. legacy data or dynamic Web page generation
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9558 Details of hyperlinks; Management of linked annotations

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiment of the invention discloses a data access risk detection method and device, computer equipment and a storage medium. The method comprises the following steps: acquiring a request of a terminal for accessing a service; determining the flow direction of an access path according to the request; acquiring access data by adopting a byte enhancement technology to obtain data access link information; analyzing the importance degree of each branch in the data access link information; calculating risk probability according to the importance degree; judging whether the risk probability exceeds a set threshold value; if the risk probability exceeds the set threshold value, carrying out risk early warning; and if the risk probability does not exceed the set threshold value, returning to the acquisition of access data by adopting the byte enhancement technology to obtain data access link information. By implementing the method provided by the embodiment of the invention, the data access circulation paths between the applications in the system can be automatically found and obtained, the risk detection accuracy is high, and the whole process is simple.

Description

Data access risk detection method and device, computer equipment and storage medium
Technical Field
The present invention relates to a data processing method, and more particularly, to a data access risk detection method, apparatus, computer device, and storage medium.
Background
With the accelerated digital transformation of many enterprises, a data network consisting of application systems is gradually built, and the value of data is continuously highlighted as data is fused with business. The huge value of massive data is accompanied by data security incidents caused by leakage, and data leakage incidents have become an unavoidable reality.
At present, the range of data flows covers scenarios such as internal link circulation, internal application and external sharing in which risk detection is lacking, and changes to the network architecture multiply the data circulation paths: the more data is accessed, the greater the leakage risk, so effectively detecting and evaluating the risk of accessed data has become a security capability every enterprise needs to build. Existing data risk detection technologies can warn of and prevent data leakage to varying degrees, but most of them revolve around a single link or node in the whole life cycle of the data; a detection means that takes data circulation and use as its dimension is lacking, so the nodes on a data circulation path cannot be detected and connected in series. Risk detection usually relies on an algorithm model or a comparison model; a computer cannot self-repair errors in the model or algorithm, such errors have a larger influence on algorithms at other levels, and the detection precision is insufficient and may carry a large error. Under each single application system of an enterprise there are still many subsystems, each with its own next-level branches; combined with the complexity of the detection technology, the whole detection flow becomes disordered and complicated, and because the data circulation situation cannot be effectively sorted out, the operation and composition of existing risk detection technologies are complex.
In summary, existing data access risk detection means lack correlation: they do not introduce the concepts and methods of link tracking, cannot evaluate risk from the perspective of data flow, and do not correlate the nodes passed through during data access. The evaluation mode is single, evaluating the risk of one node at a time, so mis-hits occur easily; a method that evaluates by combining multi-node risks is lacking, and the precision and accuracy of risk evaluation are poor. The process and composition are disordered: risk is not detected by a simplified, inductive method, and the hierarchical relationship between the system and data circulation is not put to use.
Therefore, a new method needs to be designed that automatically discovers and acquires the data access circulation paths between the applications in the system, with high risk detection accuracy and a simple overall process.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a data access risk detection method, a data access risk detection device, a computer device and a storage medium.
In order to achieve the purpose, the invention adopts the following technical scheme: the data access risk detection method comprises the following steps:
acquiring a request of a terminal for accessing a service;
determining the flow direction of an access path according to the request;
acquiring access data by adopting a byte enhancement technology to obtain data access link information;
analyzing the importance degree of each branch in the data access link information;
calculating risk probability according to the importance degree;
judging whether the risk probability exceeds a set threshold value;
if the risk probability exceeds a set threshold value, carrying out risk early warning;
and if the risk probability does not exceed a set threshold value, executing the acquisition of the access data by adopting the byte enhancement technology to obtain data access link information.
The further technical scheme is as follows: the determining the flow direction of the access path according to the request comprises:
generating a global tracking identifier according to the request;
generating and calling a corresponding link node identifier according to the request;
and determining context relationship information according to the link node identification to obtain the flow direction of the access path.
The further technical scheme is as follows: determining context information according to the link node identifier to obtain an access path flow direction, including:
recording the father node identification of the link node identification;
and determining context relationship information according to the association relation between the link node identification and the father node identification, and generating an access path flow direction by combining the global tracking identification.
The further technical scheme is as follows: the acquiring access data by adopting the byte enhancement technology to obtain the data access link information comprises the following steps:
deploying the probe to an application system needing to capture link information;
acquiring access data by adopting a byte enhancement technology;
and transmitting the access data, and collecting calling information in the access data to obtain data access link information.
The further technical scheme is as follows: the data access link information includes a link ID, a link node identification, a parent node identification, a node name, a call start time, and a call end time.
The further technical scheme is as follows: the calculating the risk probability according to the importance degree comprises the following steps:
calculating the product of the importance degree of each branch and the probability of the risk of the branch node to obtain the branch risk probability;
and calculating the sum of the risk probabilities of all the branches to obtain the risk probability.
The invention also provides a data access risk detection device, comprising:
a request acquisition unit for acquiring a request for accessing a service of a terminal;
a flow direction determining unit, configured to determine a flow direction of the access path according to the request;
the acquisition unit is used for acquiring the access data by adopting a byte enhancement technology to obtain data access link information;
the analysis unit is used for analyzing the importance degree of each branch in the data access link information;
a probability calculation unit for calculating a risk probability according to the importance degree;
the judging unit is used for judging whether the risk probability exceeds a set threshold value or not;
and the early warning unit is used for carrying out risk early warning if the risk probability exceeds a set threshold value.
The further technical scheme is as follows: the flow direction determination unit includes:
the global identification generation subunit is used for generating a global tracking identification according to the request;
a node identifier generating subunit, configured to generate and call a corresponding link node identifier according to the request;
and the context determining subunit is configured to determine context information according to the link node identifier, so as to obtain an access path flow direction.
The invention also provides computer equipment comprising a memory and a processor, wherein the memory stores a computer program and the processor implements the method described above when executing the computer program.
The invention also provides a storage medium storing a computer program which, when executed by a processor, implements the method described above.
Compared with the prior art, the invention has the following beneficial effects. According to the method, the access path flow direction is determined by finding the data access circulation path among the applications in the system according to the terminal's request; the access data corresponding to the request is collected to determine the data access link information; the risk probability of the whole access link is determined from the importance degree of each branch; whether a risky access behaviour exists is decided against the set threshold; and a risk early warning is issued for the link with the risky access behaviour. In this way the data access circulation paths among the applications in the system are automatically found and obtained, the risk detection accuracy is high, and the whole process is simple.
The invention is further described below with reference to the accompanying drawings and specific embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of an application scenario of a data access risk detection method according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a data access risk detection method according to an embodiment of the present invention;
fig. 3 is a schematic sub-flow diagram of a data access risk detection method according to an embodiment of the present invention;
fig. 4 is a schematic sub-flow diagram of a data access risk detection method according to an embodiment of the present invention;
fig. 5 is a schematic sub-flow diagram of a data access risk detection method according to an embodiment of the present invention;
fig. 6 is a schematic sub-flow diagram of a data access risk detection method according to an embodiment of the present invention;
FIG. 7 is a schematic block diagram of a data access risk detection apparatus provided by an embodiment of the present invention;
fig. 8 is a schematic block diagram of a flow direction determination unit of a data access risk detection apparatus provided in an embodiment of the present invention;
FIG. 9 is a schematic block diagram of a context determination subunit of the data access risk detection apparatus according to the present invention;
fig. 10 is a schematic block diagram of an acquisition unit of the data access risk detection apparatus provided in the embodiment of the present invention;
fig. 11 is a schematic block diagram of a probability calculation unit of a data access risk detection apparatus according to an embodiment of the present invention;
FIG. 12 is a schematic block diagram of a computer device provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic view of an application scenario of a data access risk detection method according to an embodiment of the present invention, and fig. 2 is a schematic flowchart of that method. The data access risk detection method is applied to a server. The server and the terminal exchange data; the server is provided with an agent (an application client), which communicates with a management terminal running on a dedicated server. When the terminal interacts with the server, that is, when the terminal initiates a business process and accesses the service, the server generates a global tracking identifier (the link ID), generates and calls a corresponding link node identifier for each request or access initiated by the user, and determines the context relationship, so as to determine the access path flow direction corresponding to that access or request. Access data is then collected; the data access link information corresponding to it carries the link ID, the link node identifier and the context relationship, from which the risk probability of each branch in the data access link information is determined and the total risk probability is calculated. When the total risk probability exceeds the threshold, a risk early warning is issued. In this way the data flow path of the application system is acquired automatically, the collected data access link information is gathered, integrated and stored, and the data access risk of the link is detected comprehensively, so as to prevent the risk of data leakage.
Fig. 2 is a schematic flow chart of a data access risk detection method according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S170.
S110, acquiring a request of the terminal for accessing the service.
In this embodiment, the request refers to a request instruction corresponding to the terminal accessing the service and initiating the access.
A user initiates a service flow at a terminal according to their needs and operates on the terminal; while operating the terminal, the user accesses application system services; to access a service or page, a request must first be initiated to obtain the corresponding server response. Data flows during the request and the service calls, and the flow passes through the associated application services, interfaces, databases and so on. For example, for a user placing an order, the path may cover the order-web service, product-service, order-service and the like, and the related databases may include product-DB (product database), order-DB (order database) and the like.
And S120, determining the flow direction of the access path according to the request.
In this embodiment, the access path flow direction refers to the context of each parent node through which the request passes and the corresponding link ID.
The access path flow direction is produced by a link tracing engine built into the server; the engine is independent of the user platform and of the API interface itself and can conveniently trace data access call links. Each node call on the data circulation path during data access is given an identifier, so that a complete data access request link is eventually formed, and a complete data access request is defined by a global identifier so that each data access call can be associated with it.
In an embodiment, referring to fig. 3, the step S120 may include steps S121 to S123.
And S121, generating a global tracking identifier according to the request.
In this embodiment, the global tracking identifier refers to a link ID. The link ID is global and unique; within the same complete request link it does not change as nodes are added, and it is the identification number of the whole link through which the current request passes.
And S122, generating and calling a corresponding link node identifier according to the request.
In this embodiment, the link node identifier refers to the current node number of each call.
Specifically, for each service call the link tracking engine creates a current node number corresponding to that call, and the node numbers accumulate as the calls increase. For example, the calling node of service A is numbered 1 and the calling node of service B is numbered 2; the child nodes under service A are numbered 1.1, 1.2, 1.3, ..., 1.x, and the child nodes under service B are numbered 2.1, 2.2, 2.3, ..., 2.x.
And S123, determining context relationship information according to the link node identification to obtain the flow direction of the access path.
In an embodiment, referring to fig. 4, the step S123 may include steps S1231 to S1232.
S1231, recording a father node identifier of the link node identifier;
S1232, determining context relationship information according to the association relation between the link node identification and the father node identification, and generating an access path flow direction by combining the global tracking identification.
The link tracking engine then records the number of the parent node of the currently called node. For example, in the request link whose link ID is 001 there are three nodes 0, 1 and 1.1: the parent node of node 1 is node 0, and the parent node of node 1.1 is node 1. Two adjacent calls are associated through the relation between the current node and its parent node: if the node number of service B calling C is 1.1, its parent node number is 1, the node number of service A calling B. So that each call is associated with the complete link, every call carries the global tracking identifier (the link ID), which is transmitted along with the context information and ties each node to the whole link.
Specifically, a node is used to mark the access path flow direction, where a node comprises a link ID, a parent node number and a current node number. Each time a user accesses an application client a globally unique identifier, the link ID, is generated, and that one access is identified by the link ID. One access may involve several services, that is, several method interface functions in several processes. The data transferred between services is generally divided into a header and a body part: HTTP has a header and a body, and RocketMQ (message middleware with a queue model) likewise has a message header and a message body, the body generally carrying the business data. When the user's access proceeds to the next service, the globally unique link ID and the context information of the current node are placed in the header of the communication data and transmitted to the next service, and after a service has finished processing, all of the interface function information under that service is uploaded to the data receiving point, where the data is summarized.
The context information is identified by the parent node number and the current node number; that is, it consists of the numbers of the parent node and the current node. The two numbers have a strict sequential relationship and are natural numbers. The parent node number generally comes from the current node number of the previous node: the first node has parent node number 0 and current node number 1; when the second node receives the data of the first node, it takes the current node number of the first node from the context relationship as its own parent node number and uses parent node number + 1 as its own current node number, and so on until the last node. The following is schematic content written into the link access information:
node(link ID 2fa91f5cf3941171, parent node number 0, current node number 1), node(link ID 2fa91f5cf3941171, parent node number 1, current node number 2), node(link ID 2fa91f5cf3941171, parent node number 2, current node number 3), node(link ID 2fa91f5cf3941171, parent node number 3, current node number 4), …
The link identification mode is convenient and clear.
And S130, acquiring access data by adopting a byte enhancement technology to obtain data access link information.
In this embodiment, the data access link information refers to information called each time carried in the access data.
In an embodiment, referring to fig. 5, the step S130 may include steps S131 to S133.
S131, deploying the probe to an application system needing to capture link information;
and S132, acquiring access data by adopting a byte enhancement technology.
In this embodiment, the collection of access data by the byte enhancement technology is described in Chinese patent application CN202110337078.2 and is not repeated here.
S133, transmitting the access data, and collecting calling information in the access data to obtain data access link information.
The probe is deployed in advance to the application system whose link information is to be captured; through bytecode enhancement (the "byte enhancement technology" above), data access link information is collected non-invasively; the probe transmits the access data over HTTP, and the information collected from the access data for each call comprises the link ID, node number, parent node number, node name, call start time, call end time and so on. The information of each call, that is, the data access link information, is shown in table 1.
TABLE 1 data access link information (rendered as an image in the original; its columns are the fields just listed: link ID, node number, parent node number, node name, call start time, call end time)
After the access data transmitted by the probe is subjected to integration analysis processing, data access link information is formed and stored in a corresponding storage medium, and the storage medium supports MySQL, H2 and the like for data storage.
To form the data access link information, the nodes with the same link ID are extracted as target nodes, a target node being a node that carries that link ID. The nodes of the target data with the same link ID are classified, which facilitates the subsequent fault analysis and data flow analysis of application operation and maintenance management. The management terminal extracts the context relationship information of the target nodes; in this embodiment each target node has a link ID, a parent node number and a current node number, so once the target nodes are determined the access path flow direction follows from the context information. The management terminal sorts the nodes by access order according to the context relationship information to obtain a sorting result, and according to that result extracts the request and response application interface information of each node to obtain an access link information graph based on the application interface. In this embodiment, that graph is formed by the access paths of the application interface for the requests and responses of each node, and it constitutes the data access link information.
In this embodiment, the sorting result refers to the order of node access, and is sorted according to the time sequence.
In this embodiment, the data access link information includes a link ID, a link node identifier, a parent node identifier, a node name, a call start time, and a call end time.
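As an added example (not code from the patent or from Shenzhen Hongtu), the following Python simulates the context propagation of step S120 and the collector-side reconstruction of step S130: each simulated service reads the context from the incoming message header, takes the caller's current node number as its parent node number, numbers itself parent node number + 1, uploads one record with the table 1 fields, and forwards its own context in the outgoing header; the collector then groups records by link ID, sorts them by call start time and rebuilds the access path. The header names (X-Link-ID, X-Parent-Node, X-Current-Node), the service chain, the random 16-hex-digit link ID and the orphan-parent check are assumptions; the page only states which fields travel and the numbering rule.

```python
"""Added example (not from the patent): propagating the global tracking
identifier (link ID) and the parent/current node numbers between services,
then rebuilding the access path from the uploaded link records."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Constructed header names: the page says the link ID and the current node's
# context travel in the message header but does not name the fields.
H_LINK, H_PARENT, H_NODE = "X-Link-ID", "X-Parent-Node", "X-Current-Node"

# Constructed service chain, following the page's order-placement example.
ORDER_CHAIN = ["order-web", "order-service", "product-service", "product-DB"]


@dataclass
class Record:
    """One call, with the data access link information fields of table 1."""
    link_id: str
    node: int        # current node number
    parent: int      # parent node number (0 for the entry node)
    name: str        # node name
    start: float     # call start time
    end: float       # call end time


def new_link_id() -> str:
    """Global tracking identifier: one random 64-bit hex value per request
    (same shape as the page's 2fa91f5cf3941171)."""
    return secrets.token_hex(8)


def call_service(name: str, headers: dict, collector: Collector) -> dict:
    """Simulated service node: read the caller's context from the incoming
    header, take the caller's current node number as the parent number,
    number this node parent + 1 (the page's rule), upload the record, and
    return the outgoing header for the next service."""
    link_id = headers[H_LINK]
    parent = int(headers.get(H_NODE, 0))   # entry request carries no node: parent 0
    node = parent + 1
    start = time.time()
    # ... the service's own business logic would run here ...
    end = time.time()
    collector.upload(Record(link_id, node, parent, name, start, end))
    return {H_LINK: link_id, H_PARENT: str(parent), H_NODE: str(node)}


def run_request(chain: list[str], collector: Collector) -> str:
    """Entry point: mint the link ID once per terminal request and pass the
    context down the chain.  Returns the link ID."""
    headers = {H_LINK: new_link_id()}
    for name in chain:
        headers = call_service(name, headers, collector)
    return headers[H_LINK]


class Collector:
    """Receiving side: stores the records and rebuilds the path per link ID."""

    def __init__(self) -> None:
        self.records: list[Record] = []

    def upload(self, rec: Record) -> None:
        self.records.append(rec)

    def by_link(self, link_id: str) -> list[Record]:
        """Target nodes (same link ID) sorted by call start time, then node number."""
        recs = [r for r in self.records if r.link_id == link_id]
        return sorted(recs, key=lambda r: (r.start, r.node))

    def orphan_nodes(self, link_id: str) -> list[int]:
        """Consistency check (assumption, not in the patent): every parent
        number must be 0 or the number of a node seen earlier in the link."""
        seen, orphans = {0}, []
        for r in self.by_link(link_id):
            if r.parent not in seen:
                orphans.append(r.node)
            seen.add(r.node)
        return orphans

    def path(self, link_id: str) -> list[str]:
        """Access path flow direction as the ordered list of node names."""
        return [r.name for r in self.by_link(link_id)]


if __name__ == "__main__":
    c = Collector()
    lid = run_request(ORDER_CHAIN, c)
    for r in c.by_link(lid):
        print(f"node(link ID {r.link_id}, parent node number {r.parent}, current node number {r.node}, {r.name})")
    print("path:", " -> ".join(c.path(lid)))
```

Running the block prints four node records with the same link ID and parent/current pairs (0,1), (1,2), (2,3), (3,4), exactly the shape shown above, followed by the reconstructed path. The orphan check is worth keeping on a real collector: a record whose parent number was never seen means a service dropped or rewrote the header, and such a link cannot be scored reliably in the later steps.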
And S140, analyzing the importance degree of each branch in the data access link information.
In this embodiment, the importance level of each branch refers to the importance level of each data access link branch, that is, the corresponding weight value.
Reading link information of a data access from a data storage medium;
According to the classification and grading of the specific data fields accessed, the importance degree of the node path is recorded, denoted by the letter I_k. The importance degree is generally judged in one of two ways: the first is empirical, weighing each system against the whole, setting the sum of the importance of all systems to 1 and then dividing it among them; the second assigns importance degrees according to industry data-rating specifications and standards. For example, by field grading, "general" corresponds to importance 0.3, "secret" to importance 0.5 and "absolute" to importance 0.7.
And S150, calculating the risk probability according to the importance degree.
In this embodiment, the risk probability refers to the probability that the entire data access link has an access risk.
In an embodiment, referring to fig. 6, the step S150 may include steps S151 to S152.
And S151, calculating the product of the importance degree of each branch and the probability of the risk of the branch node to obtain the branch risk probability.
In this embodiment, the branch risk probability refers to the product of the importance of each branch and the probability of risk occurrence of the branch node.
The current risk value of a certain branch node k is P_k, and its branch risk probability is calculated by the formula R_k = I_k × P_k. The more paths through which the data field is acquired, the greater the risk probability; that is, P_k is related to the number of data access paths.
And S152, calculating the sum of the risk probabilities of all the branches to obtain the risk probability.
Since the branch nodes in the whole access link are many rather than unique, assume that a complete request link has N nodes; the risk values of the individual branch nodes are superimposed into the risk value that may exist in the whole data access link, calculated as R = R_1 + R_2 + R_3 + ... + R_N.
And S160, judging whether the risk probability exceeds a set threshold value.
In this embodiment, the set threshold includes a high risk threshold and a medium risk threshold.
Specifically, the risk probability is compared with the preset thresholds to obtain the final risk evaluation result. For example, with a risk threshold of 0.8, a calculated risk probability of 0.8 or more means the data access link is at high risk, and so is the data field corresponding to the link; with a risk threshold of 0.5, a risk probability of at least 0.5 but less than 0.8 means the link and its corresponding data field are at medium risk; and with a risk threshold of 0.3, a risk probability of at least 0.3 but less than 0.5 means the link and its corresponding data field are at low risk.
S170, if the risk probability exceeds a set threshold value, carrying out risk early warning;
if the risk of the data access link is high risk, providing corresponding risk early warning prompt, and providing basis and assistance for a risk behavior blocking and intercepting tool of a third party; and if the risk of the data access link is the medium-low risk, performing manual intervention, performing further judgment and evaluation, and continuously monitoring the data field of the corresponding link to prevent the possibility of further risk expansion.
If the risk probability does not exceed the set threshold, the step S130 is executed.
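The risk calculation of steps S151 to S170, worked through as an added example in Python; this is not code from the patent or its assignee. It assumes that the importance degree Ik and the branch risk probability Pk are supplied per branch as plain numbers (the description does not fix their scale), uses the thresholds 0.8, 0.5 and 0.3 given above, and reads a result below the lowest threshold as the case that returns to step S130 to keep collecting access data; the branch names, field names and action labels in the sample input are constructed.

```python
"""Link risk aggregation and threshold grading of steps S151 to S170 (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Branch:
    """One branch of a data access link (field names assumed, not from the patent)."""
    name: str
    importance: float   # I_k: importance degree of the branch
    risk_prob: float    # P_k: probability that a risk occurs at the branch node


# Thresholds stated in the description: >= 0.8 high, >= 0.5 medium, >= 0.3 low.
HIGH_RISK, MEDIUM_RISK, LOW_RISK = 0.8, 0.5, 0.3


def branch_risk(branch: Branch) -> float:
    """S151: R_k = I_k * P_k."""
    return branch.importance * branch.risk_prob


def link_risk(branches: List[Branch]) -> float:
    """S152: R = R_1 + R_2 + ... + R_N over the N branch nodes of one request link."""
    return sum(branch_risk(b) for b in branches)


def grade(risk: float) -> str:
    """S160: compare the link risk against the set thresholds."""
    if risk >= HIGH_RISK:
        return "high"
    if risk >= MEDIUM_RISK:
        return "medium"
    if risk >= LOW_RISK:
        return "low"
    return "none"


def evaluate(branches: List[Branch]) -> Tuple[float, str, str]:
    """Return (link risk rounded to 4 places, risk level, follow-up action) as in S170.

    High risk raises an early warning that a blocking/interception tool can act on;
    medium and low risk go to manual review with continued monitoring of the data
    field; below every threshold the method returns to collecting access data
    (step S130). The action labels are assumed, not taken from the patent.
    """
    risk = round(link_risk(branches), 4)
    level = grade(risk)
    action = {
        "high": "early_warning",
        "medium": "manual_review_and_monitor",
        "low": "manual_review_and_monitor",
        "none": "continue_collection",
    }[level]
    return risk, level, action


# Constructed sample links; the values are illustrative, not measured.
SAMPLE_HIGH = [
    Branch("gateway", 0.9, 0.5),
    Branch("order-service", 0.6, 0.5),
    Branch("customer-db.phone", 1.0, 0.2),
]
SAMPLE_MEDIUM = [
    Branch("report-service", 0.4, 0.5),
    Branch("customer-db.address", 0.7, 0.5),
]
SAMPLE_NONE = [Branch("health-check", 0.1, 0.1)]

if __name__ == "__main__":
    for label, link in (("high", SAMPLE_HIGH), ("medium", SAMPLE_MEDIUM), ("none", SAMPLE_NONE)):
        print(label, evaluate(link))
```

Because R is a plain sum of the branch products, a link with many branches can exceed 1.0 even when every Pk is small; whoever deploys the thresholds above should therefore fix the scale of Ik and Pk first, otherwise long links are graded high simply for being long.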
A link risk analysis and evaluation formula is constructed, and the importance degree and risk probability of each branch involved in the link during data access are calculated, so that the importance degree and risk condition of the whole link can be evaluated and detected, the lack of precautionary measures against risk is remedied, and the risk value is reduced as far as possible.
The method obtains the link information of the flow path from inside the data circulation, automatically combs and collects the link assets, correlates the importance degree and risk probability of each branch in the link, and comprehensively evaluates and detects data access risk; the whole risk detection and grading process neither influences nor interferes with the business logic of the original application system. The method can automatically discover and acquire the data access circulation paths among all applications in the system and obtain the data flow situation from a complete perspective; combining link circulation with a risk analysis formula provides a more accurate means of risk detection; introducing the concept of the full link for tracking and analyzing data access offers a new approach to data security analysis within an application system. The access frequency of important data fields in an enterprise application system is monitored, with attention focused on frequently accessed fields; this makes it convenient for enterprise security personnel to learn the internal data circulation situation; the data access risk detection process is automated, which ensures the efficiency of data security risk prevention; and, based on the link risk analysis method, the data access risks of the enterprise application system are discovered and evaluated in advance, so that risk response means and schemes can be prepared further.
According to the data access risk detection method, the data access circulation path among the applications in the system is determined from the terminal's request, the flow direction of the access path is determined, the access data corresponding to the request is collected, and the data access link information is determined; the risk probability of the whole access link is obtained by calculating the risk probability of each branch from its importance degree, whether a risky access behavior exists is decided according to the set threshold, and risk early warning is issued for links showing risky access behavior. The data access circulation paths among the applications in the system are thus discovered and obtained automatically, the risk detection accuracy is high, and the whole process is simple.
Fig. 7 is a schematic block diagram of a data access risk detection apparatus 300 according to an embodiment of the present invention. As shown in fig. 7, the present invention further provides a data access risk detection apparatus 300 corresponding to the above data access risk detection method. The data access risk detection apparatus 300 includes means for performing the above-described data access risk detection method, and the apparatus may be configured in a server. Specifically, referring to fig. 7, the data access risk detection apparatus 300 includes a request acquisition unit 301, a flow direction determination unit 302, a collection unit 303, an analysis unit 304, a probability calculation unit 305, a judgment unit 306, and an early warning unit 307.
The request acquisition unit 301 is configured to acquire a request from a terminal for accessing a service; the flow direction determining unit 302 is configured to determine the flow direction of the access path according to the request; the acquisition unit 303 is configured to acquire access data using a byte enhancement technology to obtain data access link information; the analysis unit 304 is configured to analyze the importance degree of each branch in the data access link information; the probability calculation unit 305 is configured to calculate the risk probability according to the importance degree; the judgment unit 306 is configured to judge whether the risk probability exceeds a set threshold value and, if it does not, to have the access data acquired again using the byte enhancement technology to obtain data access link information; and the early warning unit 307 is configured to perform risk early warning if the risk probability exceeds the set threshold value.
In an embodiment, as shown in fig. 8, the flow direction determining unit 302 includes a global identity generating subunit 3021, a node identity generating subunit 3022, and a context determining subunit 3023.
A global identifier generating subunit 3021, configured to generate a global tracking identifier according to the request; a node identifier generating subunit 3022, configured to generate and invoke a corresponding link node identifier according to the request; a context determining subunit 3023, configured to determine context information according to the link node identifier, so as to obtain an access path flow direction.
In an embodiment, as shown in fig. 9, the context determining subunit 3023 includes a recording module 30231 and a flow direction generating module 30232.
A recording module 30231, configured to record a parent node identifier of the link node identifier; a flow direction generating module 30232, configured to determine context information according to an association relationship between the link node identifier and the parent node identifier, and generate an access path flow direction by combining the global trace identifier.
In one embodiment, as shown in fig. 10, the acquisition unit 303 includes a deployment sub-unit 3031, a data acquisition sub-unit 3032, and a collection sub-unit 3033.
A deployment subunit 3031, configured to deploy the probe to an application system that needs to capture link information; a data acquisition subunit 3032, configured to acquire access data by using a byte enhancement technique; and the collecting subunit 3033 is configured to transmit the access data, and collect call information in the access data to obtain data access link information.
In one embodiment, as shown in fig. 11, the probability calculation unit 305 includes a product calculation subunit 3051 and a summation subunit 3052.
The product calculation subunit 3051 is configured to calculate a product of the importance degree of each branch and the probability of the risk occurring at the branch node, so as to obtain a branch risk probability; and the summation subunit 3052 is configured to calculate a sum of the risk probabilities of all the branches to obtain the risk probability.
It should be noted that, as can be clearly understood by those skilled in the art, for the specific implementation processes of the data access risk detection apparatus 300 and each unit, reference may be made to the corresponding descriptions in the foregoing method embodiments, and for convenience and brevity of description, no further description is provided herein.
The data access risk detection apparatus 300 may be implemented in the form of a computer program that can be run on a computer device as shown in fig. 12.
Referring to fig. 12, fig. 12 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, wherein the server may be an independent server or a server cluster composed of a plurality of servers.
Referring to fig. 12, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer programs 5032 include program instructions that, when executed, cause the processor 502 to perform a data access risk detection method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of the computer program 5032 in the non-volatile storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 may be caused to perform a data access risk detection method.
The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the configuration shown in fig. 12 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation of the computer device 500 to which the present application may be applied, and that a particular computer device 500 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
Wherein the processor 502 is configured to run the computer program 5032 stored in the memory to implement the following steps:
acquiring a request of a terminal for accessing a service; determining the flow direction of an access path according to the request; acquiring access data by adopting a byte enhancement technology to obtain data access link information; analyzing the importance degree of each branch in the data access link information; calculating risk probability according to the importance degree; judging whether the risk probability exceeds a set threshold value; if the risk probability exceeds a set threshold value, carrying out risk early warning; and if the risk probability does not exceed a set threshold value, executing the acquisition of the access data by adopting the byte enhancement technology to obtain data access link information.
In an embodiment, when the processor 502 implements the step of determining the flow direction of the access path according to the request, the following steps are specifically implemented:
generating a global tracking identifier according to the request; generating and calling a corresponding link node identifier according to the request; and determining context relationship information according to the link node identification to obtain the flow direction of the access path.
In an embodiment, when implementing the step of determining context information according to the link node identifier to obtain an access path flow direction, the processor 502 specifically implements the following steps:
recording the father node identification of the link node identification; and determining context relationship information according to the incidence relation between the link node identification and the father node identification, and generating an access path flow direction by combining the global tracking identification.
In an embodiment, when implementing the step of acquiring access data by using the byte enhancement technology to obtain data access link information, the processor 502 specifically implements the following steps:
deploying the probe to an application system needing to capture link information; acquiring access data by adopting a byte enhancement technology; and transmitting the access data, and collecting calling information in the access data to obtain data access link information.
The data access link information comprises a link ID, a link node identifier, a father node identifier, a node name, a calling start time and a calling end time.
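Reconstructing the access path flow direction from link records of the kind listed above (global tracking identifier, link node identifier, parent node identifier, node name, call start time and call end time), as an added example in Python that is not code from the patent or its assignee. It also counts how many collected paths reach a given data field, the quantity the description ties to the branch risk probability Pk. The record field names, the trace identifiers and the node names in the sample data are constructed, and a record whose parent identifier was never collected in its link is reported separately rather than silently treated as an entry node.

```python
"""Rebuild data access link flow direction from collected link records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LinkRecord:
    """One collected call record; the field set follows the description, names are assumed."""
    link_id: str              # global tracking identifier shared by all nodes of one request
    node_id: str              # link node identifier
    parent_id: Optional[str]  # parent node identifier; None marks the entry node
    node_name: str            # calling component or accessed data field
    start_ms: int             # calling start time
    end_ms: int               # calling end time


Path = List[str]


def build_flow(records: List[LinkRecord]) -> Tuple[Dict[str, List[Path]], List[LinkRecord]]:
    """Group records by global tracking identifier, chain each node to its parent
    and return every root-to-leaf path per link (children ordered by call start
    time). Records whose parent is absent from their link are returned as orphans
    so that a broken context is visible instead of producing a phantom entry node."""
    by_link: Dict[str, List[LinkRecord]] = defaultdict(list)
    for rec in records:
        by_link[rec.link_id].append(rec)

    flows: Dict[str, List[Path]] = {}
    orphans: List[LinkRecord] = []
    for link_id, recs in by_link.items():
        known = {r.node_id for r in recs}
        children: Dict[str, List[LinkRecord]] = defaultdict(list)
        roots: List[LinkRecord] = []
        for rec in sorted(recs, key=lambda r: r.start_ms):
            if rec.parent_id is None:
                roots.append(rec)
            elif rec.parent_id in known:
                children[rec.parent_id].append(rec)
            else:
                orphans.append(rec)

        paths: List[Path] = []

        def walk(node: LinkRecord, prefix: Path) -> None:
            prefix = prefix + [node.node_name]
            kids = children.get(node.node_id, [])
            if not kids:
                paths.append(prefix)
            for kid in kids:
                walk(kid, prefix)

        for root in roots:
            walk(root, [])
        flows[link_id] = paths
    return flows, orphans


def paths_reaching(flows: Dict[str, List[Path]], data_field: str) -> int:
    """Number of access paths across all links that reach the given data field."""
    return sum(1 for paths in flows.values() for p in paths if data_field in p)


# Constructed sample: two requests; three distinct paths end at the customer phone field,
# and one record (m9) references a parent (m7) that was never collected.
SAMPLE_RECORDS = [
    LinkRecord("trace-001", "n1", None, "gateway", 100, 180),
    LinkRecord("trace-001", "n2", "n1", "order-service", 110, 150),
    LinkRecord("trace-001", "n3", "n2", "customer-db.phone", 120, 140),
    LinkRecord("trace-001", "n4", "n1", "user-service", 151, 175),
    LinkRecord("trace-001", "n5", "n4", "customer-db.phone", 155, 170),
    LinkRecord("trace-002", "m1", None, "gateway", 300, 360),
    LinkRecord("trace-002", "m2", "m1", "report-service", 310, 350),
    LinkRecord("trace-002", "m3", "m2", "customer-db.phone", 320, 340),
    LinkRecord("trace-002", "m9", "m7", "audit-log", 330, 335),
]

if __name__ == "__main__":
    flows, orphans = build_flow(SAMPLE_RECORDS)
    for link_id, paths in flows.items():
        for path in paths:
            print(link_id, " -> ".join(path))
    print("paths reaching customer-db.phone:", paths_reaching(flows, "customer-db.phone"))
    print("orphan records:", [o.node_id for o in orphans])
```

The path count returned by `paths_reaching` is the per-field input a deployment would feed into Pk; the orphan list is worth alerting on in its own right, since a node whose parent was never recorded usually means the probe missed part of the call chain and the link's risk will be underestimated.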
In an embodiment, when the processor 502 implements the step of calculating the risk probability according to the importance degree, the following steps are specifically implemented:
calculating the product of the importance degree of each branch and the probability of the risk of the branch node to obtain the branch risk probability; and calculating the sum of the risk probabilities of all the branches to obtain the risk probability.
It should be understood that, in the embodiment of the present application, the processor 502 may be a central processing unit (CPU), and may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
It will be understood by those skilled in the art that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program instructing associated hardware. The computer program includes program instructions, and the computer program may be stored in a storage medium, which is a computer-readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer-readable storage medium. The storage medium stores a computer program, wherein the computer program, when executed by a processor, causes the processor to perform the steps of:
acquiring a request of a terminal for accessing a service; determining the flow direction of an access path according to the request; acquiring access data by adopting a byte enhancement technology to obtain data access link information; analyzing the importance degree of each branch in the data access link information; calculating risk probability according to the importance degree; judging whether the risk probability exceeds a set threshold value; if the risk probability exceeds a set threshold value, carrying out risk early warning; and if the risk probability does not exceed a set threshold value, executing the acquisition of the access data by adopting the byte enhancement technology to obtain data access link information.
In an embodiment, when the processor executes the computer program to implement the step of determining the access path flow direction according to the request, the following steps are specifically implemented:
generating a global tracking identifier according to the request; generating and calling a corresponding link node identifier according to the request; and determining context relationship information according to the link node identification to obtain the flow direction of the access path.
In an embodiment, when the processor executes the computer program to implement the determining context information according to the link node identifier to obtain the access path flow direction step, the following steps are specifically implemented:
recording the father node identification of the link node identification; and determining context relationship information according to the incidence relation between the link node identification and the father node identification, and generating an access path flow direction by combining the global tracking identification.
In an embodiment, when the processor executes the computer program to realize the step of acquiring access data by using the byte enhancement technology to obtain the data access link information, the following steps are specifically realized:
deploying the probe to an application system needing to capture link information; acquiring access data by adopting a byte enhancement technology; and transmitting the access data, and collecting calling information in the access data to obtain data access link information.
The data access link information comprises a link ID, a link node identifier, a father node identifier, a node name, a calling start time and a calling end time.
In an embodiment, when the step of calculating the risk probability according to the importance degree is implemented by the processor executing the computer program, the following steps are specifically implemented:
calculating the product of the importance degree of each branch and the probability of the risk of the branch node to obtain the branch risk probability; and calculating the sum of the risk probabilities of all the branches to obtain the risk probability.
The storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disk, or any other computer-readable storage medium capable of storing a computer program.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of both, and that the components and steps of the examples have been described generally in terms of their function in the foregoing description in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, various elements or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a terminal, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A data access risk detection method, characterized by comprising the following steps:
acquiring a request of a terminal for accessing a service;
determining the flow direction of an access path according to the request;
acquiring access data by adopting a byte enhancement technology to obtain data access link information;
analyzing the importance degree of each branch in the data access link information;
calculating risk probability according to the importance degree;
judging whether the risk probability exceeds a set threshold value;
if the risk probability exceeds a set threshold value, carrying out risk early warning;
if the risk probability does not exceed a set threshold value, executing the acquisition of access data by adopting the byte enhancement technology to obtain data access link information;
the determining the flow direction of the access path according to the request comprises:
generating a global tracking identifier according to the request;
generating and calling a corresponding link node identifier according to the request;
and determining context relationship information according to the link node identification to obtain the flow direction of the access path.
2. The method for detecting data access risk according to claim 1, wherein the determining context information according to the link node identifier to obtain an access path flow direction comprises:
recording the father node identification of the link node identification;
and determining context relationship information according to the incidence relation between the link node identification and the father node identification, and generating an access path flow direction by combining the global tracking identification.
3. The method for detecting data access risk according to claim 1, wherein the acquiring access data by byte enhancement technology to obtain data access link information comprises:
deploying the probe to an application system needing to capture link information;
acquiring access data by adopting a byte enhancement technology;
and transmitting the access data, and collecting calling information in the access data to obtain data access link information.
4. The data access risk detection method of claim 3, wherein the data access link information comprises a link ID, a link node identification, a parent node identification, a node name, a call start time, and a call end time.
5. The method according to claim 1, wherein the calculating a risk probability according to the importance degree comprises:
calculating the product of the importance degree of each branch and the probability of the risk of the branch node to obtain the branch risk probability;
and calculating the sum of the risk probabilities of all the branches to obtain the risk probability.
6. A data access risk detection apparatus, characterized by comprising:
a request acquisition unit for acquiring a request for accessing a service of a terminal;
a flow direction determining unit, configured to determine a flow direction of the access path according to the request;
the acquisition unit is used for acquiring the access data by adopting a byte enhancement technology to obtain data access link information;
the analysis unit is used for analyzing the importance degree of each branch in the data access link information;
a probability calculation unit for calculating a risk probability according to the importance degree;
the judging unit is used for judging whether the risk probability exceeds a set threshold value or not;
the early warning unit is used for carrying out risk early warning if the risk probability exceeds a set threshold;
the flow direction determination unit includes:
the global identification generation subunit is used for generating a global tracking identification according to the request;
a node identifier generating subunit, configured to generate and call a corresponding link node identifier according to the request;
and the context determining subunit is configured to determine context information according to the link node identifier, so as to obtain an access path flow direction.
7. A computer device, characterized in that the computer device comprises a memory storing a computer program and a processor that implements the method according to any one of claims 1 to 5 when executing the computer program.
8. A storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 5.
CN202210084154.8A 2022-01-25 2022-01-25 Data access risk detection method and device, computer equipment and storage medium Active CN114117311B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210084154.8A CN114117311B (en) 2022-01-25 2022-01-25 Data access risk detection method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114117311A CN114117311A (en) 2022-03-01
CN114117311B true CN114117311B (en) 2022-04-19

Family

ID=80361017

Country Status (1)

Country Link
CN (1) CN114117311B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant