CN114139178A - Data link-based data security monitoring method and device and computer equipment - Google Patents


Info

Publication number
CN114139178A
Authority
CN
China
Prior art keywords
data
log information
asset
link
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111421645.9A
Other languages
Chinese (zh)
Inventor
李国喜
范渊
刘博�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202111421645.9A
Publication of CN114139178A
Legal status: Pending

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a data security monitoring method and apparatus based on a data link, and to computer equipment. The method comprises the following steps: establishing a data flow link with the assets corresponding to the different types of asset information in the collected log information as nodes; and performing risk analysis on the log information and, when the log information is determined to have a risk, determining the node in the data flow link of the asset corresponding to that log information. By collecting log information, different types of asset information are acquired, a data flow link is constructed with the assets as nodes, and the access relations between assets and data are obtained; by performing risk analysis on the log information, it is judged whether a risk exists, the asset information corresponding to the risky log information is acquired, and the node corresponding to that asset is located in the data link. This solves the problem that it could not be identified at which link of the circulation process a data security risk occurs.

Description

Data link-based data security monitoring method and device and computer equipment
Technical Field
The present application relates to the field of information security technologies, and in particular, to a data security monitoring method and apparatus based on a data link, and a computer device.
Background
Today big data technologies are widely applied, data sharing and flow are the norm, and the many links involved in sharing and processing make data circulation hard to track and control. In such a complex circulation environment, the primary data security requirement is to guarantee the security of sensitive data such as the confidential data of organizations and the personal data of users; preventing data from being illegally copied, spread or tampered with during use and circulation is a challenge. Risk analysis based on probe traffic can discover various risk events by analyzing the probe traffic data. However, this approach can only identify security-risk behaviors of individual services; in an enterprise business-logic scenario it cannot determine at which link of the circulation process a data security risk arises.
No effective solution has yet been proposed for the problem of identifying at which link of the circulation process a data security risk occurs.
Disclosure of Invention
The embodiment provides a data security monitoring method and device based on a data link and computer equipment, so as to solve the problem of how to identify which link of data in a circulation process has a security risk.
In a first aspect, in this embodiment, a data link-based data security monitoring method is provided, where the method includes:
establishing a data transfer link by taking assets corresponding to different types of asset information in the collected log information as nodes;
and performing risk analysis on the log information and, when the log information is determined to have a risk, determining the node in the data flow link of the asset corresponding to the log information.
In some embodiments, the constructing a data flow link by using assets corresponding to different types of asset information in the collected log information as nodes includes:
and generating a circulation process of the service data among the asset nodes based on the service flow by taking the assets as the nodes, and constructing a data circulation link.
In some of these embodiments, performing risk analysis on the log information comprises:
matching the log information with a preset risk policy;
when the log information matches the risk policy, determining that the log information has a risk; when it does not match, determining that the log information has no risk.
In some embodiments, the matching the log information with a preset risk policy includes:
extracting specific fields in the business data contained in the log information based on an extraction rule;
and carrying out statistical analysis on the specific field based on statistical and judgment rules to obtain a statistical result, and comparing the statistical result with a specific threshold value to determine a matching result.
In some embodiments, determining the node in the data flow link of the asset corresponding to the log information includes:
when the log information is determined to have a risk, acquiring the asset information corresponding to the log information, marking the asset corresponding to that asset information, and acquiring the node corresponding to the asset information in the data flow link.
In some embodiments, determining the node in the data flow link of the asset corresponding to the log information further includes:
when the log information is determined to have a risk, acquiring the asset information corresponding to the log information, and adding the asset corresponding to that asset information to a blacklist.
In some embodiments, the data link-based data security monitoring method further includes:
and displaying the nodes corresponding to the asset information with risks in the data circulation link.
In a second aspect, in this embodiment, there is provided a data link-based data security monitoring apparatus, including:
the link construction module is used for constructing a data transfer link by taking assets corresponding to different types of asset information in the collected log information as nodes;
and the node determining module is used for performing risk analysis on the log information and, when the log information is determined to have a risk, determining the node in the data flow link of the asset corresponding to the log information.
In a third aspect, in the present embodiment, there is provided a computer device, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the computer program to perform any one of the above-mentioned data link-based data security monitoring methods.
In a fourth aspect, in the present embodiment, a storage medium is provided, on which a computer program is stored, and the program is executed by a processor to implement any one of the above-mentioned data link-based data security monitoring methods.
Compared with the related art, the data link-based data security monitoring method provided in this embodiment acquires different types of asset information by collecting log information, constructs a data transfer link by using the asset information as a node, performs risk analysis on the log information, determines whether the log information has a risk and acquires asset information corresponding to the log information having the risk, finds a node corresponding to the asset in the data link, and solves the problem that it is impossible to identify which link of data in the transfer process has a security risk in the related art.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic application environment diagram of a data link-based data security monitoring method according to an embodiment of the present application.
Fig. 2 is a flowchart of a data link-based data security monitoring method according to an embodiment of the present application.
Fig. 3 is a flowchart of risk analysis on log information according to an embodiment of the present application.
Fig. 4 is a flowchart of a data link-based data security monitoring method according to a preferred embodiment of the present application.
Fig. 5 is a block diagram of a data link-based data security monitoring apparatus according to an embodiment of the present application.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms used herein shall have the same general meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The use of the terms "a" and "an" and "the" and similar referents in the context of this application do not denote a limitation of quantity, either in the singular or the plural. The terms "comprises," "comprising," "has," "having," and any variations thereof, as referred to in this application, are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or modules, but may include other steps or modules (elements) not listed or inherent to such process, method, article, or apparatus. Reference throughout this application to "connected," "coupled," and the like is not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference to "a plurality" in this application means two or more. "And/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In general, the character "/" indicates that the objects before and after it are in an "or" relationship. The terms "first," "second," "third," and the like in this application are used for distinguishing between similar items and not necessarily for describing a particular sequential or chronological order.
The data link-based data security monitoring method provided by the embodiment of the application can be applied to the application environment shown in fig. 1. The assets 102 access the service data 104 through the network and perform operations such as adding, deleting, querying, copying and storing on the corresponding service data according to the business process; the number of assets and of data items is not limited. The assets 102 may be, but are not limited to, various account assets, application assets, host assets, database assets, etc., such as accounts, applications, hosts, interfaces, databases, data tables, servers, personal computers, laptops, smartphones, tablets, portable wearable devices, etc. The service data 104 is data containing business information created according to various business scenarios and business processes, and may contain important data related to confidential information or personal privacy. The data link-based data security monitoring method provided by the embodiment of the application may be executed at an asset end, and the asset end may include one or more processors and a memory for storing data, where the processor may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA. The memory may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the data link-based data security monitoring method in the present embodiment, and the processor executes various functional applications and data processing by running the computer programs stored in the memory, so as to implement the method described above. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
In some embodiments, the memory may further include memory remotely located from the processor. It will be understood by those of ordinary skill in the art that the structure shown in fig. 1 is merely exemplary and is not intended to limit the types and communication manners of the asset or service data. For example, the asset and business data may also include more or fewer quantities and types than shown in FIG. 1, or have a different configuration or different manner of communication than shown in FIG. 1.
In this embodiment, a data security monitoring method based on a data link is provided, and fig. 2 is a flowchart of the data security monitoring method based on the data link according to this embodiment. The embodiment is a process of extracting asset information based on log information, constructing a data circulation link, and positioning the position of a risk asset in the data circulation link according to risk information in the log information. As shown in fig. 2, the process includes the following steps:
step S201, assets corresponding to different types of asset information in the collected log information are used as nodes, and a data circulation link is constructed;
in the data security monitoring platform, log information records information such as operation types, asset identifications, operation time, operation objects of assets on service data, change values of the assets before and after modification of the service data and the like; the log may be an audit log, a traffic log, or the like. The collection may be by flow probe technology for collection of log information. The asset information in the log may include asset information related to the business data and the business process, and may also include unrelated asset information. The method provided by the embodiment of the application only collects the asset information related to the service data, and constructs the data transfer link according to the transfer process of the service data between the corresponding assets. The data flow link is usually established according to a service scene, and may include data flow links corresponding to a plurality of service flows, and a single asset node may also correspond to a plurality of data flow links.
Step S202, performing risk analysis on the log information and, when the log information is determined to have a risk, determining the node in the data flow link of the asset corresponding to the log information.
The log information comprises different types of asset information and the operation information of the assets on the service data. In the data circulation process, depending on the service scenario, different types of assets perform different types of operations on the service data and are granted different operation permissions. The service data itself can also be checked for security risks through risk analysis. According to the data security monitoring requirements, risk analysis is performed on the log information to confirm the flow direction of the service data in the data flow link and whether the operations of the assets on the service data meet the requirements of the data flow link and the operation permissions, and thereby to confirm whether the data is at risk of illegal operations such as leakage or tampering. When an operation of an asset on the service data in the log information is found not to comply with the asset's permissions or the requirements of the data flow link, or when an operation on key information in the service data is abnormal, the log information is determined to have a risk, and the asset corresponding to the risk information is mapped to its node in the data flow link.
Through the steps S201 to S202, the data security monitoring method based on the data link provided in this embodiment acquires asset information of different types by collecting log information, constructs a data transfer link with the asset information as a node, acquires an access relationship between assets and data, and provides a method for visualizing a transfer direction of the data between the assets; by carrying out risk analysis on the log information, judging whether the log information has risks and obtaining asset information corresponding to the log information with the risks, and finding out a node corresponding to the asset in a data link, the problem that in the related technology, which link of data in the circulation process has safety risks cannot be identified is solved.
In some of these embodiments, a method for building data flow links with assets as nodes is described. Optionally, the constructing a data flow link by using assets corresponding to different types of asset information in the collected log information as nodes includes:
and with the assets as nodes, generating a circulation process of the business data among the asset nodes based on the business process, and constructing a data circulation link.
The business process constructs an asset and data interaction process based on the internal logic, and realizes the business value and function on the basis. The data flow link corresponds each business process with the assets and business data for realizing the process on the basis of the business process. The data flow link includes asset nodes and the flow of data between the asset nodes. For example, the data collection and storage process, and the corresponding data flow link may be a data collection node, a wireless gateway node, a data reception service node, a data processing service node, a data storage service node, a database, and the like. The service data realizes transmission and processing between nodes in the data link, and finally realizes the corresponding function of the service flow. The corresponding nodes and service data in the data link have definite identification attributes, and can correspond to the asset information and the service data information in the log information.
In the method for constructing a data flow link based on a business process provided in this embodiment, the interactive relationship and process between assets and business data are embodied through the business process, the data flow link is associated with business scenes and functions through the business process, the method for constructing a data flow link is enriched, the functions and roles of related asset nodes in the data flow link are embodied in a visual manner, and a foundation is laid for subsequent risk localization.
In some of these embodiments, a method of risk analysis of log information is involved. Fig. 3 is a flowchart of risk analysis on log information according to an embodiment of the present application. Optionally, as shown in fig. 3, performing risk analysis on the log information includes the following steps:
step S301, matching the log information with a preset risk strategy;
and (3) aiming at various scenes of business data risk occurrence, such as unauthorized leakage, copying and tampering, and combining the data circulation link to establish a risk strategy for related asset nodes and business data in the link. The risk policy may include a business compliance monitoring policy, a data exception call monitoring policy, a data flow direction monitoring policy, and the like. For example, the business compliance monitoring policy can determine whether the asset node operation through which each kind of business data flows is compliant or not and whether an unauthorized operation exists or not; the data flow direction monitoring policy may determine whether the flow direction of the service data matches a corresponding flow direction in the data flow link, whether an abnormal data flow direction exists, and the like. The risk strategies are different according to different service scenes and processes and different role functions of the assets in the links, and users can select and configure different risk strategies for different asset nodes and service data in the data circulation links according to requirements. And matching the assets, the business data and the related operation information in the log information with the corresponding risk strategies to confirm whether risks exist.
Step S302, when the log information matches the risk policy, determining that the log information has a risk; when it does not match, determining that the log information has no risk.
If the assets, the business data and the related operation information in the log information are successfully matched with the corresponding risk strategies, the log information is indicated to have risk behaviors, the behaviors can be the unauthorized operation of the assets, and the data can have flow direction abnormity or other safety risks.
Through steps S301 to S302, the method for risk analysis of log information provided in this embodiment formulates risk policies for the asset nodes and service data in the data flow link; the data security decision policy is subdivided and distributed in a targeted manner over each asset and item of service data in the link, with corresponding policy settings for the data security risks that each link may generate, so that single-node anomaly monitoring of the data flow link is realized and the comprehensiveness and feasibility of the data risk policies are improved; and matching the risk policies against the log information to determine whether a risk exists provides the scope and the manner of risk judgment based on log information.
In some of these embodiments, specific methods of matching log information to risk policies are involved. Optionally, matching the log information with a preset risk policy includes:
extracting specific fields in the business data contained in the log information based on an extraction rule; and carrying out statistical analysis on the specific field based on the statistical and judgment rules to obtain a statistical result, and comparing the statistical result with a specific threshold value to determine a matching result.
The risk policy can use different rules to filter and match the log information, including matching rules, extraction rules, statistical rules, and judgment rules. A matching rule performs a partial screening of the data and can be combined with other rules for further matching. Matching rules may be screening conditions such as regular-expression matching, keyword matching, or a SQL WHERE condition, and may also match the flow direction of the data at a certain node of the data flow link, for example matching only the data flowing out of a certain node. An extraction rule extracts the sensitive fields from the screened data; for example, where there are 100 data fields, only the 10 important fields are extracted for analysis. The statistical and judgment rules perform statistical analysis on the specific values of specific fields or on the frequency of a specific value, using statistical methods including grouped counting, de-duplicated counting, grouped summation, and variance calculation; the statistical value so obtained is compared and computed against a specific threshold, using calculation methods including standard-deviation calculation, logical operations, and the four arithmetic operations, and when the result of the comparison meets the specified requirement the match is determined to be successful.
In this method of matching log information against a risk policy, the matching and extraction rules remove most of the non-key data and non-key fields, and analysis is performed only on the important fields, which saves server disk space and memory and improves computational performance; the statistical and judgment rules provide rich statistical methods for judging the security of key data, so that high-risk behaviors such as data leakage, data tampering, data traversal, and high-frequency access occurring in the various service scenarios can be judged and blocked in time. The rules may be applied individually or in combination as required, and need not be applied in a fixed order. The method provided by this embodiment thus gives a feasible way of judging the security of service data in various service scenarios.
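The rule chain described above (matching rule, extraction rule, statistical rule, judgment rule) as a worked example. This is added here and is not code from the patent or from DBAPPSecurity; the log records, field names (asset, op, object, rows) and the three policies are constructed for illustration. The policies cover three of the behaviours the description names: bulk export of a table (leakage), high-frequency access judged against a standard-deviation threshold, and data traversal across several tables.

```python
import re
import statistics
from collections import defaultdict

# Constructed audit-log records (not from the patent): one record per operation of
# an account asset on a business-data table, plus a few fields the extraction rule
# will discard. Assumed field names: asset, op, object, rows.
def _rec(ts, asset, op, obj, rows):
    return {"ts": ts, "asset": asset, "op": op, "object": obj, "rows": rows,
            "host": "host-1", "client_ip": "10.0.0.5"}

LOGS = [
    _rec("09:00:01", "acct:alice", "query", "tbl:customers", 12),
    _rec("09:00:07", "acct:alice", "query", "tbl:customers", 15),
    _rec("09:00:09", "acct:bob", "query", "tbl:customers", 10),
    _rec("09:01:30", "acct:carol", "export", "tbl:customers", 5000),
    _rec("09:02:00", "acct:bob", "query", "tbl:orders", 30),
] + [_rec("09:02:%02d" % (10 + i), "acct:dave", "query", "tbl:customers", 8) for i in range(6)]


def matching_rule(records, field, pattern):
    """Matching rule: screen the records whose field matches a regular expression."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(str(r.get(field, "")))]


def extraction_rule(records, fields):
    """Extraction rule: keep only the important fields of each screened record."""
    return [{f: r[f] for f in fields if f in r} for r in records]


# Statistical rules: each maps (records, group key, value field) to {group: statistic}.
def group_count(records, key, value=None):
    counts = defaultdict(int)
    for r in records:
        counts[r[key]] += 1
    return dict(counts)


def group_sum(records, key, value):
    totals = defaultdict(int)
    for r in records:
        totals[r[key]] += r[value]
    return dict(totals)


def distinct_count(records, key, value):
    """De-duplicated count: number of distinct `value`s seen per group."""
    seen = defaultdict(set)
    for r in records:
        seen[r[key]].add(r[value])
    return {k: len(v) for k, v in seen.items()}


# Judgment rules: compare the statistic with a threshold; return the groups that hit.
def judge_gt(stats, threshold):
    return {k: v for k, v in stats.items() if v > threshold}


def judge_zscore(stats, z):
    """Flag groups whose statistic exceeds mean + z * population standard deviation."""
    if len(stats) < 2:
        return {}
    mean = statistics.fmean(stats.values())
    sd = statistics.pstdev(stats.values())
    if sd == 0:
        return {}
    return {k: v for k, v in stats.items() if v > mean + z * sd}


STATS = {"count": group_count, "sum": group_sum, "distinct": distinct_count}
JUDGES = {"gt": judge_gt, "zscore": judge_zscore}

# Constructed risk policies (assumed structure): bulk export, high-frequency access,
# and traversal across tables.
POLICIES = [
    {"name": "bulk-export", "match": ("object", r"^tbl:customers$"),
     "extract": ["asset", "op", "rows"], "stat": ("sum", "asset", "rows"), "judge": ("gt", 1000)},
    {"name": "high-frequency", "match": ("object", r"^tbl:customers$"),
     "extract": ["asset", "op"], "stat": ("count", "asset", None), "judge": ("zscore", 1.0)},
    {"name": "traversal", "match": ("object", r"^tbl:"),
     "extract": ["asset", "object"], "stat": ("distinct", "asset", "object"), "judge": ("gt", 1)},
]


def evaluate_policy(records, policy):
    """Run one policy: matching rule -> extraction rule -> statistical rule -> judgment rule.
    Returns {asset: statistic} for the assets whose log information matched the policy."""
    field, pattern = policy["match"]
    screened = matching_rule(records, field, pattern)
    extracted = extraction_rule(screened, policy["extract"])
    kind, key, value = policy["stat"]
    stats = STATS[kind](extracted, key, value)
    how, param = policy["judge"]
    return JUDGES[how](stats, param)


def evaluate_all(records, policies):
    return {p["name"]: evaluate_policy(records, p) for p in policies}


if __name__ == "__main__":
    for name, hits in evaluate_all(LOGS, POLICIES).items():
        print(name, hits)
```

The extraction step runs before any statistics, so only the fields a policy names are held in memory, which is the disk and memory saving the description refers to; the z-score judgment shows a threshold derived from the data itself rather than a fixed constant.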
In some of these embodiments, a method of determining the asset node to which risk log information corresponds is involved.
Optionally, determining the node in the data flow link of the asset corresponding to the log information includes:
when the log information is determined to have a risk, acquiring the asset information corresponding to the log information, marking the asset corresponding to that asset information, and acquiring the node corresponding to the asset information in the data flow link.
Determining that the log information has a risk means that the service data in the log information is abnormal, or that an operation of an asset on the service data does not conform to the asset's permissions and the requirements of the data flow link. Because the log information records the operation type of the asset on the service data, the asset identifier, the operation time, the operation object, the values of the service data before and after modification, and other information, if the service data is abnormal, the asset identifier that caused the anomaly can be located from the asset's recorded operations on the service data; if an operation of an asset does not meet the requirements of its permissions and of the data flow link, the asset identifier can be located directly; the node corresponding to that asset identifier is then found in the data flow link. Meanwhile, the information of the asset may be sent to a data warehouse ETL (Extract-Transform-Load) process through a messaging system such as Kafka for asset marking and storage.
In the method for determining asset nodes corresponding to risk log information provided in this embodiment, assets corresponding to the risk log information are obtained from the log information, and nodes corresponding to the assets are found in the data transfer link, so that association between a risk event and a risk asset and the data transfer link nodes is realized, and the problem that in the related art, which link of data in the transfer process has a security risk cannot be identified is solved. Marking and storing the risk assets provides a foundation for subsequent risk blocking and node risk display.
In some of these embodiments, specific measures for blocking at-risk assets are involved. Optionally, determining the node in the data flow link of the asset corresponding to the log information further includes:
and when the log information is determined to have risk, acquiring asset information corresponding to the log information, and listing assets corresponding to the asset information into a blacklist.
And after the assets are judged to have risks, asset marking is carried out on the assets, and the assets are stored in a database so as to be used for inquiring and monitoring a data transfer link. The data flow link blacklists the asset based on asset marking. The assets comprise accounts, applications, hosts, interfaces, databases, data tables and the like, and the blacklist is different in use mode aiming at different types of assets. After adding to the blacklist, the user may select a processing mode for the assets on the blacklist, for example, blocking of the assets and the business data, disabling or limiting the service, and the like.
According to the method for blocking the risky assets provided by the embodiment, the subsequent operation of the risky assets on the business data is blocked through the blacklist, the risks of further unauthorized operation of the risky assets or further leakage or tampering of the business data and the like are avoided, and data safety is maintained.
In some of these embodiments, the display of at-risk assets is involved. Optionally, the data link-based data security monitoring method further includes:
and displaying the node corresponding to the asset information with the risk in the data circulation link.
After the node corresponding to the asset identifier is found in the data transfer link in the method, the data transfer link can collect all risk events under the node, and node risk display is performed in a system page.
In the node risk display method provided in this embodiment, all risk events under the node are collected in the data flow link, and node risk display is performed, so that the node and corresponding business data risk are visualized, and a business decision basis is provided for a user.
The present embodiment is described and illustrated below by means of preferred embodiments.
Fig. 4 is a flow chart of the data link-based data security monitoring method of the preferred embodiment. As shown in fig. 4, the method includes the steps of:
Step S401: take the assets corresponding to the asset information in the log information as nodes, and construct a business flow based on the business scenario and business logic;
Step S402: with the assets as nodes, generate the circulation process of business data among the asset nodes based on the business flow, and construct the data flow link;
Step S403: set risk policies for the asset nodes and the business data in the data flow link;
Step S404: match the asset information in the log information against the risk policies;
Step S405: extract specific fields from the business data contained in the log information based on the extraction rule; perform statistical analysis on the specific fields based on the statistical and judgement rules to obtain a statistical result, and compare the statistical result with a specific threshold to determine the matching result;
Step S406: when the log information is determined to have a risk, obtain the asset information corresponding to the log information, mark the corresponding asset, and obtain the node corresponding to the asset information in the data flow link;
Step S407: when the log information is determined to have a risk, obtain the asset information corresponding to the log information, and blacklist the corresponding asset;
Step S408: display, in the data flow link, the nodes corresponding to the at-risk asset information.
Through steps S401 to S408, the data link-based data security monitoring method of the preferred embodiment obtains different types of asset information by collecting log information, constructs a business flow with the assets as nodes, and builds the data flow link on top of that business flow; this yields the access relationship between assets and data and a way to visualize the direction in which data flows between assets. Risk analysis of the log information determines whether the log information carries a risk; the asset information corresponding to risky log information is obtained and the corresponding node is located in the data flow link, which solves the problem in the related art that it cannot be identified in which link of the circulation process a data security risk lies. The asset is then marked and blocked according to the location result, avoiding further data leakage and improving data security.
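As an added illustration of steps S401 to S408, and of the blacklisting and node risk display passages above, the following Python is example code written for this page; it is not the patent's or the applicant's implementation. The log records, asset names, policy fields and the threshold are all constructed for the example, and keying the statistical rule per account (`group_by`) is an assumption about how the statistical and judgement rules are applied.

```python
from collections import defaultdict, deque

# Constructed sample log records (not from the patent). Each record is one access of a
# business-data item: "account" operates "src", which reads/writes "data" on "dst".
SAMPLE_LOGS = [
    {"ts": 100, "account": "acct:alice", "src": "app:crm",     "dst": "db:customers", "data": "customer_phone", "rows": 25},
    {"ts": 101, "account": "acct:bob",   "src": "app:crm",     "dst": "db:customers", "data": "customer_phone", "rows": 30},
    {"ts": 102, "account": "acct:bob",   "src": "app:crm",     "dst": "db:customers", "data": "customer_phone", "rows": 900},
    {"ts": 103, "account": "acct:bob",   "src": "app:export",  "dst": "host:ftp-01",  "data": "customer_phone", "rows": 900},
    {"ts": 104, "account": "acct:alice", "src": "app:billing", "dst": "db:invoices",  "data": "invoice_amount", "rows": 10},
]

# S403: a risk policy = extraction rule (which field to pull out of the business data),
# statistical rule (how to aggregate and per which asset) and judgement rule (threshold).
# Values are constructed for the example.
RISK_POLICIES = [
    {"name": "bulk_phone_read", "data": "customer_phone", "field": "rows",
     "group_by": "account", "stat": sum, "threshold": 500},
]


def build_data_flow_link(logs):
    """S401/S402: assets become nodes; every record adds directed edges
    account -> src and src -> dst, labelled with the business data that flowed.
    Returns (nodes, edges) with edges mapping (from, to) -> set of data items."""
    nodes, edges = set(), defaultdict(set)
    for rec in logs:
        nodes.update((rec["account"], rec["src"], rec["dst"]))
        edges[(rec["account"], rec["src"])].add(rec["data"])
        edges[(rec["src"], rec["dst"])].add(rec["data"])
    return nodes, dict(edges)


def match_risk_policies(logs, policies):
    """S404/S405: extract the specific field, aggregate it per asset, compare the
    statistic with the threshold. A match means the log information has a risk."""
    events = []
    for pol in policies:
        groups = defaultdict(list)
        for rec in logs:
            if rec["data"] == pol["data"]:
                groups[rec[pol["group_by"]]].append(rec[pol["field"]])
        for asset, values in groups.items():
            stat = pol["stat"](values)
            if stat > pol["threshold"]:
                events.append({"asset": asset, "policy": pol["name"], "value": stat})
    return events


class DataFlowLinkMonitor:
    """Ties the link (S401/S402) to the risk results (S406-S408)."""

    def __init__(self, logs, policies):
        self.nodes, self.edges = build_data_flow_link(logs)
        self.marked = {}        # S406: asset marking store, asset -> its risk events
        self.blacklist = set()  # S407: assets whose further operations are blocked
        for ev in match_risk_policies(logs, policies):
            self.marked.setdefault(ev["asset"], []).append(ev)
            self.blacklist.add(ev["asset"])

    def locate(self, asset):
        """S406: the node's position in the link, as the edges it participates in."""
        return sorted(e for e in self.edges if asset in e)

    def downstream(self, asset):
        """Nodes reachable from the asset along the flow direction, i.e. where the
        business data it touched could have travelled (which link carries the risk)."""
        seen, todo = set(), deque([asset])
        while todo:
            cur = todo.popleft()
            for src, dst in self.edges:
                if src == cur and dst not in seen:
                    seen.add(dst)
                    todo.append(dst)
        return seen

    def is_allowed(self, asset):
        """Blacklist check applied before an asset's next operation on business data."""
        return asset not in self.blacklist

    def node_risk_view(self):
        """S408: all risk events collected per at-risk node, ready for display."""
        return {a: {"events": evs, "links": self.locate(a), "reach": sorted(self.downstream(a))}
                for a, evs in self.marked.items()}


if __name__ == "__main__":
    monitor = DataFlowLinkMonitor(SAMPLE_LOGS, RISK_POLICIES)
    for node, view in monitor.node_risk_view().items():
        print(node, view)
```

In the constructed data, the account `acct:bob` pulls 1830 rows of `customer_phone` against a threshold of 500, so it is marked and blacklisted, its node is located on the `acct:bob -> app:crm` and `acct:bob -> app:export` links, and `downstream` shows the data reached `host:ftp-01`; `acct:alice` stays below the threshold and remains allowed.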
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
In some embodiments, the present application further provides a data security monitoring device based on a data link, where the device is used to implement the foregoing embodiments and preferred embodiments, and details are not repeated for what has been described. The terms "module," "unit," "subunit," and the like as used below may implement a combination of software and/or hardware for a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a block diagram of a data link-based data security monitoring apparatus according to this embodiment, and as shown in fig. 5, the apparatus includes: a link construction module 51 and a node determination module 53.
A link construction module 51, configured to construct a data flow link by using the assets corresponding to the different types of asset information in the collected log information as nodes.
A node determination module 53, configured to perform risk analysis on the log information and, when the log information is determined to have a risk, determine the node of the asset corresponding to the log information in the data flow link.
In the data link-based data security monitoring device of this embodiment, the link construction module 51 obtains different types of asset information by collecting log information and constructs the data flow link, thereby obtaining the access relationship between assets and data and providing a way to visualize the direction in which data flows between assets. The node determination module 53 performs risk analysis on the log information, determines whether the log information has a risk, obtains the asset information corresponding to risky log information and finds the corresponding node in the data flow link, which solves the problem in the related art that it cannot be identified in which link of the circulation process the data has a security risk.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
There is also provided in this embodiment a computer device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the computer device may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, and details are not described again in this embodiment.
In addition, in combination with the data link-based data security monitoring method provided in the foregoing embodiment, a storage medium may also be provided in this embodiment. The storage medium having stored thereon a computer program; the computer program, when executed by a processor, implements any of the above embodiments of the data link-based data security monitoring method.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the patent protection. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A data security monitoring method based on a data link is characterized by comprising the following steps:
establishing a data transfer link by taking assets corresponding to different types of asset information in the collected log information as nodes;
and carrying out risk analysis on the log information, and determining the node of the asset corresponding to the log information in the data flow link when the log information is determined to have a risk.
2. The data security monitoring method of claim 1, wherein the step of constructing the data flow link by using assets corresponding to different types of asset information in the collected log information as nodes comprises the steps of:
and generating a circulation process of the service data among the asset nodes based on the service flow by taking the assets as the nodes, and constructing a data circulation link.
3. The data security monitoring method of claim 2, wherein the risk analyzing the log information comprises:
matching the log information with a preset risk strategy;
when the log information matches the risk policy, determining that the log information has a risk; when it does not match, determining that the log information has no risk.
4. The data security monitoring method of claim 3, wherein the matching the log information with a preset risk policy comprises:
extracting specific fields in the business data contained in the log information based on an extraction rule;
and carrying out statistical analysis on the specific field based on statistical and judgment rules to obtain a statistical result, and comparing the statistical result with a specific threshold value to determine a matching result.
5. The data security monitoring method according to claim 1, wherein the determining the node of the asset corresponding to the log information in the data flow link includes:
and when the log information is determined to have risks, acquiring asset information corresponding to the log information, marking the assets corresponding to the asset information, and acquiring nodes corresponding to the asset information in a data transfer link.
6. The data security monitoring method according to claim 1, wherein the determining the node of the asset corresponding to the log information in the data flow link further comprises:
and when the log information is determined to have risks, acquiring asset information corresponding to the log information, and listing assets corresponding to the asset information into a blacklist.
7. The data security monitoring method according to any one of claims 1 to 6, further comprising:
and displaying the nodes corresponding to the asset information with risks in the data circulation link.
8. A data safety monitoring device based on data link is characterized by comprising:
the link construction module is used for constructing a data transfer link by taking assets corresponding to different types of asset information in the collected log information as nodes;
and the node determining module is used for carrying out risk analysis on the log information and determining the node of the asset corresponding to the log information in the data flow link when the log information is determined to have a risk.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202111421645.9A 2021-11-26 2021-11-26 Data link-based data security monitoring method and device and computer equipment Pending CN114139178A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111421645.9A CN114139178A (en) 2021-11-26 2021-11-26 Data link-based data security monitoring method and device and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111421645.9A CN114139178A (en) 2021-11-26 2021-11-26 Data link-based data security monitoring method and device and computer equipment

Publications (1)

Publication Number Publication Date
CN114139178A true CN114139178A (en) 2022-03-04

Family

ID=80387956

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111421645.9A Pending CN114139178A (en) 2021-11-26 2021-11-26 Data link-based data security monitoring method and device and computer equipment

Country Status (1)

Country Link
CN (1) CN114139178A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114860847A (en) * 2022-06-29 2022-08-05 深圳红途科技有限公司 Data link processing method, system and medium applied to big data platform
CN116128517A (en) * 2023-02-17 2023-05-16 连云港海通市民一卡通有限公司 Method and system for managing security of operation data of all-purpose card
CN116128517B (en) * 2023-02-17 2023-09-22 连云港海通市民一卡通有限公司 Method and system for managing security of operation data of all-purpose card
CN117407118A (en) * 2022-07-08 2024-01-16 北京火山引擎科技有限公司 Container operation control method, device, electronic equipment and readable storage medium

Similar Documents

Publication Publication Date Title
US11089045B2 (en) User and entity behavioral analysis with network topology enhancements
US10594714B2 (en) User and entity behavioral analysis using an advanced cyber decision platform
CN109829310B (en) Similar attack defense method, device, system, storage medium and electronic device
US9369476B2 (en) System for detection of mobile applications network behavior-netwise
CN114139178A (en) Data link-based data security monitoring method and device and computer equipment
Tien et al. KubAnomaly: Anomaly detection for the Docker orchestration platform with neural network approaches
CN111274583A (en) Big data computer network safety protection device and control method thereof
WO2013142573A1 (en) System and method for crowdsourcing of mobile application reputations
Wazid et al. Hacktivism trends, digital forensic tools and challenges: A survey
JP7204247B2 (en) Threat Response Automation Methods
CN110188538B (en) Method and device for detecting data by adopting sandbox cluster
CN110896386B (en) Method, device, storage medium, processor and terminal for identifying security threat
KR102462128B1 (en) Systems and methods for reporting computer security incidents
CN109800571B (en) Event processing method and device, storage medium and electronic device
CN113542227A (en) Account security protection method and device, electronic device and storage medium
CN111464525A (en) Session identification method, session identification device, session identification control equipment and storage medium
JP2023550974A (en) Image-based malicious code detection method and device and artificial intelligence-based endpoint threat detection and response system using the same
Chen et al. Detection, traceability, and propagation of mobile malware threats
CN113098852B (en) Log processing method and device
RU2481633C2 (en) System and method for automatic investigation of safety incidents
CN109740328B (en) Authority identification method and device, computer equipment and storage medium
CN112581129A (en) Block chain transaction data management method and device, computer equipment and storage medium
CN110460558B (en) Method and system for discovering attack model based on visualization
US20090222876A1 (en) Positive multi-subsystems security monitoring (pms-sm)
CN113922977A (en) Anti-cheating method and system based on mobile terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination