CN114553535A - Method and device for alarming user behavior abnormity - Google Patents


Info

Publication number
CN114553535A
Authority
CN
China
Prior art keywords
access
user
behavior
access user
target
Legal status
Pending
Application number
CN202210163431.4A
Other languages
Chinese (zh)
Inventor
高玉超
滕腾
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Application filed by China Construction Bank Corp
Priority to CN202210163431.4A
Publication of CN114553535A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Abstract

The invention provides a method and a device for alarming user behavior abnormity, wherein the method comprises the following steps: responding to the behavior detection instruction, and acquiring behavior data and behavior trend data generated when the target access user accesses the host resources in the current period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users; determining whether the target access user has abnormal behaviors according to the behavior data, the access quantity information and the resource access user information; and outputting alarm information corresponding to the abnormal behaviors under the condition that the target access user has the abnormal behaviors. By applying the method provided by the embodiment of the invention, the alarm can be given in time under the condition that the target access user has abnormal behaviors.

Description

Method and device for alarming user behavior abnormity
Technical Field
The invention relates to the technical field of data processing, in particular to a method and a device for alarming user behavior abnormity.
Background
At present, the security management and control of some host platforms is mainly realized with the security management and control tool RACF. RACF controls access rights to data sets, commands and various resources, so that destructive operations on important data can be prevented. At the same time, audit fields are added when the protection attributes of data sets and resources are defined.
Currently, RACF can audit users and passwords identified from experience, privileged users, access to sensitive resources and the like, and all operation records that fail authority control can be checked by printing an audit report. However, limited by the working principle of the product, it can only provide reports every other day and cannot meet the requirement of real-time monitoring and alarming.
Disclosure of Invention
The technical problem to be solved by the invention is to provide an alarming method for user behavior abnormity, which can alarm in time when abnormal behavior exists in a user.
The invention also provides an alarm device for the user behavior abnormity, which is used for ensuring the realization and the application of the method in practice.
A method for alarming user behavior abnormity comprises the following steps:
responding to the behavior detection instruction, and acquiring behavior data and behavior trend data generated when the target access user accesses the host resources in the current period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users;
determining whether the target access user has abnormal behaviors according to the behavior data, the access quantity information and the resource access user information;
and outputting alarm information corresponding to the abnormal behavior under the condition that the target access user has the abnormal behavior.
Optionally, in the method, the determining, according to the behavior data, the access quantity information, and the resource access user information, whether the target access user has a behavior abnormality includes:
if the number of times the target access user executes an access operation on the host resource in the current period is greater than the access operation number threshold, and/or the resource access user information does not contain the user identifier of the target access user, determining that the behavior of the target access user is abnormal; the number of times the target access user executes the access operation on the host resource in the current period is determined according to the behavior data; and the access operation number threshold is determined according to the access quantity information.
Optionally, the method, after acquiring the behavior data generated by the target access user accessing the host resource in the current time period, further includes:
determining the continuous failure times of the user accessing the host resources in the current time period according to the behavior data;
and determining that the target access user has abnormal behaviors when the continuous failure times are larger than a preset failure time threshold value.
The above method, optionally, further includes:
under the condition that the target access user has abnormal behaviors, judging whether the operation type of the access operation of the target access user is a dangerous operation type or not, and obtaining a first judgment result; judging whether the host resources are sensitive resources or not, and obtaining a second judgment result;
generating a disposal result of the target access user according to the first judgment result and the second judgment result;
and treating the target access user according to the treatment result.
In the foregoing method, optionally, after generating the treatment result of the target access user according to the first determination result and the second determination result, the method further includes:
generating disposal alarm information corresponding to the disposal result;
outputting the treatment alarm information.
Optionally, the method, after acquiring behavior data generated by the target access user accessing the host resource in the current time period, further includes:
and transmitting the behavior data to a preset open-end analysis server through a preset transmission queue so as to generate new behavior trend data according to the behavior data by the open-end analysis server.
An apparatus for alerting of user behavior abnormality, comprising:
the acquisition unit is used for responding to the behavior detection instruction and acquiring behavior data and behavior trend data generated when the target access user accesses the host resources in the current time period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users;
the determining unit is used for determining whether the target access user has abnormal behaviors according to the behavior data, the access quantity information and the resource access user information;
and the alarm unit is used for outputting alarm information corresponding to the abnormal behavior under the condition that the target access user has the abnormal behavior.
The above apparatus, optionally, the determining unit includes:
the determining subunit is configured to determine that the target access user has a behavior exception if the number of times that the target access user performs the access operation on the host resource in the current time period is greater than an access operation number threshold and/or the resource access user information does not include a user identifier of the target access user; the number of times the target access user performs the access operation on the host resource in the current time period is determined according to the behavior data; and the access operation number threshold is determined according to the access quantity information.
The above apparatus, optionally, further comprises:
the first execution unit is used for determining the continuous failure times of the user for accessing the host resources in the current time period according to the behavior data;
and the second execution unit is used for determining that the target access user has behavior abnormity under the condition that the continuous failure times are greater than a preset failure time threshold value.
The above apparatus, optionally, further comprises:
the judging unit is used for judging whether the operation type of the access operation of the target access user is a dangerous operation type or not under the condition that the target access user has abnormal behaviors to obtain a first judgment result; judging whether the host resources are sensitive resources or not, and obtaining a second judgment result;
a generating unit, configured to generate a disposal result of the target access user according to the first determination result and the second determination result;
a disposal unit, configured to dispose of the target access user according to the disposal result.
Based on the above-mentioned warning method and apparatus of user's behavioral abnormality that the implementation of this invention provides, this method includes: responding to the behavior detection instruction, and acquiring behavior data and behavior trend data generated when the target access user accesses the host resources in the current period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users; determining whether the target access user has abnormal behaviors according to the behavior data, the access quantity information and the resource access user information; and outputting alarm information corresponding to the abnormal behaviors under the condition that the target access user has the abnormal behaviors. By applying the method provided by the embodiment of the invention, the alarm information can be output in time for alarming under the condition that the behavior of the target access user is abnormal.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flowchart of a method for alarming user behavior abnormality according to the present invention;
FIG. 2 is a schematic flow chart of a method for alarming user behavior abnormality according to the present invention;
FIG. 3 is a graph illustrating a time trend curve of a read operation according to the present invention;
FIG. 4 is an exemplary graph of a time trend curve of an update operation according to the present invention;
FIG. 5 is an exemplary graph of a time trend curve of a modification operation provided by the present invention;
FIG. 6 is a flow chart of a process for user behavior determination provided by the present invention;
FIG. 7 is a flow chart of a process for user behavior disposition provided by the present invention;
FIG. 8 is a schematic structural diagram of an alarm device for user behavior abnormality according to the present invention;
FIG. 9 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiment of the invention provides an alarm method for user behavior abnormity, which can be applied to electronic equipment which can be a host, and the flow chart of the method is shown in fig. 1, and specifically comprises the following steps:
s101: responding to the behavior detection instruction, and acquiring behavior data and behavior trend data generated when the target access user accesses the host resources in the current period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users.
In this embodiment, the target access user may be a user currently accessing the host resource, and the behavior data may include access time, a user identifier, a job name, an access operation, an accessed host resource, and an access result, where the access operation includes at least one of a read operation, a modify operation, and an update operation; the behavior data of the user may be acquired by a System Management Facilities (SMF).
Optionally, the behavior trend data is generated in advance from the historical behavior data of each user. Specifically, the access behaviors and access times in the historical behavior data may be analyzed to obtain behavior trend information for each type of access operation in each historical time period, that is, access quantity information for each type of access operation performed on the host resource by each user in each historical time period. The average access amount of each access user on the host resource over the total historical period is then determined from the historical behavior data; the average access amount may be a daily average, a monthly average and the like. The user identifiers of the access users whose average access amount is greater than a preset access amount threshold form the resource access user information, and the behavior trend of each access behavior in each historical period together with the resource access user information form the user behavior trend data.
In some embodiments, the behavior trend data may also be generated by other devices, for example by an open-end parsing server. The host may send the acquired historical behavior data to a preset transmission queue, which may be a Kafka queue; the open-end parsing server acquires from the transmission queue the historical behavior data for the host resources it has subscribed to, generates behavior trend data from the acquired historical behavior data, and the host may then acquire the behavior trend data from the open-end parsing server.
Alternatively, the access condition may be that the average access amount of the user is greater than a preset access amount threshold.
S102: and determining whether the target access user has abnormal behaviors according to the behavior data, the access quantity information and the resource access user information.
In this embodiment, the number of times that the user performs the access operation on the host resource in the current period may be determined according to the behavior data, and whether the target access user has a behavior abnormality may then be determined according to the number of access operations and the access quantity information corresponding to that access operation. The target access user may also be determined to have a behavior abnormality when the user identifier of the target access user does not exist in the resource access user information.
S103: and outputting alarm information of the abnormal behavior of the target access user under the condition that the target access user has the abnormal behavior.
In this embodiment, the alarm information corresponding to the behavior abnormality of the target access user may be output through a System Automation component (SA), and the alarm information of different behavior abnormalities may be different.
By applying the method provided by the embodiment of the invention, the alarm information can be output in time for alarming under the condition that the behavior of the target access user is abnormal.
In an embodiment provided by the present invention, based on the foregoing implementation process, optionally, the determining, according to the behavior data, the access number information, and the resource access user information, whether the target access user has a behavior exception includes:
if the number of times the target access user executes an access operation on the host resource in the current period is greater than the access operation number threshold, and/or the resource access user information does not contain the user identifier of the target access user, determining that the behavior of the target access user is abnormal; the number of times the target access user executes the access operation on the host resource in the current period is determined according to the behavior data; and the access operation number threshold is determined according to the access quantity information.
In this embodiment, the identifier of the target access user may be matched with each user identifier in the resource access user information to determine whether the resource access user information has a user identifier with a consistent identifier of the target access user, and if so, it is determined that the resource access user information includes the user identifier of the target access user.
Optionally, the number of times that the target access user performs the access operation on the host resource in the current time period may be determined from the number of behavior data records of the target access user's access operations in the current time period, since one behavior data record is generated each time the user performs one access operation on a host resource.
Optionally, the access number information may be added to a preset deviation value to obtain an access number threshold corresponding to the access operation.
In some embodiments, different types of access operations may have different access frequency thresholds, the access frequency thresholds of the different types of access operations may be determined according to the access number information of each type of access operation, and specifically, the access number information of a certain type of access operation may be added to a preset deviation value, so that the access frequency threshold corresponding to the type of access operation may be obtained.
For example, if the access number information of the read operation is 10 and the deviation value is 5, the access number threshold corresponding to the read operation may be 15, and if the number of times that the target access user currently performs the read operation on the host resource is greater than 15, it is determined that the behavior of the target access user is abnormal.
In some embodiments, if the number of times that the target access user performs any type of access operation in the current time period is greater than the number threshold for that type of access operation, and/or the resource access user information does not include the user identifier of the target access user, it is determined that the target access user has a behavior abnormality.
In some embodiments, it may be determined whether the resource access user information includes a user identifier of the target access user; under the condition that the resource access user information contains the user identification of the target access user, determining the times of the target access user performing access operation on the host resource in the current time period according to the behavior data, and determining the access time threshold of the target access user in the current time period according to the access number information; and determining that the target access user has abnormal behavior under the condition that the resource access user information does not contain the user identifier of the target access user or the times are greater than the access times threshold.
In an embodiment provided by the present invention, based on the foregoing implementation process, optionally, after the acquiring the behavior data generated by the target access user accessing the host resource in the current time period, the method further includes:
determining the continuous failure times of the target access user to access the host resources in the current period according to the behavior data;
and determining that the target access user has abnormal behaviors when the continuous failure times are larger than a preset failure time threshold value.
In this embodiment, the number of consecutive failures of the target access user to access the host resource in the current period may be determined according to the number of the behavior data in the current period and the access result in the behavior data, and in a case that it is determined that the target access user has the behavior abnormality, warning information that the target access user has the behavior abnormality may be output.
In an embodiment provided by the present invention, based on the foregoing implementation process, optionally, the implementation process further includes:
under the condition that the target access user has abnormal behaviors, judging whether the operation type of the access operation of the user is a dangerous operation type or not, and obtaining a first judgment result; judging whether the host resources are sensitive resources or not, and obtaining a second judgment result;
generating a disposal result of the target access user according to the first judgment result and the second judgment result;
and treating the target access user according to the treatment result.
In this embodiment, it may be determined whether the operation type of the user's access operation is a dangerous operation type such as update or modification, giving a first determination result, and whether the host resource is a predefined sensitive resource such as customer information or financial information, giving a second determination result; a preset disposal script is then called according to the first and second determination results to determine the disposal result for the target access user, and the target access user is disposed of according to that result.
Optionally, the disposal result may include one of deleting the access right of the target access user, revoking the target access user, revoking the target access user from the system, and the like.
In an embodiment of the invention, based on the foregoing implementation process, optionally, after generating the treatment result of the target access user according to the first determination result and the second determination result, the method further includes:
generating disposal alarm information corresponding to the disposal result;
outputting the treatment alarm information.
In this embodiment, the treatment result warning information includes a message identifier, a user identifier of the target access user, a resource identifier of the accessed host resource, and a treatment result code.
Optionally, the treatment result code is used to represent a treatment result for the target access user.
In an embodiment provided by the present invention, based on the foregoing implementation process, optionally, after acquiring behavior data generated when the target access user accesses the host resource in the current time period, the method further includes:
and transmitting the behavior data to a preset open-end analysis server through a preset transmission queue so as to generate new behavior trend data according to the behavior data by the open-end analysis server.
In this embodiment, the transmission queue may be a kafka queue, and the open-end parsing server may parse and count the behavior data to generate new behavior trend data.
The method for alarming user behavior abnormality provided by the embodiment of the invention can be applied in various fields, and in particular to protecting host resources on a host. In a specific application, as shown in fig. 2, the flow chart of another method for alarming user behavior abnormality provided by the embodiment of the invention, a data acquisition tool is deployed on the host side to collect access data of host users to host resources in real time; analysis of the data is then completed on the host, and part of the analyzed data is transmitted in real time to an open-end Kafka queue. After the data reaches the open end, an intelligent analysis engine performs machine learning on the data in the Kafka queue, learns the users' access characteristics for the host resources, and transmits the access characteristic data back to the host at regular intervals. The behavior assessment engine on the host side compares the user's current resource behavior with the machine-learned resource access behavior; if it does not conform, the host's System Automation (SA) policy is triggered to raise an alarm, and whether the host security component RACF is called to block the access is determined according to a list in the SA. The specific process is as follows:
step one, collecting user behavior data.
The invention first needs to collect behavior data of the user. When a user accesses a host resource on a z/OS host, one behavior data record is written to System Management Facilities (SMF), and that record contains: time, user, job name, access operation, accessed resource, and access result. The behavior data collection process is as follows:
1. To obtain the data, on the z/OS host side, SMF record types 80, 81 and 83 are placed into an SMF in-memory buffer (IFASMF) by setting the following in SMFPRMxx:
RECORDING(LOGSTREAM)
INMEM(IFASMF.RACF,RESSIZMAX(1024M),TYPE(80:81,83))
2. A data collection process is then started on the z/OS host side to read the data from IFASMF.
3. After the process in the analysis server acquires this information, the process performs analysis in a format specified by the SMF types 80, 81, and 83, and acquires behavior data from the analyzed data.
4. To facilitate further analysis of the big data, the data needs to be pushed into kafka.
And step two, analyzing the big data of the user resource access behavior.
In this embodiment, after the user behavior data is stored in Kafka, time trend analysis may be performed on Read, Update, and enter behaviors of a certain type of resource from Kafka subscription data, and the user name accessing the resource is counted.
Time trend analysis is performed on Read, Update and Alter behaviors of resource access, the time trends of the number of the access behaviors occurring in a certain time period (such as 1 minute, 5 minutes and the like) are counted, and the time trend curve is continuously perfected through machine learning, for example, the time trend curve of Read operation of a certain type of host resource is shown in fig. 3, the time trend curve of Update operation is shown in fig. 4, and the time trend curve of modify Alter operation is shown in fig. 5.
Optionally, the user statistics is mainly used for counting which users generally access the resource, and counting an average daily access number of the users, and when the average daily access number is greater than a certain value, it may be determined as an effective access, for example, 0.5, and the value means that the user should access the resource at least once every two days, and if only one access record exists within 3 days, the average daily access number is 0.33 and is less than 0.5, the user rejects to obtain resource access user information, which may be in a form of a list, specifically shown in table 1:
User        Average number of accesses per day
BMCPLXC     3889
NEWBK01     50
XCOM        48
PRDDB2A     3
TMPUER1     0.5
TABLE 1
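The two artefacts step two produces, the per-window historical trend and the resource access user list of table 1, can be computed from the Kafka stream as follows. This is an added example, not code from the patent: the event tuple layout, the helper names and the three days of sample accesses are assumptions made for the example; the 5-minute window and the 0.5 daily-average cut-off are the values the text gives.

```python
"""Step-two baseline from RACF-style access events (added example; not the
patent's own code).

Each event is a tuple (epoch_seconds, user, resource, operation, result) with
operation in READ/UPDATE/ALTER and result "OK" or "FAIL".  The event layout,
the helper names and the sample data are assumptions made for this example;
the 5-minute window and the 0.5 daily-average cut-off come from the text.
"""
from collections import defaultdict

DAY = 86400
OPERATIONS = ("READ", "UPDATE", "ALTER")


def slot_of(ts, window_seconds):
    """Index of the time-of-day window (0 .. DAY/window_seconds - 1) containing ts."""
    return (ts % DAY) // window_seconds


def observation_days(events):
    """Length of the observed period in whole days.  A user with no access on
    some day must still be charged for that day, so this is the calendar span,
    not the number of days on which events occurred."""
    days = [ts // DAY for ts, *_ in events]
    return max(days) - min(days) + 1


def build_trend(events, resource, window_seconds=300):
    """Historical trend: mean number of accesses per day for each
    (operation, window) of the given resource over the observed period."""
    counts = defaultdict(int)
    for ts, _user, res, op, _result in events:
        if res == resource:
            counts[(op, slot_of(ts, window_seconds))] += 1
    n_days = observation_days(events)
    return {key: count / n_days for key, count in counts.items()}


def build_access_users(events, resource, min_daily_avg=0.5):
    """Resource access user information (table 1): users whose mean daily
    access count over the observed period reaches min_daily_avg."""
    per_user = defaultdict(int)
    for _ts, user, res, _op, _result in events:
        if res == resource:
            per_user[user] += 1
    n_days = observation_days(events)
    return {user: round(total / n_days, 2)
            for user, total in per_user.items()
            if total / n_days >= min_daily_avg}


# Constructed sample: three days of accesses to two data set profiles.
def ev(day, hh, mm, user, resource, op, result="OK"):
    return (day * DAY + hh * 3600 + mm * 60, user, resource, op, result)

CUST = "PROD.CUST.DATA"
LEDGER = "PROD.ACCT.LEDGER"
EVENTS = (
    [ev(d, 9, m, "BMCPLXC", CUST, "READ") for d, n in ((0, 3), (1, 2), (2, 4)) for m in range(n)]
    + [ev(d, 10, 0, "BMCPLXC", CUST, "UPDATE") for d in range(3)]
    + [ev(d, 9, 4, "NEWBK01", CUST, "READ") for d in range(3)]
    + [ev(1, 14, 0, "TMPUER1", CUST, "ALTER", "FAIL")]
    + [ev(0, 8, 0, "XCOM", LEDGER, "READ")]
)

if __name__ == "__main__":
    for key, value in sorted(build_trend(EVENTS, CUST).items()):
        print(f"{key[0]:6} slot {key[1]:3}: {value:.2f} per day")
    print(build_access_users(EVENTS, CUST))
```

With this sample, TMPUER1 has one access in the three-day span (0.33 per day) and therefore does not appear in the access user list, exactly the case the text describes; the 09:00 Read window of PROD.CUST.DATA averages 4 accesses per day and the 10:00 Update window 1. Note that the denominator is the calendar span, not the number of days with events: dividing by days-with-activity would let a user who appears once a month look like a daily accessor.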
Step three: judging the user behavior.
In this embodiment the determination process is shown in fig. 6. After the resource access behavior trend has been generated, the trend data (or the trend data of the subset of sensitive resources selected by the user) is transmitted back to the host. When a new access by a user occurs, the behavior judgment engine compares that access with the historical access trend, and if it deviates by more than a set threshold the access is classed as abnormal.
Specifically, the deviations that are interpreted as an access exception are the following:
Condition 1: for a user's Read, Update or Alter access, the number of such accesses in the current time period is determined and compared with the count at the corresponding time in the historical trend graph; if it exceeds the historical count by more than a preset number (for example, 5), the access is judged abnormal.
Condition 2: for a user's Read, Update or Alter access, the number of such accesses in the current time period is determined and compared with the count at the corresponding time in the historical trend graph; if it exceeds the historical count by more than a preset percentage (for example, 20%), the access is judged abnormal.
Condition 3: when a user who is not recorded in the resource access user information accesses the resource, the access is judged abnormal.
Condition 4: when a user's accesses to a resource fail several times in succession (for example, 3 times), the access is judged abnormal.
The user's access is judged abnormal when at least one of these conditions is met.
Step four: access exception alarms and behavior disposition.
In this embodiment, as shown in fig. 7, when the behavior judgment engine determines an access to be abnormal, an alarm is first raised through the system automation component (SA), and then whether to dispose of the behavior is decided by combining the sensitivity of the resource with the user's access operation (Read, Update or Alter).
When the behavior judgment engine judges an access abnormal, it writes a message to the system SYSLOG with the content: "SEC001E + time + user + job + access operation + accessed resource + access result + Exception Code: xx".
SEC001E is the message ID of the access exception message; Exception Code is the access exception code, whose value xx is 01, 02, 03 or 04, the four values corresponding to the four exception conditions of the judgment engine.
Once the SA picks up the message it raises an alarm immediately and at the same time makes the disposition decision by combining the following two judgments:
Judgment 1: whether the accessed host resource is one of the sensitive resources the user defined in the SA beforehand, such as customer information or accounting information.
Judgment 2: whether the user is performing a high-risk operation such as Update or Alter.
In this embodiment, if the disposition decision is yes, the SA calls a RACF disposition script to carry out the disposition, such as temporarily removing the user's access right to the resource and cancelling the user's job or session with the CANCEL command.
After disposition, a disposition result message is sent to the SYSLOG and the result is alarmed. The message content may be: "SEC002E + user + accessed resource + Process code: xx", where SEC002E is the message ID of the disposition result message and Process code is the disposition result code, whose value xx is 00, 01 or 02: 00 means the user's access right was removed and the user was cancelled; 01 means the user's access right was removed; 02 means the user was cancelled.
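The judgment engine of step three and the disposition decision of step four, run over one constructed window of accesses, look like this. This is an added example and not the patent's code. It assumes an event tuple of (time, user, job, resource, operation, result), writes the step-two trend and access user list inline in the shape the analysis would produce, and uses the thresholds the text gives as examples (5 extra accesses, 20%, 3 consecutive failures). The mapping of the two disposition judgments onto process codes 00/01/02, and the PERMIT and CANCEL commands the disposition script issues, are this example's own choices; the text does not spell them out.

```python
"""Step-three judgment engine and step-four disposition (added example; not the
patent's own code).

Assumptions: events are (epoch_seconds, user, job, resource, operation, result)
tuples; TREND and ACCESS_USERS are written inline in the shape step two would
produce; the thresholds are the examples from the text; the mapping of the two
disposition judgments onto process codes 00/01/02 and the commands in
disposition_commands() are this example's choices, not the patent's.
"""
from datetime import datetime, timezone

DAY = 86400
WINDOW = 300                 # 5-minute windows, as in step two
COUNT_MARGIN = 5             # condition 1: more than 5 accesses above history
PERCENT_MARGIN = 0.20        # condition 2: more than 20 % above history
CONSEC_FAIL_LIMIT = 3        # condition 4: the third consecutive failure trips
DANGEROUS_OPS = {"UPDATE", "ALTER"}   # judgment 2
BASE_DAY = 19045             # epoch day of 2022-02-22 (UTC), for sample timestamps


def judge(events, trend, access_users, user, resource, op, slot):
    """Exception codes (01..04) raised for user/resource/op in time-of-day
    window `slot`; an empty list means the access is normal."""
    own = sorted(e for e in events
                 if e[1] == user and e[3] == resource and (e[0] % DAY) // WINDOW == slot)
    count = sum(1 for e in own if e[4] == op)
    hist = trend.get((op, slot), 0.0)
    codes = []
    if count > hist + COUNT_MARGIN:
        codes.append("01")
    # A percentage over an empty history is undefined, so condition 2 only
    # applies where the trend has a non-zero count for this window.
    if hist > 0 and count > hist * (1 + PERCENT_MARGIN):
        codes.append("02")
    if user not in access_users:
        codes.append("03")
    run = longest = 0
    for e in own:                       # time order, any operation
        run = run + 1 if e[5] == "FAIL" else 0
        longest = max(longest, run)
    if longest >= CONSEC_FAIL_LIMIT:
        codes.append("04")
    return codes


def format_alert(event, code):
    """SEC001E message in the layout the text describes."""
    ts, user, job, resource, op, result = event
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"SEC001E {when} {user} {job} {op} {resource} {result} Exception Code: {code}"


def decide_disposition(resource, op, sensitive_resources):
    """Judgment 1 (sensitive resource) and judgment 2 (dangerous operation)
    combined into a process code; None means alarm only.  Mapping assumed."""
    sensitive = resource in sensitive_resources
    dangerous = op in DANGEROUS_OPS
    if sensitive and dangerous:
        return "00"                     # remove access and cancel the user
    if sensitive:
        return "01"                     # remove access only
    if dangerous:
        return "02"                     # cancel the user only
    return None


def disposition_commands(user, resource, code):
    """Commands a RACF disposition script would issue for a data set profile:
    PERMIT ... DELETE drops the user's access-list entry, CANCEL U= ends the
    user's TSO session.  Illustrative choice, not taken from the patent."""
    cmds = []
    if code in ("00", "01"):
        cmds.append(f"PERMIT '{resource}' ID({user}) DELETE")
    if code in ("00", "02"):
        cmds.append(f"CANCEL U={user}")
    return cmds


def format_disposition(user, resource, code):
    return f"SEC002E {user} {resource} Process code: {code}"


# Constructed sample window on day BASE_DAY+3; baseline from step two inline.
def ev(day, hh, mm, user, job, resource, op, result="OK"):
    return ((BASE_DAY + day) * DAY + hh * 3600 + mm * 60, user, job, resource, op, result)

CUST = "PROD.CUST.DATA"
TREND = {("READ", 108): 4.0, ("UPDATE", 120): 1.0}     # slot 108 = 09:00-09:04
ACCESS_USERS = {"BMCPLXC", "NEWBK01"}
SENSITIVE = {CUST}
CURRENT = (
    [ev(3, 9, m // 2, "BMCPLXC", "BMCJOB1", CUST, "READ") for m in range(10)]
    + [ev(3, 9, 2, "NEWBK01", "NEWBK01", CUST, "READ")]
    + [ev(3, 14, m, "TMPUER1", "TMPUER1", CUST, "ALTER", "FAIL") for m in range(3)]
)

if __name__ == "__main__":
    for user, op, slot in (("BMCPLXC", "READ", 108), ("NEWBK01", "READ", 108), ("TMPUER1", "ALTER", 168)):
        codes = judge(CURRENT, TREND, ACCESS_USERS, user, CUST, op, slot)
        first = next(e for e in CURRENT if e[1] == user)
        for code in codes:
            print(format_alert(first, code))
        pc = decide_disposition(CUST, op, SENSITIVE) if codes else None
        if pc:
            print(*disposition_commands(user, CUST, pc), sep="\n")
            print(format_disposition(user, CUST, pc))
```

In the sample window BMCPLXC's ten Reads trip conditions 1 and 2 (10 is more than 5 above the historical 4 and more than 20% above it), NEWBK01's single Read is normal, and TMPUER1, who is not in the access user list and fails Alter three times in a row, trips conditions 3 and 4 and, because PROD.CUST.DATA is sensitive and Alter is a dangerous operation, is disposed of with process code 00. Two caveats for anyone wiring this to a real RACF: PERMIT ... DELETE only removes the user's own access-list entry, so access that arrives through a group connect, through UACC, or through a profile in WARNING mode is not cut off by it and needs separate handling; and condition 2 compared against a trend aggregated over all users is deliberately conservative, since a single user exceeding the whole-resource average by 20% is a stronger signal than the text's wording requires.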
By applying the method provided by this embodiment, the access control decisions follow the way access patterns change over time and are therefore more flexible; an alarm is raised promptly when a user behaves abnormally; and a user with abnormal behavior is dealt with promptly.
Corresponding to the method described in fig. 1, an embodiment of the present invention further provides an apparatus for alarming user behavior abnormality, used to implement the method of fig. 1. The apparatus may be applied to an electronic device; its structure is shown schematically in fig. 8 and specifically includes:
an obtaining unit 801, configured to, in response to a behavior detection instruction, obtain behavior data and behavior trend data generated when a target access user accesses a host resource in a current time period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users;
a determining unit 802, configured to determine whether the target access user has a behavior anomaly according to the behavior data, the access quantity information, and the resource access user information;
an alarm unit 803, configured to output alarm information corresponding to the behavior abnormality when the target access user has the behavior abnormality.
In an embodiment provided by the present invention, based on the implementation process described above, optionally, the determining unit 802 includes:
a determining subunit, configured to determine that the target access user has a behavior anomaly if the number of times the target access user performs the access operation on the host resource in the current period is greater than an access operation number threshold and/or the resource access user information does not include the user identifier of the target access user; the number of times the target access user performs the access operation on the host resource in the current period is determined according to the behavior data; and the access operation number threshold is determined according to the access quantity information.
In an embodiment provided by the present invention, based on the foregoing implementation process, optionally, the apparatus for warning of user behavior abnormality further includes:
a first execution unit, configured to determine, according to the behavior data, the number of consecutive failures of the target access user accessing the host resource in the current period;
and the second execution unit is used for determining that the target access user has behavior abnormity under the condition that the continuous failure times are greater than a preset failure time threshold value.
In an embodiment provided by the present invention, based on the implementation process, optionally, the apparatus for warning of user behavior abnormality further includes:
the judging unit is used for judging whether the operation type of the access operation of the target access user is a dangerous operation type or not under the condition that the target access user has abnormal behaviors to obtain a first judgment result; judging whether the host resources are sensitive resources or not, and obtaining a second judgment result;
a generating unit, configured to generate a disposal result of the target access user according to the first determination result and the second determination result;
a handling unit for handling the target access user by the handling result.
In an embodiment provided by the present invention, based on the implementation process, optionally, the apparatus for warning of user behavior abnormality further includes:
the third execution unit is used for judging whether the operation type of the access operation of the target access user is a dangerous operation type or not under the condition that the target access user has abnormal behaviors, and obtaining a first judgment result; judging whether the host resources are sensitive resources or not, and obtaining a second judgment result;
a fourth execution unit, configured to generate a disposal result of the target access user according to the first determination result and the second determination result;
a handling unit for handling the target access user by the handling result.
In an embodiment provided by the present invention, based on the implementation process, optionally, the apparatus for warning of user behavior abnormality further includes:
a fifth execution unit, configured to generate disposal alarm information corresponding to the disposal result;
a sixth execution unit to output the treatment warning information.
In an embodiment provided by the present invention, based on the implementation process, optionally, the apparatus for warning of user behavior abnormality further includes:
a transmission unit, configured to transmit the behavior data to a preset open-platform analysis server through a preset transmission queue, so that the open-platform analysis server generates new behavior trend data from the behavior data.
The specific principle and the execution process of each unit and each module in the warning device of the user behavior abnormality disclosed in the embodiment of the present invention are the same as those of the warning method of the user behavior abnormality disclosed in the embodiment of the present invention, and reference may be made to corresponding parts in the warning method of the user behavior abnormality provided in the embodiment of the present invention, which are not described herein again.
The embodiment of the invention also provides a storage medium, which comprises a stored instruction, wherein when the instruction runs, the equipment where the storage medium is located is controlled to execute the alarm method for the user behavior abnormity.
An embodiment of the present invention further provides an electronic device, a schematic structural diagram of which is shown in fig. 9, specifically including a memory 901 and one or more instructions 902, where the one or more instructions 902 are stored in the memory 901, and are configured to be executed by one or more processors 903 to perform the following operations according to the one or more instructions 902:
responding to the behavior detection instruction, and acquiring behavior data and behavior trend data generated when the target access user accesses the host resources in the current period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users;
determining whether the target access user has abnormal behaviors according to the behavior data, the access quantity information and the resource access user information;
and outputting alarm information corresponding to the abnormal behavior under the condition that the target access user has the abnormal behavior.
It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and the parts they have in common may be consulted across embodiments. Since the apparatus embodiment is basically similar to the method embodiment, its description is brief; for the relevant points, refer to the corresponding part of the description of the method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in a plurality of software and/or hardware when implementing the invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The above detailed description is provided for the method for alarming user behavior abnormality, and the principle and the implementation of the present invention are explained by applying specific examples, and the description of the above embodiments is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A method for alarming user behavior abnormity is characterized by comprising the following steps:
responding to the behavior detection instruction, and acquiring behavior data and behavior trend data generated when the target access user accesses the host resources in the current period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users;
determining whether the target access user has abnormal behaviors according to the behavior data, the access quantity information and the resource access user information;
and outputting alarm information corresponding to the abnormal behavior under the condition that the target access user has the abnormal behavior.
2. The method of claim 1, wherein determining whether the target access user has a behavior anomaly according to the behavior data, the access quantity information and the resource access user information comprises:
if the number of times the target access user performs the access operation on the host resource in the current period is greater than an access operation number threshold, and/or the resource access user information does not contain the user identifier of the target access user, determining that the target access user has a behavior anomaly; the number of times the target access user performs the access operation on the host resource in the current period is determined according to the behavior data; and the access operation number threshold is determined according to the access quantity information.
3. The method of claim 1, wherein after obtaining the behavior data generated when the target access user accesses the host resource in the current period, the method further comprises:
determining, according to the behavior data, the number of consecutive failures of the target access user accessing the host resource in the current period;
and determining that the target access user has abnormal behaviors when the continuous failure times are larger than a preset failure time threshold value.
4. The method of claim 1, further comprising:
under the condition that the target access user has abnormal behaviors, judging whether the operation type of the access operation of the target access user is a dangerous operation type or not, and obtaining a first judgment result; judging whether the host resources are sensitive resources or not, and obtaining a second judgment result;
generating a disposal result of the target access user according to the first judgment result and the second judgment result;
and treating the target access user according to the treatment result.
5. The method according to claim 4, wherein after generating the treatment result of the target access user according to the first and second determination results, further comprising:
generating disposal alarm information corresponding to the disposal result;
outputting the treatment alarm information.
6. The method of claim 1, wherein after obtaining the behavior data generated when the target access user accesses the host resource in the current period, the method further comprises:
transmitting the behavior data to a preset open-platform analysis server through a preset transmission queue, so that the open-platform analysis server generates new behavior trend data from the behavior data.
7. An apparatus for alerting of user behavior abnormality, comprising:
the acquisition unit is used for responding to the behavior detection instruction and acquiring behavior data and behavior trend data generated when the target access user accesses the host resources in the current time period; the behavior trend data comprises resource access user information and access quantity information of each access user executing access operation on the host resource in a target historical period corresponding to the current period; the resource access user information comprises user identifications of users meeting preset access conditions in the access users;
the determining unit is used for determining whether the target access user has abnormal behaviors according to the behavior data, the access quantity information and the resource access user information;
and the alarm unit is used for outputting alarm information corresponding to the abnormal behavior under the condition that the target access user has the abnormal behavior.
8. The apparatus of claim 7, wherein the determining unit comprises:
a determining subunit, configured to determine that the target access user has a behavior anomaly if the number of times the target access user performs the access operation on the host resource in the current period is greater than an access operation number threshold and/or the resource access user information does not include the user identifier of the target access user; the number of times the target access user performs the access operation on the host resource in the current period is determined according to the behavior data; and the access operation number threshold is determined according to the access quantity information.
9. The apparatus of claim 7, further comprising:
a first execution unit, configured to determine, according to the behavior data, the number of consecutive failures of the target access user accessing the host resource in the current period;
and the second execution unit is used for determining that the target access user has behavior abnormity under the condition that the continuous failure times are greater than a preset failure time threshold value.
10. The apparatus of claim 7, further comprising:
the judging unit is used for judging whether the operation type of the access operation of the target access user is a dangerous operation type or not under the condition that the target access user has abnormal behaviors to obtain a first judgment result; judging whether the host resources are sensitive resources or not, and obtaining a second judgment result;
a generating unit, configured to generate a disposal result of the target access user according to the first determination result and the second determination result;
a handling unit for handling the target access user by the handling result.
Application CN202210163431.4A, "Method and device for alarming user behavior abnormity", priority date 2022-02-22, filing date 2022-02-22, status Pending.
Publication CN114553535A, published 2022-05-27.
Family ID 81676958; the family contains this application only (CN).


Legal Events
PB01 Publication
SE01 Entry into force of request for substantive examination