CN114666093A - System safety control method and device, storage medium and electronic equipment - Google Patents



Publication number
CN114666093A
Authority
CN
China
Prior art keywords
account
abnormal
monitoring
systems
state
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210143064.1A
Other languages
Chinese (zh)
Other versions
CN114666093B (en
Inventor
李震宇
王振众
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangxiao Steel Structure Co Ltd
Original Assignee
Hangxiao Steel Structure Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangxiao Steel Structure Co Ltd filed Critical Hangxiao Steel Structure Co Ltd
Priority to CN202210143064.1A priority Critical patent/CN114666093B/en
Priority claimed from CN202210143064.1A external-priority patent/CN114666093B/en
Publication of CN114666093A publication Critical patent/CN114666093A/en
Application granted granted Critical
Publication of CN114666093B publication Critical patent/CN114666093B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a system safety control method and device, a storage medium and electronic equipment. The method comprises the following steps: monitoring state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems; classifying the accounts in an abnormal state in the monitoring result according to their abnormal behavior to obtain an abnormal account set, wherein the abnormal account set comprises category labels of the abnormal behavior and abnormal data; and performing a limiting operation on each account in the abnormal account set in the plurality of associated systems. The invention solves the technical problems of low system security and low system operation and maintenance efficiency in the related technology.

Description

System safety control method and device, storage medium and electronic equipment
Technical Field
The invention relates to the technical field of information processing, in particular to a system security management and control method and device, a storage medium and electronic equipment.
Background
In recent years, data security incidents have emerged one after another, with ever larger scale and scope of influence; they bring huge economic losses to enterprises and seriously affect the normal life of citizens. With the continuous introduction of information security laws and regulations by the state and by regulatory departments at all levels, information security has become one of the most closely watched topics at present.
In the related technology, data security monitoring and handling is limited to monitoring a single system and to processing a single account in a single system. For a plurality of associated systems, for example a plurality of application systems under one platform, the operation of accounts with the same account information in those application systems cannot be monitored in real time, and when an account exhibits abnormal behavior, the abnormal account cannot be managed and controlled across the plurality of associated systems, which may result in lower system security and lower system operation and maintenance efficiency.
Disclosure of Invention
The embodiment of the invention provides a system safety control method and device, a storage medium and electronic equipment, which are used for at least solving the technical problems of low system safety and low system operation and maintenance efficiency in the related technology.
According to an aspect of an embodiment of the present invention, there is provided a system security management and control method, including: monitoring state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems; classifying the accounts in an abnormal state in the monitoring result according to their abnormal behavior to obtain an abnormal account set, wherein the abnormal account set comprises category labels of the abnormal behavior and abnormal data; and performing a limiting operation on each account in the abnormal account set in the plurality of associated systems.
According to another aspect of the embodiments of the present invention, there is also provided a system security management and control apparatus, including: a monitoring unit, configured to monitor the state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems; a classification unit, configured to classify the accounts in an abnormal state in the monitoring result according to their abnormal behavior to obtain an abnormal account set, wherein the abnormal account set comprises category labels of the abnormal behavior and abnormal data; and a processing unit, configured to perform a limiting operation on each account in the abnormal account set in the plurality of associated systems.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the system security management method through the computer program.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to execute the above system security control method when running.
In the embodiment of the invention, the state information of at least one account in a plurality of associated systems is monitored, wherein each account has the same account information in the plurality of associated systems; the accounts in an abnormal state in the monitoring result are classified according to their abnormal behavior to obtain an abnormal account set, wherein the abnormal account set comprises category labels of the abnormal behavior and abnormal data. Because the state information of at least one account is monitored in the multiple associated systems and the abnormal accounts are subjected to a limiting operation in the multiple associated systems, not only can system security be improved, but the permissions of a user in the multiple associated systems can also be limited, which solves the technical problems of low system security and low system operation and maintenance efficiency in the related technology.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of an application environment of an alternative system security management method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an application environment of an alternative system security management method according to an embodiment of the invention;
FIG. 3 is a flow chart illustrating an alternative related art system security management method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a platform architecture of an alternative system security management method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a global handling module of an alternative system security management method according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an alternative system security management and control apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of the embodiment of the present invention, a system security management method is provided. As an optional implementation manner, the system security management method may be applied, but is not limited to being applied, in an application environment as shown in fig. 1. The application environment comprises: a terminal device 102 for human-computer interaction with the user, a network 104, and a server 106. The user 108 and the terminal device 102 can perform human-computer interaction, and a system security management and control application program runs in the terminal device 102. The terminal device 102 includes a human-computer interaction screen 1022, a processor 1024, and a memory 1026. The human-computer interaction screen 1022 is used for displaying the status information of the abnormal account; the processor 1024 is configured to obtain status information of at least one account in the plurality of associated systems; and the memory 1026 is used for storing the above abnormal account set.
In addition, the server 106 includes a database 1062 and a processing engine 1064, and the database 1062 is used for storing the abnormal account number set. The processing engine 1064 is configured to monitor status information of at least one account in multiple association systems, where each account has the same account information in the multiple association systems; classifying the account in the abnormal state in the monitoring result according to the abnormal behavior to obtain an abnormal account set; the abnormal account number set comprises a category label of an abnormal behavior and abnormal data; limiting operation is carried out on each account in the abnormal account set in the multiple association systems; and sending the limitation result of the abnormal account to the client of the terminal device 102.
In one or more embodiments, the system security management method described above in the present application may be applied to the application environment shown in fig. 2. As shown in fig. 2, a user 202 may interact with a user device 204. The user equipment 204 includes a memory 206 and a processor 208. In this embodiment, the user device 204 may, but is not limited to, perform a limiting operation on each account in the abnormal account set in the multiple association systems by referring to an operation performed by the terminal device 102.
Optionally, the terminal device 102 and the user device 204 include, but are not limited to, a mobile phone, a tablet computer, a notebook computer, a PC, a vehicle-mounted electronic device, a wearable device, and the like, and the network 104 may include, but is not limited to, a wireless network or a wired network. Wherein, this wireless network includes: WIFI and other networks that enable wireless communication. Such wired networks may include, but are not limited to: wide area networks, metropolitan area networks, and local area networks. The server 106 may include, but is not limited to, any hardware device capable of performing calculations. The server may be a single server, a server cluster composed of a plurality of servers, or a cloud server. The above is merely an example, and this is not limited in this embodiment.
As an alternative implementation manner, as shown in fig. 3, an embodiment of the present invention provides a system safety control method, including the following steps:
S302, monitoring the state information of at least one account in a plurality of association systems, wherein each account has the same account information in the plurality of association systems.
In the embodiment of the present invention, the same user can have the usage rights in multiple associated systems, including but not limited to multiple application systems in one platform, usually through one account. Here, the account management and control system may monitor status information of one or more accounts in the plurality of association systems; in other words, the embodiments of the present invention may monitor accounts of some specific users.
S304, classifying the account numbers in the abnormal state in the monitoring result according to the abnormal behaviors to obtain an abnormal account number set; the abnormal account number set comprises a category label of an abnormal behavior and abnormal data.
Specifically, the operation behavior and state of the user's account in the system are monitored and classified based on traffic monitoring, log monitoring, audit monitoring and other modes. Examples include a login time that falls outside the specified hours, a login IP address that is an illegal IP address, and account operation behavior that is abnormal (e.g., irregular operations such as deleting resources or deleting logs many times); this is not limited herein.
S306, performing limiting operation on each account in the abnormal account set in the multiple association systems.
Specifically, the limiting operation includes, but is not limited to, disabling the abnormal account, performing forced resignation on a user corresponding to the abnormal account, invalidating a current session of the abnormal account, limiting one or all application permissions of the abnormal account, invalidating a login token of the abnormal account, limiting an IP address or a MAC address of the abnormal account, and the like.
In the embodiment of the invention, the state information of at least one account in a plurality of associated systems is monitored, wherein each account has the same account information in the plurality of associated systems; the accounts in an abnormal state in the monitoring result are classified according to their abnormal behavior to obtain an abnormal account set, wherein the abnormal account set comprises category labels of the abnormal behavior and abnormal data. Because the state information of at least one account is monitored in the multiple associated systems and the abnormal accounts are subjected to a limiting operation in the multiple associated systems, not only can system security be improved, but the permissions of a user in the multiple associated systems can also be limited, which solves the technical problems of low system security and low system operation and maintenance efficiency in the related technology.
In one or more embodiments, the monitoring of the status information of at least one account in the plurality of associated systems includes at least one of:
status information of at least one account in the plurality of associated systems is monitored based on the system log.
Specifically, log-based login behavior includes the following three types: a normal user logging in normally, an abnormal user logging in normally, and a normal user logging in abnormally. Here, abnormal users include, but are not limited to, users who are not normal operating users of the corresponding system; for example, although a certain user has an account established in a certain application system, in business terms that user cannot operate in the system. Accounts in the disabled, locked, deleted or similar states can also be regarded as abnormal users. Abnormal login means logging in outside regular working hours or from a non-regular place, such as logging in at midnight or suddenly logging in from somewhere other than the workplace.
Log-based authentication behavior includes the following three types: normal authentication by a normal user, normal authentication by an abnormal user, and abnormal authentication by a normal user. Here, an abnormal user is as explained above; abnormal authentication includes, but is not limited to, replacing authentication by user name and mobile phone number with mailbox authentication.
Calling behavior based on the interface log includes the following three types: a normal user calling normally, an abnormal user calling normally, and a normal user calling abnormally. Here, an abnormal call is a large number of interface calls within a certain period of time (e.g., more than the normal number of interface calls), or interface calls made outside the business processing time (e.g., at night).
The log behavior based on the application system comprises operation or log recorded by the application system.
Log-based exit behavior includes normal exit and abnormal exit; here, the abnormal exit includes click-exit/direct closing of an application (program/page) in the application system, and the like.
Status information of at least one account in the plurality of associated systems is monitored based on the traffic.
Specifically, the traffic-based access behavior of the user's account includes the following three types: normal traffic from a normal user, normal traffic from an abnormal user, and abnormal traffic from a normal user. Here, an account in the disabled, locked, deleted or similar states is an abnormal user, and abnormal traffic is a large amount of traffic (exceeding the normal traffic range) occurring in a certain period of time, or traffic occurring outside the business processing time (for example, at night), or the like.
Status information of at least one account in the plurality of associated systems is monitored based on the audit analysis data.
Specifically, the audit-based operation behavior includes whether the operation behavior of the audit account is normal operation or abnormal operation. The abnormal operation includes, but is not limited to, deleting resources, deleting logs, and other abnormal operations.
In one or more embodiments, the classifying the account in the abnormal state in the monitoring result according to the abnormal behavior to obtain the abnormal account set includes:
acquiring category labels for the different categories of abnormal account behavior; and
matching the accounts in an abnormal state in the monitoring result against the category labels and marking them, to obtain the abnormal account set.
In the embodiment of the present invention, the category labels include, but are not limited to, a normal-login label for an abnormal user, an abnormal-login label for a normal user, and the like. Classifying and labeling the abnormal accounts in the abnormal account set makes it convenient to display the state information of the abnormal accounts in real time and to apply the corresponding limiting processing to them.
In one or more embodiments, the limiting operation performed on each account in the abnormal account set in the multiple association systems includes:
when the account in the abnormal account set is in a session state in a target service system, configuring the session state into a failure state; wherein, the service system is one of the plurality of associated systems;
for example, when it is monitored that an abnormal account is in a chat state, the chat session in which the abnormal account is located is invalidated, or the abnormal account is kicked out of the chat group.
When the IP address of the account in the abnormal account set is in an abnormal state, synchronizing the IP address to a network group service system and blocking the network connection of the IP address; wherein the network group service system is one of the plurality of association systems.
In one or more embodiments, the limiting operation performed on each account in the abnormal account set in the multiple association systems further includes:
and when the account in the abnormal account set is in a binding state with the MAC address of the terminal equipment, limiting the terminal equipment with the MAC address.
In the embodiment of the present invention, for example, if the MAC address of the terminal device bound to the abnormal account A is 00-94-02-E2-50-F0, the terminal device with MAC address 00-94-02-E2-50-F0 may be restricted in network connection and system operation.
In one or more embodiments, before performing the limiting operation on each account in the abnormal account set in the multiple association systems, the method further includes: and displaying abnormal account numbers of different abnormal behavior category labels.
Specifically, the display module provided in the embodiment of the invention displays the state information of the abnormal accounts obtained from traffic monitoring, log monitoring and audit analysis, and can associate the session conditions of the abnormal account in each application system with, for example, the permissions of the corresponding account, whether the user has left the job, and whether the account is valid or invalid, so that the data can be compared visually and data changes can be analyzed conveniently.
In one or more embodiments, the system security management and control further includes: and receiving a limiting result of limiting operation on each account in the abnormal account set, and displaying the limiting result.
Specifically, global one-key handling is provided in the form of a button: when situation awareness finds an abnormal account, the system in which the account is currently located, its session state and its account state are displayed, and the account is handled with one click of the button. The account management and control system acts as an intermediate program: it is responsible for monitoring and receiving the abnormal data of the account and for sending the abnormal account to each application system; each application system performs session processing and its own account management and control on the abnormal account and manages and controls the IP (Internet Protocol) and MAC (media access control) addresses of the abnormal account; the intermediate program then receives the limiting result for the abnormal account returned by each application system and displays it in the display module. These technical means solve the technical problems that manual handling is not timely and is prone to misoperation and omissions.
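The following sketch is an added illustration, not code from the patent: it runs steps S302 to S306 and the intermediate-program dispatch described above over constructed events. The system names (`oa`, `erp`, `chat`), working hours, office network, call threshold, label strings and class names are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy values (illustrative, not from the patent)
WORK_HOURS = range(8, 20)              # regular working time: 08:00-19:59
OFFICE_NET = ip_network("10.0.0.0/8")  # logins from outside count as an irregular place
MAX_CALLS_PER_HOUR = 3                 # "normal number" of interface calls per hour
ABNORMAL_AUDIT_OPS = {"delete_resource", "delete_log"}

# Constructed directory: each account has the same identity in every associated system
ACCOUNTS = {
    "alice": {"status": "active", "mac": "00-94-02-E2-50-F0"},
    "bob": {"status": "disabled", "mac": None},
    "carol": {"status": "active", "mac": None},
}

# Constructed events from three hypothetical associated systems
EVENTS = [
    {"system": "oa", "account": "carol", "kind": "login", "time": "2022-02-16T09:05:00", "ip": "10.1.2.3"},
    {"system": "oa", "account": "alice", "kind": "login", "time": "2022-02-16T00:12:00", "ip": "203.0.113.7"},
    {"system": "erp", "account": "bob", "kind": "login", "time": "2022-02-16T10:00:00", "ip": "10.1.2.9"},
    {"system": "chat", "account": "alice", "kind": "audit", "time": "2022-02-16T00:20:00", "op": "delete_log"},
] + [
    {"system": "erp", "account": "alice", "kind": "api_call", "time": f"2022-02-16T00:{minute}:00"}
    for minute in (30, 31, 32, 33, 34)
]

def classify(events, accounts):
    """S302/S304: scan events and build the abnormal account set (labels + data)."""
    abnormal = defaultdict(lambda: {"labels": set(), "data": [], "ips": set()})
    calls = Counter()

    def mark(ev, label):
        abnormal[ev["account"]]["labels"].add(label)
        abnormal[ev["account"]]["data"].append(ev)

    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        active = accounts.get(ev["account"], {}).get("status") == "active"
        if ev["kind"] == "login":
            odd_place = ip_address(ev["ip"]) not in OFFICE_NET
            if not active:  # disabled, locked, deleted or unknown account
                mark(ev, "abnormal_user_normal_login")
            elif odd_place or when.hour not in WORK_HOURS:
                mark(ev, "normal_user_abnormal_login")
                if odd_place:
                    abnormal[ev["account"]]["ips"].add(ev["ip"])
        elif ev["kind"] == "api_call":
            bucket = (ev["account"], ev["system"], when.strftime("%Y-%m-%dT%H"))
            calls[bucket] += 1
            if calls[bucket] > MAX_CALLS_PER_HOUR:  # more calls than normal in this hour
                mark(ev, "normal_user_abnormal_call")
        elif ev["kind"] == "audit" and ev["op"] in ABNORMAL_AUDIT_OPS:
            mark(ev, "abnormal_operation")
    return dict(abnormal)

class AssociatedSystem:
    """Stand-in for one application system's own session and account controls."""
    def __init__(self, name, sessions):
        self.name, self.sessions, self.disabled = name, dict(sessions), set()

    def restrict(self, account):
        had_session = self.sessions.pop(account, None) is not None  # invalidate session
        self.disabled.add(account)                                  # disable the account
        return {"system": self.name, "account": account,
                "session_invalidated": had_session, "disabled": True}

class NetworkGroupSystem:
    """Stand-in for the network group service that blocks IP and MAC addresses."""
    def __init__(self):
        self.blocked_ips, self.blocked_macs = set(), set()

    def block(self, ips, mac):
        self.blocked_ips |= set(ips)
        if mac:  # only accounts bound to a terminal device have a MAC to restrict
            self.blocked_macs.add(mac)

def one_key_dispose(abnormal, accounts, systems, network):
    """S306: send every abnormal account to every associated system, collect results."""
    results = []
    for account, entry in sorted(abnormal.items()):
        results += [system.restrict(account) for system in systems]
        network.block(entry["ips"], accounts.get(account, {}).get("mac"))
    return results

def run_demo():
    """Wire the constructed data through classification and one-key disposal."""
    systems = [AssociatedSystem("oa", {"alice": "tok-1", "carol": "tok-2"}),
               AssociatedSystem("erp", {"alice": "tok-3"}),
               AssociatedSystem("chat", {})]
    network = NetworkGroupSystem()
    abnormal = classify(EVENTS, ACCOUNTS)
    results = one_key_dispose(abnormal, ACCOUNTS, systems, network)
    return abnormal, results, systems, network
```

The returned `results` list is what a display module would render as the per-system limiting result; the account that only logged in normally (`carol`) keeps its session in every system.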
Optionally, in an application embodiment, the system security management and control method further includes: first, displaying the global log monitoring result data of the plurality of associated systems by category through the monitoring module; then, labeling the abnormal data with abnormal behavior labels through the display module according to the abnormal behavior classification standard, and uniformly displaying the session conditions of the accounts associated with the abnormal account; finally, uniformly handling the abnormal accounts in each service system through the one-key processing module, so that account permissions are controlled with one key, abnormal accounts are handled in a timely and effective manner, and the current real-time state of the accounts in each application system can be displayed clearly, which greatly improves working efficiency and the security of the system.
The monitoring module monitors and displays whether user operations are compliant, based on traffic monitoring, log monitoring, audit monitoring and other modes. Specifically, the following scenarios are covered:
1) Log-based login behavior: a normal user logging in normally, an abnormal user logging in normally, and a normal user logging in abnormally.
2) Log-based authentication behavior: normal authentication by a normal user, normal authentication by an abnormal user, and abnormal authentication by a normal user.
3) Traffic-based access behavior: normal traffic from a normal user, normal traffic from an abnormal user, and abnormal traffic from a normal user.
4) Interface-log-based calling behavior: a normal user calling normally, an abnormal user calling normally, and a normal user calling abnormally.
5) Behavior based on the application's own logs: the operations/logs recorded by the application itself.
6) Audit-based operation behavior: normal operation and abnormal operation.
7) Log-based exit behavior: normal exit and abnormal exit.
Specifically, log-based login behavior includes the following three types: a normal user logging in normally, an abnormal user logging in normally, and a normal user logging in abnormally. Here, abnormal users include, but are not limited to, users who are not normal operating users of the corresponding system; for example, although a certain user has an account established in a certain application system, in business terms that user cannot operate in the system. Accounts in the disabled, locked, deleted or similar states can also be regarded as abnormal users. Abnormal login means logging in outside regular working hours or from a non-regular place, such as logging in at midnight or suddenly logging in from somewhere other than the workplace.
Log-based authentication behavior includes the following three types: normal authentication by a normal user, normal authentication by an abnormal user, and abnormal authentication by a normal user. Here, an abnormal user is as explained above; abnormal authentication includes, but is not limited to, replacing authentication by user name and mobile phone number with mailbox authentication.
Calling behavior based on the interface log includes the following three types: a normal user calling normally, an abnormal user calling normally, and a normal user calling abnormally. Here, an abnormal call is a large number of interface calls within a certain period of time (e.g., more than the normal number of interface calls), or interface calls made outside the business processing time (e.g., at night).
Log-based exit behavior includes normal exit and abnormal exit; here, the abnormal exit includes click-exit/direct close of an application (program/page) in the application system, and the like.
The traffic-based access behavior of the user's account includes the following three types: normal traffic from a normal user, normal traffic from an abnormal user, and abnormal traffic from a normal user. Here, an account in the disabled, locked, deleted or similar states is an abnormal user, and abnormal traffic is a large amount of traffic (exceeding the normal traffic range) occurring in a certain period of time, or traffic occurring outside the business processing time (e.g., at night).
Status information of at least one account in the plurality of associated systems is monitored based on the audit analysis data.
Specifically, audit-based monitoring determines whether the operation behavior of the audited account is a normal operation or an abnormal operation. Abnormal operations include, but are not limited to, deleting resources, deleting logs, and other abnormal operations.
As shown in fig. 4, the display module includes a situation awareness one-key global disposal platform architecture. It can display the status of traffic monitoring, log monitoring and audit analysis, associate the corresponding account permissions, in-service and out-of-service situations and account invalidation situations, and compare data visually according to the session conditions of each application system, so that data changes are easy to analyze and security problems can be found in real time. One-key disposal can be performed on the global system (multiple associated application systems) through a one-key disposal button.
As shown in fig. 5, when the situation awareness one-key global disposal platform finds an abnormal account, it displays the system in which the abnormal account is currently located, its session state, and its account state. By means of the one-key disposal button, the account management and control system (4A account management and control in fig. 5) serves as an intermediate program: it is responsible for monitoring and receiving the abnormal data of the account and for sending the abnormal account to each application system. Each application system performs session processing and its own account management and control on the abnormal account, and manages and controls the IP and MAC address of the abnormal account. Finally, the limitation result of the abnormal account returned by each application system is received and displayed in the display module. These technical means solve the technical problems that manual disposal is not timely and is prone to misoperation and missed operations.
The embodiment of the invention also has the following beneficial effects:
various sessions and/or permissions of each account in the associated multiple systems are displayed and disposed in real time, global one-key disposal operation on the account with the abnormal behavior is automatically realized, and the visualization degree is high; not only reduces the labor cost, but also improves the data security management and control efficiency and the system security.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiment of the present invention, a system security management and control apparatus for implementing the above system security management and control method is further provided. As shown in fig. 6, the apparatus includes:
a monitoring unit 602, configured to monitor state information of at least one account in multiple association systems, where each account has the same account information in the multiple association systems;
a classifying unit 604, configured to classify the account in the abnormal state in the monitoring result according to the abnormal behavior, so as to obtain an abnormal account set; the abnormal account number set comprises a category label of an abnormal behavior and abnormal data;
the processing unit 606 is configured to perform a limiting operation on each account in the abnormal account set in the multiple association systems.
In the embodiment of the invention, state information of at least one account in a plurality of association systems is monitored, wherein each account has the same account information in the plurality of association systems; the accounts in an abnormal state in the monitoring result are classified according to abnormal behavior to obtain an abnormal account set, which comprises a category label of the abnormal behavior and abnormal data. Because the state information of at least one account in the plurality of association systems is monitored and the abnormal accounts are restricted in the plurality of association systems, not only can system security be improved, but the permissions of a user in the plurality of association systems can also be limited, which solves the technical problems of low system security and low system operation and maintenance efficiency in the related art.
In one or more embodiments, the monitoring unit 602 includes at least one of:
a first monitoring module, configured to monitor state information of at least one account in a plurality of association systems based on traffic;
a second monitoring module, configured to monitor state information of at least one account in the plurality of association systems based on the system log;
a third monitoring module, configured to monitor state information of at least one account in the plurality of association systems based on the audit analysis data.
In one or more embodiments, the classifying unit 604 specifically includes:
the acquisition module is used for acquiring the category labels of the abnormal behaviors of the account numbers of different categories;
and the matching and labeling module is used for matching the account numbers in the abnormal state in the monitoring result and labeling the category labels to obtain an abnormal account number set.
In one or more embodiments, the processing unit 606 specifically includes:
a first processing module, configured to configure a session state as a failure state when an account in the abnormal account set is in the session state in a target service system; wherein, the business system is one of the plurality of correlation systems;
a second processing module, configured to synchronize an IP address of an account in the abnormal account set to a network group service system when the IP address is in an abnormal state, and block network connection of the IP address; wherein the network group service system is one of the plurality of association systems.
In one or more embodiments, the processing unit 606 further includes:
and the third processing module is used for limiting the terminal equipment with the MAC address when the account in the abnormal account set and the MAC address of the terminal equipment are in a binding state.
In one or more embodiments, the system security management and control apparatus further includes:
and the display unit is used for displaying the abnormal account numbers of the category labels of different abnormal behaviors.
In one or more embodiments, the system security management and control apparatus further includes:
a receiving unit, configured to receive a limitation result of limiting operation performed on each account in the abnormal account set,
and the display unit is used for displaying the limiting result.
According to another aspect of the embodiment of the present invention, there is also provided an electronic device for implementing the system security management method, where the electronic device may be a terminal device or a server shown in fig. 7. The present embodiment takes the electronic device as an example for explanation. As shown in fig. 7, the electronic device comprises a memory 702 and a processor 704, the memory 702 having stored therein a computer program, the processor 704 being arranged to perform the steps of any of the above-described method embodiments by means of the computer program.
Optionally, in this embodiment, the electronic device may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, monitoring the state information of at least one account in a plurality of association systems, wherein each account has the same account information in the plurality of association systems;
S2, classifying the accounts in an abnormal state in the monitoring result according to abnormal behaviors to obtain an abnormal account set; the abnormal account set comprises a category label of an abnormal behavior and abnormal data;
S3, performing a restriction operation on each account in the abnormal account set in the plurality of association systems.
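Steps S1 to S3, together with the session, IP and MAC restrictions described for the processing unit, can be sketched as follows. This is an added example, not code from the patent; the thresholds, business hours, label names, class and function names, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Assumed values: the page only says "exceeding the normal range" and "at night".
BUSINESS_HOURS = range(8, 20)
MAX_CALLS_PER_WINDOW = 100
ABNORMAL_STATES = {"disabled", "locked", "deleted"}
ABNORMAL_OPS = {"delete_resource", "delete_log"}

@dataclass
class Observation:
    """One monitoring record from traffic, system log or audit analysis (S1)."""
    account: str
    source: str                    # "traffic" | "log" | "audit"
    timestamp: datetime
    account_state: str = "active"
    calls_in_window: int = 0
    operation: str = ""
    ip: str = ""
    mac: str = ""                  # set only when the account is bound to a terminal

@dataclass
class BusinessSystem:
    name: str
    sessions: dict = field(default_factory=dict)   # account -> "active" | "invalid"
    def invalidate_session(self, account):
        active = self.sessions.get(account) == "active"
        if active:
            self.sessions[account] = "invalid"
        return active

@dataclass
class NetworkGroupSystem:
    blocked_ips: set = field(default_factory=set)
    restricted_macs: set = field(default_factory=set)

# Hypothetical category labels of abnormal behaviour and the rule matching each.
RULES = {
    "abnormal_user": lambda o: o.account_state in ABNORMAL_STATES,
    "abnormal_volume": lambda o: o.calls_in_window > MAX_CALLS_PER_WINDOW,
    "off_hours": lambda o: o.timestamp.hour not in BUSINESS_HOURS,
    "abnormal_operation": lambda o: o.source == "audit" and o.operation in ABNORMAL_OPS,
}

def classify(observations):
    """S2: abnormal account set = account -> category labels + abnormal data."""
    abnormal = {}
    for obs in observations:
        found = {label for label, rule in RULES.items() if rule(obs)}
        if found:
            entry = abnormal.setdefault(obs.account, {"labels": set(), "data": []})
            entry["labels"] |= found
            entry["data"].append(obs)
    return abnormal

def restrict(abnormal, business_systems, network):
    """S3: restrict everywhere; IPs/MACs in abnormal data count as abnormal (assumption)."""
    results = []
    for account, entry in sorted(abnormal.items()):
        for system in business_systems:
            if system.invalidate_session(account):
                results.append((account, system.name, "session_invalidated"))
        for obs in entry["data"]:
            if obs.ip and obs.ip not in network.blocked_ips:
                network.blocked_ips.add(obs.ip)
                results.append((account, "network", "ip_blocked"))
            if obs.mac and obs.mac not in network.restricted_macs:
                network.restricted_macs.add(obs.mac)
                results.append((account, "network", "mac_restricted"))
    return results

def demo():
    """Constructed sample: alice is normal; bob is locked and active at 02:30."""
    oa = BusinessSystem("oa", {"alice": "active", "bob": "active"})
    erp = BusinessSystem("erp", {"bob": "active"})
    network = NetworkGroupSystem()
    night = datetime(2022, 2, 16, 2, 30)
    records = [
        Observation("alice", "log", datetime(2022, 2, 16, 10, 0), calls_in_window=12),
        Observation("bob", "traffic", night, "locked", 450, ip="192.0.2.10",
                    mac="02:00:00:00:00:01"),
        Observation("bob", "audit", night, "locked", operation="delete_log", ip="192.0.2.10"),
    ]
    abnormal = classify(records)
    return abnormal, restrict(abnormal, [oa, erp], network), oa, erp, network
```

The list returned by `restrict` corresponds to the limitation results that the receiving unit collects and the display unit shows.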
Optionally, it can be understood by those skilled in the art that the structure shown in fig. 7 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 7 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in fig. 7, or have a different configuration than shown in fig. 7.
The memory 702 may be used to store software programs and modules, such as program instructions/modules corresponding to the system security management method and apparatus in the embodiments of the present invention, and the processor 704 executes various functional applications and data processing by running the software programs and modules stored in the memory 702, so as to implement the system security management method described above. The memory 702 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 702 can further include memory located remotely from the processor 704, which can be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 702 may be, but is not limited to, specifically configured to store information such as an account form subtask. As an example, as shown in fig. 7, the memory 702 may include, but is not limited to, the monitoring unit 602, the classifying unit 604, and the processing unit 606 in the system safety management and control apparatus. In addition, other module units in the system security management and control apparatus may also be included, but are not limited to this, and are not described in detail in this example.
Optionally, the transmission device 706 is used for receiving or sending data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 706 includes a Network Interface Controller (NIC) that can be connected to a router and other network devices via a network cable so as to communicate with the internet or a local area network. In one example, the transmission device 706 is a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In addition, the electronic device further includes: a display 708 for displaying the processing results of the billing subtasks; and a connection bus 710 for connecting the respective module parts in the above-described electronic apparatus.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting a plurality of nodes through a network communication. Nodes can form a Peer-To-Peer (P2P, Peer To Peer) network, and any type of computing device, such as a server, a terminal, and other electronic devices, can become a node in the blockchain system by joining the Peer-To-Peer network.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. A processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to execute the system security management method, wherein the computer program is configured to execute the steps in any of the method embodiments described above.
Alternatively, in the present embodiment, the above-mentioned computer-readable storage medium may be configured to store a computer program for executing the steps of:
S1, monitoring the state information of at least one account in a plurality of association systems, wherein each account has the same account information in the plurality of association systems;
S2, classifying the accounts in an abnormal state in the monitoring result according to abnormal behaviors to obtain an abnormal account set; the abnormal account set comprises a category label of an abnormal behavior and abnormal data;
S3, performing a restriction operation on each account in the abnormal account set in the plurality of association systems.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product that is stored in a storage medium and includes instructions for causing one or more computer devices (which may be personal computers, servers, or network devices) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The above is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make a plurality of modifications and embellishments without departing from the principle of the present invention, and these modifications and embellishments should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A system safety control method is characterized by comprising the following steps:
monitoring state information of at least one account in a plurality of association systems, wherein each account has the same account information in the plurality of association systems;
classifying the account numbers in the abnormal state in the monitoring result according to the abnormal behaviors to obtain an abnormal account number set; the abnormal account number set comprises a category label of an abnormal behavior and abnormal data;
and limiting each account in the abnormal account set in the plurality of association systems.
2. The method of claim 1, wherein the monitoring status information of at least one account in a plurality of associated systems comprises at least one of:
monitoring status information of at least one account in a plurality of associated systems based on traffic;
monitoring state information of at least one account in a plurality of associated systems based on the system log;
status information of at least one account in the plurality of associated systems is monitored based on the audit analysis data.
3. The method according to claim 1, wherein the classifying the account in the abnormal state in the monitoring result according to the abnormal behavior to obtain an abnormal account set comprises:
acquiring category labels of account abnormal behaviors of different categories;
and matching the account numbers in the abnormal state in the monitoring result and marking the category labels to obtain an abnormal account number set.
4. The method of claim 1, wherein restricting each account in the set of abnormal accounts in the plurality of associated systems comprises:
when the account number in the abnormal account number set is in a session state in a target service system, configuring the session state into a failure state; wherein the business system is one of the plurality of association systems;
when the IP address of the account in the abnormal account set is in an abnormal state, synchronizing the IP address to a network group service system and blocking the network connection of the IP address; wherein the network group service system is one of the plurality of association systems.
5. The method of claim 4, wherein restricting each account in the set of abnormal accounts in the plurality of associated systems further comprises:
and when the account in the abnormal account set is in a binding state with the MAC address of the terminal equipment, limiting the terminal equipment with the MAC address.
6. The method of claim 3, wherein before performing the restricting operation on each account in the abnormal account set in the plurality of association systems, further comprising:
and displaying abnormal account numbers of the category labels of different abnormal behaviors.
7. The method of claim 1, further comprising:
receiving a limiting result of limiting operation on each account in the abnormal account set,
and displaying the limiting result.
8. A system security management and control device, comprising:
a monitoring unit, configured to monitor state information of at least one account in a plurality of association systems, wherein each account has the same account information in the plurality of association systems;
a classification unit, configured to classify the accounts in an abnormal state in the monitoring result according to abnormal behaviors to obtain an abnormal account set; the abnormal account set comprises a category label of an abnormal behavior and abnormal data;
and a processing unit, configured to perform a limiting operation on each account in the abnormal account set in the plurality of association systems.
9. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 7 by means of the computer program.
10. A computer-readable storage medium, comprising a stored program, wherein the program when executed performs the method of any one of claims 1 to 7.
CN202210143064.1A 2022-02-16 System security management and control method and device, storage medium and electronic equipment Active CN114666093B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210143064.1A CN114666093B (en) 2022-02-16 System security management and control method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN114666093A (en) 2022-06-24
CN114666093B (en) 2024-07-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant