CN114666093B - System security management and control method and device, storage medium and electronic equipment - Google Patents

Info

Publication number: CN114666093B
Authority: CN (China)
Application number: CN202210143064.1A
Other languages: Chinese (zh)
Other versions: CN114666093A (en)
Inventors: 李震宇, 王振众
Current Assignee: Hangxiao Steel Structure Co Ltd
Original Assignee: Hangxiao Steel Structure Co Ltd
Legal status: Active
Prior art keywords: abnormal, account, state, associated systems, monitoring

Abstract

The invention discloses a system security management and control method and device, a storage medium and electronic equipment. The method comprises: monitoring state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems; classifying the accounts found to be in an abnormal state in the monitoring result according to their abnormal behaviors to obtain an abnormal account set, wherein the abnormal account set comprises class labels of the abnormal behaviors and abnormal data; and performing a limiting operation on each account in the abnormal account set in the plurality of associated systems. The invention solves the technical problems of low system security and low system operation and maintenance efficiency in the related art.

Description

System security management and control method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of information processing technologies, and in particular, to a system security management and control method and apparatus, a storage medium, and an electronic device.
Background
In recent years, data security incidents have emerged one after another, with ever larger scale and scope of impact; they have caused huge economic losses to enterprises and seriously affected the normal lives of citizens. As national and other levels of regulatory authorities have successively issued information security laws and regulations, information security has become one of the most closely watched topics.
In the related art, data security monitoring and handling is limited to monitoring a single system and deals with a single account in a single system. For a plurality of associated systems, for example a plurality of application systems under one platform, the running condition of accounts that have the same account information in those application systems cannot be monitored in real time, and when an account exhibits abnormal behavior, the abnormal account cannot be managed and controlled across the plurality of associated systems, which results in low system security and low system operation and maintenance efficiency.
Disclosure of Invention
The embodiments of the invention provide a system security management and control method and device, a storage medium and electronic equipment, which at least solve the technical problems of low system security and low system operation and maintenance efficiency in the related art.
According to an aspect of an embodiment of the present invention, there is provided a system security management and control method, including: monitoring state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems; classifying the accounts in the abnormal state in the monitoring result according to their abnormal behaviors to obtain an abnormal account set, wherein the abnormal account set comprises class labels of the abnormal behaviors and abnormal data; and performing a limiting operation on each account in the abnormal account set in the plurality of associated systems.
According to another aspect of the embodiment of the present invention, there is also provided a system security management and control apparatus, including: a monitoring unit, configured to monitor state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems; a classification unit, configured to classify the accounts in the abnormal state in the monitoring result according to their abnormal behaviors to obtain an abnormal account set, wherein the abnormal account set comprises class labels of the abnormal behaviors and abnormal data; and a processing unit, configured to perform a limiting operation on each account in the abnormal account set in the plurality of associated systems.
According to yet another aspect of the embodiments of the present invention, there is also provided an electronic device including a memory, in which a computer program is stored, and a processor configured to execute the system security management method described above by the computer program.
According to a further aspect of embodiments of the present invention, there is also provided a computer readable storage medium having a computer program stored therein, wherein the computer program is configured to perform the above-described system security management and control method when run.
In the embodiment of the invention, the state information of at least one account in a plurality of associated systems is monitored, each account having the same account information in the plurality of associated systems; the accounts in the abnormal state in the monitoring result are classified according to their abnormal behaviors to obtain an abnormal account set, which comprises class labels of the abnormal behaviors and abnormal data. Because the method monitors the state information of at least one account in the plurality of associated systems and limits the abnormal accounts in the plurality of associated systems, system security can be improved and the permissions of a user in the plurality of associated systems can be limited, which solves the technical problems of low system security and low system operation and maintenance efficiency in the related art.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a schematic illustration of an application environment of an alternative system security management method according to an embodiment of the invention;
FIG. 2 is a schematic illustration of an application environment of another alternative system security management method in accordance with an embodiment of the invention;
FIG. 3 is a flow chart of an alternative related art system security management and control method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a platform architecture of another alternative system security management and control method according to an embodiment of the present invention;
FIG. 5 is a global handling module schematic of an alternative system security management method according to an embodiment of the invention;
FIG. 6 is a schematic diagram of an alternative system security management and control apparatus in accordance with an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an alternative electronic device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of the embodiment of the present invention, a system security management and control method is provided. As an alternative implementation, the method may be applied, without limitation, to the application environment shown in FIG. 1. The application environment includes a terminal device 102 that performs human-machine interaction with a user, a network 104 and a server 106. Human-machine interaction can be performed between the user 108 and the terminal device 102, and a system security management and control application program runs in the terminal device 102. The terminal device 102 includes a human-machine interaction screen 1022, a processor 1024 and a memory 1026. The human-machine interaction screen 1022 is used for displaying state information of the abnormal account; the processor 1024 is configured to obtain state information of at least one account in the plurality of associated systems; the memory 1026 is used to store the above-described abnormal account set.
The server 106 includes a database 1062 and a processing engine 1064. The database 1062 is used to store the abnormal account set. The processing engine 1064 is configured to: monitor state information of at least one account in a plurality of associated systems, where each account has the same account information in the plurality of associated systems; classify the accounts in the abnormal state in the monitoring result according to their abnormal behaviors to obtain an abnormal account set, which comprises class labels of the abnormal behaviors and abnormal data; perform a limiting operation on each account in the abnormal account set in the plurality of associated systems; and send the limiting result for the abnormal account to the client of the terminal device 102.
In one or more embodiments, the system security management and control method of the present application may be applied to the application environment shown in FIG. 2. As shown in FIG. 2, human-machine interaction may be performed between a user 202 and a user device 204. The user device 204 includes a memory 206 and a processor 208. In this embodiment, the user device 204 may, but is not limited to, perform the limiting operation on each account in the abnormal account set in the plurality of associated systems by performing the operations described above for the terminal device 102.
Optionally, the terminal device 102 and the user device 204 include, but are not limited to, a mobile phone, a tablet computer, a notebook computer, a PC, a vehicle-mounted electronic device, a wearable device, and the like, and the network 104 may include, but is not limited to, a wireless network or a wired network. The wireless network includes Wi-Fi and other networks that enable wireless communication. The wired network may include, but is not limited to, a wide area network, a metropolitan area network and a local area network. The server 106 may include, but is not limited to, any hardware device that can perform calculations. The server may be a single server, a server cluster composed of a plurality of servers, or a cloud server. The above is merely an example and does not limit the present embodiment in any way.
As an alternative implementation manner, as shown in fig. 3, an embodiment of the present invention provides a system security management and control method, which includes the following steps:
S302, monitoring state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems.
In the embodiment of the invention, the same user generally holds usage rights in a plurality of associated systems through one account, where the plurality of associated systems include, but are not limited to, a plurality of application systems in one platform. The state information of one or more accounts in the plurality of associated systems may be monitored by the account management and control system; in other words, the embodiment of the invention can monitor the accounts of certain specific users.
S304, classifying the accounts in the abnormal state in the monitoring result according to their abnormal behaviors to obtain an abnormal account set; the abnormal account set contains class labels of the abnormal behaviors and abnormal data.
Specifically, the operation behaviors and states of user accounts in the systems are monitored and classified by means of traffic monitoring, log monitoring, audit monitoring and the like. Examples of abnormal states include, without limitation: the login time falls outside the predetermined time, the login IP address is an illegal IP address, or the account's operation behavior is abnormal (such as deleting a resource or deleting a log a plurality of times, or other abnormal operations).
S306, performing a limiting operation on each account in the abnormal account set in the plurality of associated systems.
Specifically, the limiting operation includes, but is not limited to, disabling the abnormal account, performing forced departure on the user corresponding to the abnormal account, invalidating the current session of the abnormal account, limiting one or all of the application permissions of the abnormal account, invalidating the login token of the abnormal account, limiting the IP address or MAC address of the abnormal account, and the like.
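An added example (not code from the patent) of steps S302 to S306: events from several associated systems are classified into a labeled abnormal account set, and each abnormal account is then restricted in every associated system, with the per-system results collected. The event fields, label names, working hours, allowed network, deletion threshold and the in-memory AssociatedSystem class are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy values for illustration; the patent does not specify any.
WORK_START, WORK_END = time(8, 0), time(19, 0)
ALLOWED_NETS = [ip_network("10.20.0.0/16")]
DELETE_THRESHOLD = 3  # "deleting a resource or a log a plurality of times"

@dataclass
class Event:
    account: str
    system: str
    action: str                    # "login", "delete_resource", "delete_log"
    ts: datetime
    src_ip: str
    account_state: str = "active"  # or "disabled", "locked", "deleted"

class AssociatedSystem:
    """In-memory stand-in for one application system under the platform."""
    def __init__(self, name, sessions=()):
        self.name = name
        self.sessions = set(sessions)  # accounts that hold a live session
        self.disabled = set()
        self.blocked_ips = set()

    def restrict(self, account, bad_ips):
        had_session = account in self.sessions
        self.sessions.discard(account)     # invalidate the current session
        self.disabled.add(account)         # disable the account
        self.blocked_ips.update(bad_ips)   # block abnormal source addresses
        return {"system": self.name, "account": account,
                "session_invalidated": had_session,
                "blocked_ips": sorted(bad_ips)}

def ip_allowed(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def classify(events):
    """S304: build the abnormal account set {account: {labels, data}}."""
    abnormal, deletes = {}, {}

    def flag(ev, label):
        entry = abnormal.setdefault(ev.account, {"labels": set(), "data": []})
        entry["labels"].add(label)
        if ev not in entry["data"]:
            entry["data"].append(ev)

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login":
            in_hours = WORK_START <= ev.ts.time() <= WORK_END
            if ev.account_state != "active":
                flag(ev, "abnormal_user_login")
            elif not in_hours or not ip_allowed(ev.src_ip):
                flag(ev, "normal_user_abnormal_login")
        elif ev.action in ("delete_resource", "delete_log"):
            deletes.setdefault(ev.account, []).append(ev)
    # Deletions are counted per account across all systems, not per system.
    for evs in deletes.values():
        if len(evs) >= DELETE_THRESHOLD:
            for ev in evs:
                flag(ev, "abnormal_operation")
    return abnormal

def restrict_everywhere(abnormal, systems):
    """S306: restrict each abnormal account in every associated system,
    including systems where no abnormal behavior was observed."""
    results = []
    for account, entry in sorted(abnormal.items()):
        bad_ips = {e.src_ip for e in entry["data"] if not ip_allowed(e.src_ip)}
        for system in systems:
            results.append(system.restrict(account, bad_ips))
    return results

# Constructed sample events standing in for S302 monitoring output.
SAMPLE_EVENTS = [
    Event("alice", "oa", "login", datetime(2024, 3, 5, 2, 13), "203.0.113.7"),
    Event("bob", "erp", "login", datetime(2024, 3, 5, 10, 0), "10.20.1.5",
          "disabled"),
    Event("carol", "erp", "delete_resource", datetime(2024, 3, 5, 14, 0),
          "10.20.3.9"),
    Event("carol", "oa", "delete_log", datetime(2024, 3, 5, 14, 1), "10.20.3.9"),
    Event("carol", "erp", "delete_log", datetime(2024, 3, 5, 14, 2), "10.20.3.9"),
    Event("dave", "oa", "login", datetime(2024, 3, 5, 9, 30), "10.20.4.4"),
    Event("dave", "oa", "delete_resource", datetime(2024, 3, 5, 9, 45),
          "10.20.4.4"),
]

def demo():
    systems = [AssociatedSystem("oa", {"alice", "dave"}),
               AssociatedSystem("erp", {"bob", "carol"}),
               AssociatedSystem("mail", {"alice", "carol"})]
    abnormal = classify(SAMPLE_EVENTS)
    return abnormal, systems, restrict_everywhere(abnormal, systems)

if __name__ == "__main__":
    for row in demo()[2]:
        print(row)
```

In the sample, alice is only seen logging in to "oa", yet her live session in "mail" is also invalidated, which is the cross-system behavior the method describes.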
In one or more embodiments, the monitoring status information of at least one account in the plurality of associated systems includes at least one of:
Monitoring state information of at least one account in the plurality of associated systems based on system logs.
Specifically, log-based login behavior falls into three types: first, normal login by a normal user; second, normal login by an abnormal user; third, abnormal login by a normal user. Here, an abnormal user includes, but is not limited to, a user who is not a normal operating user of the corresponding system; for example, a user who has established an account in a certain application system but, in business terms, cannot operate in that system. An account in a disabled, locked, deleted or similar state may also be regarded as an abnormal user. Abnormal login means logging in outside usual working hours or from an unusual place, such as logging in late at night or suddenly logging in from outside the workplace.
Log-based authentication behavior falls into three types: normal authentication by a normal user, normal authentication by an abnormal user, and abnormal authentication by a normal user. Here, an abnormal user is as described above; abnormal authentication includes, but is not limited to, changing to mailbox authentication in which authentication is performed using a user name and a mobile phone number.
Call behavior based on interface logs falls into three types: first, normal calls by a normal user; second, normal calls by an abnormal user; third, abnormal calls by a normal user. Here, abnormal calls are a large number of interface calls within a certain period of time (for example, exceeding the normal number of interface calls), or interface calls made outside business processing hours (for example, at night).
Behavior based on the application's own logs includes the operation logs or login logs recorded by the application system itself, and the like.
Log-based exit behavior includes normal exit and abnormal exit; here, abnormal exit includes clicking exit/directly closing an application (program/page) in the application system, and the like.
Monitoring state information of at least one account in the plurality of associated systems based on traffic.
Specifically, traffic-based access behavior of a user account falls into three types: first, normal traffic from a normal user; second, normal traffic from an abnormal user; third, abnormal traffic from a normal user. Here, an account in a disabled, locked, deleted or similar state is an abnormal user, and abnormal traffic is a large amount of traffic within a certain period of time (outside the normal traffic range), or traffic that occurs outside business processing hours (such as at night), and the like.
Monitoring state information of at least one account in the plurality of associated systems based on audit analysis data.
Specifically, audit-based operation behavior means auditing whether the operation behavior of the account is normal operation or abnormal operation. Abnormal operation here includes, but is not limited to, deleting a resource a plurality of times, deleting a log, and the like.
In one or more embodiments, the classifying the accounts in the abnormal state in the monitoring result according to the abnormal behavior to obtain an abnormal account set includes:
Obtaining class labels for the different classes of abnormal account behavior.
Matching the accounts in the abnormal state in the monitoring result against the class labels and labeling them accordingly, to obtain the abnormal account set.
In the embodiment of the present invention, the class labels include, but are not limited to, a label for normal login by an abnormal user, a label for abnormal login by a normal user, and the like. Classifying and labeling the abnormal accounts in the abnormal account set makes it possible to display their state information quickly and conveniently in real time and makes it easier to apply the corresponding limiting operations to them.
In one or more embodiments, the limiting operation on each account in the abnormal account set in the plurality of association systems includes:
When an account in the abnormal account set is in a session state in a target service system, configuring the session state as an invalid state; wherein the service system is one of the plurality of associated systems;
for example, when the abnormal account is detected to be in a chat state, the chat session in which the abnormal account is taking part is invalidated, or the abnormal account is kicked out of the chat group.
When the IP address of an account in the abnormal account set is in an abnormal state, synchronizing the IP address to a network group service system and blocking the network connection of the IP address; wherein the network group service system is one of the plurality of associated systems.
In one or more embodiments, the limiting operation on each account in the abnormal account set in the plurality of association systems further includes:
When an account in the abnormal account set is bound to the MAC address of a terminal device, limiting the terminal device that has that MAC address.
In the embodiment of the invention, for example, if the MAC address of the terminal device bound to abnormal account A is 00-94-02-E2-50-F0, then network connection and system operation can be limited by means of the MAC address 00-94-02-E2-50-F0.
In one or more embodiments, before the limiting operation is performed on each account in the abnormal account set in the plurality of association systems, the method further includes: and displaying the abnormal account numbers of the class labels of different abnormal behaviors.
Specifically, the display module provided in the embodiment of the invention displays the state information of abnormal accounts found through traffic monitoring, log monitoring and audit analysis, and associates it with the corresponding account permissions, on-the-job or off-the-job status, and account valid or invalid status, so that the session conditions of the abnormal account in each application system can be compared visually and changes in the data can be analyzed conveniently.
In one or more embodiments, the system security management and control method further includes: receiving the limiting result of the limiting operation performed on each account in the abnormal account set, and displaying the limiting result.
Specifically, global one-key handling is performed by means of a button: when situation awareness finds an abnormal account, the systems in which the account exists, its session state and its account state are displayed, and the account is handled through the one-key handling button. The account management and control system acts as an intermediate program that is responsible for monitoring and receiving the abnormal data of accounts and for sending the abnormal account to each application system; each application system performs session processing and its own account management and control on the abnormal account and manages and controls the abnormal account's IP and MAC addresses; finally, the limiting results for the abnormal account returned by each application system are received and displayed on the display module. This technical means solves the technical problems that manual handling is not timely and is prone to misoperation and missed operations.
Optionally, in an application embodiment, the system security management and control method further includes: displaying, by category, the global log monitoring result data of the plurality of associated systems through a monitoring module; then, through a display module, labeling the abnormal data with abnormal behavior labels according to the abnormal behavior classification standard and displaying in a unified way the session conditions of the accounts associated with the abnormal accounts; and finally, handling the abnormal accounts uniformly in each service system through the one-key handling module, controlling account permissions with one key. This ensures that abnormal accounts are handled promptly and effectively, clearly shows the current real-time state of each account in each application system, greatly improves working efficiency and improves the security of the system.
The monitoring module monitors and displays whether user operations are compliant, based on traffic monitoring, log monitoring, audit monitoring and the like. It specifically covers the following:
1) Log-based login behavior: first, normal login by a normal user; second, normal login by an abnormal user; third, abnormal login by a normal user.
2) Log-based authentication behavior: normal authentication by a normal user, normal authentication by an abnormal user, and abnormal authentication by a normal user.
3) Traffic-based access behavior: first, normal traffic from a normal user; second, normal traffic from an abnormal user; third, abnormal traffic from a normal user.
4) Call behavior based on interface logs: first, normal calls by a normal user; second, normal calls by an abnormal user; third, abnormal calls by a normal user.
5) Behavior based on the application's own logs: the operation/login logs recorded by the application itself.
6) Audit-based operation behavior: first, normal operation; second, abnormal operation.
7) Log-based exit behavior: first, normal exit; second, abnormal exit.
As shown in FIG. 4, the display module includes a situation awareness one-key global handling platform architecture. It can display the state of traffic monitoring, log monitoring and audit analysis, associate the corresponding account permissions, on-the-job or off-the-job status and account valid or invalid status, and compare the data visually, which makes changes in the data easy to analyze. Security problems can thus be found in real time, and the global system (a plurality of associated application systems) can be handled with one key through the one-key handling button.
The internal flow of the one-key global handling is shown in FIG. 5. When the situation awareness one-key global handling platform finds an abnormal account, it displays the systems in which the abnormal account exists, its session state and its account state. When the one-key handling button is used, the account management and control system (4A account management and control in FIG. 5) acts as an intermediate program: it is responsible for monitoring and receiving the abnormal data of accounts and for sending the abnormal account to each application system; each application system performs session processing and its own account management and control on the abnormal account and manages and controls the abnormal account's IP and MAC addresses; finally, the limiting results for the abnormal account returned by each application system are received and displayed on the display module. This technical means solves the technical problems that manual handling is not timely and is prone to misoperation and missed operations.
The embodiment of the invention also has the following beneficial effects:
The sessions and/or permissions of each account in the multiple associated systems are displayed and handled in real time, and the global one-key handling operation on accounts with abnormal behavior is carried out automatically with a high degree of visualization; this not only reduces labor cost but also improves data security management and control efficiency and system security.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
According to another aspect of the embodiment of the invention, a system security control device for implementing the system security control method is also provided. As shown in fig. 6, the apparatus includes:
a monitoring unit 602, configured to monitor status information of at least one account in a plurality of association systems, where each account has the same account information in the plurality of association systems;
the classification unit 604 is configured to classify the account number in the abnormal state in the monitoring result according to the abnormal behavior, so as to obtain an abnormal account number set; the abnormal account number set comprises class labels of abnormal behaviors and abnormal data;
The processing unit 606 is configured to perform a limiting operation on each account in the abnormal account set in the plurality of association systems.
In the embodiment of the invention, the state information of at least one account in a plurality of associated systems is monitored, each account having the same account information in the plurality of associated systems; the accounts in the abnormal state in the monitoring result are classified according to the abnormal behaviors to obtain an abnormal account set, and the abnormal account set comprises class labels of abnormal behaviors and abnormal data. Because the state information of at least one account in the plurality of associated systems is monitored and the abnormal accounts are limited in the plurality of associated systems, the system security can be improved and the authority of a user in the plurality of associated systems can be limited, which solves the technical problems of low system security and low system operation and maintenance efficiency in the related art.
In one or more embodiments, the monitoring unit 602 includes at least one of:
the first monitoring module is used for monitoring state information of at least one account number in the plurality of associated systems based on the flow;
The second monitoring module is used for monitoring state information of at least one account number in the plurality of associated systems based on the system log;
And the third monitoring module is used for monitoring state information of at least one account number in the plurality of associated systems based on the audit analysis data.
In one or more embodiments, the classification unit 604 specifically includes:
The acquisition module is used for acquiring class labels of account abnormal behaviors of different classes;
And the matching labeling module is used for matching the accounts in the abnormal state in the monitoring result and labeling the class labels to obtain an abnormal account set.
In one or more embodiments, the processing unit 606 specifically includes:
The first processing module is used for configuring the session state as a failure state when the account in the abnormal account set is in the session state in the target service system; wherein the service system is one of the plurality of association systems;
The second processing module is used for synchronizing the IP address to the network group service system and blocking the network connection of the IP address when the IP address of the account in the abnormal account set is in an abnormal state; wherein the network group service system is one of the plurality of association systems.
In one or more embodiments, the processing unit 606 further includes:
And the third processing module is used for limiting the terminal equipment with the MAC address when the account in the abnormal account set and the MAC address of the terminal equipment are in a binding state.
In one or more embodiments, the system security management apparatus further includes:
and the display unit is used for displaying the abnormal account numbers of the class labels of different abnormal behaviors.
In one or more embodiments, the system security management apparatus further includes:
A receiving unit for receiving a limiting result of limiting each account in the abnormal account set,
And the display unit is used for displaying the limiting result.
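The classification and processing units described above, sketched in Python as an added example (not code from the patent or its applicant). The label rules, class names, event fields and the `erp`/`oa` systems are assumptions made for illustration; an unreachable system is recorded as a failed limiting result instead of being skipped, so a missed operation shows up in what the display unit would present.

```python
from dataclasses import dataclass
# Constructed label rules: the patent names no concrete abnormal-behaviour classes.
LABEL_RULES = {
    "brute_force": lambda e: e.get("failed_logins", 0) >= 5,
    "bulk_export": lambda e: e.get("rows_exported", 0) > 10_000,
}
@dataclass
class AbnormalAccount:
    account: str
    labels: list
    data: dict  # abnormal data kept alongside the class labels

class BusinessSystem:
    """Hypothetical stand-in for one associated business system."""
    def __init__(self, name, sessions, reachable=True):
        self.name, self.sessions, self.reachable = name, dict(sessions), reachable
    def invalidate_session(self, account):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        if self.sessions.get(account) != "active":
            return "no_session"
        self.sessions[account] = "invalid"  # session state configured as failure state
        return "invalidated"

class NetworkGroupSystem:
    """Hypothetical stand-in for the network group service system."""
    def __init__(self):
        self.blocked_ips, self.restricted_macs = set(), set()

def classify(events):
    """Classification unit: match monitored events against the label rules."""
    merged = {}
    for ev in events:
        labels = [name for name, rule in LABEL_RULES.items() if rule(ev)]
        if not labels:
            continue
        entry = merged.setdefault(ev["account"], AbnormalAccount(ev["account"], [], {}))
        entry.labels = sorted(set(entry.labels) | set(labels))
        entry.data.update(ev)
    return list(merged.values())

def restrict(abnormal, systems, network):
    """Processing unit: apply each restriction and return one result per action."""
    results = []
    for acct in abnormal:
        for system in systems:
            try:
                outcome = system.invalidate_session(acct.account)
            except ConnectionError as exc:
                outcome = f"failed: {exc}"  # recorded, so the gap stays visible
            results.append((acct.account, system.name, "session", outcome))
        if acct.data.get("ip_abnormal"):
            network.blocked_ips.add(acct.data["ip"])
            results.append((acct.account, "network", "ip_block", acct.data["ip"]))
        if acct.data.get("bound_mac"):
            network.restricted_macs.add(acct.data["bound_mac"])
            results.append((acct.account, "network", "mac_restrict", acct.data["bound_mac"]))
    return results

# Constructed monitoring results; addresses come from documentation ranges.
EVENTS = [
    {"account": "zhang", "failed_logins": 9, "ip": "203.0.113.7",
     "ip_abnormal": True, "bound_mac": "00:00:5e:00:53:01"},
    {"account": "zhang", "rows_exported": 50_000, "ip": "203.0.113.7", "ip_abnormal": True},
    {"account": "li", "failed_logins": 1, "ip": "198.51.100.4", "ip_abnormal": False},
]

def run_demo():
    systems = [BusinessSystem("erp", {"zhang": "active", "li": "active"}),
               BusinessSystem("oa", {"zhang": "active"}, reachable=False)]
    network = NetworkGroupSystem()
    abnormal = classify(EVENTS)
    return abnormal, restrict(abnormal, systems, network), systems, network
```

Calling `run_demo()` returns the abnormal account set, the per-system limiting results, and the final state of the stand-in systems.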
According to still another aspect of the embodiment of the present invention, there is further provided an electronic device for implementing the system security management method described above, where the electronic device may be a terminal device or a server as shown in fig. 7. The present embodiment is described taking the electronic device as an example. As shown in fig. 7, the electronic device comprises a memory 702 and a processor 704, the memory 702 storing a computer program, the processor 704 being arranged to perform the steps of any of the method embodiments described above by means of the computer program.
Alternatively, in this embodiment, the electronic device may be located in at least one network device of a plurality of network devices of the computer network.
Alternatively, in the present embodiment, the above-described processor may be configured to execute the following steps by a computer program:
S1, monitoring state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems;
S2, classifying the accounts in the abnormal state in the monitoring result according to the abnormal behaviors to obtain an abnormal account set; the abnormal account number set comprises class labels of abnormal behaviors and abnormal data;
S3, performing a limiting operation on each account in the abnormal account set in the plurality of associated systems.
Optionally, it will be understood by those skilled in the art that the structure shown in fig. 7 is only schematic, and the electronic device may also be a smart phone (such as an Android mobile phone, an iOS mobile phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, etc. Fig. 7 does not limit the structure of the electronic device described above. For example, the electronic device may also include more or fewer components (e.g., network interfaces, etc.) than shown in fig. 7, or have a different configuration than shown in fig. 7.
The memory 702 may be used to store software programs and modules, such as program instructions/modules corresponding to the system security management method and apparatus in the embodiments of the present invention, and the processor 704 executes the software programs and modules stored in the memory 702, thereby performing various functional applications and data processing, that is, implementing the system security management method described above. The memory 702 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory. In some examples, the memory 702 may further include memory remotely located relative to the processor 704, which may be connected to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The memory 702 may be used for storing information such as, but not limited to, billing subtasks. As an example, as shown in fig. 7, the memory 702 may include, but is not limited to, the monitoring unit 602, the classifying unit 604, and the processing unit 606 in the system security management apparatus. In addition, other module units in the system security management and control apparatus may be included, but are not limited to, and are not described in detail in this example.
Optionally, the transmission device 706 is used to receive or transmit data via a network. Specific examples of the network described above may include wired networks and wireless networks. In one example, the transmission device 706 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices and routers via a network cable to communicate with the internet or a local area network. In one example, the transmission device 706 is a Radio Frequency (RF) module that is configured to communicate wirelessly with the internet.
In addition, the electronic device further includes: a display 708 for displaying the processing result of the billing sub-task; and a connection bus 710 for connecting the respective module parts in the above-described electronic device.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting the plurality of nodes through a network communication. Among them, the nodes may form a Peer-To-Peer (P2P) network, and any type of computing device, such as a server, a terminal, etc., may become a node in the blockchain system by joining the Peer-To-Peer network.
According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions are read from a computer readable storage medium by a processor of a computer device, which executes the computer instructions, causing the computer device to perform the system security management method described above, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
Alternatively, in the present embodiment, the above-described computer-readable storage medium may be configured to store a computer program for executing the steps of:
S1, monitoring state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems;
S2, classifying the accounts in the abnormal state in the monitoring result according to the abnormal behaviors to obtain an abnormal account set; the abnormal account number set comprises class labels of abnormal behaviors and abnormal data;
S3, performing a limiting operation on each account in the abnormal account set in the plurality of associated systems.
Optionally, in this embodiment, it will be understood by those skilled in the art that all or part of the steps in the methods of the above embodiments may be completed by a program that instructs a terminal device to execute them, where the program may be stored in a computer readable storage medium, and the storage medium may include: a flash disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, etc.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present invention may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing one or more computer devices (which may be personal computers, servers or network devices, etc.) to perform all or part of the steps of the method of the various embodiments of the present invention.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In several embodiments provided by the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and are merely a logical functional division, and there may be other manners of dividing the apparatus in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (8)

1. A system security control method, comprising:
Monitoring state information of at least one account in a plurality of associated systems, wherein each account has the same account information in the plurality of associated systems;
Classifying the accounts in the abnormal state in the monitoring result according to the abnormal behaviors to obtain an abnormal account set, wherein the method comprises the following steps:
obtaining class labels of account abnormal behaviors of different classes;
Matching the account numbers in the abnormal state in the monitoring result and labeling the class labels to obtain an abnormal account number set; the abnormal account number set comprises class labels of abnormal behaviors and abnormal data;
Limiting each account in the abnormal account set in the plurality of associated systems comprises the following steps: when the account number in the abnormal account number set is in a session state in a target service system, configuring the session state as a failure state; wherein the business system is one of the plurality of association systems;
When the IP address of the account in the abnormal account set is in an abnormal state, synchronizing the IP address to a network group service system and blocking the network connection of the IP address; wherein the network group service system is one of the plurality of association systems.
2. The method of claim 1, wherein the monitoring status information of at least one account in the plurality of associated systems comprises at least one of:
Monitoring state information of at least one account in a plurality of associated systems based on the traffic;
Monitoring status information of at least one account in the plurality of associated systems based on the system log;
status information of at least one account in the plurality of associated systems is monitored based on the audit analysis data.
3. The method of claim 1, wherein the restricting each account in the set of abnormal accounts in the plurality of associated systems further comprises:
And when the account number in the abnormal account number set and the MAC address of the terminal equipment are in a binding state, limiting the terminal equipment with the MAC address.
4. The method of claim 1, wherein, before the limiting operation is performed on each account in the abnormal account set in the plurality of associated systems, the method further comprises:
And displaying the abnormal account numbers of the class labels of different abnormal behaviors.
5. The method according to claim 1, wherein the method further comprises:
receiving a limiting result of the limiting operation on each account in the abnormal account set; and
displaying the limiting result.
6. A system security management and control apparatus, comprising:
the monitoring unit is used for monitoring state information of at least one account in a plurality of associated systems, and each account has the same account information in the plurality of associated systems;
the classification unit is used for classifying the accounts in the abnormal state in the monitoring result according to the abnormal behaviors to obtain an abnormal account set; the abnormal account number set comprises class labels of abnormal behaviors and abnormal data;
The classification unit comprises:
The acquisition module is used for acquiring class labels of account abnormal behaviors of different classes;
The matching labeling module is used for matching the accounts in the abnormal state in the monitoring result and labeling the class labels to obtain an abnormal account set;
The processing unit is configured to perform a limiting operation on each account in the abnormal account set in the multiple association systems, and includes: when the account number in the abnormal account number set is in a session state in a target service system, configuring the session state as a failure state; wherein the business system is one of the plurality of association systems;
When the IP address of the account in the abnormal account set is in an abnormal state, synchronizing the IP address to a network group service system and blocking the network connection of the IP address; wherein the network group service system is one of the plurality of association systems.
7. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method according to any of the claims 1 to 5 by means of the computer program.
8. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored program, wherein the program when run performs the method of any one of claims 1 to 5.
CN202210143064.1A 2022-02-16 System security management and control method and device, storage medium and electronic equipment Active CN114666093B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210143064.1A CN114666093B (en) 2022-02-16 System security management and control method and device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210143064.1A CN114666093B (en) 2022-02-16 System security management and control method and device, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN114666093A CN114666093A (en) 2022-06-24
CN114666093B true CN114666093B (en) 2024-07-02

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104519032A (en) * 2013-09-30 2015-04-15 深圳市腾讯计算机系统有限公司 Internet account safety policy and system
CN110611635A (en) * 2018-06-14 2019-12-24 蓝盾信息安全技术股份有限公司 Detection method based on multi-dimensional lost account
CN111506895A (en) * 2020-04-17 2020-08-07 支付宝(杭州)信息技术有限公司 Construction method and device of application login graph

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant