CN114936230A - Data supervision method and device, storage medium and electronic equipment - Google Patents


Info

Publication number
CN114936230A
Authority
CN
China
Prior art keywords
detection result
account
information
alarm
behavior
Prior art date
Legal status
Pending
Application number
CN202210661653.9A
Other languages
Chinese (zh)
Inventor
霍纪中
惠红刚
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202210661653.9A
Publication of CN114936230A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/24553 Query execution of query operations

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2453 Query optimisation
    • G06F16/24534 Query rewriting; Transformation
    • G06F16/24539 Query rewriting; Transformation using cached or materialised query results

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the present disclosure provide a method, an apparatus, a storage medium and an electronic device for supervising data. The method comprises the following steps: in response to a query operation, acquiring a keyword to be queried; detecting whether sensitive information matching the keyword exists in a preset sensitive word bank, to obtain a first detection result; detecting whether sensitive information matching the query result corresponding to the keyword exists in the preset sensitive word bank, to obtain a second detection result; determining the level of the alarm behavior of the account based on the first detection result and the second detection result; and executing the corresponding blocking strategy according to the level of the alarm behavior. By matching twice, once on the keyword and once on the query result, the method and apparatus ensure that sensitive information is detected accurately during a real-time query; the blocking strategy is selected according to the alarm level corresponding to the detection results; and because the whole process runs in real time, detection, alarming and blocking take place before the log data are written to the system log, which improves the security of the system.

Description

Data supervision method and device, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of internet, and in particular, to a method and an apparatus for monitoring data, a storage medium, and an electronic device.
Background
In existing big-data supervision, massive log data are collected and combined with asset, threat-intelligence and vulnerability data for big-data collision analysis; a user behavior baseline is built, and abnormal account behavior is analyzed and judged against it.
However, log data are only written to the system log some time after the user's query has finished and the query result has been returned. The existing approach of collecting massive log data raises an alarm according to the analysis result and takes handling measures only after manual confirmation. It is aimed at supervision and handling after the alarm has occurred, performs only after-the-fact analysis of abnormal behavior in historical data, and cannot handle abnormal account behavior in real time (before the log data are written).
Disclosure of Invention
In view of this, embodiments of the present disclosure provide a method, an apparatus, a storage medium and an electronic device for supervising data, so as to solve the following problem in the prior art: the existing approach of collecting massive log data raises an alarm according to the analysis result, takes handling measures after manual confirmation, is aimed at supervision and handling after the alarm has occurred, performs only after-the-fact analysis, and cannot handle abnormal account behavior in real time.
In one aspect, an embodiment of the present disclosure provides a method for supervising data, including: in response to a query operation, acquiring a keyword to be queried; detecting whether sensitive information matching the keyword exists in a preset sensitive word bank, to obtain a first detection result; detecting whether sensitive information matching the query result corresponding to the keyword exists in the preset sensitive word bank, to obtain a second detection result; determining the level of the alarm behavior of the account based on the first detection result and the second detection result; and executing the corresponding blocking strategy according to the level of the alarm behavior.
In some embodiments, before executing the corresponding blocking policy according to the level of the alarm behavior, the method further includes: acquiring attribute information of the account, where the attribute information includes at least one of the following: query time, IP address and MAC address; determining the current behavior data of the account according to the attribute information; matching the current behavior data against the historical behavior data of the account to obtain a third detection result; and re-determining the level of the alarm behavior according to the third detection result.
In some embodiments, before acquiring the keyword to be queried, the method further includes: acquiring the information to be queried that is input by the user, and performing a predetermined analysis on it to determine the keyword corresponding to the information to be queried.
In some embodiments, executing the corresponding blocking policy according to the level of the alarm behavior includes: when the level of the alarm behavior exceeds a preset level, logging out the logged-in account, and determining the address information of the account's user according to the attribute information of the account.
In another aspect, an embodiment of the present disclosure provides a data supervision apparatus, including: a first acquisition module, configured to acquire the keyword to be queried in response to a query operation; a first detection module, configured to detect whether sensitive information matching the keyword exists in a preset sensitive word bank, to obtain a first detection result; a second detection module, configured to detect whether sensitive information matching the query result corresponding to the keyword exists in the preset sensitive word bank, to obtain a second detection result; a first determination module, configured to determine the level of the alarm behavior of the account based on the first detection result and the second detection result; and an execution module, configured to execute the corresponding blocking strategy according to the level of the alarm behavior.
In some embodiments, the apparatus further includes: a second acquisition module, configured to acquire attribute information of the account, where the attribute information includes at least one of: query time, IP address and MAC address; a second determination module, configured to determine the current behavior data of the account according to the attribute information; a third detection module, configured to detect whether the current behavior data matches the historical behavior data of the account, to obtain a third detection result; and a third determination module, configured to re-determine the level of the alarm behavior according to the third detection result.
In some embodiments, the apparatus further includes: an analysis module, configured to acquire the information to be queried that is input by the user and to perform a predetermined analysis on it, so as to determine the keyword corresponding to the information to be queried.
In some embodiments, the execution module is specifically configured to: when the level of the alarm behavior exceeds a preset level, log out the logged-in account, and determine the address information of the account's user according to the attribute information of the account.
In another aspect, an embodiment of the present disclosure provides a storage medium storing a computer program which, when executed by a processor, implements the steps of the method according to any embodiment of the present disclosure.
In another aspect, embodiments of the present disclosure provide a computer device including at least a memory and a processor, where the memory stores a computer program and the processor implements the steps of the method according to any embodiment of the present disclosure when executing that program.
The method and apparatus of the present disclosure are aimed at analyzing and alarming on real-time query operations: during a real-time query, the keyword to be queried and the query result are each matched against the sensitive information in the preset sensitive word bank. The two matches, on the keyword and on the query result, ensure that sensitive information is detected accurately during the real-time query; the blocking strategy is selected according to the alarm level corresponding to the detection results; and because the whole process runs in real time, detection, alarming and blocking take place before the log data are written to the system log. Timeliness is therefore high, and the security of the system is improved.
Drawings
To illustrate the embodiments of the present disclosure or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present disclosure, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for supervising data provided by a first embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of a data supervision apparatus according to a second embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of an electronic device according to a fourth embodiment of the disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described below clearly and completely with reference to the accompanying drawings of the embodiments of the present disclosure. It is to be understood that the described embodiments are only a few embodiments of the present disclosure, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the disclosure without any inventive step, are within the scope of protection of the disclosure.
Unless defined otherwise, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and the like in this disclosure is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item preceding the word comprises the element or item listed after the word and its equivalent, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
To maintain the following description of the embodiments of the present disclosure clear and concise, a detailed description of known functions and known components is omitted from the present disclosure.
The first embodiment of the present disclosure provides a method for supervising data, where the flow of the method is shown in fig. 1, and the method includes steps S101 to S105:
S101, in response to a query operation, acquiring the keyword to be queried.
When a user wants to query some information in the system, a keyword is usually entered; of course, other information containing the keyword may also be entered.
S102, detecting whether sensitive information matched with the keywords exists in a preset sensitive word bank or not to obtain a first detection result.
Once the keyword is determined, the first sensitive-information detection can be performed. The preset sensitive word bank of this embodiment may contain key IP addresses, specific user names, specific persons' identity card numbers, specific persons' mobile phone numbers, specific unit names, specific persons' names, and the like. The keyword is matched against the preset sensitive word bank to obtain the first detection result, which indicates the degree to which the keyword matches a sensitive word in the bank; the matching degree may be expressed as a score. For example, when the keyword to be queried is "zhang san" and "zhang san" is a specific person's name stored in the preset sensitive word bank, the keyword matches the bank, and the first detection result corresponding to the match may be 80 points; 80 points is only an example, and the score could also be 100 points.
In this embodiment, when only one keyword matches a sensitive word in the preset sensitive word bank, the score of the first detection result may be lower, for example 80 (or 60). However, if several keywords appear in one query and all of them match sensitive words in the preset sensitive word bank, the score of the first detection result may be set higher. For example, if the user's query involves three keywords, namely a specific unit name, a specific person's name and a specific identity card number, a relatively targeted query result is obtained, and the score of the first detection result may be set higher: for instance, when the number of keywords in one query exceeds three and the matching rate of those keywords against the sensitive words in the preset sensitive word bank reaches one hundred percent, the first detection result is 100 points. Three keywords with a matching rate of one hundred percent is only an example; there may also be four keywords, the matching rate may be one hundred percent or eighty percent, and so on, and those skilled in the art can set these values according to actual requirements.
S103, detecting whether sensitive information matched with the query result corresponding to the keyword exists in the preset sensitive word bank or not to obtain a second detection result.
When the keyword is used for the query, a query result is obtained. The query result is then detected in the same way as the keyword, that is, the preset sensitive word bank is checked for sensitive information matching the query result.
Since the query result usually does not exist in keyword form, a predetermined analysis can be performed on the query result to determine the keywords corresponding to it, and the sensitive information is then matched according to those keywords.
Like the first detection result, the second detection result can also be expressed as a score; those skilled in the art can refer to the way the first detection result is determined, which is not repeated here.
The first detection result and the second detection result can be stored in a temporary data table for use later when the alarm behavior is determined.
S104, determining the level of the alarm behavior of the account based on the first detection result and the second detection result.
Since there are two detection results, when the level of the alarm behavior of the account is determined, the first detection result and the second detection result may each account for fifty percent; of course, a corresponding weight may also be set for each of them according to actual requirements.
For ranking the alarm behavior, different levels may be set for different scores, e.g. normal below a total score of 60, orange alarm between 60 and 80, yellow alarm between 80 and 90, and red alarm above a total score of 90.
S105, executing the corresponding blocking strategy according to the level of the alarm behavior.
Alarm behaviors of different levels necessarily correspond to different blocking strategies, and in a specific implementation these can be set according to the number of alarm levels. For example: below a total score of 60 the behavior is normal and no blocking operation is performed; for an orange alarm between 60 and 80, the behavior of the account is marked but no blocking operation is performed; for a yellow alarm between 80 and 90, the behavior of the account is marked and any operation of the account is blocked; and for a red alarm above a total score of 90, the account is forcibly logged out and locked.
Of course, the different blocking policies for the different branches are only an example. The alarm behavior may also be divided into just two levels with two handling policies: behavior that is normal or only slightly abnormal is recorded, and abnormal behavior is blocked. Correspondingly, when the level of the alarm behavior exceeds a predetermined level (for example, exceeds 80 points or 90 points), the logged-in account is logged out and the address information of the account's user is determined according to the attribute information of the account; otherwise, a blocking policy that is imperceptible to the user is executed.
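The following is an added worked example of steps S101 to S105 as described above; it is not code from the patent or from the assignee. The sensitive word bank entries, the comma-separated form of the query input, the treatment of a partial match of several keywords as 80 points, and the placement of the level boundaries (a score of exactly 60, 80 or 90 falls into the higher level) are all assumptions made for the example; the scores 80 and 100, the 50/50 weighting and the level thresholds come from the description.

```python
# Added example, not code from the patent: a minimal implementation of steps
# S101-S105 (keyword extraction, two sensitive-word matches, weighted score,
# alarm level, blocking policy). Function names, boundary handling and the
# sample word bank are assumptions or constructed values.

# Constructed sensitive word bank keyed by normalised value; the categories
# follow the description (key IP, user name, ID number, phone number, unit
# name, person name). Values are made up for the example.
SENSITIVE_WORD_BANK = {
    "zhang san": "person_name",
    "10.0.0.5": "key_ip",
    "110101199001011234": "id_number",
    "13800138000": "mobile_phone",
    "acme unit": "unit_name",
}

LEVEL_NORMAL, LEVEL_ORANGE, LEVEL_YELLOW, LEVEL_RED = "normal", "orange", "yellow", "red"


def normalise(value):
    """Case-fold and collapse whitespace so bank lookups are exact-match."""
    return " ".join(str(value).lower().split())


def candidate_keywords(text):
    """'Predetermined analysis' of the query input. Assumption: the user
    enters one or more comma-separated fields, each of which is a candidate."""
    return [normalise(part) for part in text.split(",") if part.strip()]


def detection_score(candidates, bank=SENSITIVE_WORD_BANK):
    """Score one match against the word bank as the description puts it:
    no match -> 0; a matched sensitive word -> 80; three or more candidates
    that all match (100 % matching rate) -> 100. Several candidates of which
    only some match are scored 80 here (an assumption)."""
    if not candidates:
        return 0
    matched = [c for c in candidates if c in bank]
    if not matched:
        return 0
    if len(candidates) >= 3 and len(matched) == len(candidates):
        return 100
    return 80


def result_candidates(records):
    """Query results are rows, not keywords: every field value becomes a candidate."""
    return [normalise(value) for row in records for value in row.values()]


def alarm_level(first, second, w_first=0.5, w_second=0.5):
    """Combine the two detection results (50/50 by default, weights configurable)
    and map the total score to a level. A score exactly on a boundary is
    assigned to the higher level (assumption)."""
    total = w_first * first + w_second * second
    if total >= 90:
        return LEVEL_RED, total
    if total >= 80:
        return LEVEL_YELLOW, total
    if total >= 60:
        return LEVEL_ORANGE, total
    return LEVEL_NORMAL, total


def blocking_policy(level):
    """Step S105: the actions the description pairs with each level."""
    return {
        LEVEL_NORMAL: {"mark": False, "block_operations": False, "force_logout": False, "lock": False},
        LEVEL_ORANGE: {"mark": True, "block_operations": False, "force_logout": False, "lock": False},
        LEVEL_YELLOW: {"mark": True, "block_operations": True, "force_logout": False, "lock": False},
        LEVEL_RED: {"mark": True, "block_operations": True, "force_logout": True, "lock": True},
    }[level]


def supervise_query(query_text, records, bank=SENSITIVE_WORD_BANK):
    """Run S101-S105 on one query, before anything is written to the system log."""
    first = detection_score(candidate_keywords(query_text), bank)     # S102
    second = detection_score(result_candidates(records), bank)        # S103
    level, total = alarm_level(first, second)                         # S104
    return {"first": first, "second": second, "total": total,
            "level": level, "policy": blocking_policy(level)}         # S105


if __name__ == "__main__":
    # Constructed query and constructed result rows: the query names one
    # sensitive person, the returned row also carries an ID and phone number
    # from the bank, so the second detection scores 100 and the total is 90.
    rows = [{"name": "Zhang San", "id": "110101199001011234", "phone": "13800138000"}]
    print(supervise_query("zhang san", rows))
```

One property of the 50/50 weighting worth checking when the weights are tuned: a query consisting entirely of sensitive keywords that returns no rows scores 100 on the first detection and 0 on the second, giving a total of 50, which the thresholds above classify as normal. Raising the weight of the first detection result, or treating a 100-point first detection as its own trigger, closes that gap.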
To further ensure the accuracy of the alarm behavior determination, the level of the alarm behavior may be readjusted according to the circumstances of the account before the corresponding blocking policy is executed. That is, the attribute information of the account is acquired first, which may include at least the query time, the IP address, the MAC address and the like; the current behavior data of the account is determined from the attribute information; the current behavior data is then matched against the historical behavior data of the account to obtain a third detection result; and finally the level of the alarm behavior is re-determined according to the third detection result. This process catches remote or otherwise abnormal logins of the account, and for such a login the highest alarm level can be applied to forcibly log out and lock the account directly.
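As an added example of the third detection result described in this paragraph (not code from the patent or the assignee): the query time, IP address and MAC address of the current query are reduced to behavior data, compared against the account's historical behavior data, and the alarm level is re-determined before the blocking policy runs. The history format, the use of the account's historical hour range as the "usual query time", the rule that an unusual hour alone raises the level by one step, and the function names are assumptions; the sample history is constructed.

```python
# Added example, not from the patent: third detection result and level
# re-determination. Assumptions: history is a list of behaviour-data dicts,
# a new IP or MAC counts as remote/abnormal login (highest level), and an
# unusual hour alone raises the level by one step.
from datetime import datetime

LEVELS = ["normal", "orange", "yellow", "red"]  # ascending severity


def behaviour_data(attributes):
    """Reduce raw attribute information (query time, IP, MAC) to the
    features that are compared against the account's history."""
    ts = datetime.fromisoformat(attributes["query_time"])
    return {"hour": ts.hour, "ip": attributes["ip"], "mac": attributes["mac"].lower()}


# Constructed historical behaviour data for one account: the same
# workstation, queries during office hours.
HISTORY = [
    behaviour_data({"query_time": "2022-06-01T09:15:00", "ip": "10.1.2.3", "mac": "AA:BB:CC:DD:EE:01"}),
    behaviour_data({"query_time": "2022-06-02T14:40:00", "ip": "10.1.2.3", "mac": "AA:BB:CC:DD:EE:01"}),
]


def third_detection(current, history):
    """Match current behaviour data against historical behaviour data.
    Returns the attributes that deviate; an empty list means the current
    behaviour fits the baseline."""
    if not history:
        return []  # no baseline yet, nothing to compare against
    mismatches = []
    if current["ip"] not in {h["ip"] for h in history}:
        mismatches.append("ip")          # address never used by this account
    if current["mac"] not in {h["mac"] for h in history}:
        mismatches.append("mac")         # device never used by this account
    lo, hi = min(h["hour"] for h in history), max(h["hour"] for h in history)
    if not lo <= current["hour"] <= hi:
        mismatches.append("query_time")  # outside the account's usual hours
    return mismatches


def redetermine_level(level, mismatches):
    """Re-determine the alarm level from the third detection result."""
    if "ip" in mismatches or "mac" in mismatches:
        return "red"  # remote/abnormal login: highest level, force logout and lock
    if "query_time" in mismatches:
        return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
    return level


def adjust_alarm(level, attributes, history=HISTORY):
    """Readjust the level computed from the first two detection results."""
    return redetermine_level(level, third_detection(behaviour_data(attributes), history))


if __name__ == "__main__":
    # Constructed current query: new IP, new device, 03:05 in the morning.
    print(adjust_alarm("orange", {"query_time": "2022-06-03T03:05:00",
                                  "ip": "203.0.113.9", "mac": "AA:BB:CC:DD:EE:02"}))
```

The history here is kept per account; in the system described later on the page it would be read from the audit log repository rather than held in memory. Because a new IP or MAC jumps straight to the highest level, the baseline needs enough history (and a path for legitimate device changes, such as the manual confirmation and application process described below) to keep false lockouts manageable.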
A locked account can subsequently be confirmed manually, and for an account without abnormality its use can be restored through an application process; if the manual confirmation finds an abnormal condition, such as account theft or brute-force cracking, an emergency handling state is entered.
According to this embodiment of the invention, real-time online big-data computing capacity is used, and measures such as building a sensitive word bank, constructing abnormal-behavior alarm thresholds and setting up an alarm strategy model are adopted, so that abnormal data-leakage behavior can be monitored in real time during real-time computation; supervision of user behavior is advanced from after-the-fact supervision to supervision during the process, real-time online big-data supervision is realized, and the performance of the system is improved.
A second embodiment of the present disclosure provides a data supervision apparatus, whose structure is shown schematically in Fig. 2. The apparatus includes:
a first acquisition module 10, configured to acquire the keyword to be queried in response to a query operation; a first detection module 20, coupled to the first acquisition module 10 and configured to detect whether sensitive information matching the keyword exists in a preset sensitive word bank, to obtain a first detection result; a second detection module 30, coupled to the first detection module 20 and configured to detect whether sensitive information matching the query result corresponding to the keyword exists in the preset sensitive word bank, to obtain a second detection result; a first determination module 40, coupled to the second detection module 30 and configured to determine the level of the alarm behavior of the account based on the first detection result and the second detection result; and an execution module 50, coupled to the first determination module 40 and configured to execute the corresponding blocking policy according to the level of the alarm behavior.
The modules determine the detection results, the alarm level and the blocking policies in the same way as described for the first embodiment. The blocking policies paired with the different levels there are only an example: the alarm behavior may also be divided into two levels with two handling policies, namely no alarm but recording when there is no or only slight abnormal behavior, and a blocking operation when there is abnormal behavior. Correspondingly, the execution module may be specifically configured to log out the logged-in account when the level of the alarm behavior exceeds a predetermined level (for example, exceeds 80 points or 90 points) and to determine the address information of the account's user according to the attribute information of the account; otherwise, a blocking policy that is imperceptible to the user is implemented.
To further ensure the accuracy of the alarm behavior determination, the data supervision apparatus further includes: a second acquisition module, configured to acquire attribute information of the account, where the attribute information includes at least one of the following: query time, IP address and MAC address; a second determination module, configured to determine the current behavior data of the account according to the attribute information; a third detection module, configured to detect whether the current behavior data matches the historical behavior data of the account, to obtain a third detection result; and a third determination module, configured to re-determine the level of the alarm behavior according to the third detection result. This catches remote or otherwise abnormal logins of the account, and for such a login the highest alarm level can be applied to forcibly log out and lock the account directly.
The locked account can be confirmed manually subsequently, and the use of the account can be recovered for the non-abnormal account through an application process; and manually confirming the locked account, and entering an emergency disposal state if the account with abnormal conditions, such as account embezzlement, brute force cracking and the like, exists.
When the data supervision device is built as a system, on startup the logs are collected, parsed and normalized via the task approval sheet, and the data flow of the query system is collected, parsed and normalized. Query information is written into Kafka, and a database is built comprising a task sheet repository, a task target repository and an audit log repository; the query information is synchronized through this database. A real-time online analysis engine is constructed that analyzes user input online by keyword comparison, behavior verification, real-time calculation and the like, forming a real-time keyword comparison; a blocking strategy is initiated for abnormal behavior that triggers an alarm threshold, and both automatic handling and manual handling are supported. The handling result is issued to the on-duty operator's account as a task sheet, enabling management and retrieval of task sheets and handling data. The system supports extended management of online supervision behaviors and the extension and correlation of abnormal data.
The method and device analyze and alarm on real-time query operations: the keyword to be queried and the query result are each matched against the sensitive information in a preset sensitive word bank, so that matching twice (keyword and query result) ensures accurate detection of sensitive information during the real-time query; a blocking strategy is then obtained from the alarm level corresponding to the detection results. The whole process is a real-time query, and real-time detection, alarm and blocking take place before the log data is written into the system log, so the timeliness is strong and the security of the system is improved.
A third embodiment of the present disclosure provides a storage medium, which is a computer-readable medium storing a computer program, which when executed by a processor implements the method provided in any embodiment of the present disclosure, including the following steps S11 to S15:
S11, in response to a query operation, acquiring the keyword to be queried;
S12, detecting whether sensitive information matching the keyword exists in a preset sensitive word bank, to obtain a first detection result;
S13, detecting whether sensitive information matching the query result corresponding to the keyword exists in the preset sensitive word bank, to obtain a second detection result;
S14, determining the level of the alarm behavior of the account based on the first detection result and the second detection result;
and S15, executing a corresponding blocking strategy according to the level of the alarm behavior.
Before the processor executes the step of executing the corresponding blocking strategy according to the level of the alarm behavior, the computer program, when executed by the processor, further performs the following: acquiring attribute information of the account, the attribute information including at least one of query time, IP address and MAC address; determining the current behavior data of the account from the attribute information; matching the current behavior data against the historical behavior data of the account to obtain a third detection result; and re-determining the level of the alarm behavior according to the third detection result.
Before the processor executes the step of obtaining the keyword to be queried, the computer program, when executed by the processor, further performs the following: obtaining the information to be queried that the user inputs, and performing predetermined parsing on the information to be queried to determine the keyword corresponding to it.
When the computer program is executed by the processor to execute the step of executing the corresponding blocking policy according to the level of the alarm behavior, the processor specifically executes the following steps: when the level of the alarm behavior exceeds the preset level, logging out the logged account, and determining the address information of the user of the account according to the attribute information of the account.
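The following is an added example, not code from the patent or from the applicant: it runs steps S11 to S15 together with the attribute re-check (query time, IP, MAC against the account's history) and maps the resulting score onto the level thresholds and blocking strategies given in the description above (below 60 normal, 60 to 80 orange, 80 to 90 yellow, above 90 red). Everything the page leaves open is an assumption here and is marked as such in the code: the regexes that make up the sensitive word bank, the point values for a keyword hit and a result hit, the half-open reading of the thresholds, the baseline rule used to decide that a login is remote or abnormal, and all sample data.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sensitive word bank. The page only says "a preset sensitive word
# bank"; giving each entry a regex that covers both the field name a user may
# ask for (keyword) and the shape of the value itself (query result) is this
# example's assumption.
SENSITIVE_BANK = {
    "salary": re.compile(r"\bsalary\b", re.I),
    "id_card": re.compile(r"\bid_?card\b|\b\d{17}[\dXx]\b", re.I),
    "phone": re.compile(r"\bphone\b|\b1[3-9]\d{9}\b"),
    "password": re.compile(r"\bpass(word|wd)\b", re.I),
}
KEYWORD_HIT_POINTS = 30  # assumed weight of a keyword hit (first detection result)
RESULT_HIT_POINTS = 40   # assumed weight of a hit in returned data (second detection result)

# Blocking strategy per level as described on the page: normal = nothing,
# orange = mark only, yellow = mark and block operations, red = force logout and lock.
BLOCKING_POLICY = {
    "normal": dict(mark=False, block_operations=False, force_logout=False, lock=False),
    "orange": dict(mark=True, block_operations=False, force_logout=False, lock=False),
    "yellow": dict(mark=True, block_operations=True, force_logout=False, lock=False),
    "red": dict(mark=True, block_operations=True, force_logout=True, lock=True),
}


def extract_keywords(query_text: str) -> list[str]:
    """Predetermined parsing of the user's input into keywords (claim 3)."""
    return re.findall(r"[a-z0-9_]+", query_text.lower())


def alarm_level(total: int) -> str:
    """Score to level; the page's thresholds read as half-open intervals
    (assumption): <60 normal, 60-79 orange, 80-89 yellow, 90 and above red."""
    if total < 60:
        return "normal"
    if total < 80:
        return "orange"
    if total < 90:
        return "yellow"
    return "red"


def behavior_matches(attrs: dict, history: list[dict]) -> bool:
    """Third detection: query time, IP and MAC against the account's history.
    Assumed baseline rule: MAC seen before, IP inside a previously used /24,
    and query hour inside the range of hours the account has used before."""
    if not history:
        return True  # assumption: no baseline to compare against, do not escalate
    known_macs = {h["mac"].lower() for h in history}
    known_nets = {ipaddress.ip_network(f'{h["ip"]}/24', strict=False) for h in history}
    hours = [datetime.fromisoformat(h["query_time"]).hour for h in history]
    ip = ipaddress.ip_address(attrs["ip"])
    hour = datetime.fromisoformat(attrs["query_time"]).hour
    return (attrs["mac"].lower() in known_macs
            and any(ip in net for net in known_nets)
            and min(hours) <= hour <= max(hours))


@dataclass
class Verdict:
    keyword_hits: set[str]
    result_hits: set[str]
    total: int
    level: str
    abnormal_login: bool
    policy: dict
    user_address: Optional[dict]  # IP/MAC handed to the handler on forced logout


def supervise(query_text: str, rows: list[dict], attrs: dict, history: list[dict]) -> Verdict:
    """Run S11-S15 plus the attribute re-check for one query operation."""
    tokens = extract_keywords(query_text)                                                    # S11
    first = {n for n, rx in SENSITIVE_BANK.items() if any(rx.search(t) for t in tokens)}   # S12
    cells = [str(v) for row in rows for v in row.values()]
    second = {n for n, rx in SENSITIVE_BANK.items() if any(rx.search(c) for c in cells)}   # S13
    total = min(100, KEYWORD_HIT_POINTS * len(first) + RESULT_HIT_POINTS * len(second))
    level = alarm_level(total)                                                               # S14
    abnormal = not behavior_matches(attrs, history)
    if abnormal:
        level = "red"  # remote/abnormal login: re-determine to the highest level
    policy = BLOCKING_POLICY[level]                                                          # S15
    address = {"ip": attrs["ip"], "mac": attrs["mac"]} if policy["force_logout"] else None
    return Verdict(first, second, total, level, abnormal, policy, address)


# Constructed sample input: one query, its returned rows, the account's
# history and two sets of attributes for the current login.
SAMPLE_QUERY = "SELECT name, salary FROM staff WHERE dept = 'ops'"
SAMPLE_ROWS = [{"name": "alice", "salary": 12000, "phone": "13812345678"},
               {"name": "bob", "salary": 9800, "phone": "13987654321"}]
SAMPLE_HISTORY = [{"ip": "10.0.0.12", "mac": "aa:bb:cc:dd:ee:01", "query_time": "2022-06-01T09:15:00"},
                  {"ip": "10.0.0.12", "mac": "aa:bb:cc:dd:ee:01", "query_time": "2022-06-02T17:40:00"}]
USUAL_LOGIN = {"ip": "10.0.0.25", "mac": "AA:BB:CC:DD:EE:01", "query_time": "2022-06-13T14:05:00"}
REMOTE_LOGIN = {"ip": "203.0.113.9", "mac": "de:ad:be:ef:00:01", "query_time": "2022-06-13T03:12:00"}

if __name__ == "__main__":
    for label, attrs in (("usual login", USUAL_LOGIN), ("remote login", REMOTE_LOGIN)):
        v = supervise(SAMPLE_QUERY, SAMPLE_ROWS, attrs, SAMPLE_HISTORY)
        print(f"{label}: score={v.total} level={v.level} policy={v.policy}")
```

With the sample data the query hits "salary" as a keyword and the returned phone numbers as a result hit, scoring 70 and landing in the orange band (mark only) from the usual workstation; the same query from an unknown MAC and address at 03:12 is re-determined to red, so the account is logged out and locked and its IP/MAC are passed along for handling. The second pass over the result set is what catches data the keyword alone does not name, which is the point of matching twice.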
The method and the device for real-time query operation analysis and alarm aim at real-time query operation, keywords to be queried and query results in the real-time query operation process are respectively matched with sensitive information in a preset sensitive word bank, accurate detection of the sensitive information in the real-time query process is guaranteed through twice matching of the keywords and the query results, a blocking strategy is obtained according to the alarm behavior grade corresponding to the detection results, real-time query is conducted in the whole process, real-time alarm and blocking are detected in real time before log data are written into system logs, timeliness is strong, and safety performance of the system is improved.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes. Optionally, in this embodiment, the processor executes the method steps described in the above embodiments according to the program code stored in the storage medium. Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again. It will be apparent to those skilled in the art that the modules or steps of the present disclosure described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a memory device and executed by a computing device, and in some cases, the steps shown or described may be executed out of order, or separately as individual integrated circuit modules, or multiple modules or steps thereof may be implemented as a single integrated circuit module. As such, the present disclosure is not limited to any specific combination of hardware and software.
A fourth embodiment of the present disclosure provides an electronic device, the structure of which may be as shown in fig. 3. The electronic device includes at least a memory 901 and a processor 902; the memory 901 stores a computer program, and the processor 902, when executing the computer program on the memory 901, implements the method provided in any embodiment of the present disclosure. Illustratively, the steps performed by the electronic device's computer program are as follows, S21 to S25:
S21, in response to a query operation, acquiring the keyword to be queried;
S22, detecting whether sensitive information matching the keyword exists in a preset sensitive word bank, to obtain a first detection result;
S23, detecting whether sensitive information matching the query result corresponding to the keyword exists in the preset sensitive word bank, to obtain a second detection result;
S24, determining the level of the alarm behavior of the account based on the first detection result and the second detection result;
and S25, executing a corresponding blocking strategy according to the level of the alarm behavior.
Before executing the computer program stored in the memory for executing the corresponding blocking strategy according to the level of the alarm behavior, the processor further executes the following: acquiring attribute information of the account, the attribute information including at least one of query time, IP address and MAC address; determining the current behavior data of the account from the attribute information; matching the current behavior data against the historical behavior data of the account to obtain a third detection result; and re-determining the level of the alarm behavior according to the third detection result.
Before executing the computer program stored in the memory for obtaining the keyword to be queried, the processor further executes the following: obtaining the information to be queried that the user inputs, and performing predetermined parsing on the information to be queried to determine the keyword corresponding to it.
When the processor executes the computer program stored in the memory for executing the corresponding blocking strategy according to the level of the alarm behavior, it specifically executes the following: when the level of the alarm behavior exceeds the preset level, the logged-in account is logged out, and the address information of the account's user is determined from the attribute information of the account.
This embodiment of the disclosure likewise analyzes and alarms on real-time query operations: the keyword to be queried and the query result are each matched against the sensitive information in the preset sensitive word bank, so that matching twice ensures accurate detection of sensitive information during the real-time query; a blocking strategy is then obtained from the alarm level corresponding to the detection results. The whole process is a real-time query, and detection, alarm and blocking take place in real time before the log data is written into the system log, so the timeliness is strong and the security of the system is improved.
Moreover, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments based on the disclosure with equivalent elements, modifications, omissions, combinations (e.g., of aspects across various embodiments), adaptations or alterations. The elements of the claims are to be interpreted broadly based on the language employed in the claims and not limited to the examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with the true scope and spirit being indicated by the following claims and their full scope of equivalents.
The above description is intended to be illustrative and not restrictive. For example, the above-described examples (or one or more versions thereof) may be used in combination with each other. For example, other embodiments may be used by those of ordinary skill in the art upon reading the above description. In addition, in the foregoing detailed description, various features may be grouped together to streamline the disclosure. This should not be interpreted as an intention that a disclosed feature not claimed is essential to any claim. Rather, the subject matter of the present disclosure may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, with each claim standing on its own as a separate embodiment, and it is contemplated that the embodiments can be combined with each other in various combinations or permutations. The scope of the disclosure should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
While the present disclosure has been described in detail with reference to the embodiments, the present disclosure is not limited to the specific embodiments, and those skilled in the art can make various modifications and alterations based on the concept of the present disclosure, and the modifications and alterations should fall within the scope of the present disclosure as claimed.

Claims (10)

1. A method of supervising data, comprising:
in response to a query operation, acquiring a keyword to be queried;
detecting whether sensitive information matching the keyword exists in a preset sensitive word bank, to obtain a first detection result;
detecting whether sensitive information matching the query result corresponding to the keyword exists in the preset sensitive word bank, to obtain a second detection result;
determining the level of the alarm behavior of the account based on the first detection result and the second detection result;
and executing a corresponding blocking strategy according to the level of the alarm behavior.
2. The method of claim 1, wherein prior to executing the corresponding blocking policy according to the level of the alarm behavior, further comprising:
acquiring attribute information of the account, wherein the attribute information comprises at least one of: query time, IP address and MAC address;
determining current behavior data of the account according to the attribute information;
matching the current behavior data with the historical behavior data of the account to obtain a third detection result;
and re-determining the level of the alarm behavior according to the third detection result.
3. The method of claim 1, wherein before obtaining the keyword to be queried, the method further comprises:
obtaining information to be queried that a user inputs, and performing predetermined parsing on the information to be queried to determine the keyword corresponding to the information to be queried.
4. The method of any one of claims 1 to 3, wherein executing a corresponding blocking strategy according to the level of the alarm behavior comprises:
when the level of the alarm behavior exceeds a preset level, logging out the logged-in account, and determining the address information of the account's user according to the attribute information of the account.
5. An apparatus for supervising data, comprising:
a first acquisition module, configured to acquire a keyword to be queried in response to a query operation;
a first detection module, configured to detect whether sensitive information matching the keyword exists in a preset sensitive word bank, to obtain a first detection result;
a second detection module, configured to detect whether sensitive information matching the query result corresponding to the keyword exists in the preset sensitive word bank, to obtain a second detection result;
a first determining module, configured to determine the level of the alarm behavior of the account based on the first detection result and the second detection result;
and an execution module, configured to execute a corresponding blocking strategy according to the level of the alarm behavior.
6. The apparatus of claim 5, further comprising:
a second obtaining module, configured to obtain attribute information of the account, wherein the attribute information comprises at least one of: query time, IP address and MAC address;
a second determining module, configured to determine current behavior data of the account according to the attribute information;
a third detection module, configured to detect whether the current behavior data matches the historical behavior data of the account, to obtain a third detection result;
and a third determining module, configured to re-determine the level of the alarm behavior according to the third detection result.
7. The apparatus of claim 5, further comprising:
a parsing module, configured to obtain information to be queried that a user inputs, and to perform predetermined parsing on the information to be queried to determine the keyword corresponding to the information to be queried.
8. The apparatus according to any one of claims 5 to 7, wherein the execution module is specifically configured to:
when the level of the alarm behavior exceeds a preset level, log out the logged-in account, and determine the address information of the account's user according to the attribute information of the account.
9. A storage medium storing a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 4 when executed by a processor.
10. A computer device comprising at least a memory, a processor, the memory having a computer program stored thereon, characterized in that the processor realizes the steps of the method of any of claims 1 to 4 when executing the computer program on the memory.
CN202210661653.9A 2022-06-13 2022-06-13 Data supervision method and device, storage medium and electronic equipment Pending CN114936230A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210661653.9A CN114936230A (en) 2022-06-13 2022-06-13 Data supervision method and device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210661653.9A CN114936230A (en) 2022-06-13 2022-06-13 Data supervision method and device, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN114936230A true CN114936230A (en) 2022-08-23

Family

ID=82866229

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210661653.9A Pending CN114936230A (en) 2022-06-13 2022-06-13 Data supervision method and device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114936230A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112787992A (en) * 2020-12-17 2021-05-11 福建新大陆软件工程有限公司 Method, device, equipment and medium for detecting and protecting sensitive data
CN113434901A (en) * 2021-06-30 2021-09-24 平安普惠企业管理有限公司 Intelligent data query method and device, electronic equipment and storage medium
CN113516337A (en) * 2021-03-25 2021-10-19 中国雄安集团数字城市科技有限公司 Method and device for monitoring data security operation
CN113627174A (en) * 2021-08-17 2021-11-09 深圳供电局有限公司 Sensitive information monitoring method and system based on enterprise historical digitization
CN113961609A (en) * 2021-10-27 2022-01-21 平安国际智慧城市科技股份有限公司 Data query method, device, server and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112787992A (en) * 2020-12-17 2021-05-11 福建新大陆软件工程有限公司 Method, device, equipment and medium for detecting and protecting sensitive data
CN113516337A (en) * 2021-03-25 2021-10-19 中国雄安集团数字城市科技有限公司 Method and device for monitoring data security operation
CN113434901A (en) * 2021-06-30 2021-09-24 平安普惠企业管理有限公司 Intelligent data query method and device, electronic equipment and storage medium
CN113627174A (en) * 2021-08-17 2021-11-09 深圳供电局有限公司 Sensitive information monitoring method and system based on enterprise historical digitization
CN113961609A (en) * 2021-10-27 2022-01-21 平安国际智慧城市科技股份有限公司 Data query method, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination