CN116956125A - Operation and maintenance operation auditing method, equipment, storage medium and device - Google Patents


Publication number
CN116956125A
Authority
CN
China
Legal status
Pending
Application number
CN202310878602.6A
Other languages
Chinese (zh)
Inventor
蒋小雨
徐志成
陈若鹏
杨希
陆浩
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Jiangsu Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Jiangsu Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Jiangsu Co Ltd
Priority to CN202310878602.6A
Publication of CN116956125A

Classifications

    • G06F18/24 Classification techniques
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G06F18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • G06F8/70 Software maintenance or management
    • G06Q10/103 Workflow collaboration or project management
    • G06Q10/20 Administration of product repair or maintenance
    • Y04S10/50 Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications

Abstract

The invention relates to the technical field of computers, and discloses an operation auditing method, equipment, a storage medium and a device, wherein the method comprises the following steps: classifying historical operation data of operation and maintenance personnel to obtain classified historical operation and maintenance operation data, carrying out cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm to obtain clusters of the operation and maintenance personnel, obtaining a personal characteristic data set of the operation and maintenance personnel and a collective characteristic data set of roles of the operation and maintenance personnel based on the clusters of the operation and maintenance personnel, respectively comparing current operation and maintenance operation data of the operation and maintenance personnel with the personal characteristic data set and the collective characteristic data set, and auditing the current operation and maintenance operation according to comparison results; according to the invention, the current operation and maintenance operation data of the operation and maintenance personnel are automatically checked through the cluster analysis algorithm, so that the operation and maintenance operation can be checked efficiently and accurately, and further the risk of illegal operation can be reduced.

Description

Operation and maintenance operation auditing method, equipment, storage medium and device
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an operation auditing method, an apparatus, a storage medium, and a device.
Background
At present, telecom operators' business support systems store a large amount of sensitive information, and on-site operation and maintenance personnel can directly access the data or operate host equipment through a remote bastion host. An improper operation and maintenance operation can very easily cause fluctuations in the production environment or leakage of sensitive data, with irrecoverable consequences for the company. The conventional way of auditing operation and maintenance operations is based on configured rules combined with manual comparison. However, this manual auditing method is prone to missed detection and false detection.
Disclosure of Invention
The invention mainly aims to provide an operation and maintenance operation auditing method, equipment, a storage medium and a device, and aims to solve the technical problem that the existing operation and maintenance operation auditing mode depends on manual work and is at risk of missed detection and false detection.
In order to achieve the above object, the present invention provides an operation and maintenance operation auditing method, which includes the following steps:
classifying the historical operation and maintenance operation data of the operation and maintenance personnel to obtain classified historical operation and maintenance operation data;
performing cluster analysis on the classified historical operation data through a cluster analysis algorithm to obtain clusters to which the operation staff belong;
acquiring a personal characteristic data set of the operation and maintenance personnel and a collective characteristic data set of a role of the operation and maintenance personnel based on a cluster of the operation and maintenance personnel;
and respectively comparing the current operation and maintenance operation data of the operation and maintenance personnel with the personal characteristic data set and the collective characteristic data set, and auditing the current operation and maintenance operation according to the comparison result.
Optionally, performing cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm to obtain a cluster to which the operation and maintenance personnel belongs, including:
dividing the operation and maintenance personnel into a plurality of roles from a plurality of dimensions, and determining the cluster number of a cluster analysis algorithm according to the number of the roles;
and carrying out cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm according to the cluster number to obtain clusters to which the operation and maintenance personnel belong.
Optionally, performing cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm according to the cluster number to obtain a cluster to which the operation and maintenance personnel belongs, including:
constructing a historical operation matrix according to the classified historical operation and maintenance operation data, and calculating the numerical range of the user behavior characteristic in each dimension according to the historical operation matrix;
determining initial cluster centers of all clusters according to the cluster number and the numerical range;
calculating the distance between each vector in the historical operation matrix and the cluster centers, and dividing each vector into the clusters according to the distance;
and calculating new cluster centers of each cluster after repartitioning, and returning to the step of calculating the distance between each vector in the historical operation matrix and the cluster centers and dividing each vector into the clusters according to the distance, until the cluster centers converge, so as to obtain the cluster to which the operation and maintenance personnel belong.
Optionally, after comparing the current operation data of the operation and maintenance personnel with the personal feature data set and the collective feature data set, and auditing the current operation and maintenance according to the comparison result, the method further includes:
screening abnormal data from the current operation and maintenance operation according to the auditing result;
based on the abnormal data, to the and optimizing by a cluster analysis algorithm.
Optionally, the acquiring the personal characteristic data set of the operation and maintenance personnel and the collective characteristic data set of the role of the operation and maintenance personnel based on the cluster of the operation and maintenance personnel comprises:
and extracting a personal characteristic data set of the operation and maintenance personnel and a collective characteristic data set of the role of the operation and maintenance personnel through a nonlinear mapping mode based on the cluster of the operation and maintenance personnel.
Optionally, the comparing the current operation and maintenance data of the operation and maintenance personnel with the personal feature data set and the collective feature data set respectively, and auditing the current operation and maintenance according to the comparison result includes:
comparing the current operation data of the operation staff with the personal characteristic data set and the collective characteristic data set respectively;
when the current operation data is not matched with the personal characteristic data set, marking the current operation data as operation data of a first risk level, and auditing the current operation according to the first risk level;
when the current operation and maintenance operation data are not matched with the personal characteristic data set and are not matched with the collective characteristic data set, marking the current operation and maintenance operation data as operation and maintenance operation data with a second risk level, and auditing the current operation and maintenance operation according to the second risk level, wherein the second risk level is higher than the first risk level.
Optionally, the operation checking method further includes:
acquiring a history operation and maintenance log of operation and maintenance personnel, and cleaning and preprocessing the history operation and maintenance log;
analyzing the processed historical operation and maintenance log to obtain the historical operation and maintenance operation data of the operation and maintenance personnel.
In addition, in order to achieve the above object, the present invention also proposes an operation and maintenance operation auditing apparatus, which includes a memory, a processor, and an operation and maintenance operation auditing program stored on the memory and executable on the processor, the operation and maintenance operation auditing program being configured to implement the operation and maintenance operation auditing method as described above.
In addition, in order to achieve the above object, the present invention also proposes a storage medium having an operation auditing program stored thereon, which when executed by a processor, implements the operation auditing method as described above.
In addition, in order to achieve the above object, the present invention also provides an operation checking device, including: the device comprises an operation classification module, a cluster analysis module, a feature extraction module and an operation auditing module;
the operation classification module is used for classifying the historical operation and maintenance operation data of operation and maintenance personnel to obtain the classified historical operation and maintenance operation data;
the cluster analysis module is used for carrying out cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm to obtain clusters to which the operation and maintenance personnel belong;
the feature extraction module is used for acquiring a personal feature data set of the operation and maintenance personnel and a collective feature data set of a role of the operation and maintenance personnel based on a cluster of the operation and maintenance personnel;
and the operation auditing module is used for respectively comparing the current operation and maintenance operation data of the operation and maintenance personnel with the personal characteristic data set and the collective characteristic data set, and auditing the current operation and maintenance operation according to the comparison result.
The invention discloses classifying historical operation data of operation staff, obtaining classified historical operation data, carrying out cluster analysis on the classified historical operation data through a cluster analysis algorithm, obtaining clusters to which the operation staff belongs, obtaining a personal characteristic data set of the operation staff and a collective characteristic data set of roles to which the operation staff belong based on the clusters to which the operation staff belongs, respectively comparing current operation data of the operation staff with the personal characteristic data set and the collective characteristic data set, and auditing the current operation according to comparison results; according to the invention, the current operation and maintenance operation data of the operation and maintenance personnel are automatically checked through the cluster analysis algorithm, so that the operation and maintenance operation can be checked efficiently and accurately, and further the risk of illegal operation can be reduced.
Drawings
FIG. 1 is a schematic diagram of a configuration of an operation auditing device of a hardware running environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of an operation auditing method according to the present invention;
FIG. 3 is a flowchart of a second embodiment of the operation auditing method of the present invention;
FIG. 4 is a flowchart of a third embodiment of an operation auditing method according to the present invention;
FIG. 5 is a block diagram of a first embodiment of an operation checking device according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an operation auditing device of a hardware running environment according to an embodiment of the present invention.
As shown in FIG. 1, the operation and maintenance operation auditing apparatus may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display, and may optionally also include a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed random access memory (Random Access Memory, RAM) or a non-volatile memory (Non-Volatile Memory, NVM), such as a disk memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 1 does not constitute a limitation of the operation auditing device, and may include more or fewer components than shown, or may combine certain components, or may have a different arrangement of components.
As shown in FIG. 1, a memory 1005, which is considered to be a computer storage medium, may include an operating system, a network communication module, a user interface module, and an operation auditing program.
In the operation and maintenance operation auditing device shown in fig. 1, the network interface 1004 is mainly used for connecting a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting user equipment; the operation checking device invokes an operation checking program stored in the memory 1005 through the processor 1001, and executes the operation checking method provided by the embodiment of the present invention.
Based on the hardware structure, the embodiment of the operation and maintenance operation auditing method is provided.
Referring to fig. 2, fig. 2 is a flowchart of a first embodiment of an operation checking method according to the present invention, and the first embodiment of the operation checking method according to the present invention is provided.
In a first embodiment, the operation and maintenance operation auditing method includes the steps of:
At present, telecom operators' business support systems store a large amount of sensitive information, and on-site operation and maintenance personnel can directly access the data or operate host equipment through a remote bastion host. An improper operation and maintenance operation can very easily cause fluctuations in the production environment or leakage of sensitive data, with irrecoverable consequences for the company. The conventional way of auditing operation and maintenance operations is based on configured rules combined with manual comparison. However, this manual auditing method is prone to missed detection and false detection.
With respect to the security of operation and maintenance operations, auditing currently relies on manual review and judgment: the system presets a basic audit policy and an auditor configures the security policy. This makes operation and maintenance difficult and easily leads to missed detection or false detection, mainly in the following respects:
1. Auditors depend entirely on the existing security policy, so once an auditor does not configure the security policy reasonably, for example for operations that alter sensitive data, sensitive data can be leaked;
2. At present, most audit work is based on manual auditing, but the existing manual auditing mode is time-consuming and has a certain lag, so high-risk operation behaviors cannot be blocked in time when they occur, which very easily causes security incidents.
Therefore, in order to overcome the above-mentioned drawbacks, in this embodiment, the current operation and maintenance operation data of the operation and maintenance personnel is automatically checked by the cluster analysis algorithm, so that the operation and maintenance operation can be checked efficiently and accurately, and further the risk of illegal operation can be reduced.
Step S10: and classifying the historical operation and maintenance operation data of the operation and maintenance personnel to obtain the classified historical operation and maintenance operation data.
It should be understood that the execution body of the method of this embodiment may be an operation checking device with data processing, network communication and program running functions, for example, a terminal device such as a computer, or other electronic devices capable of implementing the same or similar functions, which is not limited in this embodiment.
The historical operation and maintenance operation data may include data such as the operator, the operation content, and the operation time. The data may be obtained directly, or the historical operation and maintenance log of the operation and maintenance personnel may be obtained first and the data then extracted from that log.
It can be understood that, in order to facilitate subsequent cluster analysis of the data, in this embodiment, the historical operation and maintenance operation data of the operation and maintenance personnel is classified first, and then the cluster analysis is performed on the classified historical operation and maintenance operation data through a cluster analysis algorithm. The historical operation data of the operation staff can be classified according to the operation and maintenance service scene, and particularly, the historical operation data can be classified into operation types of host operation, database operation, service system operation and the like, which is not limited in this embodiment.
The following is illustrative for ease of understanding, but is not limiting of the present solution. The results of classifying the historical operation data of the operation staff according to the operation and maintenance service scene are shown in table 1:
TABLE 1
Step S20: and carrying out cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm to obtain clusters to which the operation and maintenance personnel belong.
It should be appreciated that the clustering algorithm is an unsupervised learning method for dividing objects in a dataset into clusters, so that objects in the same cluster are more similar to each other, and the difference of objects between different clusters is large. In this embodiment, based on the assumption that the behavior patterns of similar users are similar, similar users are clustered, so that a user group with similar behavior patterns (i.e., a cluster to which the operation and maintenance personnel belong) can be obtained.
It should be noted that, the cluster analysis algorithm may be at least one of a K-means cluster algorithm, a hierarchical cluster algorithm, a density cluster algorithm, a graph-based cluster algorithm, and a fuzzy cluster algorithm, and in this embodiment and other embodiments, the K-means cluster algorithm is taken as an example to illustrate, but the present solution is not limited.
Step S30: and acquiring a personal characteristic data set of the operation and maintenance personnel and a collective characteristic data set of the role of the operation and maintenance personnel based on the cluster of the operation and maintenance personnel.
It can be understood that, considering that the clusters of the operation and maintenance personnel belong to data in matrix form, the features cannot be directly obtained, so in order to overcome the above-mentioned drawbacks, in this embodiment, the clusters of the operation and maintenance personnel are mapped from the original space to the low-dimensional feature space by a nonlinear mapping manner, so as to extract the personal feature data set of the operation and maintenance personnel and the collective feature data set of the roles of the operation and maintenance personnel.
Step S40: and respectively comparing the current operation and maintenance operation data of the operation and maintenance personnel with the personal characteristic data set and the collective characteristic data set, and auditing the current operation and maintenance operation according to the comparison result.
It should be understood that, comparing the current operation data of the operation and maintenance personnel with the personal feature data set and the aggregate feature data set respectively, and checking the current operation and maintenance according to the comparison result may be that when the current operation and maintenance data is not matched with the personal feature data set, the current operation and maintenance operation data is marked as operation and maintenance operation data of a first risk level, and checking the current operation and maintenance operation according to the first risk level; when the current operation and maintenance operation data is not matched with the personal characteristic data set and is not matched with the collective characteristic data set, marking the current operation and maintenance operation data as operation and maintenance operation data with a second risk level, and auditing the current operation and maintenance operation according to the second risk level, wherein the second risk level is higher than the first risk level.
In the embodiment, the historical operation data of the operation and maintenance personnel are classified, the classified historical operation and maintenance operation data are obtained, the classified historical operation and maintenance operation data are subjected to cluster analysis through a cluster analysis algorithm, clusters of the operation and maintenance personnel are obtained, a personal characteristic data set of the operation and maintenance personnel and a collective characteristic data set of roles of the operation and maintenance personnel are obtained based on the clusters of the operation and maintenance personnel, the current operation and maintenance operation data of the operation and maintenance personnel are respectively compared with the personal characteristic data set and the collective characteristic data set, and the current operation and maintenance operation is audited according to the comparison result; according to the embodiment, the current operation and maintenance operation data of the operation and maintenance personnel are automatically checked through the cluster analysis algorithm, so that the operation and maintenance operation can be checked efficiently and accurately, and further the illegal operation risk can be reduced.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of the operation checking method according to the present invention, and the second embodiment of the operation checking method according to the present invention is proposed based on the first embodiment shown in fig. 2.
In a second embodiment, the step S20 includes:
step S201: dividing the operation staff into a plurality of roles from a plurality of dimensions, and determining the cluster number of a cluster analysis algorithm according to the number of the roles.
It should be understood that, in order to reduce the influence of noise data on clustering, in this embodiment, the number of clusters of the K-Means clustering algorithm is determined according to the number of divided roles.
It can be understood that the operation and maintenance personnel may be divided into multiple roles from multiple dimensions, such as the main account type, home organization, project, manufacturer and post of the operation and maintenance personnel.
Step S202: and carrying out cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm according to the cluster number to obtain clusters to which the operation and maintenance personnel belong.
According to the embodiment, the clustering number of the K-Means clustering algorithm is determined according to the number of the divided roles, so that influence of noise data on clustering can be reduced.
Further, in order to improve the clustering effect, in this embodiment, the step S202 includes:
constructing a historical operation matrix according to the classified historical operation and maintenance operation data, and calculating the numerical range of the user behavior characteristic in each dimension according to the historical operation matrix;
determining initial cluster centers of all clusters according to the cluster number and the numerical range;
calculating the distance between each vector in the history operation matrix and a clustering center, and dividing each vector into each cluster according to the distance;
and calculating new cluster centers of each cluster after repartitioning, and returning to the step of calculating the distance between each vector in the historical operation matrix and the cluster centers and dividing each vector into the clusters according to the distance, until the cluster centers converge, to obtain the cluster to which the operation and maintenance personnel belong.
The following example is given for ease of understanding and does not limit the present solution. The specific steps of performing cluster analysis on the classified historical operation and maintenance operation data through the cluster analysis algorithm, to obtain the clusters to which the operation and maintenance personnel belong, are as follows:
1. Divide the operation and maintenance personnel into differently weighted roles according to their main account type, home organization, project, manufacturer and post, and determine the K value of the K-Means clustering algorithm according to the number of divided roles, which reduces the influence of noise data on clustering.
2. Construct a historical operation matrix according to the classified historical operation and maintenance operation data, and calculate the numerical range of the user behavior characteristic in each dimension according to the historical operation matrix.
3. According to the number k of clusters and the numerical range of the user behavior characteristics, calculate the initial cluster centers $L = \{k_1 \mid k_2 \mid \dots \mid k_{i-1} \mid k_i\}$ of the k clusters by using an average difference method.
4. Traverse the historical operation matrix, calculate the distance between each vector in the historical operation matrix and each clustering center, and assign each vector to the cluster whose center is closest to it.
5. Recalculate the clustering center of each cluster according to the repartitioned result set to obtain a matrix C'.
6. Judge whether the clustering centers have converged by comparing C and C'. If they have not converged, return to step 4; if they have converged, stop clustering.
7. Output the clustering result and generate the cluster C' to which the operation and maintenance personnel belong, which completes the clustering.
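Steps 1 to 7 above, written out as an added Python example (not code from the patent). The behaviour features, operator names and role labels are constructed, and the "average difference method" of step 3 is read here as an assumption: each feature range is split into k equal bands and center j starts in the middle of band j.

```python
import math

# Constructed sample: per-operator behaviour vectors
# [commands per day, distinct hosts touched per day] (feature choice is an assumption).
HISTORY = {
    "vendor_1": [5.0, 2.0],
    "vendor_2": [7.0, 3.0],
    "dba_1": [30.0, 12.0],
    "dba_2": [34.0, 14.0],
    "admin_1": [80.0, 40.0],
    "admin_2": [76.0, 38.0],
}
# Hypothetical roles derived from account type / organization / post (step 1).
ROLE_OF = {"vendor_1": "vendor", "vendor_2": "vendor", "dba_1": "dba",
           "dba_2": "dba", "admin_1": "platform_admin", "admin_2": "platform_admin"}


def feature_ranges(matrix):
    """Step 2: (min, max) of each behaviour feature over the history matrix."""
    return [(min(col), max(col)) for col in zip(*matrix)]


def initial_centers(k, ranges):
    """Step 3, assumed reading of the 'average difference method': split each
    feature range into k equal bands and start center j in the middle of band j."""
    return [[lo + (j + 0.5) * (hi - lo) / k for lo, hi in ranges]
            for j in range(k)]


def nearest(vector, centers):
    """Step 4: index of the center with the smallest Euclidean distance."""
    return min(range(len(centers)), key=lambda j: math.dist(vector, centers[j]))


def recompute(matrix, labels, old_centers):
    """Step 5: mean of each cluster; an empty cluster keeps its old center."""
    new = []
    for j, old in enumerate(old_centers):
        members = [v for v, lab in zip(matrix, labels) if lab == j]
        if members:
            new.append([sum(col) / len(members) for col in zip(*members)])
        else:
            new.append(list(old))
    return new


def kmeans(history, k, tol=1e-9, max_iter=100):
    """Steps 2-7: returns ({operator: cluster index}, final centers, iterations)."""
    names = list(history)
    matrix = [history[n] for n in names]
    centers = initial_centers(k, feature_ranges(matrix))
    for iteration in range(1, max_iter + 1):
        labels = [nearest(v, centers) for v in matrix]
        new_centers = recompute(matrix, labels, centers)
        # Step 6: compare C with C'; converged when no center moved more than tol.
        moved = max(math.dist(c, n) for c, n in zip(centers, new_centers))
        centers = new_centers
        if moved <= tol:
            break
    return dict(zip(names, labels)), centers, iteration


def cluster_operators():
    """Step 1: K equals the number of distinct roles, then run the clustering."""
    k = len(set(ROLE_OF.values()))
    return kmeans(HISTORY, k)


if __name__ == "__main__":
    labels, centers, iterations = cluster_operators()
    for name, label in labels.items():
        print(f"{name:10s} role={ROLE_OF[name]:15s} cluster={label}")
    print("centers:", centers, "iterations:", iterations)
```

On this data the first pass puts `dba_1` in the low-activity cluster, and the second pass moves it once the centers have been recomputed, which is the loop between steps 4 and 6.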
Referring to fig. 4, fig. 4 is a flowchart of a third embodiment of the operation and maintenance operation auditing method of the present invention. The third embodiment is proposed based on the above embodiments.
In a third embodiment, before the step S10, the method further includes:
Step S01: acquiring a historical operation and maintenance log of the operation and maintenance personnel, and cleaning and preprocessing the historical operation and maintenance log.
It should be understood that, in order to improve the quality of the historical operation data, in this embodiment, the historical operation data of the operation staff is obtained by cleaning and preprocessing the historical operation log of the operation staff.
It should be noted that, the historical operation log may be an operation record of the operation staff in a preset time period, where the preset time period may be preset, for example, the operation record of the operation staff in 3 months is obtained.
It can be understood that the cleaning of the historical operation and maintenance log may be to remove repeated values, process missing values, process abnormal values, and the like, so as to ensure accuracy and integrity of data.
It should be understood that the preprocessing may include at least one of data integration, data transformation, and data reduction, which is not limited in this embodiment.
In a specific implementation, the historical operation and maintenance log is shown in table 2:
TABLE 2
Step S02: analyzing the processed historical operation and maintenance log to obtain the historical operation and maintenance operation data of the operation and maintenance personnel.
The historical operation and maintenance operation data may include data such as the operator, operation content and operation time. Analyzing the processed historical operation and maintenance log may therefore consist of extracting this data from the processed log to obtain the historical operation and maintenance operation data of the operation and maintenance personnel.
According to the method, the historical operation and maintenance operation data of the operation and maintenance personnel are obtained by cleaning and preprocessing the historical operation and maintenance log of the operation and maintenance personnel, so that the quality of the historical operation and maintenance operation data can be improved, and further the accuracy of the subsequent operation and maintenance operation audit can be improved.
In a third embodiment, the step S30 includes:
Step S301: extracting, based on the cluster to which the operation and maintenance personnel belong, a personal feature data set of the operation and maintenance personnel and a collective feature data set of the role to which the operation and maintenance personnel belong by means of nonlinear mapping.
It can be understood that, considering that the clusters of the operation and maintenance personnel belong to data in matrix form, the features cannot be directly obtained, so in order to overcome the above-mentioned drawbacks, in this embodiment, the clusters of the operation and maintenance personnel are mapped from the original space to the low-dimensional feature space by a nonlinear mapping manner, so as to extract the personal feature data set of the operation and maintenance personnel and the collective feature data set of the roles of the operation and maintenance personnel.
In a specific implementation, for example, based on the cluster C' to which the operation and maintenance personnel belong, the personal feature data set $S_1 = \{\text{user feature}_1, \text{user feature}_2, \dots, \text{user feature}_i\}$ of the operation and maintenance personnel and the collective feature data set $S_2 = \{\text{role feature}_1, \text{role feature}_2, \dots, \text{role feature}_i\}$ of the role to which the operation and maintenance personnel belong are extracted by nonlinear mapping.
According to the method and the device, the clusters of the operation and maintenance personnel are mapped from the original space to the low-dimensional feature space in a nonlinear mapping mode, so that the follow-up extraction of the personal feature data set of the operation and maintenance personnel and the collective feature data set of the roles of the operation and maintenance personnel can be facilitated.
In a third embodiment, the step S40 includes:
Step S401: comparing the current operation and maintenance operation data of the operation and maintenance personnel with the personal feature data set and the collective feature data set respectively.
It should be understood that, in order to implement a hierarchical audit of operation and maintenance operations, in this embodiment the current operation and maintenance operation data is divided into different risk levels according to the result of matching it against the personal feature data set and the collective feature data set, and the current operation and maintenance operation is audited based on the risk level.
Step S402: when the current operation and maintenance operation data does not match the personal feature data set, marking the current operation and maintenance operation data as operation and maintenance operation data of a first risk level, and auditing the current operation and maintenance operation according to the first risk level.
It will be appreciated that when the current operation and maintenance operation data does not match the personal feature data set, the current operation of the operation and maintenance personnel differs from the historical operations of that person. There may therefore be a risk of illegal operation, and the current operation and maintenance operation data needs to be marked as operation and maintenance operation data of a first risk level. The first risk level may be a risk level.
It should be appreciated that when the current operation and maintenance operation data matches the personal feature data set but does not match the collective feature data set, the current operation of the operation and maintenance personnel differs from the operations of the role to which that person belongs. There may therefore be a risk of illegal operation, and the current operation and maintenance operation data needs to be marked as operation and maintenance operation data of a first risk level.
Step S403: when the current operation and maintenance operation data are not matched with the personal characteristic data set and are not matched with the collective characteristic data set, marking the current operation and maintenance operation data as operation and maintenance operation data with a second risk level, and auditing the current operation and maintenance operation according to the second risk level, wherein the second risk level is higher than the first risk level.
It will be appreciated that when the current operation data does not match the personal feature data set and does not match the collective feature data set, the current operation of the operation and maintenance personnel is illustrated as being different from both the historical operation and maintenance operations of the operation and maintenance personnel and the operation and maintenance operations of the roles the operation and maintenance personnel belong to. Therefore, there is a high possibility that there is a risk of an illegal operation, and the current operation data needs to be marked as operation data of a second risk level. Wherein the second risk level is higher than the first risk level, the second risk level may be a high risk level.
It should be appreciated that when the current operational data matches the personal feature data set and matches the collective feature data set, the current operational data is marked as risk-free operational data.
It is to be appreciated that auditing the current operation and maintenance operation based on the risk level may be to directly fail the audit for current operation and maintenance operations of the first risk level and the second risk level; alternatively, current operation and maintenance operations of the first risk level and the second risk level may be sent to the management terminal for rechecking, and the current operation and maintenance operation audited according to the rechecking result. This embodiment does not limit which is used.
In this embodiment, the current operation and maintenance operation data is divided into different risk levels according to the result of matching the current operation and maintenance operation data of the operation and maintenance personnel against the personal feature data set and the collective feature data set, and the current operation and maintenance operation is audited based on the risk level, so that hierarchical auditing of operation and maintenance operations can be realized.
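The grading of steps S401 to S403 as an added Python example (not code from the patent). The patent does not define what "match" means or how the nonlinear mapping produces the feature data sets, so this example substitutes a simple assumption: a feature is a (category, action) pair, the personal set holds the pairs an operator has used, and the collective set holds the pairs used by at least half of the operators in the role. All records, names and roles are constructed.

```python
from collections import Counter, defaultdict
from enum import IntEnum


class Risk(IntEnum):
    NONE = 0    # matches both feature data sets
    FIRST = 1   # mismatches exactly one of the two sets
    SECOND = 2  # mismatches both sets


# Constructed history: (operator, operation category, action).
HISTORY = [
    ("alice", "database", "SELECT"), ("alice", "database", "UPDATE"),
    ("alice", "host", "view_log"),
    ("bob", "database", "SELECT"), ("bob", "database", "UPDATE"),
    ("dave", "database", "SELECT"), ("dave", "database", "EXPORT"),
    ("carol", "host", "restart_service"), ("carol", "host", "view_log"),
    ("erin", "host", "restart_service"), ("erin", "host", "view_log"),
]
# Hypothetical role assignment.
ROLE_OF = {"alice": "dba", "bob": "dba", "dave": "dba",
           "carol": "host_admin", "erin": "host_admin"}


def build_feature_sets(history, role_of, min_share=0.5):
    """Personal set: pairs an operator used. Collective set: pairs used by at
    least min_share of the operators in the role (assumed definition)."""
    personal = defaultdict(set)
    for operator, category, action in history:
        personal[operator].add((category, action))
    members = defaultdict(set)
    for operator in personal:
        members[role_of[operator]].add(operator)
    collective = {}
    for role, operators in members.items():
        counts = Counter(f for op in operators for f in personal[op])
        collective[role] = {f for f, n in counts.items()
                            if n >= min_share * len(operators)}
    return dict(personal), collective


def grade(operator, feature, personal, collective, role_of):
    """S401-S403: compare against both sets, then assign the risk level."""
    personal_ok = feature in personal.get(operator, set())
    collective_ok = feature in collective.get(role_of.get(operator), set())
    # The double mismatch is tested first: an operation that fails both sets
    # also satisfies the S402 condition and must not stop at the first level.
    if not personal_ok and not collective_ok:
        return Risk.SECOND
    if not personal_ok or not collective_ok:
        return Risk.FIRST
    return Risk.NONE


def audit(current_ops, history=HISTORY, role_of=ROLE_OF):
    """Grade each (operator, category, action); anything above NONE is held
    for recheck, one of the two dispositions the text allows."""
    personal, collective = build_feature_sets(history, role_of)
    results = []
    for operator, category, action in current_ops:
        risk = grade(operator, (category, action), personal, collective, role_of)
        decision = "pass" if risk is Risk.NONE else "recheck"
        results.append((operator, action, risk, decision))
    return results


# Constructed current operations covering each branch, plus an operator
# with no history at all (empty personal set, unknown role).
CURRENT = [
    ("alice", "database", "SELECT"),
    ("alice", "host", "view_log"),
    ("dave", "database", "UPDATE"),
    ("bob", "database", "EXPORT"),
    ("frank", "database", "SELECT"),
]

if __name__ == "__main__":
    for row in audit(CURRENT):
        print(row)
```

An operator with no history fails both comparisons and lands at the second risk level, so a newly provisioned account is reviewed until it has a baseline.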
In a third embodiment, after the step S40, the method further includes:
Step S50: screening abnormal data from the current operation and maintenance operation according to the auditing result.
It can be appreciated that, in order to improve the accuracy of the cluster analysis algorithm, in this embodiment, the cluster analysis algorithm may be optimized by using the abnormal data as the abnormal sample.
Step S60: optimizing the cluster analysis algorithm based on the abnormal data.
It is understood that optimizing the cluster analysis algorithm based on the anomaly data may be to take the anomaly data as an anomaly sample and optimize the cluster analysis algorithm based on the anomaly sample.
In the embodiment, the abnormal data is used as an abnormal sample to optimize the cluster analysis algorithm, so that the accuracy of the cluster analysis algorithm can be improved.
In addition, the embodiment of the invention also provides a storage medium, wherein the storage medium is stored with an operation checking program, and the operation checking program realizes the operation checking method when being executed by a processor.
In addition, referring to fig. 5, an embodiment of the present invention further provides an operation checking device, where the operation checking device includes: an operation classification module 10, a cluster analysis module 20, a feature extraction module 30, and an operation auditing module 40;
At present, the business support systems of telecom operators store a large amount of sensitive information, and on-site operation and maintenance personnel can directly access the data or operate host equipment through a remote bastion host. Improper operation and maintenance operations can easily cause fluctuations in the production environment or leakage of sensitive data, with irrecoverable consequences for the company. The conventional way of auditing operation and maintenance operations combines configured rules with manual comparison. However, this manual auditing method is prone to missed detection and false detection.
Regarding the security of operation and maintenance operations, auditing currently relies on manual review and judgment: the system presets a basic audit policy and auditors configure the security policies. This makes operation and maintenance difficult and easily leads to missed or false detections, mainly in the following respects:
1. Auditors depend entirely on the existing security policy. If the security policy is not configured reasonably, for example for operations that modify sensitive data, sensitive data may be leaked;
2. At present, most audit work is manual, but manual auditing is time-consuming and lags behind the operations, so high-risk operation behaviors cannot be blocked in time when they occur, which easily leads to security incidents.
Therefore, in order to overcome the above drawbacks, in this embodiment the current operation and maintenance operation data of the operation and maintenance personnel is audited automatically through the cluster analysis algorithm, so that operation and maintenance operations can be audited efficiently and accurately, which reduces the risk of illegal operations.
The operation classification module 10 is configured to classify historical operation and maintenance operation data of an operation and maintenance person, and obtain classified historical operation and maintenance operation data.
The historical operation data may include data such as an operator, operation content, and operation time. The historical operation data may be directly obtained, or may be obtained from a historical operation log of an operation staff first, and then obtained from the historical operation log.
It can be understood that, in order to facilitate subsequent cluster analysis of the data, in this embodiment, the historical operation and maintenance operation data of the operation and maintenance personnel is classified first, and then the cluster analysis is performed on the classified historical operation and maintenance operation data through a cluster analysis algorithm. The historical operation data of the operation staff can be classified according to the operation and maintenance service scene, and particularly, the historical operation data can be classified into operation types of host operation, database operation, service system operation and the like, which is not limited in this embodiment.
The following is illustrative for ease of understanding, but is not limiting of the present solution. The results of classifying the historical operation data of the operation staff according to the operation and maintenance service scene are shown in table 1:
TABLE 1
The cluster analysis module 20 is configured to perform cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm, so as to obtain a cluster to which the operation and maintenance personnel belong.
It should be appreciated that the clustering algorithm is an unsupervised learning method for dividing objects in a dataset into clusters, so that objects in the same cluster are more similar to each other, and the difference of objects between different clusters is large. In this embodiment, based on the assumption that the behavior patterns of similar users are similar, similar users are clustered, so that a user group with similar behavior patterns (i.e., a cluster to which the operation and maintenance personnel belong) can be obtained.
It should be noted that, the cluster analysis algorithm may be at least one of a K-means cluster algorithm, a hierarchical cluster algorithm, a density cluster algorithm, a graph-based cluster algorithm, and a fuzzy cluster algorithm, and in this embodiment and other embodiments, the K-means cluster algorithm is taken as an example to illustrate, but the present solution is not limited.
The feature extraction module 30 is configured to obtain, based on a cluster to which the operation and maintenance person belongs, a personal feature data set of the operation and maintenance person and a collective feature data set of a role to which the operation and maintenance person belongs.
It can be understood that, considering that the clusters of the operation and maintenance personnel belong to data in matrix form, the features cannot be directly obtained, so in order to overcome the above-mentioned drawbacks, in this embodiment, the clusters of the operation and maintenance personnel are mapped from the original space to the low-dimensional feature space by a nonlinear mapping manner, so as to extract the personal feature data set of the operation and maintenance personnel and the collective feature data set of the roles of the operation and maintenance personnel.
The operation auditing module 40 is configured to compare the current operation and maintenance operation data of the operation and maintenance personnel with the personal feature data set and the collective feature data set, and audit the current operation and maintenance operation according to the comparison result.
It should be understood that comparing the current operation and maintenance operation data of the operation and maintenance personnel with the personal feature data set and the collective feature data set respectively, and auditing the current operation and maintenance operation according to the comparison result, may be as follows: when the current operation and maintenance operation data does not match the personal feature data set, the current operation and maintenance operation data is marked as operation and maintenance operation data of a first risk level, and the current operation and maintenance operation is audited according to the first risk level; when the current operation and maintenance operation data matches neither the personal feature data set nor the collective feature data set, the current operation and maintenance operation data is marked as operation and maintenance operation data of a second risk level, and the current operation and maintenance operation is audited according to the second risk level, wherein the second risk level is higher than the first risk level.
In this embodiment, the historical operation and maintenance operation data of the operation and maintenance personnel is classified to obtain classified historical operation and maintenance operation data; the classified data is subjected to cluster analysis through a cluster analysis algorithm to obtain the clusters to which the operation and maintenance personnel belong; a personal feature data set of the operation and maintenance personnel and a collective feature data set of the role to which they belong are obtained based on those clusters; and the current operation and maintenance operation data of the operation and maintenance personnel is compared with the personal feature data set and the collective feature data set respectively, with the current operation and maintenance operation audited according to the comparison result. Because the current operation and maintenance operation data is audited automatically through the cluster analysis algorithm, operation and maintenance operations can be audited efficiently and accurately, which reduces the risk of illegal operations.
Other embodiments or specific implementation manners of the operation and maintenance operation auditing device of the present invention may refer to the above method embodiments, and are not described herein.
It should be noted that, in the technical solution of the present specification, the operations on the related data all conform to relevant regulations and do not violate public order and good morals. For example, operations on data are performed on the premise of obtaining user authorization. In this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the related art in the form of a software product stored in a storage medium (e.g., read-only memory mirror (Read Only Memory image, ROM)/random access memory (Random Access Memory, RAM), magnetic disk, optical disk), comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. The operation and maintenance operation auditing method is characterized by comprising the following steps of:
classifying the historical operation and maintenance operation data of the operation and maintenance personnel to obtain classified historical operation and maintenance operation data;
performing cluster analysis on the classified historical operation data through a cluster analysis algorithm to obtain clusters to which the operation staff belong;
acquiring a personal characteristic data set of the operation and maintenance personnel and a collective characteristic data set of a role of the operation and maintenance personnel based on a cluster of the operation and maintenance personnel;
and respectively comparing the current operation and maintenance operation data of the operation and maintenance personnel with the personal characteristic data set and the collective characteristic data set, and auditing the current operation and maintenance operation according to the comparison result.
2. The operation auditing method according to claim 1, wherein the performing cluster analysis on the classified historical operation data by using a cluster analysis algorithm to obtain a cluster to which the operation personnel belongs comprises:
dividing the operation and maintenance personnel into a plurality of roles from a plurality of dimensions, and determining the cluster number of a cluster analysis algorithm according to the number of the roles;
and carrying out cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm according to the cluster number to obtain clusters to which the operation and maintenance personnel belong.
3. The operation and maintenance operation auditing method according to claim 2, characterized in that the performing cluster analysis on the classified historical operation and maintenance operation data by a cluster analysis algorithm according to the cluster number to obtain a cluster to which the operation and maintenance personnel belongs, includes:
constructing a historical operation matrix according to the classified historical operation and maintenance operation data, and calculating the numerical range of the user behavior characteristic in each dimension according to the historical operation matrix;
determining initial cluster centers of all clusters according to the cluster number and the numerical range;
calculating the distance between each vector in the history operation matrix and a clustering center, and dividing each vector into each cluster according to the distance;
and calculating new cluster centers of each cluster after repartitioning, and returning to the step of calculating the distance between each vector in the historical operation matrix and the cluster centers and dividing each vector into the clusters according to the distance, until the cluster centers converge, to obtain the cluster to which the operation and maintenance personnel belong.
4. The operation auditing method according to any one of claims 1 to 3, characterized in that after comparing the current operation data of the operation staff with the personal feature data set and the collective feature data set, and auditing the current operation according to the comparison result, it further comprises:
screening abnormal data from the current operation and maintenance operation according to the auditing result;
and optimizing the cluster analysis algorithm based on the abnormal data.
5. An operation auditing method according to any one of claims 1 to 3, wherein the acquiring the personal feature data set of the operation staff and the collective feature data set of the role to which the operation staff belongs based on the cluster to which the operation staff belongs comprises:
and extracting a personal characteristic data set of the operation and maintenance personnel and a collective characteristic data set of the role of the operation and maintenance personnel through a nonlinear mapping mode based on the cluster of the operation and maintenance personnel.
6. The operation auditing method according to any one of claims 1 to 3, characterized in that the comparing the current operation data of the operation staff with the personal feature data set and the collective feature data set, and auditing the current operation according to the comparison result, includes:
comparing the current operation data of the operation staff with the personal characteristic data set and the collective characteristic data set respectively;
when the current operation data is not matched with the personal characteristic data set, marking the current operation data as operation data of a first risk level, and auditing the current operation according to the first risk level;
when the current operation and maintenance operation data are not matched with the personal characteristic data set and are not matched with the collective characteristic data set, marking the current operation and maintenance operation data as operation and maintenance operation data with a second risk level, and auditing the current operation and maintenance operation according to the second risk level, wherein the second risk level is higher than the first risk level.
7. An operation auditing method according to any one of claims 1 to 3, characterised in that the operation auditing method further comprises:
acquiring a history operation and maintenance log of operation and maintenance personnel, and cleaning and preprocessing the history operation and maintenance log;
analyzing the processed historical operation and maintenance log to obtain the historical operation and maintenance operation data of the operation and maintenance personnel.
8. An operation auditing device, characterized in that the operation auditing device comprises: a memory, a processor, and an operation auditing program stored on the memory and executable on the processor, which when executed by the processor, implements the operation auditing method of any of claims 1-7.
9. A storage medium having stored thereon an operation audit program which when executed by a processor implements the operation audit method according to any one of claims 1 to 7.
10. An operation auditing device, characterized in that the operation auditing device comprises: the device comprises an operation classification module, a cluster analysis module, a feature extraction module and an operation auditing module;
the operation classification module is used for classifying the historical operation and maintenance operation data of operation and maintenance personnel to obtain the classified historical operation and maintenance operation data;
the cluster analysis module is used for carrying out cluster analysis on the classified historical operation and maintenance operation data through a cluster analysis algorithm to obtain clusters to which the operation and maintenance personnel belong;
the feature extraction module is used for acquiring a personal feature data set of the operation and maintenance personnel and a collective feature data set of a role of the operation and maintenance personnel based on a cluster of the operation and maintenance personnel;
and the operation auditing module is used for respectively comparing the current operation and maintenance operation data of the operation and maintenance personnel with the personal characteristic data set and the collective characteristic data set, and auditing the current operation and maintenance operation according to the comparison result.
CN202310878602.6A 2023-07-17 2023-07-17 Operation and maintenance operation auditing method, equipment, storage medium and device Pending CN116956125A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310878602.6A CN116956125A (en) 2023-07-17 2023-07-17 Operation and maintenance operation auditing method, equipment, storage medium and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310878602.6A CN116956125A (en) 2023-07-17 2023-07-17 Operation and maintenance operation auditing method, equipment, storage medium and device

Publications (1)

Publication Number Publication Date
CN116956125A true CN116956125A (en) 2023-10-27

Family

ID=88452297

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310878602.6A Pending CN116956125A (en) 2023-07-17 2023-07-17 Operation and maintenance operation auditing method, equipment, storage medium and device

Country Status (1)

Country Link
CN (1) CN116956125A (en)

Similar Documents

Publication Publication Date Title
CN106973038B (en) Network intrusion detection method based on genetic algorithm oversampling support vector machine
CN112329811A (en) Abnormal account identification method and device, computer equipment and storage medium
CN110020687B (en) Abnormal behavior analysis method and device based on operator situation perception portrait
CN112491779B (en) Abnormal behavior detection method and device and electronic equipment
CN110493181B (en) User behavior detection method and device, computer equipment and storage medium
CN112989332A (en) Abnormal user behavior detection method and device
CN113132311B (en) Abnormal access detection method, device and equipment
CN110263566B (en) Method for detecting and classifying authority-raising behaviors of massive logs
CN111507385B (en) Extensible network attack behavior classification method
CN116366374B (en) Security assessment method, system and medium for power grid network management based on big data
CN115879017A (en) Automatic classification and grading method and device for power sensitive data and storage medium
CN109446768B (en) Application access behavior abnormity detection method and system
CN110990242A (en) Method and device for determining fluctuation abnormity of user operation times
CN114785710A (en) Method and system for evaluating service capability of industrial internet identification analysis secondary node
CN114448657A (en) Power distribution communication network security situation perception and abnormal intrusion detection method
CN115730320A (en) Security level determination method, device, equipment and storage medium
CN117235246A (en) Sensitive data automatic grading method and device based on data elements
CN110611655B (en) Blacklist screening method and related product
CN116956125A (en) Operation and maintenance operation auditing method, equipment, storage medium and device
CN114817518B (en) License handling method, system and medium based on big data archive identification
CN106156046B (en) Information management method, device and system and analysis equipment
CN116150632A (en) Internet of things equipment identification method based on local sensitive hash in intelligent home
CN111475380B (en) Log analysis method and device
CN115760320A (en) Public rental house declaration supervision early warning method based on big data analysis and application thereof
CN114285596A (en) Transformer substation terminal account abnormity detection method based on machine learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination