CN117150459A - Zero-trust user identity security detection method and system - Google Patents
Zero-trust user identity security detection method and system
- Publication number: CN117150459A
- Application number: CN202310890330.1A
- Authority: CN (China)
- Prior art keywords: user, login, behavior, account, zero
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
Abstract
The application discloses a zero-trust user identity security detection method and system. The method comprises: obtaining behavior log data generated when users log in to a system; detecting, based on the behavior log data and preset conditions, whether a user's login behavior is abnormal, wherein the login authentication behavior is analyzed with an isolation forest method and whether the user account shows brute-force cracking, dormant-account or frequent-login behavior is analyzed with statistical methods; and issuing early warning information when abnormal login behavior is detected. A machine learning method is used to establish a user baseline and build a user profile of login behavior from feature dimensions such as the user's terminal, location, time and online frequency; in parallel, a statistical method checks whether the account faces risks such as brute-force cracking or frequent login, and whether the account is dormant is judged from the user's login habits. User identity security is thus assured from multiple dimensions through layered verification.
Description
Technical Field
The application relates to the technical field of zero-trust security protection, and in particular to a method and system for detecting zero-trust user identity security.
Background
In today's information age the information assets of businesses are of paramount importance, especially for internet companies, so protecting them matters. In a real network environment, a malicious actor may steal a user's account password and log in to a network application system from another location to exfiltrate important enterprise information, or may impersonate a user and roam the system at will, seriously endangering enterprise data security and interests.
The core idea of the zero-trust network security architecture is to break away from reliance on physical perimeter protection: no user, device, system or application inside the physical security perimeter is trusted by default; identity authentication is the core, and authentication and authorization are the basis of access control. Under the zero-trust principle, any accessing subject (person, device, application and so on) must be authenticated and authorized before access to the system is allowed, avoiding excessive trust.
CN201810660985.9 discloses a method, apparatus, electronic device and readable medium for managing user login security. The method comprises: acquiring the IP address of a user login; judging whether the IP address is a commonly used IP address of that user; and if it is, acquiring the number of currently valid sessions for the IP address and managing the user login according to that session count. The method can manage the session state and IP address of user logins effectively and safely. However, it treats the login IP address as the only basis for judging login security, which is hard to rely on to secure a user account.
CN201410233796.5 discloses a user account login method and device. The method comprises: receiving login information; obtaining from it the MAC address to be logged in from and the designated login account; looking up, by the designated account, a login information table that holds a number of user accounts and the logged-in MAC addresses mapped to each; if the designated account is already logged in, matching the MAC address to be logged in from against the logged-in MAC address mapped to that account; and if the match fails, blocking the login. However, the method decides whether a user may log in by comparing against the MAC address stored for the account, uses few feature dimensions, and cannot readily establish the trustworthiness of the user.
CN202110835317.7 discloses a zero-trust access method, system, zero-trust security proxy, terminal and medium. The method uses virtual mapping technology: a virtual security proxy relays the user token and the object's permissions separately, and the access subject and access object are never directly connected, so as to at least secure the zero-trust security proxy itself. However, the method relies on a security proxy for protection and does not consider the potential security hazards that may originate from the user side.
Based on this, a new solution is needed.
Disclosure of Invention
The main aim of the application is to provide a zero-trust user identity security detection method and system.
To this end, the application provides a method for detecting zero-trust user identity security, comprising the following steps:
acquiring behavior log data generated by users logging in to a system;
detecting, based on the behavior log data and preset conditions, whether the user's login behavior is abnormal, wherein the login authentication behavior is analyzed with an isolation forest method and whether the user shows brute-force cracking, dormant-account or frequent-login behavior is analyzed with statistical methods; and
issuing early warning information when abnormal login behavior is detected.
In the method provided by the application, analyzing the user login authentication behavior with the isolation forest method comprises:
acquiring the user ID, login time, login location, login terminal and IP address from the behavior log data;
judging whether the user's login behavior is abnormal according to the login time, login location, login terminal and a preset user baseline, and judging it abnormal when it deviates from the preset user baseline, the preset user baseline being a user behavior baseline established with the isolation forest method from the user's login behavior;
judging from the IP address whether the login location is one of the user's common login locations; if not, judging whether the IP address belongs to the user's enterprise office location; and if not, judging the login abnormal.
The zero-trust user identity security detection method provided by the application further comprises:
after the early warning information is received, executing corresponding verification measures according to the user's level and login mode.
The zero-trust user identity security detection method provided by the application further comprises:
updating the preset conditions according to the collected behavior log data.
In the method provided by the application, brute-force cracking behavior is judged to exist when the behavior log data contains any of the following:
the number of consecutive failed logins by the user to the system from the same host within a preset time period exceeds a preset count;
the interval between two adjacent failed logins by the user is shorter than a first time threshold;
the same user logs in from multiple hosts at the same time.
In the method provided by the application, detecting from the behavior log data whether a user account is dormant comprises:
calculating the interval between two adjacent logins by the user from the login timestamps recorded in the behavior log data;
and judging the account dormant when the interval between the two logins exceeds a second time threshold.
In the method provided by the application, a user is judged to log in frequently when the number of successful logins in one day exceeds a preset login count.
In addition, to achieve the above object, the application further provides a zero-trust user identity security detection system, comprising:
a log collection module for obtaining behavior log data generated by users logging in to the system;
a data processing module for extracting the key fields required for user behavior analysis as user behavior features, preprocessing the key field information, converting text data into numerical data and normalizing it; and
an intelligent analysis module for detecting, based on the processed behavior log data and preset conditions, whether the user's login behavior is abnormal and issuing early warning information when it is, wherein the login authentication behavior is analyzed with an isolation forest method and whether the user shows brute-force cracking, dormant-account or frequent-login behavior is analyzed with statistical methods.
The zero-trust user identity security detection system provided by the application further comprises:
a model self-learning module for updating the preset conditions according to the collected behavior log data;
and an auditing module for executing corresponding verification measures according to the user's level and login mode after receiving the early warning information.
In addition, to achieve the above object, the application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the zero-trust user identity security detection method described above.
In the application, a machine learning method is used to establish a user baseline and build a user profile of login behavior from feature dimensions such as the user's terminal, location, time and online frequency; in parallel, a statistical method checks whether the account faces risks such as brute-force cracking or frequent login, and whether the account is dormant is judged from the user's login habits. User identity security is thus assured from multiple dimensions through layered verification.
Drawings
For a clearer description of the embodiments of the application or of the prior art, the drawings needed for that description are briefly introduced below. The drawings described below show only embodiments of the application; a person skilled in the art can obtain other drawings from them without inventive effort:
FIG. 1 is a flow chart of a method for detecting zero-trust user identity security according to a first embodiment of the application;
FIG. 2 is a schematic diagram of a zero-trust user identity security detection system according to a second embodiment of the application.
Detailed Description
So that the application may be readily understood, a more complete description is given below with reference to the appended drawings, in which exemplary embodiments are illustrated. The application may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the application.
The general idea of the application is as follows. To address the prior art's problems of few feature dimensions and difficulty in establishing user trustworthiness when detecting user identity security, a zero-trust user identity security detection method and system are provided: a machine learning method establishes a user baseline and builds a user profile of login behavior from feature dimensions such as the user's terminal, location, time and online frequency; in parallel, a statistical method checks whether the account faces risks such as brute-force cracking or frequent login, and whether the account is dormant is judged from the user's login habits; user identity security is thus assured from multiple dimensions through layered verification.
For a better understanding of the above technical solutions, a detailed description follows with reference to the drawings and specific embodiments. The specific features in the embodiments and examples are detailed descriptions of the technical solutions of the application and do not limit them, and the technical features in the embodiments and examples may be combined with each other where they do not conflict.
Example 1
Referring to FIG. 1, a flowchart of one embodiment of the zero-trust user identity security detection method of the application, in one embodiment the method comprises the following steps:
Step S10: obtaining behavior log data generated by users logging in to the system.
Specifically, in an embodiment, the user's logs are obtained, the key fields required for user behavior analysis are extracted as user behavior features, the key field information is preprocessed, text data is converted into numerical data, and the result is normalized.
Further, in an embodiment, the user ID, login time, login location, login terminal and IP address are obtained from the behavior log data generated by the user login. The login time is converted as follows: the hour is taken from the login time and, starting from "00", mapped into 2-hour units. For example, if a user logged in to the system at "2022-06-07 07:38:48", the hour is "07"; because it is odd it is rounded down to the even hour, and the converted login time becomes "06". For the login location, the IP address the user logged in from is mapped to a location, specifically to city level, and the resulting string is converted to a number with md5. Records whose login location is "null" are not included in the category calculation. The login terminal is likewise converted to a number with md5. Together these form the training data set. The office location is the IP address at the time of login and is not numerically processed.
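The preprocessing described in this step, written out in Python as an added example for this page (it is not code from the patent). The IP-to-city table and the sample log records are constructed for the example and stand in for the city-level GeoIP lookup the page leaves unspecified; the md5 step follows the page and is used purely as an encoding, not as a security control.

```python
import hashlib
from datetime import datetime

# Constructed IP -> city table standing in for a real GeoIP lookup (assumption, not from the patent).
IP_TO_CITY = {
    "10.1.2.3": "Shanghai",
    "10.1.2.4": "Shanghai",
    "203.0.113.7": "Beijing",
    "198.51.100.9": None,  # location unknown: the page's "null" case
}

# Constructed behavior log records (user ID, login time, login terminal, source IP).
SAMPLE_LOGS = [
    {"user": "u1001", "login_time": "2022-06-07 07:38:48", "terminal": "laptop-01", "ip": "10.1.2.3"},
    {"user": "u1001", "login_time": "2022-06-07 23:12:05", "terminal": "phone-01", "ip": "10.1.2.4"},
    {"user": "u1002", "login_time": "2022-06-08 00:59:59", "terminal": "laptop-02", "ip": "203.0.113.7"},
    {"user": "u1002", "login_time": "2022-06-08 14:00:00", "terminal": "laptop-02", "ip": "198.51.100.9"},
]


def hour_bucket(login_time):
    """Take the hour of 'YYYY-MM-DD HH:MM:SS' and round it down to a 2-hour unit: '07' -> '06'."""
    hour = datetime.strptime(login_time, "%Y-%m-%d %H:%M:%S").hour
    return f"{hour - hour % 2:02d}"


def md5_numeric(text):
    """The page's 'numerical conversion': hash a categorical string and keep the first 32 bits."""
    return int(hashlib.md5(text.encode("utf-8")).hexdigest()[:8], 16)


def ip_to_city(ip):
    """City-level login location; None when the address cannot be mapped."""
    return IP_TO_CITY.get(ip)


def extract_features(record):
    """[hour bucket, city code, terminal code], or None when the location is 'null' and the record is excluded."""
    city = ip_to_city(record["ip"])
    if city is None:
        return None
    return [
        float(hour_bucket(record["login_time"])),
        float(md5_numeric(city)),
        float(md5_numeric(record["terminal"])),
    ]


def min_max_normalize(rows):
    """Column-wise scaling to [0, 1]; a constant column maps to 0.0 instead of dividing by zero."""
    columns = list(zip(*rows))
    lo = [min(col) for col in columns]
    hi = [max(col) for col in columns]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)] for row in rows]


def build_training_set(records):
    """Normalized feature vectors for the isolation forest, in the order of the records that survived preprocessing."""
    features = [f for f in (extract_features(r) for r in records) if f is not None]
    return min_max_normalize(features)
```

One caveat worth keeping in mind when using this encoding: md5 turns a city or terminal name into an arbitrary integer, so a threshold split between two hash values means nothing beyond "same value or different value". The isolation forest will still isolate a rarely seen terminal or city, but a frequency encoding, or one column per common value, would give the splits interpretable semantics.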
Step S20: detecting, based on the behavior log data and preset conditions, whether the user's login behavior is abnormal, and issuing early warning information when it is.
Specifically, in an embodiment, whether the user identity is abnormal is detected, according to the characteristics of the login behavior, from the directions of login authentication, brute-force cracking, dormant accounts and frequent login: the login authentication behavior is analyzed with the isolation forest method, and whether the user's brute-force, dormant-account or frequent-login indicators cross their thresholds is analyzed with statistical methods.
Further, in an embodiment, the behavior log data generated by login behavior is first analyzed and modeled along dimensions such as login time, login terminal, login location, online frequency and office location; a user behavior baseline is established with the isolation forest method, and a group baseline is established from the office locations of all users. Because a user's login terminals may include both a mobile phone and an office computer, and some users travel between many places for long periods, a user is allowed several common login terminals and common login locations (the counts can be adjusted as the situation requires). The isolation forest method is an unsupervised machine learning method that handles large data volumes well and quickly, parallelizes, and can be deployed on a large-scale distributed system to speed up computation. Therefore the isolation forest method is applied to the three dimensions of login time, login location and login terminal, while the office location is handled with a statistical method. In this embodiment the isolation forest algorithm is trained to obtain the user behavior baseline for the login authentication process as follows:
1) Randomly select n sample points from the training set to form a subset Ω_i, i = 1, 2, ..., m, and build one tree over each of the m subsets; each sample point comprises a user ID, login time, login location and login terminal.
2) Randomly select a feature, then randomly select a threshold between that feature's maximum and minimum value and split the points in two.
3) Recursively apply step 2) until the tree reaches a preset height d or every leaf node holds a single point.
4) Build m trees and define the anomaly probability from the average depth over the m trees:
a) the normalizing path length of each tree, c(n), is the average path length of an unsuccessful search in a binary search tree over n points:
c(n) = 2H(n-1) - 2(n-1)/n
b) the anomaly probability is the standard isolation forest score
s(x, n) = 2^(-E(h(x)) / c(n))
where h(x) is the path length from the root node to the leaf node holding x, E(h(x)) is its average over the m trees, c(n) is the average of h(x) for n points, and H(k) can be estimated as H(k) = ln(k) + ξ, ξ being the Euler constant with value 0.5772156649.
5) Interpret the anomaly probability:
when E(h(x)) = c(n), s(x, n) = 1/2 and there is no anomaly;
when E(h(x)) → 0, s(x, n) → 1 and the point is an isolated (anomalous) point;
when E(h(x)) → n-1, s(x, n) → 0 and the point is a normal data point.
Finally, the anomaly probability of each data point is compared with the threshold: a probability close to 1 means the point is easily isolated and is anomalous; a probability below 0.5 means a normal data point; if all points have a probability around 0.5, the sample as a whole contains no anomalies.
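Steps 1) to 5) carried through in code, as an added example written for this page (not the patent's implementation and not a library's API): a minimal isolation forest using the page's c(n) and s(x, n) formulas, run over a constructed set of 200 normalized login feature vectors clustered around one user's habits plus a single far-off login. The feature columns are assumed to be the normalized [hour bucket, location code, terminal code] values described in step S10.

```python
import math
import random

EULER_GAMMA = 0.5772156649  # the page's Euler constant for H(k) ≈ ln(k) + γ


def harmonic(k):
    """H(k) ≈ ln(k) + γ, the approximation used on the page."""
    return math.log(k) + EULER_GAMMA


def c(n):
    """Average path length of an unsuccessful BST search over n points: c(n) = 2H(n-1) - 2(n-1)/n.
    c(1) = 0 and c(2) = 1 follow the original isolation forest paper (a single point has no path to add)."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * harmonic(n - 1) - 2.0 * (n - 1) / n


def build_tree(points, depth, max_depth, rng):
    """Step 2)/3): split on a random feature at a random threshold between its min and max, recursively."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}
    dims = len(points[0])
    splittable = [j for j in range(dims) if min(p[j] for p in points) < max(p[j] for p in points)]
    if not splittable:  # all remaining points are identical and cannot be isolated further
        return {"size": len(points)}
    j = rng.choice(splittable)
    lo, hi = min(p[j] for p in points), max(p[j] for p in points)
    thr = rng.uniform(lo, hi)
    return {
        "feat": j,
        "thr": thr,
        "left": build_tree([p for p in points if p[j] < thr], depth + 1, max_depth, rng),
        "right": build_tree([p for p in points if p[j] >= thr], depth + 1, max_depth, rng),
    }


def path_length(node, x, depth=0):
    """h(x): edges from the root to the leaf holding x, plus c(size) when the height limit cut the leaf short."""
    if "feat" not in node:
        return depth + c(node["size"])
    child = node["left"] if x[node["feat"]] < node["thr"] else node["right"]
    return path_length(child, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees, self.n = [], 0

    def fit(self, data):
        """Step 1)/4): m = n_trees trees, each over a random subset of n = sample_size points."""
        rng = random.Random(self.seed)
        self.n = min(self.sample_size, len(data))
        max_depth = math.ceil(math.log2(max(self.n, 2)))  # height limit d ≈ log2(n)
        self.trees = [build_tree(rng.sample(data, self.n), 0, max_depth, rng) for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """s(x, n) = 2^(-E(h(x)) / c(n)): near 1 means isolated (anomalous), about 0.5 means normal."""
        expected_h = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-expected_h / c(self.n))


def demo():
    """Constructed baseline: 200 logins clustered in normalized feature space plus one far-off login.
    Returns (score of the far-off login, score of a login in the middle of the cluster)."""
    rng = random.Random(42)
    normal = [[rng.uniform(0.30, 0.50), rng.uniform(0.40, 0.45), rng.uniform(0.20, 0.25)] for _ in range(200)]
    outlier = [0.95, 0.95, 0.95]
    forest = IsolationForest().fit(normal + [outlier])
    return forest.score(outlier), forest.score([0.40, 0.425, 0.225])
```

The c(size) term added at a leaf that still holds several points is the standard correction for the height limit d; without it every point stopped at depth d would look equally normal. Because c(n) is the expected path length of a random point, an ordinary login scores close to 0.5, which matches the page's "no anomaly" case; the alert threshold should therefore be tuned on the user's own history rather than fixed at 0.5.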
During detection, an early warning is issued when the user's login behavior deviates from the user baseline. When a user logs in from an unusual terminal, a warning is raised asking whether someone else is logging in to the system from that terminal; when a user logs in from an unusual location, whether the login comes from an enterprise office location is checked, to rule out the possibility that the user is working remotely. The user identity is verified from multiple dimensions to assure its trustworthiness.
Therefore, during detection, analyzing the user login authentication behavior with the isolation forest method comprises:
acquiring the user ID, login time, login location, login terminal and IP address from the behavior log data;
judging whether the user's login behavior is abnormal according to the login time, login location, login terminal and a preset user baseline, and judging it abnormal when it deviates from the preset user baseline;
judging from the IP address whether the login location is one of the user's common login locations; if not, judging whether the IP address belongs to the user's enterprise office location; and if not, judging the login abnormal.
Further, in an embodiment, brute-force cracking behavior is judged to exist when the behavior log data contains any of the following: the number of consecutive failed logins from the same host within a preset time period exceeds a preset count; the interval between two adjacent failed logins is shorter than a first time threshold; the same user logs in from multiple hosts at the same time. An attacker cracks sensitive information such as a user's account name and password by systematically enumerating and trying every possible combination, and a stolen or forged user account does great harm to an enterprise. Based on these brute-force characteristics, the embodiment formulates policies against brute-force cracking of user accounts from several angles. When a user's login behavior matches a rule, the account is judged to be under brute-force login and the administrator must be notified to lock it in time. In this embodiment, whether the behavior is a brute-force login is analyzed from both the user's and the host's perspective; once the rules decide that brute-force cracking is present, the result is reported to the administrator and corresponding security measures are taken.
Further, in an embodiment, from the user login logs it is calculated whether the number n of successful logins by a user in one day exceeds a threshold; if it does, the user is logging in frequently, and the result is reported to the administrator to take corresponding security measures. Users usually log in to the system to handle business matters, and each user has his or her own login habits and frequency. To avoid wasting enterprise resources through frequent logins, corresponding login rules can be formulated, and once a user is found to log in frequently the administrator is notified to audit.
Further, in an embodiment, the interval between two adjacent logins by the user is calculated from the login timestamps recorded in the behavior feature data, and when it exceeds a second time threshold the user account is judged dormant. When an employee changes role or leaves and the administrator does not clear the account in time, a malicious insider can use that account to access company systems, causing information leakage and threatening enterprise security. To avoid this, the application calculates from the login timestamps in the user's log whether the interval between two adjacent logins exceeds a duration threshold; if an account has not logged in for longer than the threshold, it is switched to the dormant state and the result is sent to the system administrator, prompting the administrator to treat it as a dormant account and strengthen supervision. If a dormant account initiates a login request, the administrator must activate the account before the login is allowed.
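The three brute-force rules, the frequent-login count and the dormant-account check from the three paragraphs above, implemented over a constructed authentication log as an added example (not the patent's code). The thresholds (5 failures within 5 minutes, 2 seconds between failures, 1 minute for "at the same time", 10 successful logins per day, 60 days of inactivity) are illustrative stand-ins for the patent's unspecified preset values, and "logs in at multiple hosts at the same time" is read here as successful logins on different hosts within a short window, an assumption the page does not pin down.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def brute_force_alerts(records, window=timedelta(minutes=5), max_failures=5,
                       min_interval=timedelta(seconds=2), concurrency_window=timedelta(minutes=1)):
    """Return {(user, reason)} for the three brute-force indicators.

    records are (user, host, 'YYYY-MM-DD HH:MM:SS', 'success'|'fail') tuples; the thresholds are
    illustrative defaults for the patent's tunable preset values."""
    alerts = set()
    by_user_host, by_user = defaultdict(list), defaultdict(list)
    for user, host, ts, result in sorted(records, key=lambda r: r[2]):
        by_user_host[(user, host)].append((_t(ts), result))
        by_user[user].append((_t(ts), host, result))

    # Rule 1: on one host, a run of consecutive failures (unbroken by a success) inside `window`
    # that exceeds max_failures.
    for (user, host), events in by_user_host.items():
        streak = []
        for when, result in events:
            if result != "fail":
                streak = []
                continue
            streak = [w for w in streak if when - w <= window] + [when]
            if len(streak) > max_failures:
                alerts.add((user, "consecutive_failures"))

    for user, events in by_user.items():
        # Rule 2: two adjacent failures closer together than min_interval (scripted attempts).
        fails = [w for w, _, r in events if r == "fail"]
        if any(b - a < min_interval for a, b in zip(fails, fails[1:])):
            alerts.add((user, "rapid_failures"))
        # Rule 3: successful logins on different hosts within concurrency_window.
        successes = [(w, h) for w, h, r in events if r == "success"]
        for i, (w1, h1) in enumerate(successes):
            if any(h2 != h1 and w2 - w1 <= concurrency_window for w2, h2 in successes[i + 1:]):
                alerts.add((user, "concurrent_hosts"))
    return alerts


def frequent_login_users(records, max_per_day=10):
    """Users whose successful logins on a single calendar day exceed max_per_day."""
    per_day = defaultdict(int)
    for user, _, ts, result in records:
        if result == "success":
            per_day[(user, ts[:10])] += 1
    return {user for (user, _), n in per_day.items() if n > max_per_day}


def dormant_accounts(records, max_gap=timedelta(days=60)):
    """Users with a gap between two adjacent successful logins longer than max_gap."""
    logins = defaultdict(list)
    for user, _, ts, result in records:
        if result == "success":
            logins[user].append(_t(ts))
    dormant = set()
    for user, times in logins.items():
        times.sort()
        if any(b - a > max_gap for a, b in zip(times, times[1:])):
            dormant.add(user)
    return dormant


# Constructed authentication log, not taken from the patent: alice is brute-forced on host-a,
# bob appears on two hosts within 30 seconds, carol returns after 90 days, dave logs in 11 times in a day.
SAMPLE_LOG = [
    ("alice", "host-a", "2023-03-01 08:00:00", "fail"),
    ("alice", "host-a", "2023-03-01 08:00:01", "fail"),
    ("alice", "host-a", "2023-03-01 08:00:15", "fail"),
    ("alice", "host-a", "2023-03-01 08:00:30", "fail"),
    ("alice", "host-a", "2023-03-01 08:00:45", "fail"),
    ("alice", "host-a", "2023-03-01 08:01:00", "fail"),
    ("alice", "host-a", "2023-03-01 08:02:00", "success"),
    ("bob", "host-b", "2023-03-01 09:00:00", "success"),
    ("bob", "host-c", "2023-03-01 09:00:30", "success"),
    ("carol", "host-d", "2022-12-01 10:00:00", "success"),
    ("carol", "host-d", "2023-03-01 10:00:00", "success"),
] + [("dave", "host-e", f"2023-03-01 {h:02d}:00:00", "success") for h in range(8, 19)]
```

The rules key on the user and the host, as the page does. A password spray that tries one password against many accounts from one source stays under every per-user counter, so a production detector would also count failures per source address.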
Step S30: after receiving the early warning information, executing corresponding verification measures according to the user's level and login mode.
Specifically, in an embodiment, to protect user identity security while preserving the user experience, different security measures are applied to users whose identity is at risk, according to the user's level (ordinary user / administrator) and login mode (biometric fingerprint / password plus SMS code). In general, fingerprint-based login is of a higher security level and more trustworthy than password-plus-SMS login, and a super-administrator or privileged user requires a higher level of security once the account is at risk. For example, when an ordinary user initiates a login request from a usual device, on a usual network and at a usual time, secondary authentication is waived and one-click access is allowed; when an abnormal user accesses important sensitive applications from an abnormal network, at an abnormal time or from a new device, the application forces secondary and enhanced authentication to assure the trustworthiness of the user identity.
Step S40: updating the preset conditions according to the collected behavior log data.
Specifically, in an embodiment, the algorithm model is automatically and periodically updated from the collected behavior logs and the baseline re-established, so as to adapt to changes in user behavior and reduce workload.
In the user login authentication process, the method analyzes and models the dimensions of time, terminal, login location, online frequency and office location and establishes a user baseline with the isolation forest method; a statistical method checks whether the account faces risks such as brute-force cracking or frequent login, and whether the account is dormant is judged from the user's login habits; through layered verification, user identity security is assured from multiple dimensions. The user's risk level is graded by combining the user level (ordinary user / super user) and login mode (biometric fingerprint / password plus SMS code), a corresponding security policy is formulated, and security measures are taken according to the risk level. To adapt to changes in user behavior, the algorithm model is updated automatically and periodically without manual intervention. In summary: user identity security is assured from multiple dimensions such as login authentication, brute-force cracking and frequent login; modeling with the isolation forest algorithm handles large volumes of data efficiently with high performance; and the periodic automatic model update re-establishes the baseline, adapts to behavior change and reduces workload.
Example two
The application also provides a system for detecting the identity security of the zero-trust user, as shown in fig. 2, the system for detecting the identity security of the zero-trust user comprises:
the log collection module 210 is configured to obtain behavior log data generated by users logging in to the system;
the data processing module 220 is configured to extract the key fields required for user behavior analysis as user behavior features, preprocess the key field information, convert text data into numerical data, and normalize the numerical data;
the intelligent analysis module 230 is configured to detect whether the user login behavior is abnormal based on the processed behavior log data and preset conditions, and to send out early warning information when the login behavior is detected to be abnormal, wherein the user login authentication behavior is analyzed by the isolation forest method, and whether the user shows brute-force cracking, dormant account or frequent login behavior is analyzed by a statistical method;
the model self-learning module 240 is configured to update the preset conditions according to the collected behavior log data; and
the auditing module 250 is configured to execute the corresponding verification measures according to the user's user level and login mode after receiving the early warning information.
It will be appreciated by those skilled in the art that the foregoing is an embodiment of the zero-trust user identity security detection system provided by the embodiments of the present application, and the system and apparatus belong to the same inventive concept as the foregoing zero-trust user identity security detection method, and details that are not described in detail in the embodiment of the zero-trust user identity security detection system may refer to the embodiment of the foregoing zero-trust user identity security detection method.
The embodiment of the application also provides zero-trust user identity security detection equipment, which can comprise:
a memory for storing a computer program;
the processor, when executing the computer program stored in the memory, can implement the following steps:
acquiring behavior log data generated by a user logging in to the system; detecting whether the user login behavior is abnormal based on the behavior log data and preset conditions, wherein the user login authentication behavior is analyzed by the isolation forest method, and whether the user shows brute-force cracking, dormant account or frequent login behavior is analyzed by a statistical method; and sending out early warning information when abnormal login behavior of the user is detected.
The embodiment of the application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the following steps:
acquiring behavior log data generated by a user logging in to the system; detecting whether the user login behavior is abnormal based on the behavior log data and preset conditions, wherein the user login authentication behavior is analyzed by the isolation forest method, and whether the user shows brute-force cracking, dormant account or frequent login behavior is analyzed by a statistical method; and sending out early warning information when abnormal login behavior of the user is detected.
The computer-readable storage medium may include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the application, various features of the application are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed application requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this application.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification, and all processes or units of any method or apparatus so disclosed, may be employed, except that at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the application and form different embodiments. For example, any of the claimed embodiments can be used in any combination.
Various component embodiments of the application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in accordance with embodiments of the present application may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present application can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present application may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the application, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. Several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; these words may be interpreted as names.
Claims (10)
1. A zero-trust user identity security detection method, comprising the following steps:
acquiring behavior log data generated by a user logging in to the system;
detecting whether the user login behavior is abnormal based on the behavior log data and preset conditions, wherein the user login authentication behavior is analyzed by an isolation forest method, and whether the user shows brute-force cracking, dormant account or frequent login behavior is analyzed by a statistical method; and
sending out early warning information when abnormal login behavior of the user is detected.
2. The zero-trust user identity security detection method of claim 1, wherein analyzing the user login authentication behavior by the isolation forest method comprises:
acquiring the user ID, login time, login location, login terminal and IP address from the behavior log data;
judging whether the login behavior of the user is abnormal according to the login time, login location, login terminal and a preset user baseline, and judging the login behavior to be abnormal when it deviates from the preset user baseline, wherein the preset user baseline is a user behavior baseline established by the isolation forest method from the user's login behavior; and
judging from the IP address whether the user's login location is a commonly used login location; if not, judging whether the IP address belongs to the user's enterprise office location, and if not, judging the login to be abnormal.
3. The zero-trust user identity security detection method of claim 1, further comprising:
after the early warning information is received, corresponding verification measures are executed according to the user grade and the login mode of the user.
4. The zero-trust user identity security detection method of claim 1, further comprising:
and updating the preset conditions according to the collected behavior log data.
5. The zero-trust user identity security detection method of claim 1, wherein brute-force cracking behavior is determined to exist when the behavior log data satisfies one of the following conditions:
the user logs in from the same host, and the number of consecutive failed logins to the system within a preset time period exceeds a preset number;
when the user logs in to the system, the time interval between two adjacent login failures is smaller than a first time threshold; or
the same user logs in from multiple hosts at the same time.
6. The method of claim 1, wherein detecting whether the user account is a dormant account based on the behavior log data comprises:
calculating the time interval between two adjacent logins of the user to the system from the login time points recorded in the behavior feature data; and
judging the user account to be a dormant account when the time interval between the two logins is larger than a second time threshold.
7. The method of claim 1, wherein frequent login behavior is determined when the number of successful logins of the user to the system in one day exceeds a preset number of logins.
8. A zero-trust user identity security detection system, comprising:
a log collection module, configured to obtain behavior log data generated by a user logging in to the system;
a data processing module, configured to extract the key fields required for user behavior analysis as user behavior features, preprocess the key field information, convert text data into numerical data, and normalize the numerical data; and
an intelligent analysis module, configured to detect whether the user login behavior is abnormal based on the processed behavior log data and preset conditions, and to send out early warning information when the user login behavior is detected to be abnormal, wherein the user login authentication behavior is analyzed by an isolation forest method, and whether the user shows brute-force cracking, dormant account or frequent login behavior is analyzed by a statistical method.
9. The zero-trust user identity security detection system of claim 8, further comprising:
the model self-learning module is used for updating the preset conditions according to the collected behavior log data;
and the auditing module is used for executing corresponding verification measures according to the user grade and the login mode of the user after receiving the early warning information.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the steps of the zero trust user identity security detection method of any one of claims 1 to 7.
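The three statistical checks of claims 5 to 7 (brute-force cracking, dormant account, frequent login), as an added worked example in Python that is not part of the patent: the log line format, the field names and every threshold (failure window and count, minimum gap between failures, dormancy gap, daily login limit) are assumptions, and the sample log is constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from the patent): "timestamp user host ip result".
SAMPLE_LOG = """\
2023-04-01T09:00:00 bob host-b 10.0.0.9 success
2023-07-19T08:00:00 alice host-a 10.0.0.5 failure
2023-07-19T08:00:02 alice host-a 10.0.0.5 failure
2023-07-19T08:00:04 alice host-a 10.0.0.5 failure
2023-07-19T09:00:00 bob host-b 10.0.0.9 success
2023-07-19T09:00:00 bob host-c 10.0.0.7 success
2023-07-19T10:00:00 carol host-d 10.0.1.2 success
2023-07-19T11:00:00 carol host-d 10.0.1.2 success
2023-07-19T12:00:00 carol host-d 10.0.1.2 success
"""

def parse_log(text):
    """Extract the key fields into time-sorted event dicts (the patent's data processing step)."""
    events = []
    for line in text.splitlines():
        ts, user, host, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "ip": ip, "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])

def brute_force_users(events, window=timedelta(minutes=5), max_failures=2,
                      min_gap=timedelta(seconds=5)):
    """Claim 5 (thresholds assumed): more than `max_failures` consecutive failures on one host
    inside `window`, adjacent failures closer than `min_gap`, or logins on several hosts at once."""
    flagged, streaks, simultaneous = set(), defaultdict(list), defaultdict(set)
    for e in events:
        key = (e["user"], e["host"])
        if e["ok"]:
            streaks[key] = []                       # a success ends the failure streak
            simultaneous[(e["user"], e["ts"])].add(e["host"])
            continue
        streak = streaks[key]
        too_close = bool(streak) and e["ts"] - streak[-1] < min_gap
        streak.append(e["ts"])
        streak[:] = [t for t in streak if e["ts"] - t <= window]   # keep failures inside window
        if too_close or len(streak) > max_failures:
            flagged.add(e["user"])
    flagged.update(u for (u, _), hosts in simultaneous.items() if len(hosts) > 1)
    return flagged

def dormant_users(events, max_gap=timedelta(days=90)):
    """Claim 6 (threshold assumed): gap between two adjacent successful logins exceeds max_gap."""
    last, dormant = {}, set()
    for e in (e for e in events if e["ok"]):
        if e["user"] in last and e["ts"] - last[e["user"]] > max_gap:
            dormant.add(e["user"])
        last[e["user"]] = e["ts"]
    return dormant

def frequent_login_users(events, max_per_day=2):
    """Claim 7 (threshold assumed): successful logins in one calendar day exceed max_per_day."""
    counts = defaultdict(int)
    for e in (e for e in events if e["ok"]):
        counts[(e["user"], e["ts"].date())] += 1
    return {u for (u, _), n in counts.items() if n > max_per_day}
```

On the constructed log, alice is flagged for brute-force cracking (three failures two seconds apart), bob for simultaneous logins on two hosts and for a dormant account (109 days between logins), and carol for frequent login.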
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310890330.1A CN117150459A (en) | 2023-07-19 | 2023-07-19 | Zero-trust user identity security detection method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117150459A true CN117150459A (en) | 2023-12-01 |
Family
ID=88885716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310890330.1A Pending CN117150459A (en) | 2023-07-19 | 2023-07-19 | Zero-trust user identity security detection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117150459A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118074984A (en) * | 2024-02-27 | 2024-05-24 | 北京雪诺科技有限公司 | Zero trust dynamic behavior calculation method, system and device based on browser |
CN118054967A (en) * | 2024-04-01 | 2024-05-17 | 雅安数字经济运营有限公司 | Anomaly detection method, medium and system based on network security |
CN118054967B (en) * | 2024-04-01 | 2024-09-06 | 雅安数字经济运营有限公司 | Anomaly detection method, medium and system based on network security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |