CN117640153A - Abnormal query detection method, device, equipment, medium and program product - Google Patents

Publication number
CN117640153A
Authority
CN
China
Prior art keywords
target
information
query
abnormal
target query
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311476682.9A
Other languages
Chinese (zh)
Inventor
柳寒
张园超
高嵩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang eCommerce Bank Co Ltd
Original Assignee
Zhejiang eCommerce Bank Co Ltd

Classifications

    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Alarm Systems (AREA)

Abstract

The embodiments of this specification disclose an abnormal query detection method, apparatus, device, medium and product. The method comprises the following steps: when a target query operation on a target application system is detected, obtaining a target query user identifier and target query information corresponding to the target query operation, where the target query information comprises target request information and/or target response information corresponding to the target query operation; obtaining corresponding target association relationship information based on the target query user identifier, where the target association relationship information comprises a target user identifier associated with the target query user identifier and is determined based on the identifier of the WiFi network to which the mobile terminal corresponding to the target query user identifier is connected; and performing abnormal query detection based on the target query information and the target association relationship information to obtain a target abnormal query detection result corresponding to the target query operation.

Description

Abnormal query detection method, device, equipment, medium and program product
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, a medium, and a program product for detecting an abnormal query.
Background
Under normal conditions, an enterprise employee such as a customer service agent only queries and processes information about external customers and does not touch data about people related to that employee. Under abnormal conditions, data about people related to the employee, such as relatives, friends and colleagues, may be queried when this is not expected. At present, partial association relationships are generally obtained by collecting address books in order to detect abnormal queries in this scenario.
Disclosure of Invention
The embodiments of this specification provide an abnormal query detection method, apparatus, device, medium and program product. The target user identifier associated with a target query user identifier (the target association relationship information) can be determined simply and efficiently, directly from the identifier of the WiFi network to which the mobile terminal corresponding to the target query user identifier is connected. By combining this target association relationship information with the target query information, the abnormal case in which the target query user identifier unexpectedly queries information about an associated target user identifier can be detected in time. This achieves efficient detection of abnormal query operations, protects the data security of staff in the application system, and improves the attack defense capability of the application system. The technical solution is as follows:
In a first aspect, an embodiment of the present disclosure provides an abnormal query detection method, where the method includes:
when target query operation aiming at a target application system is monitored, a target query user identifier and target query information corresponding to the target query operation are obtained; the target query information comprises target request information and/or target response information corresponding to the target query operation;
acquiring corresponding target association relation information based on the target inquiry user identification; the target association relationship information comprises a target user identifier associated with the target query user identifier; the target association relation information is determined based on the WiFi network identifier connected with the mobile terminal corresponding to the target inquiry user identifier;
and carrying out abnormal query detection based on the target query information and the target association relation information to obtain a target abnormal query detection result corresponding to the target query operation.
In a possible implementation manner, the obtaining the corresponding target association information based on the target query user identifier includes:
determining corresponding target association relation information from at least one association relation information based on the target inquiry user identification; the association relation information comprises user identifications corresponding to mobile terminals connected with the same WiFi network.
In one possible implementation manner, before determining the corresponding target association information from the at least one association information based on the target query user identifier, the method further includes:
acquiring equipment logs corresponding to a plurality of mobile terminals respectively; the equipment log comprises a WiFi network identifier connected with the mobile terminal and a user identifier logged in on the mobile terminal;
determining a mapping relation between the WiFi network identifier and the user identifier based on the equipment logs corresponding to the mobile terminals respectively;
and determining the at least one association relation information based on the mapping relation.
In one possible implementation manner, the performing abnormal query detection based on the target query information and the target association relationship information to obtain a target abnormal query detection result corresponding to the target query operation includes:
comparing the target query information with the target association relation information, if the target query information comprises the target information, determining the target query operation as abnormal query operation, and if the target query information does not comprise the target information, determining the target query operation as normal query operation; the target information is used to characterize information related to the target user identification.
In one possible implementation manner, after the performing the abnormal query detection based on the target query information and the target association relationship information to obtain a target abnormal query detection result corresponding to the target query operation, the method further includes:
and if the target query operation is an abnormal query operation, performing a research and judgment process on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
In one possible implementation manner, before the performing the research and judgment process on the target query operation to obtain the target research and judgment result corresponding to the target query operation, the method further includes:
judging whether the target alarm quantity corresponding to the target inquiry information is larger than a target threshold value or not; the target alarm amount is determined based on the target query information and the target association relation information;
the performing a research and judgment process on the target query operation to obtain a target research and judgment result corresponding to the target query operation includes:
if yes, performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
In one possible implementation manner, after the determining whether the alarm amount corresponding to the target query information is greater than the target threshold, the method further includes:
if not, carrying out interception processing on the target query operation.
In one possible implementation manner, after the performing the abnormal query detection based on the target query information and the target association relationship information to obtain a target abnormal query detection result corresponding to the target query operation, the method further includes:
and if the target query operation is an abnormal query operation, sending out alarm information.
In a second aspect, embodiments of the present disclosure provide an abnormal query detection apparatus, including:
the first acquisition module is used for acquiring a target query user identifier and target query information corresponding to target query operation when the target query operation aiming at the target application system is monitored; the target query information comprises target request information and/or target response information corresponding to the target query operation;
the second acquisition module is used for acquiring corresponding target association relation information based on the target inquiry user identification; the target association relationship information comprises a target user identifier associated with the target query user identifier; the target association relation information is determined based on the WiFi network identifier connected with the mobile terminal corresponding to the target inquiry user identifier;
and the abnormal query detection module is used for carrying out abnormal query detection based on the target query information and the target association relation information to obtain a target abnormal query detection result corresponding to the target query operation.
In one possible implementation manner, the second obtaining module is specifically configured to:
determining corresponding target association relation information from at least one association relation information based on the target inquiry user identification; the association relation information comprises user identifications corresponding to mobile terminals connected with the same WiFi network.
In one possible implementation manner, the abnormal query detection apparatus further includes:
the third acquisition module is used for acquiring the equipment logs corresponding to the mobile terminals respectively; the equipment log comprises a WiFi network identifier connected with the mobile terminal and a user identifier logged in on the mobile terminal;
the first determining module is used for determining a mapping relation between the WiFi network identifier and the user identifier based on the equipment logs corresponding to the mobile terminals respectively;
and the second determining module is used for determining the at least one association relation information based on the mapping relation.
In one possible implementation manner, the abnormal query detection module is specifically configured to:
comparing the target query information with the target association relation information, if the target query information comprises the target information, determining the target query operation as abnormal query operation, and if the target query information does not comprise the target information, determining the target query operation as normal query operation; the target information is used to characterize information related to the target user identification.
In one possible implementation manner, the abnormal query detection apparatus further includes:
and the research and judgment processing module is used for carrying out research and judgment processing on the target query operation if the target query operation is abnormal query operation, so as to obtain a target research and judgment result corresponding to the target query operation.
In one possible implementation manner, the abnormal query detection apparatus further includes:
the judging module is used for judging whether the target alarm quantity corresponding to the target inquiry information is larger than a target threshold value or not; the target alarm amount is determined based on the target query information and the target association relation information;
the above-mentioned research judgement processing module is specifically used for:
and if the target alarm quantity corresponding to the target query information is larger than a target threshold value, performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
In one possible implementation manner, the abnormal query detection apparatus further includes:
and the interception processing module is used for intercepting the target query operation if the target alarm quantity corresponding to the target query information is smaller than or equal to a target threshold value.
In one possible implementation manner, the abnormal query detection apparatus further includes:
and the alarm module is used for sending alarm information if the target query operation is abnormal query operation.
In a third aspect, embodiments of the present disclosure provide an electronic device, including: a processor and a memory;
the processor is connected with the memory;
the memory is used for storing executable program codes;
the processor executes a program corresponding to the executable program code stored in the memory by reading the executable program code for performing the method provided by the first aspect of the embodiments of the present specification or any one of the possible implementations of the first aspect.
In a fourth aspect, embodiments of the present specification provide a computer storage medium having stored thereon a plurality of instructions adapted to be loaded by a processor and to carry out the method provided by the first aspect of embodiments of the present specification or any one of the possible implementations of the first aspect.
In a fifth aspect, embodiments of the present description provide a computer program product comprising instructions which, when run on a computer or a processor, cause the computer or the processor to perform the method provided by the first aspect of embodiments of the present description or any one of the possible implementations of the first aspect.
In the embodiments of this specification, when a target query operation on a target application system is detected, a target query user identifier and target query information corresponding to the target query operation are obtained, where the target query information comprises target request information and/or target response information corresponding to the target query operation. Corresponding target association relationship information is then obtained based on the target query user identifier, where the target association relationship information comprises a target user identifier associated with the target query user identifier and is determined based on the identifier of the WiFi network to which the mobile terminal corresponding to the target query user identifier is connected. The target association relationship information of the target query user identifier, that is, the target user identifier associated with it, can thus be determined simply and efficiently, directly from the identifier of the WiFi network to which the corresponding mobile terminal is connected, and can serve as a trusted defense strategy. Combined with the target query information (target request information and/or target response information) corresponding to the target query user identifier, it allows timely detection of the abnormal case in which the target query user identifier unexpectedly queries information about an associated target user identifier.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present description, the drawings that are required in the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an abnormal query detection system according to an exemplary embodiment of the present disclosure;
FIG. 2 is a flowchart of an abnormal query detection method according to an exemplary embodiment of the present disclosure;
FIG. 3 is a schematic diagram of an implementation flow for determining association information according to an exemplary embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an implementation process for determining association information according to an exemplary embodiment of the present disclosure;
FIG. 5 is a schematic diagram illustrating an exception query processing procedure according to an exemplary embodiment of the present disclosure;
FIG. 6 is a flowchart of another method for detecting abnormal queries according to an exemplary embodiment of the present disclosure;
FIG. 7 is a schematic diagram of an implementation process of an abnormal query detection method according to an exemplary embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of an abnormal query detection device according to an exemplary embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification.
The terms first, second, third and the like in the description and in the claims and in the above drawings, are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, information (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data for analysis, stored data, presented data, etc.), and signals according to the embodiments of the present disclosure are all authorized by the user or are fully authorized by the parties, and the collection, use, and processing of relevant data is required to comply with relevant laws and regulations and standards of relevant countries and regions. For example, the target query information, the device log, and the like referred to in this specification are acquired with sufficient authorization.
When an enterprise customer service agent (the querier) logs in, with an account (the target query user identifier), to office software installed on the agent's mobile terminal, under normal conditions the agent can only query information about customers outside the enterprise who need to be contacted, and usually cannot touch data about people related to the agent. Under abnormal conditions, data about people related to the agent, such as the querier's relatives, friends and colleagues, may be queried unexpectedly. To detect such abnormal queries in time, the embodiments of this specification provide an abnormal query detection method that determines target association relationship information from the identifier of the WiFi network to which the mobile terminal corresponding to the target query user identifier is connected, uses it as a trusted defense strategy, and detects abnormal query operations efficiently based on the target query information (target request information and/or target response information) corresponding to the target query user identifier, thereby protecting the data security of staff in the application system and improving the attack defense capability of the application system.
Next, please refer to fig. 1, which is a schematic diagram illustrating an abnormal query detection system according to an exemplary embodiment of the present disclosure. As shown in fig. 1, the abnormal inquiry detection system includes: mobile terminal 110 and server 120. Wherein:
Mobile terminal 110 may interact with server 120 over a network to receive messages from server 120 or to send messages to server 120, or to receive messages or data sent by other users to server 120. The mobile terminal 110 may be hardware or software. When mobile terminal 110 is hardware, it may be any of a variety of electronic devices including, but not limited to, smartwatches, smartphones, tablets, laptop computers, desktop computers, and the like. When the mobile terminal 110 is software, it may be installed in the electronic devices listed above and may be implemented as multiple pieces of software or software modules (for example, to provide distributed services) or as a single piece of software or software module, which is not specifically limited here.
Mobile terminal 110 may include one or more user terminals. User version software may be installed in the mobile terminal 110 to implement functions such as querying data of the target application system. The mobile terminal 110 may be triggered to send a target query request to the server 120 corresponding to the target application system through the network based on clicking, sliding, etc. of the user, receive a target response packet returned by the server 120 based on the target query request through the network, and so on.
It should be noted that, in the embodiments of the present disclosure, the user corresponding to the mobile terminal 110 may be, but is not limited to, a staff member, such as customer service, who can log in to an enterprise's target application system with an account or the like and who queries information about customers outside the enterprise or is responsible for providing services to people outside the enterprise.
The server 120 may be a server capable of providing various query services, such as, but not limited to, a server corresponding to a target application system of an enterprise, and the like. The server 120 may be hardware or software. When the server 120 is hardware, it may be implemented as a distributed server cluster formed by a plurality of servers, or may be implemented as a single server. When the server 120 is software, it may be implemented as a plurality of software or software modules (for example, to provide distributed services), or may be implemented as a single software or software module, which is not specifically limited herein. The server 120 may be, but is not limited to, a hardware server, a virtual server, a cloud server, etc.
In this embodiment of the present disclosure, when the server 120 monitors a target query operation for a target application system, a target query user identifier and target query information corresponding to the target query operation may be obtained first, where the target query information includes target request information and/or target response information corresponding to the target query operation; then, acquiring corresponding target association relation information based on the target inquiry user identification, wherein the target association relation information comprises target user identification associated with the target inquiry user identification, and the target association relation information is determined based on the WiFi network identification connected with the mobile terminal 110 corresponding to the target inquiry user identification; and finally, carrying out abnormal query detection based on the target query information and the target association relation information to obtain a target abnormal query detection result corresponding to the target query operation.
The network may be, but is not limited to, a medium that provides a communication link between mobile terminal 110 and server 120, or the internet, which includes network devices and transmission media. The transmission medium may be a wired link, such as, but not limited to, coaxial cable, optical fiber and digital subscriber line (DSL), or a wireless link, such as, but not limited to, WiFi (wireless fidelity), hypertext transfer protocol (HTTP), Bluetooth, a mobile device network, etc.
It will be appreciated that the number of mobile terminals 110 and servers 120 in the abnormal query detection system shown in fig. 1 is by way of example only, and that any number of mobile terminals 110 and servers 120 may be included in the abnormal query detection system in a particular implementation.
Next, referring to fig. 1, an abnormal query detection method provided in an embodiment of the present disclosure will be described. Referring specifically to fig. 2, a flow chart of an abnormal query detection method according to an exemplary embodiment of the present disclosure is shown. As shown in fig. 2, the abnormal inquiry detection method includes the following steps:
S202, when a target query operation on a target application system is detected, a target query user identifier and target query information corresponding to the target query operation are obtained.
Specifically, when data in the target application system is queried, a traffic log of the target application system is recorded for the current target query operation. The traffic log includes the query account identifier (target query user identifier) of the mobile terminal corresponding to the querier, the target query request packet that was sent (target request information), the target response packet returned by the server corresponding to the target application system (target response information), and so on. When an employee such as a customer service agent queries data in the target application system normally, only information about people outside the enterprise who have no association with the querier can be queried. If the employee corresponding to the target query user identifier instead requests information about a person associated with that employee, or receives a response containing information about such a person, the target query operation can be considered an unexpected abnormal query, and defensive handling can be applied to it in time.
Specifically, when a target query operation on the target application system is detected, the target query user identifier and the target query information corresponding to the target query operation are determined first. The target query user identifier may include, but is not limited to, the account identifier or device identifier used by the user who performed the target query operation when querying the target application system. The target query information may include, but is not limited to, the target request information and/or target response information corresponding to the target query operation. This makes it easier to determine the target association relationship information corresponding to the target query user identifier and to perform simple and efficient anomaly detection on the target query operation.
S204, acquiring corresponding target association relation information based on the target inquiry user identification, wherein the target association relation information comprises target user identification associated with the target inquiry user identification, and the target association relation information is determined based on the WiFi network identification connected with the mobile terminal corresponding to the target inquiry user identification.
Optionally, after the target query user identifier corresponding to the target query operation is obtained, the WiFi network identifier connected to the corresponding mobile terminal may be obtained based on the target query user identifier, and then the corresponding connection information may be obtained based on the WiFi network identifier, where the connection information includes the target user identifiers corresponding to one or more mobile terminals connected to the WiFi network corresponding to the WiFi network identifier. Because the mobile terminals corresponding to the target user identifier and the target query user identifier are connected with the same WiFi network, a certain association relationship exists between the target user identifier and the target query user identifier, and therefore the target user identifier in the connection information of the WiFi network identifier can be directly determined to be the target association relationship information corresponding to the target query user identifier.
Optionally, at least one piece of association relationship information may be pre-stored on the server corresponding to the target application system. Each piece includes the user identifiers corresponding to mobile terminals connected to the same WiFi network and indicates that an association exists among the user identifiers connected to that network. After the target query user identifier corresponding to the target query operation is obtained, the corresponding target association relationship information can be determined from the pre-stored association relationship information based on the target query user identifier, for example, but not limited to, by looking up the association relationship information that contains the target query user identifier. In the related art, only part of a querier's association relationships can be obtained, by collecting the address book. In the embodiments of this specification, the querier's association relationship information can be substantially supplemented through WiFi networks, which reflect geographic location, so that abnormal query detection on the querier's query operations can be performed more accurately.
Further, the at least one association information needs to be determined before the corresponding target association information is determined from the at least one association information based on the target query user identification. As shown in fig. 3, the implementation process for determining the at least one association information may include:
S302, obtaining device logs corresponding to the mobile terminals.
Specifically, before the target query operation for the target application system is monitored, the server corresponding to the target application system may acquire the device logs reported by each of the plurality of mobile terminals. The device log may include a WiFi network identifier to which the mobile terminal is connected and a user identifier logged on the mobile terminal. The user identification may include, but is not limited to, an account identification of a user logged on the mobile terminal or a device identification of the mobile terminal used by the user, and so on.
S304, determining the mapping relation between the WiFi network identifier and the user identifier based on the equipment logs corresponding to the mobile terminals.
Specifically, after obtaining the device log reported by each of the plurality of mobile terminals, a mapping relationship between the WiFi network identifier and the user identifier can be directly constructed according to the WiFi network identifier connected by the mobile terminal in the device log and the user identifier logged on the mobile terminal.
S306, determining at least one association relation information based on the mapping relation.
In particular, persons connected to the same WiFi network have a direct or indirect relationship by default. Therefore, after the mapping relation between the WiFi network identifier and the user identifier is determined, all the user identifiers corresponding to the same WiFi network identifier can be counted directly based on the mapping relation, and at least one piece of association relation information is obtained.
It can be understood that one association information corresponds to one WiFi network identifier, that is, there are several different WiFi network identifiers in the mapping relationship, and finally, several corresponding association information can be determined.
For example, as shown in fig. 4, if the mapping relationship between the WiFi network identifier and the user identifier includes WiFi network A together with user identifier a, user identifier b and user identifier c logged in on one or more mobile terminals connected to WiFi network A, and WiFi network B together with user identifier c, user identifier d, user identifier e and user identifier f logged in on one or more mobile terminals connected to WiFi network B, then association relationship information A and association relationship information B may be determined based on the mapping relationship. Association relationship information A includes user identifier a, user identifier b and user identifier c, which are connected to WiFi network A; that is, it indicates an association among user identifier a, user identifier b and user identifier c. Association relationship information B includes user identifier c, user identifier d, user identifier e and user identifier f, which are connected to WiFi network B; that is, it indicates an association among user identifier c, user identifier d, user identifier e and user identifier f. If the target query user identifier is user identifier a, the target association relationship information corresponding to user identifier a (i.e. association relationship information A) can be found directly from association relationship information A and association relationship information B based on user identifier a.
According to the embodiments of this specification, the association relationship information between the user identifiers corresponding to the mobile terminals can be determined efficiently, simply and accurately from the connected WiFi network identifiers and the corresponding user identifiers in the device logs reported by the mobile terminals, based on the WiFi network at the same geographic location, so that abnormal query detection can be performed more accurately on a querier's query operations through the association relationship information.
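Steps S302 to S306 and the fig. 4 example, written out as an added Python sketch (not code from the patent). The JSON log layout and the field names `wifi_id` and `user_id` are assumptions; the page only states that a device log carries the connected WiFi network identifier and the logged-in user identifier.

```python
import json
from collections import defaultdict

# Constructed device-log reports, one JSON object per line, reproducing the
# fig. 4 example plus a duplicate report and two malformed ones.
DEVICE_LOGS = """\
{"wifi_id": "A", "user_id": "a"}
{"wifi_id": "A", "user_id": "b"}
{"wifi_id": "A", "user_id": "c"}
{"wifi_id": "B", "user_id": "c"}
{"wifi_id": "B", "user_id": "d"}
{"wifi_id": "B", "user_id": "e"}
{"wifi_id": "B", "user_id": "f"}
{"wifi_id": "A", "user_id": "a"}
{"wifi_id": "", "user_id": "g"}
not-json
"""


def build_mapping(log_text):
    """S302/S304: turn device logs into {wifi_id: {user_id, ...}}."""
    mapping = defaultdict(set)
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # data cleaning: drop reports that do not parse
        if not isinstance(record, dict):
            continue
        wifi_id, user_id = record.get("wifi_id"), record.get("user_id")
        if not (isinstance(wifi_id, str) and isinstance(user_id, str)):
            continue
        if not wifi_id or not user_id:
            continue  # a report missing either identifier links nobody
        mapping[wifi_id].add(user_id)  # sets absorb repeated reports
    return dict(mapping)


def build_associations(mapping):
    """S306: one piece of association relationship information per WiFi identifier."""
    return {wifi_id: frozenset(users) for wifi_id, users in mapping.items()}


def target_association(associations, querier):
    """Collect the user identifiers associated with the querier.

    Every association record that contains the querier is selected; the
    querier's own identifier is removed from the result.
    """
    associated = set()
    for users in associations.values():
        if querier in users:
            associated |= users
    associated.discard(querier)
    return associated


if __name__ == "__main__":
    associations = build_associations(build_mapping(DEVICE_LOGS))
    for querier in ("a", "c", "z"):
        print(querier, sorted(target_association(associations, querier)))
```

User identifier c appears under both networks, so its lookup returns the union of both records. The page does not say how shared or public networks are handled, and this sketch does not filter them.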
Next, referring to fig. 2, after the corresponding target association relationship information is obtained in S204 based on the target query user identifier, the abnormal query detection method further includes:
S206, performing abnormal query detection based on the target query information and the target association relationship information to obtain a target abnormal query detection result corresponding to the target query operation.
In the embodiments of this specification, the target association relationship information of the target query user identifier, namely the target user identifiers associated with the target query user identifier, can be determined simply and efficiently from the WiFi network identifier to which the mobile terminal corresponding to the target query user identifier is connected, and can serve as a trusted defense strategy. Combined with the target query information (target request information and/or target response information) corresponding to the target query user identifier, it allows timely detection of the abnormal query condition in which the target query user identifier unexpectedly queries information of a target user identifier associated with it, so that abnormal query operations are detected efficiently, the data information security of staff in the application system is protected, and the attack defense performance of the application system is improved.
Optionally, after the corresponding target association relationship information is acquired based on the target query user identifier, target request information and/or target response information in the target query information may be directly matched with the target association relationship information, for example, but not limited to, calculating a correlation between the target request information and the target association relationship information and/or a correlation between the target response information and the target association relationship information, and the like. If the target request information or the target response information is matched with the target association relation information, namely the correlation between the target request information and the target association relation information is larger than a target correlation threshold value or the correlation between the target response information and the target association relation information is larger than a target correlation threshold value, the information related to the target association relation information can be determined to be included in the target query information, and the target query operation can be determined to be an abnormal query operation; if the target request information or the target response information is not matched with the target association relationship information, that is, the correlation between the target request information and the target association relationship information is smaller than or equal to a target correlation threshold value or the correlation between the target response information and the target association relationship information is smaller than or equal to a target correlation threshold value, the target query operation can be determined to be a normal query operation.
Optionally, in S206, performing abnormal query detection based on the target query information and the target association relationship information to obtain the target abnormal query detection result corresponding to the target query operation may also include: comparing the target query information with the target association relationship information. If the target query information includes the target information, the target query user identifier can be considered to have unexpectedly requested, or unexpectedly queried, information of a target user identifier with which it has an association relationship, and the target query operation can be determined to be an abnormal query operation. If the target query information does not include the target information, the target query user identifier can be considered to have, as expected, only requested or only queried information of user identifiers with which it has no association relationship, and the target query operation can be determined to be a normal query operation. The target information is used for representing information related to the target user identifier. The target information can also be sensitive information of the target user identifier, so that abnormal detection and defense are carried out only for target query operations whose request information or response information contains sensitive information of a target user identifier having the association relationship, thereby defending against unexpected query behavior on sensitive data of the target application system (office application system) initiated by an employee.
In some possible embodiments, after performing the abnormal query detection based on the target query information and the target association relationship information to obtain the target abnormal query detection result corresponding to the target query operation, as shown in fig. 5, if the target query operation is the abnormal query operation, which indicates that the target query operation has a risk of data leakage, and is likely to be an attack operation of an attacker on the target application system, the target query operation may be further subjected to the research and judgment process to obtain the target research and judgment result corresponding to the target query operation. The above-mentioned research and judgment processing on the target query operation may be that the target query operation is subjected to research and judgment verification based on the target query user identifier and the target query information corresponding to the target query operation, or an audit terminal may be set, and the target query user identifier and the target query information corresponding to the target query operation are sent to the audit terminal, so that the audit terminal performs research and judgment processing on the target query operation based on the target query user identifier and the target query information, and receives the target research and judgment result obtained after the research and judgment processing by the audit terminal, thereby further verifying the security of the target query operation, and avoiding the influence of erroneous judgment on the normal query operation.
In some possible embodiments, after performing the abnormal query detection based on the target query information and the target association relationship information to obtain the target abnormal query detection result corresponding to the target query operation, as shown in fig. 5, if the target query operation is the abnormal query operation, which indicates that the target query operation has a risk of data leakage, and is likely to be an attack operation of an attacker on the target application system, alarm information may be sent, and a manager of the target application system may be timely reminded of the abnormal query condition, so that the manager can timely process the abnormal query operation, thereby further guaranteeing information security of the target user identifier having an association relationship with the target query user identifier in the target application system.
Next, please refer to fig. 6, which is a flowchart illustrating another abnormal query detection method according to an exemplary embodiment of the present disclosure. As shown in fig. 6, the abnormal inquiry detection method includes the following steps:
S602, when a target query operation for a target application system is monitored, acquiring a target query user identifier and target query information corresponding to the target query operation.
Specifically, S602 corresponds to S202, and will not be described here.
S604, acquiring corresponding target association relation information based on the target inquiry user identification, wherein the target association relation information comprises target user identification associated with the target inquiry user identification, and the target association relation information is determined based on the WiFi network identification connected with the mobile terminal corresponding to the target inquiry user identification.
Specifically, S604 corresponds to S204, and will not be described here again.
S606, carrying out abnormal query detection based on the target query information and the target association relation information to obtain a target abnormal query detection result corresponding to the target query operation.
Specifically, S606 corresponds to S206, and will not be described here.
S608, if the target query operation is an abnormal query operation, judging whether the target alarm amount corresponding to the target query information is larger than a target threshold value.
Specifically, the target alert amount is determined based on the target query information and the target association relationship information. The target query information comprises target request information and/or target response information corresponding to the target query operation. The target association information includes a target user identifier associated with the target query user identifier. The target alert amount may be, but not limited to, the number of different target user identifiers related to the target request information or the target response information, for example, the target request information includes 3 pieces of information of target user identifiers associated with the target query user identifier, and then the target alert amount corresponding to the target query information may be directly determined to be 3. The target threshold may be, but is not limited to, 1, 2, etc.
S610, if the target alarm amount corresponding to the target query information is greater than the target threshold value, performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
Specifically, if the target query operation is an abnormal query operation and the target alarm amount corresponding to the target query information is greater than the target threshold value, the target query operation involves a relatively large amount of unexpected query information, and intercepting it directly would greatly affect the work of the querier corresponding to the target query user identifier. The target query operation can therefore first be subjected to research and judgment processing to further confirm whether it is an unexpected or abnormal behavior. Then, when the research and judgment confirms that the target query operation is unexpected or abnormal, the target query operation is intercepted, or the target query user identifier is directly added to a query blacklist of the target application system, and the like.
Next, referring to fig. 6, after it is determined in S608 whether the target alarm amount corresponding to the target query information is greater than the target threshold value when the target query operation is an abnormal query operation, the abnormal query detection method may further include:
S612, if the target alarm quantity corresponding to the target query information is smaller than or equal to the target threshold value, intercepting the target query operation.
Specifically, if the target query operation is an abnormal query operation and the target alarm amount corresponding to the target query information is smaller than or equal to the target threshold value, the target query operation involves little unexpected query information, and intercepting it directly has little influence on the work of the querier corresponding to the target query user identifier. The target query operation can therefore be intercepted directly, which ensures the data information security of staff in the application system while ensuring that the work of the querier corresponding to the target query user identifier is not greatly affected.
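The decision flow of S606 to S612, as an added Python sketch that is not part of the patent. It assumes request and response are already parsed into nested values, that "target information" is a per-user set of identifying values (the `TARGET_INFO` directory, constructed here), and that a hit means an exact token match; the names `detect`, `Verdict` and `tokens` are hypothetical.

```python
import re
from dataclasses import dataclass

TOKEN = re.compile(r"[A-Za-z0-9_]+")

# Constructed target information: values that identify each user in traffic
# (assumed here to be an employee number and a phone number).
TARGET_INFO = {
    "b": {"E1002", "13800000002"},
    "c": {"E1003", "13800000003"},
    "x": {"E2001", "13800000099"},
}


def tokens(value):
    """Yield every alphanumeric token in the values of a nested request or response."""
    if isinstance(value, dict):
        for item in value.values():
            yield from tokens(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from tokens(item)
    elif value is not None:
        yield from TOKEN.findall(str(value))


@dataclass
class Verdict:
    result: str        # "normal", "intercept" or "research_and_judgment"
    alert_amount: int  # number of distinct associated users that were hit
    hit_users: set


def detect(querier, request, response, associates, target_info, threshold=1):
    """S606-S612 for one query operation.

    associates is the target association relationship information: the user
    identifiers associated with the querier. Whole-token matching keeps
    "E10020" from counting as a hit on "E1002".
    """
    seen = set(tokens(request)) | set(tokens(response))
    hits = {
        user
        for user in associates
        if user != querier and target_info.get(user, set()) & seen
    }
    alert_amount = len(hits)
    if alert_amount == 0:
        return Verdict("normal", 0, hits)                              # S606
    if alert_amount > threshold:
        return Verdict("research_and_judgment", alert_amount, hits)    # S610
    return Verdict("intercept", alert_amount, hits)                    # S612


# Constructed traffic for querier "a", whose associated users are b and c.
ASSOCIATES_OF_A = {"b", "c"}
SINGLE_LOOKUP = (
    {"path": "/hr/employee", "params": {"emp_no": "E1002"}},
    {"rows": [{"emp_no": "E1002", "phone": "13800000002"}]},
)
BATCH_SEARCH = (
    {"path": "/hr/search", "params": {"dept": "finance"}},
    {"rows": [{"emp_no": "E1002"}, {"emp_no": "E1003"}, {"emp_no": "E2001"}]},
)
UNRELATED = (
    {"path": "/hr/employee", "params": {"emp_no": "E2001"}},
    {"rows": [{"emp_no": "E2001", "phone": "13800000099"}]},
)

if __name__ == "__main__":
    for name, (req, resp) in [("single", SINGLE_LOOKUP),
                              ("batch", BATCH_SEARCH),
                              ("unrelated", UNRELATED)]:
        print(name, detect("a", req, resp, ASSOCIATES_OF_A, TARGET_INFO))
```

The batch search shows why the response is inspected as well as the request: the request names no associated user, yet the response returns two of them.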
Next, please refer to fig. 7, which is a schematic diagram illustrating an implementation process of an abnormal query detection method according to an exemplary embodiment of the present disclosure. As shown in fig. 7, a server corresponding to the target application system may collect the on-terminal logs (device logs) of the mobile terminals and, through data cleaning, obtain the WiFi network identifier to which each mobile terminal is connected and the user identifier logged in on that mobile terminal, so as to construct a mapping relationship between the WiFi network identifier and the user identifier. Since user identifiers connected to the same WiFi network are considered by default to have a direct or indirect relationship, the association relationship information between the user identifiers (i.e., the association relationship between the users) may be further determined according to the mapping relationship between the WiFi network identifiers and the user identifiers. When performing abnormal query detection for a target application system (office application system), the server may first collect the traffic logs of the office network application system and, through data cleaning, filter out the query behaviors of staff (queriers), for example, but not limited to, query behaviors for sensitive data (target query operations). Then, the information of the querier (target query user identifier) can be used to obtain the persons associated with the querier (namely, the target association relationship information corresponding to the target query user identifier), and abnormal query detection can be performed on the query behavior (target query operation) according to whether the data of the associated persons (namely, the information of the target user identifiers associated with the target query user identifier) is hit in the request and response packets of the query behavior (target query information).
If the data of an associated person is hit in the request and response packets (target query information) of the query behavior, the query behavior (target query operation) is an unexpected behavior and further research and judgment processing is needed, so that unexpected query behavior, initiated by staff in the office application system, on the data of the target user identifiers associated with them can be resisted.
Next, please refer to fig. 8, which is a schematic diagram illustrating a structure of an abnormal query detection apparatus according to an exemplary embodiment of the present disclosure. As shown in fig. 8, the abnormal inquiry detection apparatus 800 includes:
the first obtaining module 810 is configured to obtain, when a target query operation for a target application system is monitored, a target query user identifier and target query information corresponding to the target query operation; the target query information comprises target request information and/or target response information corresponding to the target query operation;
a second obtaining module 820, configured to obtain corresponding target association information based on the target query user identifier; the target association relationship information comprises a target user identifier associated with the target query user identifier; the target association relation information is determined based on the WiFi network identifier connected with the mobile terminal corresponding to the target inquiry user identifier;
the abnormal query detection module 830 is configured to perform abnormal query detection based on the target query information and the target association relationship information, to obtain a target abnormal query detection result corresponding to the target query operation.
In one possible implementation manner, the second obtaining module 820 is specifically configured to:
Determining corresponding target association relation information from at least one association relation information based on the target inquiry user identification; the association relation information comprises user identifications corresponding to mobile terminals connected with the same WiFi network.
In one possible implementation manner, the abnormal query detection apparatus 800 further includes:
the third acquisition module is used for acquiring the equipment logs corresponding to the mobile terminals respectively; the equipment log comprises a WiFi network identifier connected with the mobile terminal and a user identifier logged in on the mobile terminal;
the first determining module is used for determining a mapping relation between the WiFi network identifier and the user identifier based on the equipment logs corresponding to the mobile terminals respectively;
and the second determining module is used for determining the at least one association relation information based on the mapping relation.
In one possible implementation manner, the abnormal query detection module 830 is specifically configured to:
comparing the target query information with the target association relation information, if the target query information comprises the target information, determining the target query operation as abnormal query operation, and if the target query information does not comprise the target information, determining the target query operation as normal query operation; the target information is used to characterize information related to the target user identification.
In one possible implementation manner, the abnormal query detection apparatus 800 further includes:
and the research and judgment processing module is used for carrying out research and judgment processing on the target query operation if the target query operation is abnormal query operation, so as to obtain a target research and judgment result corresponding to the target query operation.
In one possible implementation manner, the abnormal query detection apparatus 800 further includes:
the judging module is used for judging whether the target alarm quantity corresponding to the target inquiry information is larger than a target threshold value or not; the target alarm amount is determined based on the target query information and the target association relation information;
the above-mentioned research judgement processing module is specifically used for:
and if the target alarm quantity corresponding to the target query information is larger than a target threshold value, performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
In one possible implementation manner, the abnormal query detection apparatus 800 further includes:
and the interception processing module is used for intercepting the target query operation if the target alarm quantity corresponding to the target query information is smaller than or equal to a target threshold value.
In one possible implementation manner, the abnormal query detection apparatus 800 further includes:
and the alarm module is used for sending alarm information if the target query operation is an abnormal query operation.
The division of the modules in the abnormal query detection apparatus is only used for illustration; in other embodiments, the abnormal query detection apparatus can be divided into different modules as required, so as to complete all or part of its functions. Each module in the abnormal query detection apparatus provided in the embodiments of the present specification may be implemented in the form of a computer program. The computer program may run on a mobile terminal or a server. Program modules of the computer program may be stored in the memory of the mobile terminal or server. The computer program, when executed by a processor, implements all or part of the steps of the abnormal query detection method described in the embodiments of the present specification.
Next, please refer to fig. 9, which is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present disclosure. As shown in fig. 9, the electronic device 900 may include: at least one processor 910, at least one communication bus 920, a user interface 930, at least one network interface 940, and a memory 950.
Wherein the communication bus 920 may be used to implement the connectivity communications of the various components described above.
The user interface 930 may include a display screen (Display) and a camera (Camera); optionally, the user interface 930 may further include a standard wired interface and a wireless interface.
The network interface 940 may optionally include, among other things, a Bluetooth module, a near field communication (Near Field Communication, NFC) module, a wireless fidelity (Wireless Fidelity, Wi-Fi) module, and the like.
The processor 910 may include one or more processing cores. The processor 910 connects the various parts of the entire electronic device 900 using various interfaces and lines, and performs the various functions of the electronic device 900 and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 950 and invoking data stored in the memory 950. Optionally, the processor 910 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), and programmable logic array (Programmable Logic Array, PLA). The processor 910 may integrate one or a combination of several of a central processing unit (Central Processing Unit, CPU), a graphics processing unit (Graphics Processing Unit, GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU is used for rendering and drawing the content to be displayed by the display screen; the modem is used to handle wireless communications. It will be appreciated that the modem may also not be integrated into the processor 910 and may instead be implemented by a separate chip.
The Memory 950 may include a random access Memory (Random Access Memory, RAM) or a Read-Only Memory (ROM). Optionally, the memory 950 includes a non-transitory computer readable medium. Memory 950 may be used to store instructions, programs, code, sets of codes, or sets of instructions. The memory 950 may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for at least one function (such as an acquisition function, an abnormal query detection function, a determination function, etc.), instructions for implementing the various method embodiments described above, and the like; the storage data area may store data or the like referred to in the above respective method embodiments. Memory 950 may also optionally be at least one storage device located remotely from the processor 910. As shown in fig. 9, an operating system, network communication modules, user interface modules, and program instructions may be included in memory 950, which is a type of computer storage medium.
In some possible embodiments, the electronic device 900 may be the above-mentioned abnormal query detection apparatus, and the processor 910 may be configured to call the program instructions stored in the memory 950, and specifically perform the following operations:
When target query operation aiming at a target application system is monitored, a target query user identifier and target query information corresponding to the target query operation are obtained; the target query information comprises target request information and/or target response information corresponding to the target query operation.
Acquiring corresponding target association relation information based on the target inquiry user identification; the target association relationship information comprises a target user identifier associated with the target query user identifier; the target association relation information is determined based on the WiFi network identifier connected with the mobile terminal corresponding to the target inquiry user identifier.
And carrying out abnormal query detection based on the target query information and the target association relation information to obtain a target abnormal query detection result corresponding to the target query operation.
In some possible embodiments, when obtaining the corresponding target association relationship information based on the target query user identifier, the processor 910 is specifically configured to perform:
determining corresponding target association relation information from at least one association relation information based on the target inquiry user identification; the association relation information comprises user identifications corresponding to mobile terminals connected with the same WiFi network.
In some possible embodiments, before the processor 910 performs the determining, based on the target query user identifier, corresponding target association information from at least one association information, the method further includes:
acquiring equipment logs corresponding to a plurality of mobile terminals respectively; the equipment log comprises WiFi network identifiers connected with the mobile terminal and user identifiers logged on the mobile terminal.
And determining the mapping relation between the WiFi network identifier and the user identifier based on the equipment logs corresponding to the mobile terminals.
And determining the at least one association relation information based on the mapping relation.
In some possible embodiments, when performing the abnormal query detection based on the target query information and the target association relationship information to obtain a target abnormal query detection result corresponding to the target query operation, the processor 910 is specifically configured to perform:
comparing the target query information with the target association relation information, if the target query information comprises the target information, determining the target query operation as abnormal query operation, and if the target query information does not comprise the target information, determining the target query operation as normal query operation; the target information is used to characterize information related to the target user identification.
In some possible embodiments, after performing the abnormal query detection based on the target query information and the target association relation information, the processor 910 is further configured to perform:
if the target query operation is an abnormal query operation, performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
In some possible embodiments, before performing the research and judgment processing on the target query operation to obtain the target research and judgment result corresponding to the target query operation, the processor 910 is further configured to perform:
judging whether the target alarm quantity corresponding to the target query information is greater than a target threshold; the target alarm quantity is determined based on the target query information and the target association relation information.
When performing the research and judgment processing on the target query operation to obtain the target research and judgment result corresponding to the target query operation, the processor 910 is specifically configured to perform:
if yes, performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
In some possible embodiments, after judging whether the target alarm quantity corresponding to the target query information is greater than the target threshold, the processor 910 is further configured to perform:
if not, performing interception processing on the target query operation.
In some possible embodiments, after performing the abnormal query detection based on the target query information and the target association relation information, the processor 910 is further configured to perform:
if the target query operation is an abnormal query operation, sending out alarm information.
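The flow described in the embodiments above (WiFi-to-user mapping from device logs, comparison of query information against the associated user identifiers, then the threshold branch), as an added Python example that is not part of the patent text. The log tuple layout, the exact-match comparison, the `threshold` default and the definition of the alarm quantity as the number of associated user identifiers found in one query are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed device logs: (device id, WiFi network id, logged-in user id).
DEVICE_LOGS = [
    ("dev-1", "wifi-A", "emp-001"),
    ("dev-2", "wifi-A", "cust-100"),
    ("dev-3", "wifi-A", "cust-101"),
    ("dev-4", "wifi-B", "emp-002"),
    ("dev-5", "wifi-C", "cust-300"),
]

def build_associations(device_logs):
    """WiFi id -> user ids, then user id -> other user ids on the same WiFi."""
    wifi_users = defaultdict(set)
    for _device, wifi_id, user_id in device_logs:
        wifi_users[wifi_id].add(user_id)
    assoc = defaultdict(set)
    for users in wifi_users.values():
        for user in users:
            assoc[user] |= users - {user}
    return dict(assoc)

def values_in(obj):
    """Yield every scalar in a nested request/response structure as a string."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from values_in(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from values_in(value)
    else:
        yield str(obj)

def check_query(query_user, request, response, assoc, threshold=1):
    """Classify one query operation and pick the follow-up action."""
    related = assoc.get(query_user, set())
    # Assumption: identifiers appear as whole field values (exact match only).
    seen = set(values_in(request)) | set(values_in(response))
    hits = sorted(related & seen)
    if not hits:
        return {"result": "normal", "hits": [], "action": None, "alarm": False}
    # Assumption: alarm quantity = associated user ids exposed by this query.
    # Rule as stated on the page: above the threshold -> research and judgment
    # ("review"), otherwise -> interception ("intercept").
    action = "review" if len(hits) > threshold else "intercept"
    return {"result": "abnormal", "hits": hits, "action": action, "alarm": True}

ASSOC = build_associations(DEVICE_LOGS)
```

A user who shares no WiFi network with anyone else (`emp-002` in the constructed logs) has an empty association set, so none of that user's queries can be flagged by this check.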
The present description also provides a computer-readable storage medium having instructions stored therein which, when executed on a computer or processor, cause the computer or processor to perform one or more steps of the above embodiments. The respective constituent modules of the abnormal query detection apparatus, if implemented in the form of software functional units and sold or used as independent products, may be stored in the computer-readable storage medium.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present specification are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted via the computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (Digital Subscriber Line, DSL)) or wireless means (e.g., infrared, wireless, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (Digital Versatile Disc, DVD)), or a semiconductor medium (e.g., a solid state disk (Solid State Disk, SSD)).
Those skilled in the art will appreciate that all or part of the above-described embodiment methods may be implemented by a computer program instructing relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may comprise the processes of the embodiment methods described above. The aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, and magnetic or optical disks. The technical features in the present examples and embodiments may be arbitrarily combined without conflict.
The above-described embodiments are merely preferred embodiments of the present disclosure, and do not limit the scope of the disclosure, and various modifications and improvements made by those skilled in the art to the technical solution of the disclosure should fall within the scope of protection defined by the claims.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims and description may be performed in an order different from that in the embodiments recited in the description and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

Claims (12)

1. An abnormal query detection method, the method comprising:
when target query operation aiming at a target application system is monitored, a target query user identifier and target query information corresponding to the target query operation are acquired; the target query information comprises target request information and/or target response information corresponding to the target query operation;
acquiring corresponding target association relation information based on the target query user identifier; the target association relation information comprises a target user identifier associated with the target query user identifier; the target association relation information is determined based on the identifier of the WiFi network to which the mobile terminal corresponding to the target query user identifier is connected;
and carrying out abnormal query detection based on the target query information and the target association relation information to obtain a target abnormal query detection result corresponding to the target query operation.
2. The method of claim 1, wherein the obtaining the corresponding target association information based on the target query user identification comprises:
determining corresponding target association relation information from at least one association relation information based on the target query user identification; the association relation information comprises user identifications corresponding to mobile terminals connected with the same WiFi network.
3. The method of claim 2, wherein before determining corresponding target association information from at least one association information based on the target query user identification, the method further comprises:
acquiring equipment logs corresponding to a plurality of mobile terminals respectively; the equipment log comprises a WiFi network identifier connected with the mobile terminal and a user identifier logged in on the mobile terminal;
determining a mapping relation between the WiFi network identifier and the user identifier based on the equipment logs corresponding to the mobile terminals respectively;
and determining the at least one association relation information based on the mapping relation.
4. The method of claim 1, wherein the performing the abnormal query detection based on the target query information and the target association information to obtain the target abnormal query detection result corresponding to the target query operation includes:
comparing the target query information with the target association relation information, if the target query information comprises target information, determining the target query operation as abnormal query operation, and if the target query information does not comprise target information, determining the target query operation as normal query operation; the target information is used for representing information related to the target user identification.
5. The method of claim 1, wherein after the performing the abnormal query detection based on the target query information and the target association information to obtain the target abnormal query detection result corresponding to the target query operation, the method further comprises:
and if the target query operation is an abnormal query operation, performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
6. The method of claim 5, wherein before performing the research and judgment processing on the target query operation to obtain the target research and judgment result corresponding to the target query operation, the method further comprises:
judging whether the target alarm quantity corresponding to the target query information is greater than a target threshold; the target alarm quantity is determined based on the target query information and the target association relation information;
the performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation comprises:
if yes, performing research and judgment processing on the target query operation to obtain a target research and judgment result corresponding to the target query operation.
7. The method of claim 6, wherein after the judging whether the target alarm quantity corresponding to the target query information is greater than the target threshold, the method further comprises:
if not, intercepting the target query operation.
8. The method of claim 1, wherein after the performing the abnormal query detection based on the target query information and the target association information to obtain the target abnormal query detection result corresponding to the target query operation, the method further comprises:
and if the target query operation is an abnormal query operation, sending out alarm information.
9. An abnormal query detection apparatus, the apparatus comprising:
the first acquisition module is used for acquiring a target query user identifier and target query information corresponding to a target query operation when the target query operation aiming at the target application system is monitored; the target query information comprises target request information and/or target response information corresponding to the target query operation;
the second acquisition module is used for acquiring corresponding target association relation information based on the target query user identifier; the target association relation information comprises a target user identifier associated with the target query user identifier; the target association relation information is determined based on the identifier of the WiFi network to which the mobile terminal corresponding to the target query user identifier is connected;
and the abnormal query detection module is used for carrying out abnormal query detection based on the target query information and the target association relation information to obtain a target abnormal query detection result corresponding to the target query operation.
10. An electronic device, comprising: a processor and a memory;
the processor is connected with the memory;
the memory is used for storing executable program codes;
the processor runs a program corresponding to executable program code stored in the memory by reading the executable program code for performing the method according to any one of claims 1-8.
11. A computer storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the method steps of any of claims 1-8.
12. A computer program product comprising instructions which, when run on a computer or processor, cause the computer or processor to perform the method of any of claims 1-8.
CN202311476682.9A 2023-11-08 2023-11-08 Abnormal query detection method, device, equipment, medium and program product Pending CN117640153A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311476682.9A CN117640153A (en) 2023-11-08 2023-11-08 Abnormal query detection method, device, equipment, medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311476682.9A CN117640153A (en) 2023-11-08 2023-11-08 Abnormal query detection method, device, equipment, medium and program product

Publications (1)

Publication Number Publication Date
CN117640153A true CN117640153A (en) 2024-03-01

Family

ID=90034753

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311476682.9A Pending CN117640153A (en) 2023-11-08 2023-11-08 Abnormal query detection method, device, equipment, medium and program product

Country Status (1)

Country Link
CN (1) CN117640153A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination