CN117640159A - Abnormal access detection method, device, equipment, medium and program product - Google Patents


Info

Publication number
CN117640159A
Authority
CN
China
Prior art keywords
target
access
trusted
response
access operation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311479381.1A
Other languages
Chinese (zh)
Inventor
柳寒
张园超
高嵩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang eCommerce Bank Co Ltd
Original Assignee
Zhejiang eCommerce Bank Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the specification discloses an abnormal access detection method, device, equipment, medium and product. Wherein the method comprises the following steps: when a target access operation aiming at a target application system is monitored, a target access behavior log corresponding to the target access operation is acquired; determining a target response relation pair corresponding to the target access operation based on the target access behavior log; and performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation, wherein the trusted response relation pair is obtained by combining at least two trusted access relation items, the at least two trusted access relation items are obtained based on a historical access behavior log of the target application system, and one trusted access relation item in the at least two trusted access relation items is a trusted response data type item.

Description

Abnormal access detection method, device, equipment, medium and program product
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an abnormal access detection method, apparatus, device, medium, and program product.
Background
At present, network technology is developing rapidly, the security requirements placed on networks are growing, and an increasing number of abnormal attack behaviors that illegally obtain or steal data exist in current networks. For enterprise information security construction, unified account management, authentication, authorization, auditing and the like are mainly performed at present to ensure the legitimacy of a visitor's identity, and conventional abnormal access detection basically relies on auditing to perform data security audits, or judges abnormal access according to the access source address information and the address information in a trusted address resource pool.
Disclosure of Invention
The embodiment of the specification provides an abnormal access detection method, device, equipment, medium and program product, which realize high-efficiency abnormal detection of access operation based on response data type of the access operation, protect data information safety related to an application system and improve attack defense performance of the application system. The technical scheme is as follows:
in a first aspect, an embodiment of the present disclosure provides an abnormal access detection method, where the method includes:
when target access operation aiming at a target application system is monitored, a target access behavior log corresponding to the target access operation is obtained;
Determining a target response relation pair corresponding to the target access operation based on the target access behavior log;
performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation; the trusted response relation is obtained by combining at least two trusted access relation items; the at least two trusted access relation items are obtained based on the historical access behavior log of the target application system; one of the at least two trusted access relationship items is a trusted response data type item.
In one possible implementation manner, the determining, based on the target access behavior log, a target response relationship pair corresponding to the target access operation includes:
extracting at least two target behavior attributes from the target access behavior log; one target behavior attribute exists in the at least two target behavior attributes and is a target response data type corresponding to the target access operation;
and respectively taking the at least two target behavior attributes as target access relation items, and combining the at least two target access relation items to obtain a target response relation pair corresponding to the target access operation.
In a possible implementation manner, one target behavior attribute is a target access user identifier corresponding to the target access operation, and one trusted access relationship item is a trusted access user identifier corresponding to the trusted response data type item;
or
One target access interface corresponding to the target application system is also present in the at least two target behavior attributes, and one trusted access interface corresponding to the trusted response data type item is also present in the at least two trusted access relationship items;
or
Among the at least two target behavior attributes, there are also the following two target behavior attributes: the target access user identifier corresponding to the target access operation and the target access interface corresponding to the target application system, wherein the at least two trusted access relation items also have the following two trusted access relation items: and the trusted access user identification item and the trusted access interface item corresponding to the trusted response data type item.
In a possible implementation manner, before the performing abnormal access detection based on the target response relationship pair and the trusted response relationship pair to obtain a target abnormal access detection result corresponding to the target access operation, the method further includes:
Acquiring a history access behavior log in the security access period of the target application system;
extracting at least two historical behavior attributes from the historical access behavior log;
and respectively taking the at least two historical behavior attributes as trusted access relation items, and combining the at least two trusted access relation items to obtain a trusted response relation pair corresponding to the target application system.
In one possible implementation manner, the target access behavior log includes a target response packet corresponding to the target access operation;
after the target access behavior log corresponding to the target access operation is obtained, before the target response relation pair corresponding to the target access operation is determined based on the target access behavior log, the method further includes:
judging whether sensitive data exists in the target response packet;
the determining, based on the target access behavior log, a target response relationship pair corresponding to the target access operation includes:
if yes, determining a target response relation pair corresponding to the target access operation based on the target access behavior log.
In one possible implementation manner, after the determining whether the sensitive data exists in the target response packet, the method further includes:
If not, and the target access interface corresponding to the target access operation belongs to the sensitive data access interface, determining that the target access operation is an abnormal access operation.
In one possible implementation manner, the performing abnormal access detection based on the target response relationship pair and the trusted response relationship pair to obtain a target abnormal access detection result corresponding to the target access operation includes:
and comparing the target response relation pair with the trusted response relation pair, if the target response relation pair is in the trusted response relation pair, determining that the target access operation is a normal access operation, and if the target response relation pair is not in the trusted response relation pair, determining that the target access operation is an abnormal access operation.
In one possible implementation manner, after the detecting the abnormal access based on the target response relationship pair and the trusted response relationship pair to obtain a target abnormal access detection result corresponding to the target access operation, the method further includes:
and if the target access operation is an abnormal access operation, performing research and judgment processing on the target access operation to obtain a target research and judgment result corresponding to the target access operation.
In one possible implementation manner, after the performing the research and judgment processing on the target access operation to obtain the target research and judgment result corresponding to the target access operation, the method further includes:
and if the target research and judgment result is that the target access operation is a normal access operation, updating the trusted response relation pair based on the target response relation pair corresponding to the target access operation.
In a second aspect, embodiments of the present specification provide an abnormal access detection apparatus, including:
the first acquisition module is used for acquiring a target access behavior log corresponding to target access operation when the target access operation aiming at the target application system is monitored;
the first determining module is used for determining a target response relation pair corresponding to the target access operation based on the target access behavior log;
the abnormal access detection module is used for carrying out abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation; the trusted response relation is obtained by combining at least two trusted access relation items; the at least two trusted access relation items are obtained based on the historical access behavior log of the target application system; one of the at least two trusted access relationship items is a trusted response data type item.
In one possible implementation manner, the first determining module includes:
the extraction unit is used for extracting at least two target behavior attributes from the target access behavior log; one target behavior attribute exists in the at least two target behavior attributes and is a target response data type corresponding to the target access operation;
and the combination unit is used for respectively taking the at least two target behavior attributes as target access relation items and combining the at least two target access relation items to obtain a target response relation pair corresponding to the target access operation.
In a possible implementation manner, one target behavior attribute is a target access user identifier corresponding to the target access operation, and one trusted access relationship item is a trusted access user identifier corresponding to the trusted response data type item;
or
One target access interface corresponding to the target application system is also present in the at least two target behavior attributes, and one trusted access interface corresponding to the trusted response data type item is also present in the at least two trusted access relationship items;
or
Among the at least two target behavior attributes, there are also the following two target behavior attributes: the target access user identifier corresponding to the target access operation and the target access interface corresponding to the target application system, wherein the at least two trusted access relation items also have the following two trusted access relation items: and the trusted access user identification item and the trusted access interface item corresponding to the trusted response data type item.
In one possible implementation manner, the abnormal access detection apparatus further includes:
the second acquisition module is used for acquiring the history access behavior log in the security access period of the target application system;
the extraction module is used for extracting at least two historical behavior attributes from the historical access behavior log;
and the combination module is used for respectively taking the at least two historical behavior attributes as trusted access relation items and combining the at least two trusted access relation items to obtain a trusted response relation pair corresponding to the target application system.
In one possible implementation manner, the target access behavior log includes a target response packet corresponding to the target access operation;
the abnormal access detection apparatus further includes:
The judging module is used for judging whether sensitive data exists in the target response packet;
the first determining module is specifically configured to:
if yes, determining a target response relation pair corresponding to the target access operation based on the target access behavior log.
In one possible implementation manner, the abnormal access detection apparatus further includes:
and the second determining module is used for determining that the target access operation is abnormal access operation if the target access interface corresponding to the target access operation belongs to the sensitive data access interface.
In one possible implementation manner, the abnormal access detection module is specifically configured to:
and comparing the target response relation pair with the trusted response relation pair, if the target response relation pair is in the trusted response relation pair, determining that the target access operation is a normal access operation, and if the target response relation pair is not in the trusted response relation pair, determining that the target access operation is an abnormal access operation.
In one possible implementation manner, the abnormal access detection apparatus further includes:
and the research and judgment processing module is used for carrying out research and judgment processing on the target access operation if the target access operation is abnormal access operation, so as to obtain a target research and judgment result corresponding to the target access operation.
In one possible implementation manner, the abnormal access detection apparatus further includes:
and the updating module is used for updating the trusted response relation pair based on the target response relation corresponding to the target access operation if the target research result is that the target access operation is the normal access operation.
In a third aspect, embodiments of the present disclosure provide an electronic device, including: a processor and a memory;
the processor is connected with the memory;
the memory is used for storing executable program codes;
the processor executes a program corresponding to the executable program code stored in the memory by reading the executable program code for performing the method provided by the first aspect of the embodiments of the present specification or any one of the possible implementations of the first aspect.
In a fourth aspect, embodiments of the present specification provide a computer storage medium having stored thereon a plurality of instructions adapted to be loaded by a processor and to carry out the method provided by the first aspect of embodiments of the present specification or any one of the possible implementations of the first aspect.
In a fifth aspect, embodiments of the present description provide a computer program product comprising instructions which, when run on a computer or a processor, cause the computer or the processor to perform the method provided by the first aspect of embodiments of the present description or any one of the possible implementations of the first aspect.
In the embodiment of the present disclosure, when a target access operation for a target application system is monitored, a target access behavior log corresponding to the target access operation is obtained; determining a target response relation pair corresponding to the target access operation based on the target access behavior log; and performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation, wherein the trusted response relation pair is obtained by combining at least two trusted access relation items, the at least two trusted access relation items are obtained based on a historical access behavior log of the target application system, one trusted access relation item in the at least two trusted access relation items is a trusted response data type item, and therefore the trusted access relation pair constructed by the trusted response data type of the target application system in the security access period is used as a trusted defense strategy of the target application system, efficient abnormal detection of the target access operation is realized based on the target response relation pair of the target access operation, data information security related to the target application system is protected, and attack defense performance of the target application system is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present description, the drawings that are required in the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present description, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an abnormal access detection system according to an exemplary embodiment of the present disclosure;
FIG. 2 is a flowchart of an abnormal access detection method according to an exemplary embodiment of the present disclosure;
FIG. 3 is a schematic diagram of an implementation process for determining a target response relationship pair according to an exemplary embodiment of the present disclosure;
FIGS. 4A-4C are schematic diagrams of a target response relationship pair and a trusted response relationship pair provided in an exemplary embodiment of the present description;
FIG. 5 is a schematic flow chart of an implementation of determining a trusted response relationship pair according to an exemplary embodiment of the present disclosure;
FIG. 6 is a schematic diagram of an update process of a trusted response relationship pair according to an exemplary embodiment of the present disclosure;
FIG. 7 is a flowchart illustrating another method for detecting abnormal access according to an exemplary embodiment of the present disclosure;
FIG. 8 is a schematic diagram illustrating an implementation process of abnormal access detection according to an exemplary embodiment of the present disclosure;
fig. 9 is a schematic structural diagram of an abnormal access detection apparatus according to an exemplary embodiment of the present disclosure;
fig. 10 is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification.
The terms first, second, third and the like in the description and in the claims and in the above drawings, are used for distinguishing between different objects and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, information (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data for analysis, stored data, presented data, etc.), and signals according to the embodiments of the present disclosure are all authorized by the user or are fully authorized by the parties, and the collection, use, and processing of relevant data is required to comply with relevant laws and regulations and standards of relevant countries and regions. For example, the target access behavior log, the history access behavior log, and the like referred to in this specification are obtained with sufficient authorization.
Next, please refer to fig. 1, which is a schematic diagram illustrating an architecture of an anomaly access detection system according to an exemplary embodiment of the present disclosure. As shown in fig. 1, the abnormal access detection system includes: a terminal 110 and a server 120. Wherein:
Terminal 110 may interact with server 120 over a network to receive messages from server 120 or to send messages to server 120, or terminal 110 may interact with server 120 over a network to receive messages or data sent by other users to server 120. The terminal 110 may be hardware or software. When the terminal 110 is hardware, it may be any of a variety of electronic devices including, but not limited to, a smart watch, a smart phone, a tablet computer, a laptop computer, a desktop computer, and the like. When the terminal 110 is software, it may be installed in the above-listed electronic devices, and it may be implemented as a plurality of software or software modules (for example, to provide distributed services), or as a single software or software module, which is not specifically limited herein.
Terminal 110 may include one or more clients. User version software may be installed in the terminal 110 for implementing functions such as accessing data of the target application system terminal. The terminal 110 may be triggered to send a target access request to the server 120 corresponding to the target application system through the network based on clicking, sliding, etc. operations of the user, receive a target response packet returned from the server 120 through the network, etc.
The server 120 may be a business server providing various services, such as, but not limited to, a server corresponding to each of a plurality of application systems. The server 120 may be hardware or software. When the server 120 is hardware, it may be implemented as a distributed server cluster formed by a plurality of servers, or may be implemented as a single server. When the server 120 is software, it may be implemented as a plurality of software or software modules (for example, to provide distributed services), or may be implemented as a single software or software module, which is not specifically limited herein. The server 120 may be, but is not limited to, a hardware server, a virtual server, a cloud server, etc.
In the embodiment of the present disclosure, when the server 120 monitors a target access operation for a target application system, a target access behavior log corresponding to the target access operation is obtained; then, the server 120 determines a target response relationship pair corresponding to the target access operation based on the target access behavior log; finally, the server 120 may perform abnormal access detection based on the target response relationship pair and the trusted response relationship pair to obtain a target abnormal access detection result corresponding to the target access operation, where the trusted response relationship pair is obtained by combining at least two trusted access relationship items, the at least two trusted access relationship items are obtained based on a historical access behavior log of the target application system, and one trusted access relationship item in the at least two trusted access relationship items is a trusted response data type item.
The network may be a medium providing a communication link between the terminal 110 and the server 120, or may be the internet including network devices and transmission media, but is not limited thereto. The transmission medium may be a wired link, such as, but not limited to, coaxial cable, fiber optic and digital subscriber lines (digital subscriber line, DSL), etc., or a wireless link, such as, but not limited to, wireless internet (wireless fidelity, WIFI), hypertext transfer protocol (Hypertext Transfer Protocol, HTTP), bluetooth, a mobile device network, etc.
It will be appreciated that the number of terminals 110 and servers 120 in the anomaly access detection system shown in FIG. 1 is by way of example only, and that any number of terminals 110 and servers 120 may be included in the anomaly access detection system in a particular implementation.
Next, referring to fig. 1, an abnormal access detection method provided in an embodiment of the present specification will be described. Referring specifically to fig. 2, a flow chart of an abnormal access detection method according to an exemplary embodiment of the present disclosure is shown. As shown in fig. 2, the abnormal access detection method includes the steps of:
s202, when target access operation aiming at a target application system is monitored, a target access behavior log corresponding to the target access operation is obtained.
Optionally, when the target application system is accessed, a target access behavior log is recorded for the current target access operation on the target application system. The log includes the access account identifier (target access user identifier) of the client corresponding to the visitor (target access user), the IP address, the specific operation performed, the domain name under which the target application system is accessed, the accessed target access interface, the target request packet, the target response packet returned by the target access interface, and the like. When the target application system is accessed normally, the data type in the target response packet returned for a given target access user identifier or target access interface of the target application system is usually relatively fixed. A malicious attacker does not know what type of data the target access interface of the target application system should return, and can hardly use a trusted access user identifier of the target application system to perform malicious access; therefore the malicious attacker generally cannot obtain returned data by using other access user identifiers or by accessing through the target access interface, or the response data type in the returned target response packet differs from the response data type (trusted response data type) recorded in the historical access behavior log for the trusted access user identifier or target access interface.
From the above it follows that, by comparing the target response relation pair corresponding to a target access operation on the target application system with the trusted response relation pair established during secure access, it can be known whether the target access operation on the target application system is an abnormal operation, so that defensive processing can be applied to the target access operation in time.
Specifically, when the target access operation for the target application system is monitored, the target access behavior log corresponding to the target access operation needs to be determined first, where the target access behavior log may include, but is not limited to, a target request packet, a target response packet, a target access user identifier, an IP address corresponding to the target access user identifier, an identifier of a used device, a specific operation performed, a target access interface accessed by the target application system, a target domain name, and the like of the target application system, so as to facilitate determination of a target response relationship pair corresponding to a subsequent target access operation and more accurate research and judgment processing of the target access operation.
S204, determining a target response relation pair corresponding to the target access operation based on the target access behavior log.
Specifically, as shown in fig. 3, after a target access behavior log corresponding to a target access operation is obtained, at least two target behavior attributes are extracted from the target access behavior log, one of the at least two target behavior attributes is a target response data type corresponding to the target access operation, then the at least two target behavior attributes are respectively used as target access relation items, and at least two target access relation items corresponding to the at least two target behavior attributes are combined to obtain a target response relation pair corresponding to the target access operation.
For example, if the target access behavior log includes the target access interface a accessed on the target application system, the target access user identifier a under which the target application system was accessed, and the target response packet B returned to the client corresponding to the target access user identifier a, where the data in the target response packet B is a mobile phone number, then the three target behavior attributes in the target access behavior log, namely the target access user identifier a, the target access interface a, and the target response data type "mobile phone number", may be used directly as target access relation items and combined to obtain the target response relation pair "target access user identifier a-target access interface a-mobile phone number" corresponding to the target access operation.
S206, performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation.
Specifically, the trusted response relation pair is obtained by combining at least two trusted access relation items. The at least two trusted access relation items are derived from the historical access behavior log of the target application system, and one of them is a trusted response data type item.
It will be appreciated that, to ensure the accuracy and feasibility of abnormal access detection based on the target response relation pair and the trusted response relation pair, the types of the target access relation items in the target response relation pair and of the trusted access relation items in the trusted response relation pair should be consistent.
Optionally, as shown in fig. 4A, in addition to the target behavior attribute that is the target response data type, the at least two target behavior attributes may also include the target access user identifier corresponding to the target access operation, that is, the target response relation pair may be "target access user identifier-target response data type". Correspondingly, in addition to the trusted access relation item that is the trusted response data type item, the trusted access relation items may also include a trusted access user identifier item corresponding to the trusted response data type item, that is, the trusted response relation pair may be "trusted access user identifier-trusted response data type". It can be understood that the target response relation pair and the trusted response relation pair correspond to the same target application system: the target access user identifier and the trusted access user identifier are both access user identifiers of that target application system, and the target response data type and the trusted response data type are both types of data returned by that target application system in response to the access requests of the respective access user identifiers.
Optionally, as shown in fig. 4B, in addition to the target behavior attribute that is the target response data type, the at least two target behavior attributes may also include the target access interface corresponding to the target application system, that is, the target response relation pair may be "target access interface-target response data type". Correspondingly, in addition to the trusted access relation item that is the trusted response data type item, the trusted access relation items may also include a trusted access interface item corresponding to the trusted response data type item, that is, the trusted response relation pair may be "trusted access interface-trusted response data type". It can be understood that the target response relation pair and the trusted response relation pair correspond to the same target application system: the target access interface and the trusted access interface are both access interfaces of that target application system, and the target response data type and the trusted response data type are both types of data returned by that target application system from the respective access interfaces.
Optionally, as shown in fig. 4C, in addition to the target behavior attribute that is the target response data type, the at least two target behavior attributes may include both of the following: the target access user identifier corresponding to the target access operation and the target access interface corresponding to the target application system, that is, the target response relation pair may be "target access user identifier-target response data type-target access interface". Correspondingly, in addition to the trusted access relation item that is the trusted response data type item, the at least two trusted access relation items include both of the following: the trusted access user identifier item and the trusted access interface item corresponding to the trusted response data type item, that is, the trusted response relation pair may be "trusted access user identifier-trusted response data type-trusted access interface". It will be appreciated that the target response relation pair and the trusted response relation pair correspond to the same target application system.
It can be understood that, because different interfaces return different types of response data, in order to strengthen the protection of sensitive data in the target application system and to increase the sensitivity of abnormal access detection for access operations that return sensitive data, the trusted access interface may be a sensitive interface, recorded in the historical access behavior log, that can return sensitive data. The historical access behavior log may record, for example but not limited to, whether the response packets returned by each interface of the target application system contain sensitive data, and the specific type of sensitive data returned, such as an identity identifier or a mobile phone number.
Specifically, performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain the target abnormal access detection result corresponding to the target access operation may include comparing the target response relation pair corresponding to the target access operation with the trusted response relation pairs corresponding to the target application system. If the target response relation pair is among the trusted response relation pairs, the target response data type corresponding to the target access user identifier or the target access interface of the target access operation is consistent with the historical access behavior log, that is, the target behavior attributes of the target access operation do not exceed the range of the historical behavior attributes, and the target access operation is determined to be a normal access operation. If the target response relation pair is not among the trusted response relation pairs, the target response data type corresponding to the target access user identifier or the target access interface of the target access operation is inconsistent with the historical access behavior log, that is, the target behavior attributes of the target access operation exceed the range of the historical behavior attributes, and the target access operation may be determined to be an abnormal access operation.
In the embodiment of the present disclosure, when a target access operation for a target application system is monitored, the target access behavior log corresponding to the target access operation is obtained; the target response relation pair corresponding to the target access operation is determined based on the target access behavior log; and abnormal access detection is performed based on the target response relation pair and the trusted response relation pair to obtain the target abnormal access detection result corresponding to the target access operation. The trusted response relation pair is obtained by combining at least two trusted access relation items, which are obtained from the historical access behavior log of the target application system, and one of which is a trusted response data type item. In this way, the trusted response relation pairs constructed from the trusted response data types of the target application system during its secure access period serve as the trusted defense policy of the target application system; efficient abnormal access detection of the target access operation is achieved based on its target response relation pair, the data information security of the target application system is protected, and the attack defense performance of the target application system is improved.
In some possible embodiments, before abnormal access detection is performed on the target access operation, a trusted policy for the HTTP response packets of the target application system, that is, the trusted response relation pair, is also determined. The flow for determining the trusted response relation pair corresponding to the target application system is shown in fig. 5; that is, before performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain the target abnormal access detection result corresponding to the target access operation in S206, the abnormal access detection method further includes:
S502, acquiring a historical access behavior log from the secure access period of the target application system.
Specifically, the historical access behavior log may include, but is not limited to, a request packet received during historical secure access of the target application system, a response packet corresponding to feedback, an access user identifier, an IP address corresponding to the access user identifier, an identifier of a used device, a specific operation performed, a trusted access interface accessed by the target application system, a domain name, and the like.
It may be appreciated that step S502 may be performed before step S202, that is, the trusted response relation pairs corresponding to a plurality of application systems are determined in advance, and when a target access operation for the target application system is monitored, the trusted response relation pair corresponding to the target application system is selected from them and abnormal access detection is performed. Alternatively, step S502 may be performed after step S202 and before step S206, that is, after the target access operation for the target application system is monitored, not only is the target response relation pair corresponding to the target access operation determined from the target access behavior log of the target application system, but the trusted response relation pair of the target application system is also determined from its historical access behavior log, and finally abnormal access detection is performed based on the target response relation pair and the trusted response relation pair.
It will be appreciated that the target access behavior log is an access behavior log generated after the historical access behavior log. The historical access behavior log records the information related to the various access behaviors that occurred during the secure access period in the history of the target application system.
S504, at least two historical behavior attributes are extracted from the historical access behavior log.
Specifically, a plurality of historical access operations for the target application system are recorded in the historical access behavior log, and the at least two historical behavior attributes are extracted for each of the plurality of historical access operations. The types of historical behavior attributes extracted for different historical access operations should be the same, to ensure the consistency of the trusted response relation pairs.
S506, at least two historical behavior attributes are respectively used as trusted access relation items, and at least two trusted access relation items are combined to obtain a trusted response relation pair corresponding to the target application system.
In an exemplary embodiment, if the historical access behavior log includes a historical access operation A, a historical access operation B, and a historical access operation C for the target application system during the secure access period, where the at least two historical behavior attributes of historical access operation A include a trusted access interface a and the trusted response data type "identity identifier" corresponding to it, those of historical access operation B include a trusted access interface b and the trusted response data type "mobile phone number" corresponding to it, and those of historical access operation C include a trusted access interface c and the trusted response data type "bank card number" corresponding to it, then the two historical behavior attributes of each historical access operation may be used directly as trusted access relation items, and the trusted response relation pairs corresponding to the target application system include "trusted access interface a-identity identifier", "trusted access interface b-mobile phone number", and "trusted access interface c-bank card number".
In the embodiment of the specification, no additional labor cost and no additional data acquisition are needed: the defense policy of the target application system (the trusted response relation pairs) can be determined directly from the historical access behavior log of its secure access period, so the defense policy is cheap to obtain. Moreover, a defense policy derived from the actual historical access behavior log is more effective because it fits the actual access conditions of the target application system, which further improves the defense performance of the target application system.
In some possible embodiments, after abnormal access detection is performed based on the target response relation pair and the trusted response relation pair to obtain the target abnormal access detection result corresponding to the target access operation, as shown in fig. 6, if the target abnormal access detection result is that the target access operation is an abnormal access operation, which indicates that the target access operation carries a risk of data leakage and is likely to be an attack on the target application system by an attacker, the target access operation may be further subjected to research and judgment to obtain a target research and judgment result corresponding to it. The research and judgment may be performed on the target access operation based on its target access behavior log, or an audit terminal may be set up: the target access behavior log corresponding to the target access operation is sent to the audit terminal, the audit terminal performs the research and judgment based on that log, and the target research and judgment result is received from the audit terminal. In this way the security of the target access operation is further verified, so that a normal access operation is not affected by a misjudgment.
Further, as shown in fig. 6, when the target abnormal access detection result based on the trusted response relation pair is that the target access operation is an abnormal access operation, but the target research and judgment result obtained after the research and judgment is that the target access operation is a normal access operation, this indicates that the target access operation was unexpected but safe, with no risk of data leakage. In that case the trusted response relation pair may be updated based on the target response relation pair corresponding to the target access operation, for example but not limited to by adding the target response relation pair directly to the trusted response relation pairs.
In the embodiment of the specification, for unexpected access situations in which the target response relation pair is not among the trusted response relation pairs of the target application system, such as a new employee (a new target access user identifier) or a new interface or new function added when the target application system is updated, no additional labor cost or additional operation is needed: once the target access operation has been determined to be a normal access operation by research and judgment, the trusted response relation pairs corresponding to the target application system can be updated directly according to the target response relation pair corresponding to the target access operation. The defense performance of the target application system is thereby strengthened automatically, the accuracy of abnormal access detection is improved, and the validity and timely updating of the defense policy (trusted response relation pairs) of the target application system are ensured.
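As an added illustration of the procedure described above, and not code from the patent, the following Python builds trusted response relation pairs from a constructed historical access behavior log (S502 to S506), reduces target access operations to their target response relation pairs and compares them with the trusted pairs (S204 and S206), and applies the update step after research and judgment has found an operation to be normal. The log line format, field names, URL paths and data type labels are assumptions; the response data type is taken as already recorded in the log, as in the mobile phone number example of S204.

```python
"""Trusted response relation pairs (S502-S506), abnormal access detection
against them (S204-S206), and the update step after research and judgment.

Added illustration, not code from the patent. The log line format
('user=... iface=... type=...'), URL paths and data type labels are assumed;
the response data type is taken to be already present in the log, as in the
patent's own mobile phone number example."""
from dataclasses import dataclass
from typing import Iterable, Tuple

# The three relation-pair shapes described for fig. 4A, 4B and 4C.
PAIR_VARIANTS = {
    "user": ("user", "data_type"),
    "interface": ("interface", "data_type"),
    "user_interface": ("user", "interface", "data_type"),
}


@dataclass(frozen=True)
class AccessRecord:
    user: str        # access user identifier
    interface: str   # access interface of the application system
    data_type: str   # type of data carried in the response packet


def parse_log_line(line: str) -> AccessRecord:
    """Parse one constructed log line such as
    'user=U001 iface=/api/user/idcard type=identity_id'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return AccessRecord(fields["user"], fields["iface"], fields["type"])


def relation_pair(record: AccessRecord, variant: str) -> Tuple[str, ...]:
    """Combine the selected behavior attributes into a relation pair (S506 / S204)."""
    return tuple(getattr(record, name) for name in PAIR_VARIANTS[variant])


class TrustedPolicy:
    """Trusted response relation pairs for one application system."""

    def __init__(self, variant: str = "user_interface") -> None:
        self.variant = variant
        self.pairs = set()

    def build_from_history(self, history_lines: Iterable[str]) -> "TrustedPolicy":
        """S502-S506: every pair observed during the secure access period is trusted."""
        for line in history_lines:
            self.pairs.add(relation_pair(parse_log_line(line), self.variant))
        return self

    def detect(self, record: AccessRecord) -> str:
        """S206: a pair never seen in the secure access period is abnormal."""
        return "normal" if relation_pair(record, self.variant) in self.pairs else "abnormal"

    def accept_after_review(self, record: AccessRecord) -> None:
        """Update step: research and judgment found the operation normal, so trust its pair."""
        self.pairs.add(relation_pair(record, self.variant))


# Constructed historical access behavior log from the secure access period.
HISTORY_LOG = [
    "user=U001 iface=/api/user/idcard type=identity_id",
    "user=U001 iface=/api/user/phone type=mobile_phone",
    "user=U002 iface=/api/user/phone type=mobile_phone",
    "user=U003 iface=/api/user/bankcard type=bank_card",
]

# Constructed target access operations to check.
TARGET_LOG = [
    # U002 has never fetched bank card numbers: abnormal for the user and
    # user-interface variants, but normal for the interface-only variant,
    # because that interface did return bank card numbers in the history.
    "user=U002 iface=/api/user/bankcard type=bank_card",
    # The idcard interface has never returned a bank card number: abnormal for every variant.
    "user=U001 iface=/api/user/idcard type=bank_card",
]


def run_detection(variant: str) -> dict:
    """Return {log line: detection result} for TARGET_LOG under one pair variant."""
    policy = TrustedPolicy(variant).build_from_history(HISTORY_LOG)
    return {line: policy.detect(parse_log_line(line)) for line in TARGET_LOG}


if __name__ == "__main__":
    for variant in PAIR_VARIANTS:
        print(variant, run_detection(variant))
```

The two target lines show why the choice of relation items matters: the interface-only variant accepts any user who retrieves a data type that interface has returned before, while the user-interface variant also requires that this particular user has done so during the secure access period.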
Next, please refer to fig. 7, which is a flowchart illustrating another method for detecting abnormal access according to an exemplary embodiment of the present disclosure. As shown in fig. 7, the abnormal access detection method includes the steps of:
S702, when a target access operation for a target application system is monitored, a target access behavior log corresponding to the target access operation is obtained.
Specifically, S702 is identical to S202, and will not be described here again.
S704, judging whether sensitive data exists in the target response packet.
Optionally, for the target response packet returned by the target application system in response to the target access operation, as recorded in the target access behavior log, if the target access interface corresponding to the target access operation is a sensitive interface of the target application system, that is, an interface that returns sensitive data, whether sensitive data exists in the target response packet, and the data type of that sensitive data when it exists, can be determined by a method such as, but not limited to, regular expression matching. That is, embodiments of the present disclosure may, but are not limited to, perform abnormal access detection only for target access operations on sensitive interfaces, thereby strengthening the defense of the sensitive data of the target application system in a targeted manner.
S706, if yes, determining a target response relation pair corresponding to the target access operation based on the target access behavior log.
Specifically, if the target application system returns sensitive data for the target access operation, there is a risk of sensitive data leakage, so abnormal access detection needs to be performed on the target access operation, and the target response relation pair corresponding to the target access operation is determined based on the target access behavior log.
Optionally, if no sensitive data is returned by the target application system for the target access operation, which indicates that there may be no risk of sensitive data leakage, abnormal access detection is not required for the target access operation.
S708, performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation.
Specifically, S708 corresponds to S206, and will not be described here.
Next, please refer to fig. 7, as shown in fig. 7, after determining whether there is sensitive data in the target response packet in S704, the method further includes:
S710, if not, and the target access interface corresponding to the target access operation belongs to the sensitive data access interfaces, determining that the target access operation is an abnormal access operation.
Specifically, when a normal user accesses a sensitive interface of the target application system, the sensitive interface usually returns sensitive data, whereas in the attack attempt stage of an attacker's activity the sensitive data is usually not returned, which does not match the normal service condition. Therefore, if no sensitive data exists in the target response packet and the target access interface corresponding to the target access operation belongs to the sensitive data access interfaces, the target access operation can be determined directly to be an abnormal access operation, so that abnormal access behavior of an attacker against the target application system can be resisted effectively.
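As an added illustration of S704 to S710, and not code from the patent, the following Python classifies a response packet body by the sensitive data types the patent names as examples (identity identifier, mobile phone number, bank card number) using regular expression matching backed by check-digit validation, and then applies the fig. 7 decision: a sensitive interface whose response carries no sensitive data is flagged outright, a response that does carry sensitive data is reduced to an interface-response data type pair and compared with the trusted pairs, and other operations are left unchecked. The regular expressions, validators, URL paths, JSON bodies and the trusted pairs are assumptions.

```python
"""S704-S710 (fig. 7): classify a response packet by the sensitive data it
carries, then decide whether the access operation is left unchecked, is
abnormal outright, or is checked against the trusted pairs.

Added illustration, not code from the patent. The regular expressions,
check-digit validators, URL paths, JSON bodies and the interface-data type
pair shape are assumptions."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


_ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
_ID_CHECK_CHARS = "10X98765432"


def id_check_ok(value: str) -> bool:
    """ISO 7064 MOD 11-2 check character of an 18-character mainland-China ID number."""
    if len(value) != 18 or not value[:17].isdigit():
        return False
    total = sum(int(c) * w for c, w in zip(value[:17], _ID_WEIGHTS))
    return _ID_CHECK_CHARS[total % 11] == value[17].upper()


# Ordered strictest-first: accepted spans are blanked out before the next
# pattern runs, so an ID number is not also counted as a bank card number.
SENSITIVE_DETECTORS = {
    "identity_id": (re.compile(r"(?<![0-9Xx])\d{17}[0-9Xx](?![0-9Xx])"), id_check_ok),
    "bank_card": (re.compile(r"(?<!\d)\d{16,19}(?!\d)"), luhn_ok),
    "mobile_phone": (re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"), lambda s: True),
}


def classify_sensitive(body: str) -> set:
    """S704: return the set of sensitive data types found in a response body."""
    found = set()
    text = body
    for dtype, (pattern, valid) in SENSITIVE_DETECTORS.items():
        matches = [m for m in pattern.finditer(text) if valid(m.group(0))]
        if not matches:
            continue
        found.add(dtype)
        chars = list(text)
        for m in matches:
            chars[m.start():m.end()] = " " * (m.end() - m.start())
        text = "".join(chars)
    return found


# Constructed policy for one application system: which interfaces are
# sensitive, and which interface-data type pairs were seen in the secure period.
SENSITIVE_INTERFACES = {"/api/user/idcard", "/api/user/phone", "/api/user/bankcard"}
TRUSTED_PAIRS = {
    ("/api/user/idcard", "identity_id"),
    ("/api/user/phone", "mobile_phone"),
    ("/api/user/bankcard", "bank_card"),
}


def detect(interface: str, body: str) -> str:
    """Fig. 7 decision for one target access operation."""
    types = classify_sensitive(body)
    if not types:
        # S710: a sensitive interface that returned no sensitive data matches an
        # attacker's probing stage, not normal service; other interfaces are not checked.
        return "abnormal" if interface in SENSITIVE_INTERFACES else "not_checked"
    # S706/S708: every interface-data type pair in the response must be trusted.
    if all((interface, t) in TRUSTED_PAIRS for t in types):
        return "normal"
    return "abnormal"


if __name__ == "__main__":
    samples = [
        ("/api/user/phone", '{"phone": "13800138000"}'),
        ("/api/user/phone", '{"error": "invalid token"}'),
        ("/api/health", '{"status": "ok"}'),
        ("/api/user/idcard", '{"id": "11010519491231002X", "card": "4111111111111111"}'),
    ]
    for iface, body in samples:
        print(iface, detect(iface, body))
```

The check-digit validators keep order numbers and other long digit runs out of the bank card class, which plain regular expression matching alone would not; an 18-digit card number that happens to satisfy the ID check character would still be classified as an identity identifier, a residual ambiguity that any pattern-based classifier of this kind carries.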
Next, please refer to fig. 8, which is a schematic diagram illustrating an implementation process of an abnormal access detection method according to an exemplary embodiment of the present disclosure. As shown in fig. 8, when a normal user accesses a sensitive interface of a business system (the target application system), the sensitive interface is expected to return sensitive data of the corresponding sensitive data type, and a trusted policy for the expected HTTP response packets (the trusted response relation pairs) can be generated from this expected situation (the historical access behavior log). This trusted policy for the HTTP response packets expected from the business system (target application system) can detect abnormal attack access behavior initiated by an attacker against a sensitive interface of the target application system: in the attacker's attempt stage, sensitive data is generally not returned effectively. In the attacker's formal attack stage, after the attacker obtains sensitive data returned by the sensitive interface through an access operation (the target access operation), the embodiment of the specification can promptly identify the attacker's abnormal access operation by means of the trusted response relation pair and the target response relation pair determined from the sensitive data type, the sensitive interface and the like of that access operation, so that data leakage from the target application system can be discovered in time and protected against in a targeted manner.
Next, please refer to fig. 9, which is a schematic diagram illustrating a configuration of an abnormal access detection apparatus according to an exemplary embodiment of the present disclosure. As shown in fig. 9, the abnormality access detection apparatus 900 includes:
a first obtaining module 910, configured to obtain a target access behavior log corresponding to a target access operation when a target access operation for a target application system is monitored;
a first determining module 920, configured to determine a target response relationship pair corresponding to the target access operation based on the target access behavior log;
the abnormal access detection module 930 is configured to perform abnormal access detection based on the target response relation pair and the trusted response relation pair, to obtain a target abnormal access detection result corresponding to the target access operation; the trusted response relation pair is obtained by combining at least two trusted access relation items; the at least two trusted access relation items are obtained based on the historical access behavior log of the target application system; one of the at least two trusted access relation items is a trusted response data type item.
In one possible implementation manner, the first determining module 920 includes:
The extraction unit is used for extracting at least two target behavior attributes from the target access behavior log; one target behavior attribute exists in the at least two target behavior attributes and is a target response data type corresponding to the target access operation;
and the combination unit is used for respectively taking the at least two target behavior attributes as target access relation items and combining the at least two target access relation items to obtain a target response relation pair corresponding to the target access operation.
In a possible implementation manner, the at least two target behavior attributes further include a target access user identifier corresponding to the target access operation, and the at least two trusted access relation items further include a trusted access user identifier item corresponding to the trusted response data type item;
or
the at least two target behavior attributes further include a target access interface corresponding to the target application system, and the at least two trusted access relation items further include a trusted access interface item corresponding to the trusted response data type item;
or
the at least two target behavior attributes further include both the target access user identifier corresponding to the target access operation and the target access interface corresponding to the target application system, and the at least two trusted access relation items further include both the trusted access user identifier item and the trusted access interface item corresponding to the trusted response data type item.
In one possible implementation manner, the abnormal access detection apparatus 900 further includes:
the second acquisition module is used for acquiring the history access behavior log in the security access period of the target application system;
the extraction module is used for extracting at least two historical behavior attributes from the historical access behavior log;
and the combination module is used for respectively taking the at least two historical behavior attributes as trusted access relation items and combining the at least two trusted access relation items to obtain a trusted response relation pair corresponding to the target application system.
In one possible implementation manner, the target access behavior log includes a target response packet corresponding to the target access operation;
the abnormality access detection device 900 further includes:
The judging module is used for judging whether sensitive data exists in the target response packet;
the first determining module 920 is specifically configured to:
if yes, determining a target response relation pair corresponding to the target access operation based on the target access behavior log.
In one possible implementation manner, the abnormal access detection apparatus 900 further includes:
and the second determining module is used for determining that the target access operation is an abnormal access operation if no sensitive data exists in the target response packet and the target access interface corresponding to the target access operation belongs to the sensitive data access interfaces.
In one possible implementation manner, the abnormal access detection module 930 is specifically configured to:
and comparing the target response relation pair with the trusted response relation pair, if the target response relation pair is in the trusted response relation pair, determining that the target access operation is a normal access operation, and if the target response relation pair is not in the trusted response relation pair, determining that the target access operation is an abnormal access operation.
In one possible implementation manner, the abnormal access detection apparatus 900 further includes:
and the research and judgment processing module is used for carrying out research and judgment processing on the target access operation if the target access operation is abnormal access operation, so as to obtain a target research and judgment result corresponding to the target access operation.
In one possible implementation manner, the abnormal access detection apparatus 900 further includes:
and the updating module is used for updating the trusted response relation pair based on the target response relation pair corresponding to the target access operation if the target research and judgment result is that the target access operation is a normal access operation.
The division of the modules in the abnormal access detection device is only used for illustration, and in other embodiments, the abnormal access detection device may be divided into different modules as required to complete all or part of the functions of the abnormal access detection device. The implementation of each module in the abnormality access detection apparatus provided in the embodiments of the present specification may be in the form of a computer program. The computer program may run on a terminal or a server. Program modules of the computer program may be stored in the memory of the terminal or server. The computer program, when executed by a processor, implements all or part of the steps of the anomaly access detection method described in the embodiments of the present specification.
Next, please refer to fig. 10, which is a schematic structural diagram of an electronic device according to an exemplary embodiment of the present disclosure. As shown in fig. 10, the electronic device 1000 may include: at least one processor 1010, at least one communication bus 1020, a user interface 1030, at least one network interface 1040, and a memory 1050.
Wherein a communication bus 1020 may be used to enable communication of the connections of the various components described above.
The user interface 1030 may include a Display (Display) and a Camera (Camera), and the optional user interface may also include a standard wired interface, a wireless interface, among others.
The network interface 1040 may optionally include, among other things, a bluetooth module, a near field communication (Near Field Communication, NFC) module, a wireless fidelity (Wireless Fidelity, wi-Fi) module, and the like.
Wherein the processor 1010 may include one or more processing cores. The processor 1010 connects the various parts of the electronic device 1000 through various interfaces and lines, and performs the various functions of the electronic device 1000 and processes data by running or executing instructions, programs, code sets or instruction sets stored in the memory 1050 and calling data stored in the memory 1050. Alternatively, the processor 1010 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), and programmable logic array (Programmable Logic Array, PLA). The processor 1010 may integrate one or a combination of a central processing unit (Central Processing Unit, CPU), a graphics processing unit (Graphics Processing Unit, GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU renders and draws the content to be displayed on the display screen; the modem handles wireless communications. It will be appreciated that the modem may also not be integrated into the processor 1010 and may be implemented by a separate chip.
The Memory 1050 may include a random access Memory (Random Access Memory, RAM) or a Read-Only Memory (ROM). Optionally, the memory 1050 includes a non-transitory computer readable medium. Memory 1050 may be used to store instructions, programs, code, sets of codes, or instruction sets. The memory 1050 may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for at least one function (such as an acquisition function, an anomaly detection function, a determination function, etc.), instructions for implementing the various method embodiments described above, and the like; the storage data area may store data or the like referred to in the above respective method embodiments. Memory 1050 may also optionally be at least one storage device located remotely from the processor 1010. As shown in FIG. 10, the memory 1050, which is a computer storage medium, may include an operating system, a network communication module, a user interface module, and program instructions.
In some possible embodiments, the electronic device 1000 may be the abnormal access detection apparatus described above, and the processor 1010 may be configured to call the program instructions stored in the memory 1050 and specifically perform the following operations:
when a target access operation aimed at a target application system is monitored, acquiring a target access behavior log corresponding to the target access operation; determining a target response relation pair corresponding to the target access operation based on the target access behavior log; performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation; the trusted response relation pair is obtained by combining at least two trusted access relation items; the at least two trusted access relation items are obtained based on the historical access behavior log of the target application system; one of the at least two trusted access relation items is a trusted response data type item.
In some possible embodiments, when the processor 1010 executes the determining, based on the target access behavior log, of the target response relation pair corresponding to the target access operation, it is specifically configured to execute:
extracting at least two target behavior attributes from the target access behavior log, one of the at least two target behavior attributes being the target response data type corresponding to the target access operation; and taking each of the at least two target behavior attributes as a target access relation item, and combining the at least two target access relation items to obtain the target response relation pair corresponding to the target access operation.
In some possible embodiments, one of the at least two target behavior attributes is a target access user identifier corresponding to the target access operation, and one of the at least two trusted access relation items is a trusted access user identifier item corresponding to the trusted response data type item;
or
one of the at least two target behavior attributes is a target access interface corresponding to the target application system, and one of the at least two trusted access relation items is a trusted access interface item corresponding to the trusted response data type item;
or
the at least two target behavior attributes further include both of the following: the target access user identifier corresponding to the target access operation and the target access interface corresponding to the target application system, and the at least two trusted access relation items further include both of the following: the trusted access user identifier item and the trusted access interface item corresponding to the trusted response data type item.
In some possible embodiments, before the processor 1010 performs the abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain the target abnormal access detection result corresponding to the target access operation, it is further configured to execute: acquiring the historical access behavior log from the secure access period of the target application system; extracting at least two historical behavior attributes from the historical access behavior log; and taking each of the at least two historical behavior attributes as a trusted access relation item, and combining the at least two trusted access relation items to obtain the trusted response relation pair corresponding to the target application system.
In some possible embodiments, the target access behavior log includes a target response packet corresponding to the target access operation;
after the processor 1010 acquires the target access behavior log corresponding to the target access operation and before it determines the target response relation pair corresponding to the target access operation based on the target access behavior log, it is further configured to execute: judging whether sensitive data exists in the target response packet;
and when the processor 1010 executes the determining, based on the target access behavior log, of the target response relation pair corresponding to the target access operation, it is specifically configured to execute: if sensitive data exists in the target response packet, determining the target response relation pair corresponding to the target access operation based on the target access behavior log.
In some possible embodiments, after the processor 1010 judges whether sensitive data exists in the target response packet, it is further configured to execute:
if no sensitive data exists in the target response packet, and the target access interface corresponding to the target access operation belongs to a sensitive data access interface, determining that the target access operation is an abnormal access operation.
In some possible embodiments, when the processor 1010 performs the abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain the target abnormal access detection result corresponding to the target access operation, it is specifically configured to execute:
comparing the target response relation pair with the trusted response relation pair; if the target response relation pair is among the trusted response relation pairs, determining that the target access operation is a normal access operation, and if the target response relation pair is not among the trusted response relation pairs, determining that the target access operation is an abnormal access operation.
In some possible embodiments, after performing the abnormal access detection based on the target response relation pair and the trusted response relation pair, the processor 1010 is further configured to execute:
if the target access operation is an abnormal access operation, performing analysis and judgment (triage) processing on the target access operation to obtain a target analysis and judgment result corresponding to the target access operation.
In some possible embodiments, after the processor 1010 performs the analysis and judgment processing on the target access operation to obtain the target analysis and judgment result corresponding to the target access operation, it is further configured to execute:
if the target analysis and judgment result is that the target access operation is a normal access operation, updating the trusted response relation pair based on the target response relation pair corresponding to the target access operation.
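The detection pipeline described in the processor embodiments above, and restated in method claims 1 to 9 below, can be exercised end to end on a handful of records. What follows is an added example written for this page; it is not code from the patent or its assignee, and the log records, the sensitive-data patterns, the interface list and every function and class name are assumptions. It learns the trusted response relation pairs from a constructed safe-period log, classifies the sensitive data type found in each response packet, compares the target pair against the trusted set, applies the rule that a sensitive-data interface returning no sensitive data is itself abnormal, and feeds an analyst's triage verdict back into the trusted set. It goes slightly beyond the text by making the three attribute combinations of the embodiment (user, interface, or both, each together with the response data type) a configurable `fields` tuple.

```python
import re
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed sample records from an assumed "safe access period" (not from the patent):
# one record per access operation, with user identifier, interface and raw response packet.
SAFE_PERIOD_LOG: List[Dict[str, str]] = [
    {"user": "u1001", "interface": "/api/customer/profile",
     "response": '{"name":"Li","phone":"13800001234"}'},
    {"user": "u1001", "interface": "/api/customer/profile",
     "response": '{"name":"Wang","id_card":"110101199001011234"}'},
    {"user": "u2002", "interface": "/api/customer/profile",
     "response": '{"name":"Zhao","phone":"13900004321"}'},
    {"user": "u2002", "interface": "/api/report/summary",
     "response": '{"total":42}'},
]

# Interfaces that are expected to return sensitive data (assumed list).
SENSITIVE_INTERFACES: Set[str] = {"/api/customer/profile"}

# Sensitive data types recognised inside a response packet. The patterns are
# illustrative assumptions (mainland-China mobile number, 18-digit ID number, e-mail);
# the digit look-arounds stop the phone pattern from matching inside an ID number.
SENSITIVE_PATTERNS = {
    "phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "id_card": re.compile(r"(?<!\d)\d{17}[\dX](?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def classify_response(packet: str) -> str:
    """Response data type: sorted '+'-joined names of the sensitive types found, '' if none."""
    found = sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(packet))
    return "+".join(found)


def relation_pair(record: Dict[str, str], fields: Sequence[str]) -> Tuple[str, ...]:
    """Combine the chosen behaviour attributes with the response data type into one
    relation pair. `fields` selects the variant: ("user",), ("interface",) or
    ("user", "interface"); the response data type item is always the last element."""
    return tuple(record[f] for f in fields) + (classify_response(record["response"]),)


class AccessDetector:
    def __init__(self, safe_period_log: Iterable[Dict[str, str]],
                 fields: Sequence[str] = ("user", "interface"),
                 sensitive_interfaces: Iterable[str] = SENSITIVE_INTERFACES) -> None:
        self.fields = tuple(fields)
        self.sensitive_interfaces = set(sensitive_interfaces)
        # Trusted response relation pairs learned from the safe period. Only records that
        # actually returned sensitive data contribute (assumption: responses without
        # sensitive data never reach the pair comparison, see detect()).
        self.trusted: Set[Tuple[str, ...]] = {
            relation_pair(r, self.fields) for r in safe_period_log
            if classify_response(r["response"])
        }

    def detect(self, record: Dict[str, str]) -> str:
        """Classify one target access operation as 'normal', 'abnormal' or 'not_checked'."""
        if not classify_response(record["response"]):
            # No sensitive data came back. An interface that is supposed to return
            # sensitive data but did not is itself flagged (response tampering, bypass);
            # any other interface is simply outside the scope of this check.
            return "abnormal" if record["interface"] in self.sensitive_interfaces else "not_checked"
        return "normal" if relation_pair(record, self.fields) in self.trusted else "abnormal"

    def apply_triage(self, record: Dict[str, str], analyst_verdict: str) -> None:
        """Feed the analyst's verdict back: a pair confirmed normal joins the trusted set,
        so the same combination is not raised again."""
        if analyst_verdict == "normal":
            self.trusted.add(relation_pair(record, self.fields))


if __name__ == "__main__":
    detector = AccessDetector(SAFE_PERIOD_LOG)
    target = {"user": "u2002", "interface": "/api/report/summary",
              "response": '{"owner_id":"110101199001011234"}'}
    print(detector.detect(target))  # u2002 never received ID-card data on this interface
```

Because the allow-list is keyed on what came back rather than on the request, it catches a principal who starts receiving a category of data it never legitimately received before, even when the request itself is well-formed and authorised. Two caveats a deployment should carry: the trusted set is only as clean as the safe period it was learned from, and every "normal" triage verdict permanently widens it, so both the learning window and the feedback path need access control and an audit trail; and matching sensitive data with regular expressions on raw bodies is only illustrative, a production classifier should work on structured response fields.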
The present description also provides a computer-readable storage medium having instructions stored therein which, when executed on a computer or processor, cause the computer or processor to perform one or more steps of the above embodiments. If the constituent modules of the abnormal access detection apparatus are implemented in the form of software functional units and sold or used as independent products, they may be stored in the computer-readable storage medium.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present specification are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in, or transmitted via, a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (Digital Subscriber Line, DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (Digital Versatile Disc, DVD)), a semiconductor medium (e.g., a solid state disk (Solid State Disk, SSD)) or the like.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the flows of the method embodiments described above. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical disks. The technical features of the examples and embodiments herein may be combined arbitrarily where they do not conflict.
The above-described embodiments are merely preferred embodiments of the present disclosure, and do not limit the scope of the disclosure, and various modifications and improvements made by those skilled in the art to the technical solution of the disclosure should fall within the scope of protection defined by the claims.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims and description may be performed in an order different from that in the embodiments recited in the description and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

Claims (13)

1. An abnormal access detection method, the method comprising:
when a target access operation aiming at a target application system is monitored, a target access behavior log corresponding to the target access operation is acquired;
determining a target response relation pair corresponding to the target access operation based on the target access behavior log;
performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation; the trusted response relation pair is obtained by combining at least two trusted access relation items; the at least two trusted access relation items are obtained based on a historical access behavior log of the target application system; one of the at least two trusted access relation items is a trusted response data type item.
2. The method of claim 1, the determining, based on the target access behavior log, a target response relationship pair corresponding to the target access operation, comprising:
extracting at least two target behavior attributes from the target access behavior log, one of the at least two target behavior attributes being a target response data type corresponding to the target access operation;
and taking each of the at least two target behavior attributes as a target access relation item, and combining the at least two target access relation items to obtain the target response relation pair corresponding to the target access operation.
3. The method of claim 2, wherein the at least two target behavior attributes further include a target access user identifier corresponding to the target access operation, and the at least two trusted access relation items further include a trusted access user identifier item corresponding to the trusted response data type item;
or
the at least two target behavior attributes further include a target access interface corresponding to the target application system, and the at least two trusted access relation items further include a trusted access interface item corresponding to the trusted response data type item;
or
the at least two target behavior attributes further include both of the following: the target access user identifier corresponding to the target access operation and the target access interface corresponding to the target application system, and the at least two trusted access relation items further include both of the following: the trusted access user identifier item and the trusted access interface item corresponding to the trusted response data type item.
4. The method of claim 1, wherein before the performing the abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain the target abnormal access detection result corresponding to the target access operation, the method further comprises:
acquiring a historical access behavior log from the secure access period of the target application system;
extracting at least two historical behavior attributes from the historical access behavior log;
and taking each of the at least two historical behavior attributes as a trusted access relation item, and combining the at least two trusted access relation items to obtain the trusted response relation pair corresponding to the target application system.
5. The method of claim 1, wherein the target access behavior log includes a target response packet corresponding to the target access operation;
after the target access behavior log corresponding to the target access operation is acquired and before the target response relation pair corresponding to the target access operation is determined based on the target access behavior log, the method further includes:
judging whether sensitive data exists in the target response packet;
and the determining, based on the target access behavior log, of the target response relation pair corresponding to the target access operation includes:
if sensitive data exists in the target response packet, determining the target response relation pair corresponding to the target access operation based on the target access behavior log.
6. The method of claim 5, wherein after the judging whether sensitive data exists in the target response packet, the method further includes:
if no sensitive data exists in the target response packet, and the target access interface corresponding to the target access operation belongs to a sensitive data access interface, determining that the target access operation is an abnormal access operation.
7. The method of claim 1, wherein the performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation includes:
comparing the target response relation pair with the trusted response relation pair; if the target response relation pair is among the trusted response relation pairs, determining that the target access operation is a normal access operation, and if the target response relation pair is not among the trusted response relation pairs, determining that the target access operation is an abnormal access operation.
8. The method of claim 7, wherein after performing the abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain the target abnormal access detection result corresponding to the target access operation, the method further includes:
if the target access operation is the abnormal access operation, performing analysis and judgment (triage) processing on the target access operation to obtain a target analysis and judgment result corresponding to the target access operation.
9. The method of claim 8, wherein after performing the analysis and judgment processing on the target access operation to obtain the target analysis and judgment result corresponding to the target access operation, the method further includes:
if the target analysis and judgment result is that the target access operation is the normal access operation, updating the trusted response relation pair based on the target response relation pair corresponding to the target access operation.
10. An abnormal access detection apparatus, the apparatus comprising:
the first acquisition module is used for acquiring a target access behavior log corresponding to target access operation when the target access operation aiming at the target application system is monitored;
the first determining module is used for determining a target response relation pair corresponding to the target access operation based on the target access behavior log;
the abnormal access detection module is used for performing abnormal access detection based on the target response relation pair and the trusted response relation pair to obtain a target abnormal access detection result corresponding to the target access operation; the trusted response relation pair is obtained by combining at least two trusted access relation items; the at least two trusted access relation items are obtained based on a historical access behavior log of the target application system; one of the at least two trusted access relation items is a trusted response data type item.
11. An electronic device, comprising: a processor and a memory;
the processor is connected with the memory;
the memory is used for storing executable program codes;
the processor reads the executable program code stored in the memory and runs the program corresponding to that executable program code, so as to perform the method according to any one of claims 1-9.
12. A computer storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the method steps of any of claims 1-9.
13. A computer program product comprising instructions which, when run on a computer or processor, cause the computer or processor to perform the method of any of claims 1-9.
CN202311479381.1A 2023-11-08 2023-11-08 Abnormal access detection method, device, equipment, medium and program product Pending CN117640159A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311479381.1A CN117640159A (en) 2023-11-08 2023-11-08 Abnormal access detection method, device, equipment, medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311479381.1A CN117640159A (en) 2023-11-08 2023-11-08 Abnormal access detection method, device, equipment, medium and program product

Publications (1)

Publication Number Publication Date
CN117640159A true CN117640159A (en) 2024-03-01

Family

ID=90029605

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311479381.1A Pending CN117640159A (en) 2023-11-08 2023-11-08 Abnormal access detection method, device, equipment, medium and program product

Country Status (1)

Country Link
CN (1) CN117640159A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination