CN118396388A - Enterprise information technology management early warning platform and early warning method - Google Patents


Info

Publication number: CN118396388A
Authority: CN (China)
Prior art keywords: abnormal, staff, score, employee, operation data
Legal status: Granted; active (as listed by Google Patents)
Application number: CN202410826520.1A
Other languages: Chinese (zh)
Other versions: CN118396388B (en)
Inventors: 程武阳, 雷申文, 华明山
Current assignee: Shenzhen Jian'an Runxing Safety Technology Co ltd
Original assignee: Shenzhen Jian'an Runxing Safety Technology Co ltd

Events: application filed by Shenzhen Jian'an Runxing Safety Technology Co ltd; priority to CN202410826520.1A; publication of CN118396388A; application granted; publication of CN118396388B.

Landscapes: Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an enterprise information technology management early warning platform and method. The method comprises: analysing employee operation data with a preset enterprise information technology risk prediction model to determine abnormal operation data; calculating an abnormal operation score for the employee from the abnormal operation data in a first preset time interval and plotting an employee abnormal operation score curve; determining abnormal employees from the curve and issuing an employee risk early warning; analysing the anomaly probabilities of the first device and the second device from the employee's predicted operation data for the next first preset time interval, determining the first abnormal device and the second abnormal device, and designating the employees associated with those devices as key-attention employees; and issuing an employee risk early warning when the real-time operation data of a key-attention employee triggers a preset limiting condition. The method calculates the probability that an enterprise information risk occurs from employee operation data, identifies abnormal employees, issues early warnings and reminders, and thereby reduces enterprise risk loss.

Description

Enterprise information technology management early warning platform and early warning method
Technical Field
The application relates to the technical field of enterprise information management, and in particular to an enterprise information technology management early warning platform and early warning method.
Background
An enterprise information technology management early warning method is a warning system that monitors and evaluates an enterprise's information technology application, management and security status in real time in order to predict risks and problems that may occur. It comprises day-to-day monitoring of the enterprise's information technology, data analysis, anomaly detection and the triggering of warning signals. By these technical means, vulnerabilities, faults, security threats and similar problems in the enterprise's information technology can be found in time, and warning signals sent to enterprise managers so that they attend to and handle the problems promptly.
Existing enterprise information technology management early warning methods mainly analyse the enterprise information technology data actually generated in operation to decide whether an enterprise information technology risk exists. Such risks are mainly caused by improper operation by employees, and whether to issue a warning is decided by analysing employees' actual operation data. Because the same monitoring means are applied to every employee, the load on the system is high and warnings may not be issued in time. In addition, existing methods analyse employee operation data without considering the cause of the abnormality: for example, new employees produce more abnormal operations than experienced ones, and a system update causes fluctuations in the data. The accuracy of early warning is therefore low, with both false positives and missed detections.
The prior art therefore has defects and needs improvement.
Disclosure of Invention
In view of the above problems, the present invention aims to provide an enterprise information technology management early warning platform and method that determine, by analysing employee operation data, the abnormal users who affect the probability of an enterprise information risk occurring, issue warnings and reminders using the identity information of those users, and at the same time monitor the real-time operation data of the key-attention employees who may cause an enterprise information risk, issuing a warning before the risk occurs so that managers can deal with the risk factors in good time.
The first aspect of the invention provides an enterprise information technology management early warning method, comprising the following steps:
acquiring employee operation data;
analysing the employee operation data with a preset enterprise information technology risk prediction model to determine abnormal operation data;
calculating an abnormal operation score for the employee from the operation type, abnormal grade and abnormal frequency of the abnormal operation data in a first preset time interval;
plotting an employee abnormal operation score curve from the abnormal operation scores;
marking employees by means of the employee abnormal operation score curve to determine abnormal employees, and issuing an employee risk early warning based on the identity information of each abnormal employee;
predicting the employee operation data of the next first preset time interval from the employee abnormal operation score curve and the employee operation data of the current first preset time interval, to obtain predicted operation data;
analysing the anomaly probabilities of the first device and the second device from the predicted operation data, determining the first abnormal device and the second abnormal device, and designating the employees associated with the first abnormal device and the second abnormal device as key-attention employees;
and monitoring the real-time operation data of the key-attention employees in real time, and issuing an employee risk early warning when the real-time operation data of a key-attention employee triggers a preset limiting condition.
In this scheme, the method further comprises:
acquiring historical employee operation data and historical enterprise information technology risk triggering data;
labelling the historical employee operation data as abnormal or not on the basis of the historical risk triggering data, determining sample operation data, and building an enterprise information technology risk management database;
and building the preset enterprise information technology risk prediction model from the sample operation data in that database.
In this scheme, analysing the employee operation data with the preset enterprise information technology risk prediction model to determine abnormal operation data comprises:
determining access data from the employee operation data, the access data comprising system access data and network access data;
marking access data that does not satisfy the employee's permissions as abnormal, to obtain abnormal access data;
performing a weighted calculation over the abnormal type, abnormal grade and abnormal access frequency of the employee's abnormal access data in the first preset time interval to determine an abnormal access score;
determining the abnormality cause and a first operation score from the employee's identity information and the system running state;
and comparing, per abnormal type, the abnormal access score with the corresponding first operation score, and taking the abnormal access data whose abnormal access score exceeds the corresponding first operation score as the abnormal operation data.
In this scheme, marking employees by means of the employee abnormal operation score curve to determine abnormal employees comprises:
taking the region enclosed between the employee abnormal operation score curve, the sample operation score curve for the same abnormality cause and the coordinate axes as a first region, the first region consisting of a second region and a third region;
taking the part in which the employee abnormal operation score exceeds the sample operation score for the same abnormality cause as the second region;
taking the part in which the employee abnormal operation score is below the sample operation score for the same abnormality cause as the third region;
calculating a first area score from the areas of the second region and the third region;
marking the employee as abnormal when the first area score exceeds a first preset area score threshold;
otherwise, comparing the employee abnormal operation score curve with the sample operation score curve for the same abnormality cause to determine a curve similarity;
performing a weighted calculation over the curve similarity and the first area score to determine an employee operation score;
and marking the employee as abnormal when the employee operation score is below a first preset operation score threshold.
In this scheme, the method further comprises:
updating the sample operation score curve with the abnormal operation score curves of the non-abnormal employees in the first preset time interval.
In this scheme, analysing the anomaly probabilities of the first device and the second device from the predicted operation data and determining the first abnormal device and the second abnormal device comprises:
determining a first anomaly probability of the first device from the employee's own predicted operation data;
determining a second anomaly probability of the second device by weighting the predicted operation data of the employees in the same department;
performing a weighted calculation, according to department attributes, over the second anomaly probabilities obtained for the same second device to determine a third anomaly probability of the second device;
taking a first device whose first anomaly probability exceeds a first preset anomaly probability threshold as a first abnormal device;
and taking a second device whose third anomaly probability exceeds a second preset anomaly probability threshold as a second abnormal device.
In this scheme, monitoring the real-time operation data of the key-attention employees in real time and issuing an employee risk early warning when that data triggers a preset limiting condition comprises:
analysing the real-time operation data of a key-attention employee with the preset enterprise information technology risk prediction model, and determining, from the operation type and abnormal grade of the real-time operation data, a first abnormal score for the operation type concerned;
accumulating the first abnormal scores of the same operation type to obtain a second abnormal score;
when the second abnormal score of any operation type exceeds the corresponding first preset abnormal score threshold, determining that the key-attention employee's real-time operation data has triggered the preset limiting condition, and limiting that employee's operations;
and generating early warning information from the identity information of the key-attention employee and issuing an employee risk early warning.
In this scheme, the method further comprises:
calculating an enterprise risk loss score from the device attributes and first anomaly probability of each first device and the device attributes and third anomaly probability of each second device;
and issuing an enterprise risk early warning when the enterprise risk loss score exceeds a preset loss score threshold.
The second aspect of the invention provides an enterprise information technology management early warning platform configured to implement the above method, comprising:
a data acquisition module for acquiring employee operation data;
a model analysis module for analysing the employee operation data with the preset enterprise information technology risk prediction model to determine abnormal operation data;
a first early warning module for calculating an abnormal operation score for the employee from the operation type, abnormal grade and abnormal frequency of the abnormal operation data in a first preset time interval, plotting an employee abnormal operation score curve from the abnormal operation scores, marking employees by means of that curve to determine abnormal employees, and issuing an employee risk early warning based on the identity information of each abnormal employee;
and a second early warning module for predicting the employee operation data of the next first preset time interval from the employee abnormal operation score curve and the employee operation data of the current first preset time interval to obtain predicted operation data, analysing the anomaly probabilities of the first device and the second device from the predicted operation data, determining the first abnormal device and the second abnormal device, designating the employees associated with those devices as key-attention employees, monitoring the real-time operation data of the key-attention employees in real time, and issuing an employee risk early warning when the real-time operation data of a key-attention employee triggers a preset limiting condition.
The third aspect of the invention provides a computer-readable storage medium containing a program for the enterprise information technology management early warning method which, when executed by a processor, implements the steps of the method described above.
Drawings
FIG. 1 shows a flow chart of an enterprise information technology management early warning method provided by the invention;
FIG. 2 is a flow chart illustrating a method of determining abnormal operation data provided by the present invention;
FIG. 3 is a flow chart illustrating a first and second anomaly device determination method provided by the present invention;
FIG. 4 shows a block diagram of the enterprise information technology management early warning platform provided by the invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present application will be more clearly understood, a more particular description of the application will be rendered by reference to the appended drawings and appended detailed description. It should be noted that, without conflict, the embodiments of the present application and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways than those described herein, and therefore the scope of the present invention is not limited to the specific embodiments disclosed below.
Fig. 1 shows a flowchart of an enterprise information technology management early warning method provided by the invention.
As shown in FIG. 1, the invention discloses an enterprise information technology management early warning method comprising the following steps:
S102, acquiring employee operation data;
S104, analysing the employee operation data with a preset enterprise information technology risk prediction model to determine abnormal operation data;
S106, calculating an abnormal operation score for the employee from the operation type, abnormal grade and abnormal frequency of the abnormal operation data in a first preset time interval;
S108, plotting an employee abnormal operation score curve from the abnormal operation scores;
S110, marking employees by means of the employee abnormal operation score curve to determine abnormal employees, and issuing an employee risk early warning based on the identity information of each abnormal employee;
S112, predicting the employee operation data of the next first preset time interval from the employee abnormal operation score curve and the employee operation data of the current first preset time interval, to obtain predicted operation data;
S114, analysing the anomaly probabilities of the first device and the second device from the predicted operation data, determining the first abnormal device and the second abnormal device, and designating the employees associated with those devices as key-attention employees;
and S116, monitoring the real-time operation data of the key-attention employees in real time, and issuing an employee risk early warning when the real-time operation data of a key-attention employee triggers a preset limiting condition.
According to the embodiment of the invention, employee operation data refers to every item of device operation data an employee generates in the course of the enterprise's business, including system access data, network access data and the like. The employee operation data is analysed with the preset enterprise information technology risk prediction model, abnormal access data is marked, and a weighted calculation over the abnormal type, abnormal grade and abnormal access frequency of the employee's abnormal access data in the first preset time interval yields an abnormal access score. The abnormality cause and a first operation score are determined from the employee's identity information and the system running state, and the abnormal access score is compared with the first operation score to determine the abnormal operation data. The preset enterprise information technology risk prediction model is trained on historical employee operation data and historical enterprise information technology risk triggering data. Employee identity information is data that establishes the employee's identity, such as name, job number, identity card number and position.
The employee's abnormal operation score is obtained from the operation type, abnormal grade and abnormal frequency of the abnormal operation data in the first preset time interval. The formula itself is not reproduced in the text of this page; its terms are defined as follows:
P_c is the abnormal operation score; P_a(i) is the abnormal type of the i-th abnormal operation data; P_b(i) is the abnormal grade of the i-th abnormal operation data; P_c(i) is the abnormal access frequency of the i-th abnormal operation data; n is the total number of abnormal operation data; and k_1, k_2 and k_3 are the influence weights of the abnormal type, the abnormal grade and the abnormal access frequency respectively. (The original uses the symbol P_c both for the total score and for the per-item frequency term.)
A coordinate system is established with the first preset time interval on the x-axis and the employee's abnormal operation score on the y-axis, and the employee abnormal operation score curve is plotted from the employee's abnormal operation scores over several adjacent first preset time intervals. A first area score is calculated from the areas of the second region and the third region enclosed between the employee abnormal operation score curve, the sample operation score curve for the same abnormality cause and the coordinate axes. Whether the employee belonging to the current curve is an abnormal employee is then judged from that score and from the similarity between the employee abnormal operation score curve and the sample operation score curve for the same abnormality cause, and an employee risk early warning is issued based on the abnormal employee's identity information.
The employee operation data of the next first preset time interval is predicted from the employee abnormal operation score curve and the employee operation data of the current first preset time interval, giving predicted operation data. A first anomaly probability of the first device is determined from the current employee's predicted operation data; a second anomaly probability of the second device is determined from the predicted operation data of the employees of the same department, and a weighted calculation over the second anomaly probabilities of the same second device gives its third anomaly probability. The first anomaly probability of each first device and the third anomaly probability of each second device are compared with the first and second preset anomaly probability thresholds respectively to determine the first abnormal devices and the second abnormal devices. The employees who contribute to the anomaly probabilities of the first abnormal devices and second abnormal devices are designated as key-attention employees.
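As an added example (not part of the patent or the assignee's code), the following Python sketch carries the prediction and device-probability steps above through on constructed data: it extrapolates each employee's score curve one interval ahead, turns the result into an anomaly probability, propagates it to the employee's own device and to shared department devices, and finally computes the enterprise risk loss score. The linear extrapolation, the exponential mapping from score to probability, the department attribute weights, the device values and every threshold are assumptions chosen for the illustration; the patent fixes none of them.

```python
"""Steps S112 and S114 plus the enterprise risk loss score: predict the next
interval, turn it into device anomaly probabilities and pick out the devices and
employees that need attention.

Added example, not the patent's own code.  Assumptions (all constructed):
  - the next-interval abnormal operation score of an employee is a linear
    extrapolation of the last two points of the score curve, floored at 0;
  - a score s maps to an anomaly probability p = 1 - exp(-s / SCALE);
  - a first device is used by one employee and inherits that employee's
    probability; a second device is shared, its second probability for a
    department is the usage-share-weighted mean of that department's employee
    probabilities, and its third probability is the department-attribute-
    weighted mean of those per-department values;
  - the enterprise risk loss score is sum(device value * probability) over the
    abnormal devices.  Thresholds and weights are placeholders to be calibrated.
"""
import math

SCALE = 20.0
FIRST_THRESHOLD = 0.5      # first preset anomaly probability threshold
SECOND_THRESHOLD = 0.3     # second preset anomaly probability threshold
LOSS_THRESHOLD = 30.0      # preset loss score threshold

# Constructed inputs: score curves over the last three intervals, org data, devices.
SCORE_CURVES = {"E001": [5, 8, 12], "E002": [30, 34, 40], "E003": [4, 4, 3], "E004": [10, 9, 8]}
DEPARTMENT = {"E001": "sales", "E002": "sales", "E003": "finance", "E004": "finance"}
DEPT_ATTR = {"sales": 1.0, "finance": 2.0}            # department sensitivity weight
FIRST_DEVICES = {"PC-01": "E001", "PC-02": "E002", "PC-03": "E003", "PC-04": "E004"}
SECOND_DEVICES = {                                     # shared device -> predicted usage share
    "FILESRV": {"E001": 0.3, "E002": 0.3, "E003": 0.2, "E004": 0.2},
    "PRINTER": {"E003": 0.5, "E004": 0.5},
}
DEVICE_VALUE = {"PC-01": 5, "PC-02": 5, "PC-03": 5, "PC-04": 5, "FILESRV": 80, "PRINTER": 10}


def predict_next_score(curve):
    """Linear extrapolation of the score curve into the next first preset interval."""
    if len(curve) < 2:
        return float(curve[-1])
    return max(0.0, float(curve[-1] + (curve[-1] - curve[-2])))


def anomaly_probability(score):
    return 1.0 - math.exp(-score / SCALE)


def employee_probabilities(curves=SCORE_CURVES):
    return {emp: anomaly_probability(predict_next_score(c)) for emp, c in curves.items()}


def first_device_probabilities(probs):
    """First anomaly probability: the probability of the device's own user."""
    return {dev: probs[emp] for dev, emp in FIRST_DEVICES.items()}


def second_device_probabilities(probs):
    """Second anomaly probability of each shared device, per department."""
    out = {}
    for dev, shares in SECOND_DEVICES.items():
        acc = {}
        for emp, share in shares.items():
            dept = DEPARTMENT[emp]
            num, den = acc.get(dept, (0.0, 0.0))
            acc[dept] = (num + share * probs[emp], den + share)
        out[dev] = {dept: num / den for dept, (num, den) in acc.items()}
    return out


def third_device_probabilities(second):
    """Third anomaly probability: department-attribute-weighted mean of the second ones."""
    return {dev: sum(DEPT_ATTR[d] * p for d, p in per.items()) / sum(DEPT_ATTR[d] for d in per)
            for dev, per in second.items()}


def analyse(curves=SCORE_CURVES):
    probs = employee_probabilities(curves)
    first = first_device_probabilities(probs)
    third = third_device_probabilities(second_device_probabilities(probs))
    first_abnormal = {d for d, p in first.items() if p > FIRST_THRESHOLD}
    second_abnormal = {d for d, p in third.items() if p > SECOND_THRESHOLD}
    key_staff = {FIRST_DEVICES[d] for d in first_abnormal}
    for d in second_abnormal:
        key_staff |= set(SECOND_DEVICES[d])
    loss = (sum(DEVICE_VALUE[d] * first[d] for d in first_abnormal)
            + sum(DEVICE_VALUE[d] * third[d] for d in second_abnormal))
    return {"first_abnormal": first_abnormal, "second_abnormal": second_abnormal,
            "key_staff": key_staff, "loss_score": loss, "enterprise_alert": loss > LOSS_THRESHOLD}


if __name__ == "__main__":
    print(analyse())
```

On the constructed data the two sales employees push their own PCs over the first threshold, and their usage share of the shared file server lifts it over the second threshold even though the finance users are quiet; every user of that server then becomes a key-attention employee. Note that the shared-device path is what makes the number of monitored employees grow, so the second threshold deserves the most careful calibration.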
A preset limiting condition is set for each operation type of the employee operation data; the condition is triggered when the second abnormal score for that operation type exceeds the first preset abnormal score threshold that the system sets for the type. The real-time operation data of the key-attention employees is analysed with the preset enterprise information technology risk prediction model to determine the operation type and first abnormal score of each item of real-time operation data; the first abnormal scores are accumulated per operation type to obtain the second abnormal score of each type, and an employee risk early warning is issued when the second abnormal score of any operation type triggers its preset limiting condition. The early warning information comprises at least the employee's identity information, the reason for the warning and the real-time operation data of the current first preset time interval. At the same time, the relevant personnel are notified to handle the abnormality, for example by virus removal, system updating, vulnerability repair or employee training.
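The following Python sketch is an added example (not the patent's code) of the real-time monitoring loop just described: a per-employee monitor accumulates the first abnormal scores of each operation type into a second abnormal score, limits the operation type and emits early warning information carrying the identity, the reason and the interval's real-time data once a threshold is crossed. The operation stream, the type weights, the thresholds, and the choices that scores reset at an interval boundary while an imposed limit persists are assumptions made here for the illustration.

```python
"""Step S116: real-time monitoring of a key-attention employee with per-type
accumulation, operation limiting and early warning information.

Added example, not the patent's own code.  Assumptions (all constructed):
  - each real-time operation arrives as a dict with 'interval' (index of the
    first preset time interval), 'type' and 'grade' (abnormal grade already
    assigned by the risk prediction model, which is outside this example);
  - the first abnormal score of an operation is grade * TYPE_WEIGHT[type];
  - second abnormal scores accumulate per operation type and reset when a new
    interval starts, while an imposed limit stays until it is lifted manually.
"""
from dataclasses import dataclass, field

TYPE_WEIGHT = {"file_download": 1.0, "privilege_change": 3.0, "external_upload": 2.0}
THRESHOLD = {"file_download": 8.0, "privilege_change": 2.5, "external_upload": 4.0}  # first preset abnormal score thresholds


@dataclass
class Alert:
    """Early warning information: identity, reason, and the interval's real-time data."""
    employee: str
    reason: str
    second_score: float
    evidence: list


@dataclass
class Monitor:
    employee: str
    interval_id: int = 0
    second_scores: dict = field(default_factory=dict)
    restricted: set = field(default_factory=set)
    evidence: list = field(default_factory=list)

    def first_abnormal_score(self, op):
        return op["grade"] * TYPE_WEIGHT[op["type"]]

    def feed(self, op):
        """Process one real-time operation; return an Alert when a limit is triggered."""
        if op["interval"] != self.interval_id:         # new first preset time interval
            self.interval_id = op["interval"]
            self.second_scores.clear()
            self.evidence.clear()
        t = op["type"]
        if t in self.restricted:                        # already limited: log, do not re-alert
            self.evidence.append({**op, "blocked": True})
            return None
        self.second_scores[t] = self.second_scores.get(t, 0.0) + self.first_abnormal_score(op)
        self.evidence.append(op)
        if self.second_scores[t] > THRESHOLD[t]:
            self.restricted.add(t)
            return Alert(self.employee,
                         f"second abnormal score for {t} exceeded {THRESHOLD[t]}",
                         self.second_scores[t],
                         [e for e in self.evidence if e["type"] == t])
        return None


def run(employee, ops):
    """Feed a stream of operations; return the monitor state and the alerts raised."""
    monitor = Monitor(employee)
    alerts = [a for a in (monitor.feed(op) for op in ops) if a is not None]
    return monitor, alerts


OPS = [  # constructed stream for one key-attention employee
    {"interval": 1, "type": "file_download", "grade": 0.5},
    {"interval": 1, "type": "file_download", "grade": 0.5},
    {"interval": 1, "type": "privilege_change", "grade": 0.9},
    {"interval": 1, "type": "external_upload", "grade": 0.8},
    {"interval": 1, "type": "file_download", "grade": 0.5},
    {"interval": 1, "type": "external_upload", "grade": 0.8},
    {"interval": 1, "type": "external_upload", "grade": 0.7},
    {"interval": 2, "type": "external_upload", "grade": 0.3},
]

if __name__ == "__main__":
    monitor, alerts = run("E002", OPS)
    for a in alerts:
        print(a.employee, a.reason, round(a.second_score, 2), len(a.evidence), "operations")
    print("restricted types:", sorted(monitor.restricted))
```

One high-grade privilege change is enough to trip its low threshold on its own, whereas external uploads only trip theirs after three operations accumulate; the per-type thresholds are what make that difference. Because the limit is enforced automatically, keep the threshold per type high enough that a single model false positive cannot lock an employee out of routine work.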
The first preset time interval is set by a person skilled in the art according to actual requirements, for example to 5 working days.
According to an embodiment of the invention, the method further comprises:
acquiring historical employee operation data and historical enterprise information technology risk triggering data;
labelling the historical employee operation data as abnormal or not on the basis of the historical risk triggering data, determining sample operation data, and building an enterprise information technology risk management database;
and building the preset enterprise information technology risk prediction model from the sample operation data in that database.
It should be noted that the historical employee operation data comprises the system access data and network access data generated by employees in the course of past work, and the historical enterprise information technology risk triggering data comprises enterprise information technology risk data (such as network security risks, system fault risks and data leakage risks) and historical early warning data (including employee risk warnings based on employee operations and enterprise risk warnings for losses to the company's finances, personnel or reputation). The collected historical employee operation data and risk triggering data are cleaned, and duplicate and incomplete records are filtered out. The employee operation data associated with each risk trigger or warning in the historical risk triggering data is analysed, and the employee operation data that led to the trigger or warning is labelled as abnormal. The enterprise information technology risk management database is built from the relationship between the employee operation data and the enterprise information technology risk triggering conditions in the sample operation data, and the preset enterprise information technology risk prediction model is obtained by training on the sample operation data.
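As an added example (not part of the patent or the assignee's code), the following Python sketch implements the data preparation just described on constructed records: cleaning out duplicate and incomplete rows, labelling the operations that preceded a risk trigger, and deriving a per-type trigger probability, which is what the later description uses as the abnormal grade of an access type. The record layout, the 24-hour look-ahead used as the labelling rule and the sample data are all assumptions made here.

```python
"""Build the labelled sample set and the per-type trigger probability.

Added example, not the patent's own code.  Assumptions (all constructed):
  - a historical operation record is a dict with 'ts' (ISO time), 'employee',
    'op_type' (the kind of abnormal access) and 'path';
  - a risk-triggering record is a dict with 'ts', 'employee' and 'kind';
  - an operation is labelled abnormal when the same employee triggered a risk
    within LABEL_WINDOW after it (the patent only says that the operations
    which led to a trigger are labelled; the window is this example's rule);
  - the 'abnormal grade' of a type is its fraction of labelled records.
"""
from datetime import datetime, timedelta

LABEL_WINDOW = timedelta(hours=24)   # assumed look-ahead window

# Constructed sample inputs.
HISTORY = [
    {"ts": "2024-03-01T09:00", "employee": "E001", "op_type": "path_over_permission", "path": "/hr/payroll"},
    {"ts": "2024-03-01T09:00", "employee": "E001", "op_type": "path_over_permission", "path": "/hr/payroll"},  # exact duplicate
    {"ts": "2024-03-01T22:30", "employee": "E002", "op_type": "off_hours", "path": "/erp/orders"},
    {"ts": "2024-03-02T10:00", "employee": "E003", "op_type": None, "path": "/erp/orders"},  # missing field
    {"ts": "2024-03-03T10:00", "employee": "E001", "op_type": "path_over_permission", "path": "/hr/payroll"},
    {"ts": "2024-03-04T10:00", "employee": "E002", "op_type": "risky_site", "path": "http://bad.example.invalid/x"},
    {"ts": "2024-03-04T11:00", "employee": "E004", "op_type": "off_hours", "path": "/erp/orders"},
]
RISK_EVENTS = [
    {"ts": "2024-03-01T15:00", "employee": "E001", "kind": "data_leakage"},
    {"ts": "2024-03-04T12:00", "employee": "E002", "kind": "network_security"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def clean(records):
    """Drop records with a missing field and exact duplicates, keeping order."""
    seen, out = set(), []
    for rec in records:
        if any(v is None for v in rec.values()):
            continue
        key = tuple(sorted(rec.items()))
        if key in seen:
            continue
        seen.add(key)
        out.append(rec)
    return out


def label(records, events, window=LABEL_WINDOW):
    """Add 'abnormal': True when a risk event of the same employee follows within window."""
    labelled = []
    for rec in records:
        t = _parse(rec["ts"])
        hit = any(ev["employee"] == rec["employee"] and t <= _parse(ev["ts"]) <= t + window
                  for ev in events)
        labelled.append({**rec, "abnormal": hit})
    return labelled


def trigger_probability(labelled):
    """Per anomaly type: share of records followed by a trigger (the 'abnormal grade')."""
    totals, hits = {}, {}
    for rec in labelled:
        t = rec["op_type"]
        totals[t] = totals.get(t, 0) + 1
        hits[t] = hits.get(t, 0) + int(rec["abnormal"])
    return {t: hits[t] / totals[t] for t in totals}


def build_database(history=HISTORY, events=RISK_EVENTS):
    """Return (sample operation data, abnormal grade per type)."""
    sample = label(clean(history), events)
    return sample, trigger_probability(sample)


if __name__ == "__main__":
    sample, grades = build_database()
    for rec in sample:
        print(rec["employee"], rec["ts"], rec["op_type"], "abnormal" if rec["abnormal"] else "normal")
    print(grades)
```

With a single event per type the grades come out at 0, 0.5 and 1.0, which shows how coarse the estimate is on a small history; in practice the labelling window should be chosen from the incident timeline and the grades smoothed before they are used as weights.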
Fig. 2 shows a flowchart of the abnormal operation data determination method provided by the present invention.
As shown in FIG. 2, according to an embodiment of the invention, analysing the employee operation data with the preset enterprise information technology risk prediction model to determine abnormal operation data comprises:
S202, determining access data from the employee operation data, the access data comprising system access data and network access data;
S204, marking access data that does not satisfy the employee's permissions as abnormal, to obtain abnormal access data;
S206, performing a weighted calculation over the abnormal type, abnormal grade and abnormal access frequency of the employee's abnormal access data in the first preset time interval to determine an abnormal access score;
S208, determining the abnormality cause and a first operation score from the employee's identity information and the system running state;
S210, comparing, per abnormal type, the abnormal access score with the corresponding first operation score, and taking the abnormal access data whose abnormal access score exceeds the corresponding first operation score as the abnormal operation data.
It should be noted that, according to the access path, the access data can be divided into system access data (access to the enterprise's system servers) and network access data (access to other web pages). The employee's permissions are determined from the employee's identity information, and access data that does not satisfy the system's preset rules is marked as abnormal access data by checking whether the access path is within the employee's permission level, whether the access time falls within the specified access hours, whether the access IP address belongs to the specified access area, whether the access frequency for the path is within the permission level, whether the web site visited carries a security risk, and so on.
The abnormal types of abnormal access data include an access path outside the employee's permissions, an access time outside the specified access hours, an access IP address outside the specified access area, a visited web site that carries a security risk, and the like. The abnormal grade is determined from the probability, in the sample data, that the current kind of abnormal access data triggers an enterprise information technology risk, and the abnormal access frequency is the proportion of abnormal accesses among all accesses in the first preset time interval.
The abnormal access score is obtained by a weighted calculation. The formula itself is not reproduced in the text of this page; its terms are defined as follows:
P_f is the abnormal access score; P_a(j) is the abnormal type of the j-th abnormal access data; P_b(j) is the abnormal grade of the j-th abnormal access data; P_c(j) is the abnormal access frequency of the j-th abnormal access data; m is the total number of abnormal access data; and k_4, k_5 and k_6 are the influence weights of the abnormal type, the abnormal grade and the abnormal access frequency respectively.
The abnormality cause is determined from the employee's identity information and the system running state, and the first operation score preset by the system is adjusted according to that cause. Three causes are distinguished: a new employee who is still learning to use the enterprise system, an employee adapting to a newly updated system, and malicious operation by the employee. The value of the first operation score is adjusted dynamically according to the employee's accumulated working time, the time of the system update and the size of the system update.
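The following Python sketch is an added example (not the patent's code) of steps S202 to S210 end to end: it classifies constructed access records against the rules listed above (permission level, access hours, IP area, risky web site), computes a weighted abnormal access score per abnormal type, derives a first operation score that is raised for a new employee or for the days after a system update, and keeps only the types whose score exceeds that baseline. The weighted-sum form of the score, the type codes and grades, the influence weights, the baseline and its adjustment factors are all assumptions made for the illustration; the patent describes a weighted calculation and a cause-dependent adjustment without fixing them.

```python
"""Steps S202 to S210: mark abnormal access data, score it per abnormal type and
compare with a cause-adjusted first operation score.

Added example, not the patent's own code.  Assumptions (all constructed):
  - each access record has 'kind' ('system' or 'web'), 'path', 'host', 'hour'
    and 'ip'; permissions are integer levels and each system path requires one;
  - allowed hours and allowed IP networks stand in for the 'specified access
    time' and 'specified access area';
  - the abnormal access score per type is the weighted sum
        P_f(type) = sum over abnormal records j of that type of
                    K4 * type_code(j) + K5 * grade(j) + K6 * frequency(j)
    where frequency is abnormal accesses of the type / all accesses in the
    interval (the patent describes a weighted calculation; this form and the
    weights are assumed);
  - the first operation score is raised for new employees (< 90 days) and in
    the 14 days after a system update, scaled by update size (factors assumed).
"""
import ipaddress

PATH_LEVEL = {"/erp/orders": 1, "/hr/payroll": 3, "/admin/users": 4}
ALLOWED_HOURS = range(8, 20)                       # 08:00 to 19:59
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RISKY_HOSTS = {"malware.example.invalid"}
TYPE_CODE = {"path_over_permission": 4, "off_hours": 2, "ip_out_of_area": 3, "risky_site": 4}
GRADE = {"path_over_permission": 0.5, "off_hours": 0.1, "ip_out_of_area": 0.3, "risky_site": 0.9}
K4, K5, K6 = 1.0, 10.0, 20.0                       # assumed influence weights
BASE_FIRST_OPERATION_SCORE = 6.0                   # assumed system default

# Constructed records of one employee in one first preset time interval.
RECORDS = [
    {"kind": "system", "path": "/erp/orders", "host": "", "hour": 10, "ip": "10.1.2.3"},
    {"kind": "system", "path": "/hr/payroll", "host": "", "hour": 10, "ip": "10.1.2.3"},
    {"kind": "system", "path": "/hr/payroll", "host": "", "hour": 23, "ip": "203.0.113.7"},
    {"kind": "web", "path": "/", "host": "malware.example.invalid", "hour": 11, "ip": "10.1.2.3"},
]


def classify(rec, permission_level):
    """Return the abnormal types a record violates (empty list = normal access)."""
    types = []
    if rec["kind"] == "system":
        if PATH_LEVEL.get(rec["path"], 99) > permission_level:  # unknown path: deny
            types.append("path_over_permission")
    elif rec["host"] in RISKY_HOSTS:
        types.append("risky_site")
    if rec["hour"] not in ALLOWED_HOURS:
        types.append("off_hours")
    if not any(ipaddress.ip_address(rec["ip"]) in net for net in ALLOWED_NETS):
        types.append("ip_out_of_area")
    return types


def abnormal_access_score(records, permission_level):
    """Weighted abnormal access score per abnormal type over one interval."""
    counts = {}
    for rec in records:
        for t in classify(rec, permission_level):
            counts[t] = counts.get(t, 0) + 1
    scores = {}
    for t, c in counts.items():
        frequency = c / len(records)
        scores[t] = c * (K4 * TYPE_CODE[t] + K5 * GRADE[t] + K6 * frequency)
    return scores


def first_operation_score(tenure_days, days_since_update, update_size_mb):
    """Abnormality cause and the baseline the scores are compared with."""
    score, cause = BASE_FIRST_OPERATION_SCORE, "malicious_or_unknown"
    if tenure_days < 90:                           # new employee learning the system
        score, cause = score * 2.0, "new_employee"
    elif 0 <= days_since_update <= 14:             # adapting to an updated system
        score, cause = score * (1.0 + min(update_size_mb, 500) / 500.0), "system_update"
    return cause, score


def abnormal_operation_data(records, permission_level, tenure_days, days_since_update, update_size_mb):
    """Return (cause, baseline, score per type, types whose score exceeds the baseline)."""
    cause, baseline = first_operation_score(tenure_days, days_since_update, update_size_mb)
    scores = abnormal_access_score(records, permission_level)
    flagged = {t: s for t, s in scores.items() if s > baseline}
    return cause, baseline, scores, flagged


if __name__ == "__main__":
    print(abnormal_operation_data(RECORDS, 1, 30, 200, 0))    # new employee: higher baseline
    print(abnormal_operation_data(RECORDS, 1, 400, 200, 0))   # no mitigating cause
```

For the same four records the new-employee baseline lets the single off-hours access and the single out-of-area IP through while still flagging the repeated permission overreach and the risky web site; an established employee with no recent update is flagged on all four types. That is the intended effect of tying the baseline to the cause, and it is also why the cause classification itself needs to be trustworthy: an attacker who can make an account look new or recently updated lowers the bar for everything else.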
According to the embodiment of the invention, the staff is marked with the abnormality through the staff abnormal operation score curve to determine the abnormal staff, which comprises the following steps:
Determining an area formed between the staff abnormal operation score curve, the sample operation score curve with the same abnormal cause and the coordinate axis as a first area; the first region comprises a second region and a third region;
determining an area with the employee abnormal operation score being greater than the sample operation score of the same abnormal cause as a second area;
determining an area with the employee abnormal operation score smaller than the sample operation score of the same abnormal cause as a third area;
Calculating a first region area score according to the region areas of the second region and the third region;
when the first area score is greater than a first preset area score threshold, marking the staff as abnormal staff;
otherwise, comparing the employee abnormal operation score curve with a sample operation score curve with the same abnormal cause to determine the similarity of the curves;
Weighting calculation is carried out on the curve similarity and the first area score, and the employee operation score is determined;
and marking the staff as abnormal staff when the staff operation score is smaller than a first preset operation score threshold.
It should be noted that an average curve is calculated over the abnormal operation score curves of all employees in the historical employee operation data by a method preset by the system (for example, a MATLAB program), so as to determine the sample operation score curve. In this calculation, the abnormal operation score curves of employees in the historical employee operation data are split according to the abnormal reasons, and sample operation score curves for the different abnormal reasons are determined. For example, the abnormal operation score curves of employees in the probation period (the first 3 months after joining) are screened out to determine the sample operation score curve for a new employee learning to use the system; the abnormal operation score curves of employees in days 7-14 after a system update are screened out to determine the sample operation score curve for staff adapting to a new system after an update.
Judging whether the operation data of the current staff is a problem existing in the operation process of most staff by calculating the area score of the first area, wherein the second area represents that the abnormal operation score of the current staff is larger than the average abnormal operation score of the historical staff, and the current staff possibly has abnormal operation behaviors which cause enterprise risks in the time interval corresponding to the second area; the third region indicates that the abnormal operation score of the current employee is smaller than the average abnormal operation score of the historical employees, and the current employee does not have abnormal operation behaviors which cause enterprise risks in the time interval corresponding to the third region. Accumulating the area of each second area to determine the total area of the second areas; and accumulating the area of each third area to determine the total area of the third areas. And calculating the area difference between the total area of the second area and the total area of the third area to obtain the area score of the first area. Comparing the first area score with a first preset area score threshold, judging whether the operation data of the current staff is abnormal, and marking the staff with abnormal operation data as abnormal staff.
And then, analyzing employee abnormal operation score curves of other employees except the abnormal employees, and calculating the curve similarity of the employee abnormal operation score curves and sample operation score curves of the same abnormal reasons through a Pearson correlation coefficient calculation method (or a curve similarity calculation method such as cosine similarity). And respectively determining influence weights of the curve similarity and the first area score based on the abnormality reasons, multiplying the curve similarity and the first area score by the corresponding influence weights, accumulating calculation results, and determining employee operation scores. Comparing the employee operation score with a first preset operation score threshold value set by the system, judging whether the operation data of the current employee is abnormal, and marking the employee with abnormal operation data as an abnormal employee.
The values of the first preset area score threshold and the first preset operation score threshold can be set and adjusted by a person skilled in the art according to actual requirements.
According to an embodiment of the present invention, further comprising:
and updating the sample operation score curve through the abnormal operation score curve of the non-abnormal staff in the first preset time interval.
In order to ensure the accuracy of the sample operation score curve, the sample operation score curve is adjusted and updated at regular intervals. Non-abnormal staff are staff who have abnormal operation behaviors but whose abnormal operation behaviors did not trigger an enterprise information technology risk. By analyzing the abnormal operation score curves of the non-abnormal staff in the first preset time interval, the critical value at which an enterprise information technology risk is triggered is determined, and the sample operation score curve is prevented from failing to identify abnormal staff because of data fluctuation.
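The curve comparison of the abnormal-marking step (first area score from the second and third regions, Pearson similarity fallback, employee operation score) and the sample-curve update described just above are illustrated by the following added Python example. It is not the patent's code: the daily score curves, thresholds and influence weights are constructed, the trapezoid-rule area with unit spacing is an assumption, and giving the first area score a negative weight in the employee operation score (so that both low similarity and a large positive area score lower the score) is my design choice.

```python
"""Added example: marking abnormal employees from score curves and refreshing the
sample curve. Curves, thresholds and weights are constructed."""
import math


def mean_curve(curves):
    """Pointwise average of equally long score curves (one way to build the sample curve)."""
    n = len(curves)
    return [sum(c[i] for c in curves) / n for i in range(len(curves[0]))]


def region_areas(employee, sample):
    """Areas of the second region (employee score above the sample score) and the
    third region (below), by the trapezoid rule with unit spacing between points,
    splitting any segment in which the two curves cross."""
    second = third = 0.0
    diff = [e - s for e, s in zip(employee, sample)]
    for d0, d1 in zip(diff, diff[1:]):
        if d0 * d1 >= 0:                        # no crossing inside this segment
            area = (abs(d0) + abs(d1)) / 2
            if d0 + d1 > 0:
                second += area
            elif d0 + d1 < 0:
                third += area
        else:                                   # curves cross at fraction t of the segment
            t = d0 / (d0 - d1)
            left, right = abs(d0) * t / 2, abs(d1) * (1 - t) / 2
            if d0 > 0:
                second, third = second + left, third + right
            else:
                second, third = second + right, third + left
    return second, third


def pearson(x, y):
    """Pearson correlation coefficient, used as the curve similarity."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def classify_employee(employee, sample, area_threshold, op_threshold, w_sim=0.7, w_area=0.3):
    """Abnormal when the first area score exceeds area_threshold; otherwise combine
    similarity and area score into the employee operation score and mark abnormal
    when that score is below op_threshold."""
    second, third = region_areas(employee, sample)
    area_score = second - third
    if area_score > area_threshold:
        return {"status": "abnormal", "reason": "area", "area_score": area_score}
    sim = pearson(employee, sample)
    # Similarity raises the operation score; a large positive area score lowers it (assumed).
    op_score = w_sim * sim - w_area * area_score
    status = "abnormal" if op_score < op_threshold else "normal"
    return {"status": status, "reason": "operation_score", "area_score": area_score,
            "similarity": sim, "operation_score": op_score}


def update_sample_curve(history, non_abnormal_curves):
    """Refresh the sample curve from the history plus this interval's non-abnormal curves."""
    return mean_curve(list(history) + list(non_abnormal_curves))


# Constructed daily abnormal operation scores for one abnormality cause (7 days).
SAMPLE = [2, 2, 3, 3, 2, 2, 3]
EMPLOYEE_A = [4, 5, 5, 6, 5, 4, 5]   # consistently above the sample curve
EMPLOYEE_B = [2, 3, 2, 3, 3, 2, 2]   # crosses the sample curve, weakly anti-correlated
EMPLOYEE_C = [1, 1, 2, 2, 1, 1, 2]   # same shape as the sample curve, below it

if __name__ == "__main__":
    for name, curve in (("A", EMPLOYEE_A), ("B", EMPLOYEE_B), ("C", EMPLOYEE_C)):
        print(name, classify_employee(curve, SAMPLE, area_threshold=5.0, op_threshold=0.3))
    print(update_sample_curve([SAMPLE], [EMPLOYEE_C]))
```

Employee A is marked abnormal by the area score alone (the whole first region is second region), employee B passes the area check but is marked abnormal because its curve is dissimilar to the sample curve, and employee C, whose curve has the sample's shape but lies below it, is normal and would feed the sample-curve update.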
Fig. 3 shows a flowchart of a first abnormal device and a second abnormal device determining method provided by the present invention.
As shown in fig. 3, according to an embodiment of the present invention, performing anomaly probability analysis of a first device and a second device based on predicted operation data, determining the first anomaly device and the second anomaly device includes:
S302, determining a first abnormal probability of the first equipment according to the predicted operation data of staff;
S304, determining a second abnormal probability of the second equipment by carrying out weighted calculation on the predicted operation data of the staff of the same department;
S306, carrying out weighted calculation on second abnormal probabilities of the same second equipment based on department attributes, and determining third abnormal probabilities of the second equipment;
S308, determining a first device with the first abnormality probability larger than a first preset abnormality probability threshold as a first abnormality device;
S310, determining the second device with the third abnormal probability larger than the second preset abnormal probability threshold as the second abnormal device.
It should be noted that, the first device is a device used by a current employee, such as a computer, a mobile phone, etc., and the second device is an enterprise system, a server, a database, etc. The method comprises the steps of analyzing operation types, abnormal grades and abnormal frequencies of abnormal operation data in employee prediction operation data in combination with sample operation data of an enterprise information technology risk management database, determining triggering probability of abnormal operation data of each type, which causes abnormal occurrence of first equipment under the current abnormal grades and abnormal frequencies, accumulating the triggering probability of all types of abnormal operation data, and determining first abnormal probability of the first equipment. The abnormal reasons of the first device include that the first device crashes, the system crashes or the enterprise data is leaked through the current first device, etc. For example, a software program downloaded through a non-compliant website carries a virus, resulting in a system crash, a computer crash, etc. Or in an unknown network environment, access to the enterprise database by the mobile device results in leakage of enterprise data, etc.
Counting the abnormal times and abnormal grades of abnormal operation data of each operation type in the predicted operation data of staff in the same department, giving corresponding influence weights to each abnormal operation data according to the operation type and the abnormal grade of the abnormal operation data, multiplying each abnormal operation data by the corresponding influence weights respectively, accumulating the calculation results, and determining the second abnormal probability of the second equipment. The reasons for the abnormality of the second equipment comprise that an enterprise system, a server or a database is wholly crashed or partially crashed, and the like, the influence degree of the abnormality of the second equipment on the work of a department is determined based on the department attribute, for example, the crashed enterprise purchasing subsystem influences the purchasing work of the purchasing department and the warehousing work of the warehousing department, and the abnormality has no influence on the work of personnel departments. And determining the influence weight of the second abnormal probability of each department according to the influence degree of the second equipment abnormality on the department work, multiplying each second abnormal probability by the corresponding influence weight respectively, and accumulating the calculation result to determine the third abnormal probability. And comparing the first abnormal probability of the first equipment and the third abnormal probability of the second equipment with a corresponding first preset abnormal probability threshold value and a corresponding second preset abnormal probability threshold value respectively, and determining the first abnormal equipment and the second abnormal equipment. The first preset abnormal probability threshold and the second preset abnormal probability threshold are set by a person skilled in the art according to actual requirements.
According to the embodiment of the invention, the real-time operation data of the important staff is monitored in real time, and when the real-time operation data of the important staff triggers a preset limiting condition, the staff risk early warning is carried out, which comprises the following steps:
Analyzing the real-time operation data of the staff focused on by a preset enterprise information technology risk prediction model, and determining a first abnormal score of an operation type corresponding to the real-time operation data according to the operation type and the abnormal level of the real-time operation data;
accumulating the first abnormal scores of the same operation type to determine a second abnormal score;
When the second abnormal score of any operation type is larger than the corresponding first preset abnormal score threshold value, determining that the real-time operation data of the important attention staff trigger a preset limiting condition, and limiting the operation of the important attention staff;
and generating early warning information based on employee identity information of the employee focused on, and carrying out employee risk early warning.
It should be noted that the real-time operation data of the focused-on staff affects the probability of abnormality of the first device and the second device. The real-time operation data of the focused-on staff is analyzed by the preset enterprise information technology risk prediction model and compared with the sample operation data of the enterprise information technology risk management database, and the first abnormal score of the operation type corresponding to the real-time operation data is determined according to the operation type and abnormal level of the real-time operation data. The real-time operation data of all focused-on staff is analyzed, the first abnormal scores of real-time operation data of the same operation type are accumulated, and the second abnormal score of each operation type is determined. The second abnormal score of each operation type is compared with the corresponding first preset abnormal score threshold to judge whether the employee risk early warning condition is met; the preset limiting condition is judged against the first preset abnormal score threshold that the system sets for the current operation type. When the second abnormal score is smaller than the corresponding first preset abnormal score threshold, the probability of an enterprise information technology risk occurring is low, no early warning is needed, and monitoring of the real-time operation data of the focused-on staff continues. When the second abnormal score of any operation type is larger than the corresponding first preset abnormal score threshold, a limiting condition is set on operation behaviors of that operation type; when the real-time operation data of any focused-on employee belongs to the currently limited operation type, the preset limiting condition is triggered and the operation of that employee is limited. Early warning information is generated based on the employee identity information of the focused-on employee, employee risk early warning is carried out, and the related personnel are notified to handle the exception.
Wherein the first preset anomaly score threshold value is set by a person skilled in the art according to actual requirements.
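The two-stage limiting logic above (first abnormal score per event, second abnormal score accumulated per operation type across all focused-on staff, limiting once the threshold is exceeded) is illustrated by the following added Python example. It is not the patent's code; the first-score table, the thresholds and the event stream are constructed, and the first score being looked up from a fixed (operation type, level) table stands in for the output of the risk prediction model.

```python
"""Added example: real-time limiting of focused-on staff by accumulated abnormal
scores per operation type. Score table, thresholds and events are constructed."""


class FocusedStaffMonitor:
    def __init__(self, first_score_table, thresholds):
        self.first_score_table = first_score_table   # (operation type, abnormal level) -> first abnormal score
        self.thresholds = thresholds                 # operation type -> first preset abnormal score threshold
        self.second_scores = {t: 0.0 for t in thresholds}
        self.limited_types = set()                   # operation types currently under a limiting condition

    def observe(self, employee, op_type, level):
        """Process one real-time operation event of a focused-on employee."""
        first = self.first_score_table[(op_type, level)]
        self.second_scores[op_type] += first          # accumulate across all focused-on staff
        if self.second_scores[op_type] > self.thresholds[op_type]:
            self.limited_types.add(op_type)           # limiting condition set on this operation type
        limited = op_type in self.limited_types
        warning = None
        if limited:                                   # preset limiting condition triggered
            warning = {"employee": employee, "operation": op_type,
                       "second_score": self.second_scores[op_type]}
        return {"employee": employee, "operation": op_type, "first_score": first,
                "limited": limited, "warning": warning}


def run_events(monitor, events):
    """Feed (employee identity, operation type, abnormal level) events in order."""
    return [monitor.observe(*event) for event in events]


# Constructed first abnormal scores per (operation type, abnormal level) and thresholds.
FIRST_SCORES = {("download", 1): 0.5, ("download", 2): 1.0,
                ("db_query", 1): 1.0, ("db_query", 2): 2.0}
THRESHOLDS = {"download": 2.0, "db_query": 3.0}
EVENTS = [("emp-01", "download", 1),   # second score 0.5
          ("emp-02", "download", 2),   # 1.5
          ("emp-03", "download", 2),   # 2.5 > 2.0: downloads limited, emp-03 warned
          ("emp-01", "download", 1),   # type already limited: emp-01 warned too
          ("emp-02", "db_query", 1)]   # 1.0 <= 3.0: no limit

if __name__ == "__main__":
    monitor = FocusedStaffMonitor(FIRST_SCORES, THRESHOLDS)
    for result in run_events(monitor, EVENTS):
        print(result)
```

Note that the second abnormal score is a shared counter across all focused-on staff, so an employee whose own operations are mild can still be limited once the operation type as a whole has crossed the threshold; that is the behavior the text describes, and a deployment should make the limited-type state visible to the people handling the warnings.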
According to an embodiment of the present invention, further comprising:
calculating an enterprise risk loss score according to the equipment attribute and the first anomaly probability of each first equipment, the equipment attribute and the third anomaly probability of each second equipment;
and when the enterprise risk loss score is larger than a preset loss score threshold value, carrying out enterprise risk early warning.
It should be noted that corresponding influence weights are given to each first device and each second device according to the device attributes, the first abnormal probability of each first device and the third abnormal probability of each second device are multiplied by the corresponding influence weights, the results are accumulated, and the enterprise risk loss score is determined. Enterprise risk early warning is carried out according to the enterprise risk loss score: when the enterprise risk loss score is greater than the preset loss score threshold, the loss that the enterprise would suffer if the enterprise information technology risk occurred (including economic loss, personnel loss and reputation loss) exceeds what the enterprise can bear, and the related personnel should be notified promptly to handle the abnormality and prevent the enterprise information technology risk from occurring. The preset loss score threshold is set by a person skilled in the art according to actual requirements.
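The device anomaly probability analysis of steps S302 to S310 and the enterprise risk loss score described above are illustrated together by the following added Python example, which is not the patent's code. The trigger-probability table, the second-device influence weights, the department impacts, the device attribute weights, the thresholds and the employees' predicted operation data are all constructed; combining repeated predicted occurrences of one operation type as 1 - (1 - p)^n, capping the accumulated first probability at 1, and treating the staff of every affected department as the staff corresponding to an abnormal second device are my assumptions.

```python
"""Added example: first/second/third anomaly probabilities, abnormal device
selection, focused-on staff and the enterprise risk loss score (constructed data)."""

# Probability that one occurrence of (operation type, abnormal level) triggers a
# first-device anomaly, as the risk management database would supply it (constructed).
TRIGGER_P = {("unauthorized_download", 1): 0.05, ("unauthorized_download", 2): 0.15,
             ("external_db_access", 1): 0.10, ("external_db_access", 2): 0.30}
# Influence weight of one occurrence on the second device (here a purchasing subsystem).
SECOND_W = {("unauthorized_download", 1): 0.02, ("unauthorized_download", 2): 0.05,
            ("external_db_access", 1): 0.10, ("external_db_access", 2): 0.25}
# Degree to which an outage of the purchasing subsystem affects each department's work.
DEPT_IMPACT = {"purchasing": 1.0, "warehousing": 0.6, "hr": 0.0}
SECOND_DEVICE = "purchasing_subsystem"


def first_anomaly_probability(predicted_ops):
    """predicted_ops: list of (operation type, abnormal level, predicted count).
    Per type, the probability of at least one trigger among the predicted occurrences;
    the per-type probabilities are then accumulated and capped at 1 (assumed)."""
    total = 0.0
    for op_type, level, count in predicted_ops:
        p = TRIGGER_P[(op_type, level)]
        total += 1 - (1 - p) ** count
    return min(total, 1.0)


def second_anomaly_probability(dept_staff_ops):
    """Weighted accumulation over the predicted operation data of one department's staff."""
    return sum(count * SECOND_W[(op_type, level)]
               for ops in dept_staff_ops.values()
               for op_type, level, count in ops)


def third_anomaly_probability(second_by_dept):
    """Weight each department's second probability by the impact on that department's work."""
    return sum(p * DEPT_IMPACT[dept] for dept, p in second_by_dept.items())


def analyse(departments, first_threshold, second_threshold):
    """departments: {department: {employee: predicted_ops}}.
    Returns the first probabilities, the abnormal first devices (keyed by their user),
    the third probability, whether the second device is abnormal, and the focused-on staff."""
    first_p = {emp: first_anomaly_probability(ops)
               for staff in departments.values() for emp, ops in staff.items()}
    abnormal_first = {emp for emp, p in first_p.items() if p > first_threshold}
    second_by_dept = {d: second_anomaly_probability(staff) for d, staff in departments.items()}
    third_p = third_anomaly_probability(second_by_dept)
    second_abnormal = third_p > second_threshold
    focused = set(abnormal_first)
    if second_abnormal:   # assumed: staff of every department the outage would affect
        focused |= {emp for d, staff in departments.items() if DEPT_IMPACT[d] > 0 for emp in staff}
    return {"first_p": first_p, "abnormal_first": abnormal_first, "third_p": third_p,
            "second_abnormal": second_abnormal, "focused": focused}


def enterprise_risk_loss_score(device_weights, first_p, third_p):
    """Sum of each device's anomaly probability times its attribute weight."""
    score = sum(device_weights[emp] * p for emp, p in first_p.items())
    return score + device_weights[SECOND_DEVICE] * third_p


# Constructed predicted operation data for the next first preset time interval.
DEPARTMENTS = {
    "purchasing": {"emp-01": [("unauthorized_download", 2, 2), ("external_db_access", 1, 1)],
                   "emp-02": [("unauthorized_download", 1, 1)]},
    "warehousing": {"emp-03": [("external_db_access", 2, 1)]},
    "hr": {"emp-04": [("unauthorized_download", 1, 3)]},
}
# Device attribute weights: employee devices keyed by their user, plus the second device.
DEVICE_WEIGHTS = {"emp-01": 0.2, "emp-02": 0.2, "emp-03": 0.2, "emp-04": 0.1,
                  SECOND_DEVICE: 0.8}

if __name__ == "__main__":
    r = analyse(DEPARTMENTS, first_threshold=0.32, second_threshold=0.35)
    loss = enterprise_risk_loss_score(DEVICE_WEIGHTS, r["first_p"], r["third_p"])
    print(sorted(r["abnormal_first"]), r["second_abnormal"], sorted(r["focused"]), round(loss, 4))
```

With these inputs emp-01's device is the first abnormal device, the purchasing subsystem is the second abnormal device (its third probability of 0.37 is driven by purchasing and warehousing staff, while the HR department's operations contribute nothing because the outage does not affect HR work), and the risk loss score of about 0.456 would exceed a preset loss score threshold of 0.3.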
Fig. 4 shows a block diagram of an enterprise information technology management early warning platform provided by the invention.
As shown in fig. 4, the second aspect of the present invention provides an enterprise information technology management and early warning platform, configured to implement the above enterprise information technology management and early warning method, including:
The data acquisition module is used for acquiring employee operation data;
the model analysis module is used for analyzing the employee operation data through a preset enterprise information technology risk prediction model and determining abnormal operation data;
The first early warning module is used for calculating abnormal operation scores of staff according to the operation types, the abnormal grades and the abnormal frequencies of the abnormal operation data in the first preset time interval; drawing an employee abnormal operation score curve according to the abnormal operation score; performing abnormal marking on staff through a staff abnormal operation score curve to determine abnormal staff, and performing staff risk early warning based on staff identity information of the abnormal staff;
The second early warning module predicts employee operation data in a next first preset time interval through an employee abnormal operation score curve and employee operation data in a current first preset time interval to obtain predicted operation data; performing anomaly probability analysis on the first equipment and the second equipment based on the predicted operation data, determining the first anomaly equipment and the second anomaly equipment, and determining staff corresponding to the first anomaly equipment and the second anomaly equipment as staff focused on; and monitoring the real-time operation data of the staff focused on in real time, and performing staff risk early warning when the real-time operation data of the staff focused on triggers a preset limiting condition.
The third aspect of the present invention provides a computer readable storage medium, where the computer readable storage medium includes an enterprise information technology management pre-warning method program, and when the enterprise information technology management pre-warning method program is executed by a processor, the steps of the enterprise information technology management pre-warning method are implemented.
Information (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data for analysis, stored data, presented data, etc.), and signals (including but not limited to signals transmitted between a user terminal and other devices, etc.) referred to by the present application are all user-authorized or fully authorized by parties, and the collection, use, and processing of relevant data is required to comply with relevant laws and regulations and standards of relevant countries and regions. For example, references in this disclosure to "employee operation data," "historical enterprise information technology risk triggering data," "employee identity information," etc., are all obtained with sufficient authorization.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above described device embodiments are only illustrative, e.g. the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium; when executed, the program performs the steps of the above method embodiments. The aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or optical disk, or other medium capable of storing program code.
Alternatively, the above-described integrated units of the invention may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solutions of the embodiments of the present invention, in essence or the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the embodiments of the present invention. The aforementioned storage medium includes: a removable storage device, ROM, RAM, a magnetic or optical disk, or other medium capable of storing program code.

Claims (10)

1. An enterprise information technology management early warning method is characterized by comprising the following steps:
Acquiring employee operation data;
Analyzing the employee operation data through a preset enterprise information technology risk prediction model to determine abnormal operation data;
Calculating an abnormal operation score of the staff according to the operation type, the abnormal grade and the abnormal frequency of the abnormal operation data in the first preset time interval;
Drawing an employee abnormal operation score curve according to the abnormal operation score;
Performing abnormal marking on staff through the staff abnormal operation scoring curve to determine abnormal staff, and performing staff risk early warning based on staff identity information of the abnormal staff;
Predicting employee operation data in a next first preset time interval according to the employee abnormal operation score curve and the employee operation data in the current first preset time interval to obtain predicted operation data;
Performing anomaly probability analysis on the first equipment and the second equipment based on the predicted operation data, determining the first anomaly equipment and the second anomaly equipment, and determining staff corresponding to the first anomaly equipment and the second anomaly equipment as staff focused on;
and monitoring the real-time operation data of the staff with important attention in real time, and performing staff risk early warning when the real-time operation data of the staff with important attention triggers a preset limiting condition.
2. The enterprise information technology management pre-warning method of claim 1, further comprising:
acquiring historical employee operation data and historical enterprise information technology risk triggering data;
Performing abnormal labeling on the historical staff operation data based on the historical enterprise information technology risk triggering data, determining sample operation data, and establishing an enterprise information technology risk management database;
and establishing a preset enterprise information technology risk prediction model based on sample operation data of the enterprise information technology risk management database.
3. The method for managing and pre-warning enterprise information technology according to claim 1, wherein the analyzing the employee operation data by the preset enterprise information technology risk prediction model to determine abnormal operation data includes:
Analyzing and determining access data through employee operation data; the access data comprises system access data and network access data;
performing exception marking on the access data which does not meet the employee permission, and determining the exception access data;
weighting calculation is carried out on the abnormal types, the abnormal grades and the abnormal access frequency of the abnormal access data of the staff in the first preset time interval, and an abnormal access score is determined;
determining an abnormality cause and a first operation score based on employee identity information and a system running state;
Comparing the abnormal access score with the corresponding first operation score based on the abnormal type of the abnormal access data, and determining the abnormal access data with the abnormal access score larger than the corresponding first operation score as the abnormal operation data.
4. The method for managing and early warning enterprise information technology according to claim 1, wherein the determining abnormal staff by performing abnormal marking on staff through the staff abnormal operation score curve includes:
determining an area formed between the staff abnormal operation score curve, the sample operation score curve with the same abnormal cause and the coordinate axis as a first area; the first region comprises a second region and a third region;
determining an area with the employee abnormal operation score being greater than the sample operation score of the same abnormal cause as a second area;
determining an area with the employee abnormal operation score smaller than the sample operation score of the same abnormal cause as a third area;
Calculating a first region area score according to the region areas of the second region and the third region;
When the first area score is greater than a first preset area score threshold, marking the employee as an abnormal employee;
otherwise, comparing the employee abnormal operation score curve with a sample operation score curve with the same abnormal cause to determine the similarity of the curves;
Weighting calculation is carried out on the curve similarity and the first area score, and staff operation scores are determined;
And marking the staff as abnormal staff when the staff operation score is smaller than a first preset operation score threshold.
5. The enterprise information technology management pre-warning method of claim 1, further comprising:
and updating the sample operation score curve through the abnormal operation score curve of the non-abnormal staff in the first preset time interval.
6. The method for enterprise information technology management and early warning according to claim 1, wherein the performing anomaly probability analysis of the first device and the second device based on the predicted operation data, determining the first anomaly device and the second anomaly device, includes:
Determining a first anomaly probability of the first device through the employee's predicted operational data;
Determining a second anomaly probability of the second device by weighting the predicted operation data of the same department staff;
Weighting calculation is carried out on the second abnormal probability of the same second equipment based on the department attribute, and a third abnormal probability of the second equipment is determined;
Determining a first device with a first abnormality probability greater than a first preset abnormality probability threshold as a first abnormality device;
and determining the second device with the third abnormal probability larger than the second preset abnormal probability threshold as the second abnormal device.
7. The enterprise information technology management and early warning method according to claim 1, wherein the real-time monitoring of the real-time operation data of the staff with important attention, and when the real-time operation data of the staff with important attention triggers a preset limiting condition, performing staff risk early warning, includes:
analyzing the real-time operation data of the staff with important attention by a preset enterprise information technology risk prediction model, and determining a first abnormal score of an operation type corresponding to the real-time operation data according to the operation type and the abnormal grade of the real-time operation data;
accumulating the first abnormal scores of the same operation type to determine a second abnormal score;
When the second abnormal score of any operation type is larger than the corresponding first preset abnormal score threshold value, determining that the real-time operation data of the important attention staff trigger a preset limiting condition, and limiting the operation of the important attention staff;
and generating early warning information based on employee identity information of the employee focused on, and carrying out employee risk early warning.
8. The enterprise information technology management pre-warning method of claim 6, further comprising:
calculating an enterprise risk loss score according to the equipment attribute and the first anomaly probability of each first equipment, the equipment attribute and the third anomaly probability of each second equipment;
and when the enterprise risk loss score is larger than a preset loss score threshold value, carrying out enterprise risk early warning.
9. An enterprise information technology management and early warning platform for implementing the enterprise information technology management and early warning method according to any one of claims 1-8, comprising:
The data acquisition module is used for acquiring employee operation data;
The model analysis module is used for analyzing the employee operation data through a preset enterprise information technology risk prediction model and determining abnormal operation data;
the first early warning module is used for calculating abnormal operation scores of the staff according to the operation types, the abnormal grades and the abnormal frequencies of the abnormal operation data in a first preset time interval; drawing an employee abnormal operation score curve according to the abnormal operation score; performing abnormal marking on staff through the staff abnormal operation scoring curve to determine abnormal staff, and performing staff risk early warning based on staff identity information of the abnormal staff;
The second early warning module predicts employee operation data in a next first preset time interval through an employee abnormal operation score curve and employee operation data in a current first preset time interval to obtain predicted operation data; performing anomaly probability analysis on the first equipment and the second equipment based on the predicted operation data, determining the first anomaly equipment and the second anomaly equipment, and determining staff corresponding to the first anomaly equipment and the second anomaly equipment as staff focused on; and monitoring the real-time operation data of the staff with important attention in real time, and performing staff risk early warning when the real-time operation data of the staff with important attention triggers a preset limiting condition.
10. The enterprise information technology management early warning platform of claim 9, wherein performing abnormality marking on the employee through the employee abnormal operation score curve to determine an abnormal employee comprises:
determining the area enclosed between the employee abnormal operation score curve, the sample operation score curve of the same abnormal cause and the coordinate axis as a first region, the first region comprising a second region and a third region;
determining the area in which the employee abnormal operation score is greater than the sample operation score of the same abnormal cause as the second region;
determining the area in which the employee abnormal operation score is smaller than the sample operation score of the same abnormal cause as the third region;
calculating a first region area score from the region areas of the second region and the third region;
marking the employee as an abnormal employee when the first region area score is greater than a first preset area score threshold;
otherwise, comparing the employee abnormal operation score curve with the sample operation score curve of the same abnormal cause to determine a curve similarity;
performing a weighted calculation on the curve similarity and the first region area score to determine an employee operation score; and
marking the employee as an abnormal employee when the employee operation score is smaller than a first preset operation score threshold.
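The marking step of claim 10, as an added worked example that is not the patent's own code: both score curves are taken as sampled at equal time steps, the area-score formula (excess area minus deficit area, relative to the area under the sample curve), the curve-similarity measure (rescaled Pearson correlation), the weighting and both thresholds are assumptions, since the claim names the quantities but not their formulas.

```python
from math import sqrt

def trapezoid(values):
    """Area under a curve sampled at unit time steps (trapezoid rule)."""
    return sum((a + b) / 2.0 for a, b in zip(values, values[1:]))

def region_areas(employee, sample):
    """Second region: employee score above the sample score of the same
    abnormal cause. Third region: employee score below it. The split is
    done per sample point, so a crossing inside one step is approximated."""
    diff = [e - s for e, s in zip(employee, sample)]
    second = trapezoid([max(d, 0.0) for d in diff])
    third = trapezoid([max(-d, 0.0) for d in diff])
    return second, third

def first_area_score(employee, sample):
    """Assumed formula: excess area minus deficit area, divided by the
    area under the sample curve so the score is independent of scale."""
    second, third = region_areas(employee, sample)
    return (second - third) / (trapezoid(sample) or 1.0)

def curve_similarity(employee, sample):
    """Assumed measure: Pearson correlation of the two curves, rescaled
    from [-1, 1] to [0, 1]; a flat curve has no defined correlation -> 0."""
    n = len(employee)
    me, ms = sum(employee) / n, sum(sample) / n
    cov = sum((e - me) * (s - ms) for e, s in zip(employee, sample))
    ve = sqrt(sum((e - me) ** 2 for e in employee))
    vs = sqrt(sum((s - ms) ** 2 for s in sample))
    if ve == 0 or vs == 0:
        return 0.0
    return (cov / (ve * vs) + 1.0) / 2.0

def mark_employee(employee, sample, area_thr=0.5, op_thr=0.4, w_area=0.5):
    """Claim-10 decision. Returns (status, score); thresholds and weight
    are assumed values, to be tuned per enterprise."""
    area = first_area_score(employee, sample)
    if area > area_thr:                       # rule 1: far above the abnormal reference
        return "abnormal", area
    sim = curve_similarity(employee, sample)
    # Assumed weighting: the operation score FALLS as the employee curve
    # approaches or exceeds the abnormal reference, so a low score is abnormal.
    op_score = (w_area * (1.0 - min(max(area, 0.0), 1.0))
                + (1.0 - w_area) * (1.0 - sim))
    return ("abnormal" if op_score < op_thr else "normal"), op_score

# Constructed sample curves (five scoring periods): the reference pattern
# of one abnormal cause, an employee tracking it, and one diverging from it.
SAMPLE = [1, 2, 3, 4, 5]
TRACKING, DIVERGING = [2, 3, 4, 5, 6], [5, 4, 3, 2, 1]
```

The tracking employee never exceeds the area threshold but is caught by the similarity fallback; the diverging employee is marked normal by both rules.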
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410826520.1A CN118396388B (en) 2024-06-25 2024-06-25 Enterprise information technology management early warning platform and early warning method

Publications (2)

Publication Number Publication Date
CN118396388A true CN118396388A (en) 2024-07-26
CN118396388B CN118396388B (en) 2024-08-30

Family

ID=91992967

Country Status (1)

Country Link
CN (1) CN118396388B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050096953A1 (en) * 2003-11-01 2005-05-05 Ge Medical Systems Global Technology Co., Llc Methods and apparatus for predictive service for information technology resource outages
CN113361963A (en) * 2021-06-30 2021-09-07 支付宝(杭州)信息技术有限公司 Method and device for identifying risk of enterprise
CN113869623A (en) * 2020-06-30 2021-12-31 国信优易数据股份有限公司 Enterprise risk level determination method and device and readable storage medium
CN116502806A (en) * 2023-06-26 2023-07-28 辰风策划(深圳)有限公司 Enterprise information management method and system based on cloud computing platform
CN117391436A (en) * 2023-09-22 2024-01-12 国家电投集团资本控股有限公司 Enterprise risk monitoring method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张有; 王开云; 张春瑞; 邓妙然: "A Survey of Insider Threat Detection Based on User Behavior Logs" (基于用户行为日志的内部威胁检测综述), Computer Era (计算机时代), no. 09, 10 September 2020 (2020-09-10) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant