CN1588889A - Abnormal detection method for user access activity in attached net storage device - Google Patents
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
A method for detecting abnormal user access behavior in network-attached storage (NAS) devices. Feature values are extracted from the system call sequences generated by user access behavior and matched against the features of normal behavior, so that abnormal behavior is identified and a response is generated that stops users on the network from performing abnormal access operations on the NAS device. The method prevents illegal access by unauthorized users and also prevents authorized users from access that exceeds their privileges.
Description
Technical field
The invention belongs to the field of network storage technology, and in particular concerns the recognition of anomalies in user access activity on network-attached storage devices.
Background technology
The explosive growth of digital information has driven storage and processing technologies based on optical and magnetic media, together with their applications. With the rapid development and spread of computer networks, data storage has become increasingly decentralized. Network-attached storage (NAS) technology connects a storage device directly to the network through a dedicated operating system, so that the device acts as a special-purpose server and becomes a storage node in the network information system. The biggest difference between such a dedicated NAS server and a traditional network server is that its hardware and software architecture has been optimized: the many computing functions of a general-purpose server that do not apply have been removed, and only communication and file storage functions are provided, dedicated to the storage service. NAS technology moves data from the back end of traditional network servers onto network nodes dedicated to storage, so that a highly centralized storage and service centre is no longer formed. Such a network system supports online expansion, online maintenance and remote management of the storage system well.
Although NAS devices offer advantages such as high storage performance, plug and play, and manageability, enterprises' demands for data availability and security keep rising, and existing NAS products have gradually exposed serious deficiencies in access security. Most NAS devices provide protective barriers such as user authentication and file permission settings, and the network has perimeter protections such as firewalls, but NAS technology has security weaknesses in the operating system, data access, network connection and management access, so these traditional protection technologies cannot prevent all abnormal system events. Existing NAS products also deploy no real-time, effective prevention policy against the system's security weaknesses. As a result the NAS device is almost the most fragile storage node in the network environment, which seriously limits the wide adoption of NAS technology in enterprises.
Summary of the invention
By analyzing the system call sequences produced by user access processes in NAS devices, the inventors found that this sequence information is specific and stable: different processes produce different system call sequences, and repeated execution of the same process yields the same sequence. A change in any single system call in a process's system call sequence indicates a change in user behavior. Requesting system calls through a process is the only way for a user to use the shared resources of a NAS device, and it is also the checkpoint that any behavior attempting to destroy data on the device must pass. Monitoring system calls can therefore effectively identify anomalies in user behavior.
To effectively monitor and block abnormal user operations in existing NAS devices, especially access by illegal users and unauthorized access by legitimate users, the invention provides a method for detecting anomalies in user access activity on a network-attached storage device. The scheme is as follows:
A method for detecting anomalies in user access activity on a network-attached storage device, characterized in that feature values are extracted from the system call sequences produced by user access activity on the device and matched; the features of normal user behavior are used to identify anomalies in the current user's behavior and to produce a response that stops the execution of abnormal access operations on the device by users on the network. The method comprises the following steps:
1) Users are graded into levels according to their access privileges. A sliding window is moved along the time axis over the system call sequence produced by user access activity, and the current call is paired with each system call in the window to form system call pairs. The system call pair, the distance between the two system calls in the pair, and the user's privilege level are combined into the pattern feature value of the user access activity;
2) System call information for normal user access behavior is collected, the pattern feature values of the user access activity are extracted, and the NAS device is trained. In this stage, according to the number N of system calls actually used in the NAS device, an N × N storage matrix is maintained in the operating system; the row numbers and column numbers of this matrix both correspond to system call numbers, i.e. 0~N. The elements of the matrix store the pattern feature values of normal user access behavior;
3) In the operation stage of the NAS device, the pattern feature value storage matrix of normal user access behavior is maintained in the operating system kernel. The sliding window described above is moved along the time axis over the system call sequence produced by user access activity, the pattern feature values of the current user's access behavior are extracted and compared with the corresponding elements of the maintained matrix, the legitimacy of the system call produced by the current user's access behavior is determined, and the system call is responded to accordingly. If the current system call is anomalous, the operating system aborts the current process and records the relevant information in a log file; if the current system call is normal, the operating system continues to execute the current user process.
After authentication and file permissions, the invention places a further line of defense inside the operating system. It monitors the system call sequences produced by user access activity, combines them with user privilege information, and provides an anomaly detection method that grades user behavior by level, performs anomaly identification and responds quickly. The method only needs simple training of the system in a secure environment to obtain the library of normal behavior patterns required for anomaly identification, and this pattern library can be copied to untrained NAS devices for use. The design of the pattern feature value storage matrix reduces both the storage space for the data and the time for lookup and matching. Compared with common intrusion detection systems, the method is simple to implement and operates in real time.
Description of drawings
Fig. 1 is the overall flow chart of the anomaly detection method.
Fig. 2 is a schematic diagram of the pattern feature value storage matrix of the invention.
Embodiment
The invention is further described below with reference to the drawings.
The purpose of a user's access to the NAS is to obtain files or to manage the device. When a legitimate user performs an authorized operation, the process produces a corresponding system call sequence. Likewise, when an illegal user maliciously intrudes into the system, or a legitimate user performs an unauthorized operation, the processes of these abnormal behaviors also produce corresponding system call sequences. The system call sequences produced by abnormal and normal behavior always differ in aspects such as the names of the system calls, the calling order, and the number of requests.
The method provided by the invention for detecting anomalies in user access activity on a network-attached storage device extracts feature values from the system call sequences produced by user access activity on the device and matches them; the features of normal user behavior are used to identify anomalies in user behavior and to produce a response that stops the execution of abnormal access operations on the device by users on the network. The specific steps are as follows, as shown in Fig. 1.
First, users are graded into levels according to their access privileges. A sliding window is moved along the time axis over the system call sequence produced by user access activity, and the current call is paired with each system call in the window to form system call pairs. The system call pair, the distance between the two system calls in the pair, and the user's privilege level are combined into the pattern feature value of the user access activity.
Take as an example the system call sequence requested by the process when a read-only user reads a file over the network:
Users are divided by access privilege into four classes: read-only users, read-write users, super users (administrators) and system users. These are placed on levels 0, 1, 2 and 3 respectively, which yields the user privilege level information.
The system call sequence produced by the user access activity is S = {execve, uname, brk, open, open, fstat64, fstat, old_mmap, close, open, read, fstat, ..., chown, chmod, _exit}. Expressed as system call numbers, this sequence is S = {11, 109, 45, 5, 5, 197, 108, 90, 6, 5, 3, 108, ..., 182, 15, 1}.
The length of the sliding window can be chosen according to the memory capacity of the NAS device. In this example the window length is ω = 9. The window slides one position at a time from left to right along the system call sequence in time order, yielding the windowed short sequences of system calls shown in Table 1. Each row of the table represents one windowed short sequence; the rightmost object in the window is the current system call c, the leftmost object is the 8th system call before c, and so on.
When the current call is "close", i.e. c = 6, the short sequence of system calls in the window is the grey-shaded row of Table 1: W = {execve, uname, brk, open, open, fstat64, fstat, old_mmap, close}, that is, W = {11, 109, 45, 5, 5, 197, 108, 90, 6}.
Table 1: Short system call sequences after windowing
The current system call is paired with each system call in the sliding window, the system call pairs in the window are extracted, and the distance and the user privilege level are attached to form the pattern feature value T(W[i], c, l, r). Here W[i] is the short sequence of system calls in the sliding window, 0≤i≤8; c is the currently requested system call, located at the right end of the window, i.e. W[8]; l = 8 - i is the distance between the two system calls of the pair (W[i], c); and r is the user privilege level information.
For the current system call c, 8 feature values in total are extracted from the sliding window, as shown in Table 2.
Table 2: Feature values extracted by windowing
No. | W[i] | c | l | r |
---|---|---|---|---|
1 | 11 | 6 | 8 | 0 |
2 | 109 | 6 | 7 | 0 |
3 | 45 | 6 | 6 | 0 |
4 | 5 | 6 | 5 | 0 |
5 | 5 | 6 | 4 | 0 |
6 | 197 | 6 | 3 | 0 |
7 | 108 | 6 | 2 | 0 |
8 | 90 | 6 | 1 | 0 |
Suppose that the number of system calls defined in the operating system is 256, i.e. the system call numbers are 0~255. Define a pattern feature value storage matrix E of size 256 × 256, whose row numbers and column numbers both correspond to system call numbers. The element at each position of the matrix holds the call information of the pair formed by the system calls of its row and column, and all elements are initialized to 0. The data type of an element E[i][j] of matrix E is "unsigned long", 32 bits long, four bytes in total. Each bit can hold the information of one feature value, and every 8 bits correspond to one user privilege level. Storing the pattern feature value T(W[i], c, l, r) of normal user behavior therefore means setting the corresponding bit of matrix element E[W[i]][c], bit[b] = 1, where the storage position b is computed as:
b=l-1+8×r
When the window length is 9, the feature value storage bits for user behavior on levels 0~3 are bit[0]~bit[7], bit[8]~bit[15], bit[16]~bit[23] and bit[24]~bit[31] respectively. This forms a stepped layout in which the behavioral features of users on different levels cannot be confused. For example, the feature values with sequence numbers 4 and 5 in Table 2, (5, 6, 5, 0) and (5, 6, 4, 0), are stored in the matrix with the result shown in Fig. 2.
Then, in the training stage of the NAS device, system call information for normal user access behavior is collected, the pattern feature values of the user access activity are extracted, and the storage matrix of pattern feature values of normal user access behavior is built in the manner described above and stored in the data storage module.
Afterwards, network access to the NAS device is opened, and the storage matrix of pattern feature values of normal user access behavior is maintained in the operating system kernel. Anomaly detection is performed on every user access activity. The monitored object is the current system call c of the user process, together with the preceding system calls in the sliding window. With a sliding window length of 9, 8 feature values are extracted and compared with the corresponding elements of the storage matrix to check whether each pattern feature value is valid. That is, the storage position b is computed from the information in the pattern feature value T(W[i], c, l, r); the two system call numbers in the feature value are then used as subscripts to fetch the corresponding element E[W[i]][c] of matrix E; and bit[b] of this element is checked. If it is 1, the feature value is valid; otherwise it is invalid. The anomaly identification process checks each extracted feature value: only when all 8 feature values are valid is the current system call c considered a legitimate, normal system call. If even one feature value is judged invalid, the current system call c is identified as anomalous.
Once the current system call c has been identified as normal or anomalous, the system responds to the result. If c is anomalous, the system aborts the current process and records the relevant information in a log file, including the system call number, user number, operation command and so on, for the administrator to query. If c is normal, the system continues to execute the current user process; when a new system call is requested and becomes the current system call, the process of feature value extraction, anomaly identification and response is carried out again.
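The training and detection steps described above, written out as an added C example (it is not code from the patent). The function names, the handling of a window that is not yet full, and the constructed trace TRACE_CHMOD are assumptions; TRACE_NORMAL is the 12-call prefix of the sequence S given in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSYS   256  /* system call numbers 0..255, as in the description */
#define WINDOW 9    /* sliding window length from the worked example */
#define LEVELS 4    /* privilege levels r = 0..3 */

/* E[a][c]: one 32-bit word per pair (earlier call a, current call c). */
static uint32_t E[NSYS][NSYS];

/* Bit for feature T(a, c, l, r): b = l - 1 + 8 * r (formula from the text). */
static uint32_t feature_mask(unsigned l, unsigned r)
{
    return UINT32_C(1) << (l - 1 + 8 * r);
}

void matrix_reset(void) { memset(E, 0, sizeof E); }

uint32_t matrix_cell(uint8_t a, uint8_t c) { return E[a][c]; }

/* Training: for every call of a known-good trace, set the bit of each
 * (predecessor, current, distance) feature. Returns -1 for a bad level.
 * Assumption: a window that is not yet full uses the calls available.
 * uint8_t keeps every index inside 0..255; code fed wider syscall numbers
 * must bounds-check them before indexing E. */
int train(const uint8_t *seq, size_t n, unsigned r)
{
    if (r >= LEVELS)
        return -1;
    for (size_t k = 0; k < n; k++)
        for (unsigned l = 1; l < WINDOW && l <= k; l++)
            E[seq[k - l]][seq[k]] |= feature_mask(l, r);
    return 0;
}

/* Detection: the call at index k is normal only if every feature extracted
 * from its window has its bit set in E. Returns 1 (normal) or 0 (anomalous). */
int call_is_normal(const uint8_t *seq, size_t k, unsigned r)
{
    if (r >= LEVELS)
        return 0;
    for (unsigned l = 1; l < WINDOW && l <= k; l++)
        if (!(E[seq[k - l]][seq[k]] & feature_mask(l, r)))
            return 0;
    return 1;
}

/* Index of the first anomalous call in a trace, or -1 if all are normal.
 * This is the point at which the method would abort the process and log. */
long first_anomaly(const uint8_t *seq, size_t n, unsigned r)
{
    for (size_t k = 0; k < n; k++)
        if (!call_is_normal(seq, k, r))
            return (long)k;
    return -1;
}

/* Prefix of S from the description: execve uname brk open open fstat64
 * fstat old_mmap close open read fstat. */
static const uint8_t TRACE_NORMAL[] =
    { 11, 109, 45, 5, 5, 197, 108, 90, 6, 5, 3, 108 };
static const size_t TRACE_NORMAL_LEN =
    sizeof TRACE_NORMAL / sizeof TRACE_NORMAL[0];

/* Constructed trace: same start, then chmod (15) right after close (6). */
static const uint8_t TRACE_CHMOD[] =
    { 11, 109, 45, 5, 5, 197, 108, 90, 6, 15 };
static const size_t TRACE_CHMOD_LEN =
    sizeof TRACE_CHMOD / sizeof TRACE_CHMOD[0];

int main(void)
{
    matrix_reset();
    train(TRACE_NORMAL, TRACE_NORMAL_LEN, 0);   /* read-only user, r = 0 */

    printf("E[5][6] = 0x%08x\n", (unsigned)matrix_cell(5, 6));
    printf("trained trace, r=0: first anomaly at %ld\n",
           first_anomaly(TRACE_NORMAL, TRACE_NORMAL_LEN, 0));
    printf("same trace, r=1:    first anomaly at %ld\n",
           first_anomaly(TRACE_NORMAL, TRACE_NORMAL_LEN, 1));
    printf("chmod trace, r=0:   first anomaly at %ld\n",
           first_anomaly(TRACE_CHMOD, TRACE_CHMOD_LEN, 0));
    return 0;
}
```

Because each privilege level owns its own 8 bits, a trace learned for level 0 says nothing about level 1: the same calls replayed at r = 1 are flagged until that level has been trained separately.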
Claims (1)
1. A method for detecting anomalies in user access activity on a network-attached storage device, characterized in that feature values are extracted from the system call sequences produced by user access activity on the device and matched; the features of normal user behavior are used to identify anomalies in the current user's behavior and to produce a response that stops the execution of abnormal access operations on the device by users on the network; the method comprises the following steps:
1) Users are graded into levels according to their access privileges. A sliding window is moved along the time axis over the system call sequence produced by user access activity, and the current call is paired with each system call in the window to form system call pairs. The system call pair, the distance between the two system calls in the pair, and the user's privilege level are combined into the pattern feature value of the user access activity;
2) System call information for normal user access behavior is collected, the pattern feature values of the user access activity are extracted, and the NAS device is trained. In this stage, according to the number N of system calls actually used in the NAS device, an N × N storage matrix is maintained in the operating system; the row numbers and column numbers of this matrix both correspond to system call numbers, i.e. 0~N. The elements of the matrix store the pattern feature values of normal user access behavior;
3) In the operation stage of the NAS device, the pattern feature value storage matrix of normal user access behavior is maintained in the operating system kernel. The sliding window described above is moved along the time axis over the system call sequence produced by user access activity, the pattern feature values of the current user's access behavior are extracted and compared with the corresponding elements of the maintained matrix, the legitimacy of the system call produced by the current user's access behavior is determined, and the system call is responded to accordingly. If the current system call is anomalous, the operating system aborts the current process and records the relevant information in a log file; if the current system call is normal, the operating system continues to execute the current user process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200410078322 CN1291569C (en) | 2004-09-24 | 2004-09-24 | Abnormal detection method for user access activity in attached net storage device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1588889A true CN1588889A (en) | 2005-03-02 |
CN1291569C CN1291569C (en) | 2006-12-20 |
Family
ID=34604982
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200410078322 Expired - Fee Related CN1291569C (en) | 2004-09-24 | 2004-09-24 | Abnormal detection method for user access activity in attached net storage device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1291569C (en) |
Cited By (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1333552C (en) * | 2005-03-23 | 2007-08-22 | 北京首信科技有限公司 | Detecting system and method for user behaviour abnormal based on machine study |
US7555482B2 (en) * | 2005-06-07 | 2009-06-30 | Varonis Systems, Inc. | Automatic detection of abnormal data access activities |
CN101887499A (en) * | 2010-07-08 | 2010-11-17 | 北京九合创胜网络科技有限公司 | User identity management method and system |
US8239925B2 (en) | 2007-04-26 | 2012-08-07 | Varonis Systems, Inc. | Evaluating removal of access permissions |
US8438612B2 (en) | 2007-11-06 | 2013-05-07 | Varonis Systems Inc. | Visualization of access permission status |
CN103188105A (en) * | 2011-12-31 | 2013-07-03 | 中国航天科工集团第二研究院七〇六所 | Safety enhancing system and method thereof of NAS equipment |
US8533787B2 (en) | 2011-05-12 | 2013-09-10 | Varonis Systems, Inc. | Automatic resource ownership assignment system and method |
US8561146B2 (en) | 2006-04-14 | 2013-10-15 | Varonis Systems, Inc. | Automatic folder access management |
US8578507B2 (en) | 2009-09-09 | 2013-11-05 | Varonis Systems, Inc. | Access permissions entitlement review |
US8601592B2 (en) | 2009-09-09 | 2013-12-03 | Varonis Systems, Inc. | Data management utilizing access and content information |
CN104318435A (en) * | 2014-09-25 | 2015-01-28 | 同济大学 | Immunization method for user behavior detection in electronic transaction process |
US9147180B2 (en) | 2010-08-24 | 2015-09-29 | Varonis Systems, Inc. | Data governance for email systems |
US9177167B2 (en) | 2010-05-27 | 2015-11-03 | Varonis Systems, Inc. | Automation framework |
CN106027577A (en) * | 2016-08-04 | 2016-10-12 | 四川无声信息技术有限公司 | Exception access behavior detection method and device |
CN106470204A (en) * | 2015-08-21 | 2017-03-01 | 阿里巴巴集团控股有限公司 | User identification method based on request behavior characteristicss, device, equipment and system |
US9641334B2 (en) | 2009-07-07 | 2017-05-02 | Varonis Systems, Inc. | Method and apparatus for ascertaining data access permission of groups of users to groups of data elements |
US9680839B2 (en) | 2011-01-27 | 2017-06-13 | Varonis Systems, Inc. | Access permissions management system and method |
US9679148B2 (en) | 2011-01-27 | 2017-06-13 | Varonis Systems, Inc. | Access permissions management system and method |
US9870480B2 (en) | 2010-05-27 | 2018-01-16 | Varonis Systems, Inc. | Automatic removal of global user security groups |
US9894071B2 (en) | 2007-10-11 | 2018-02-13 | Varonis Systems Inc. | Visualization of access permission status |
CN108107400A (en) * | 2017-12-04 | 2018-06-01 | 宁波三星医疗电气股份有限公司 | A kind of detection method and intelligent meter based on intelligent meter button |
US10037358B2 (en) | 2010-05-27 | 2018-07-31 | Varonis Systems, Inc. | Data classification |
US10229191B2 (en) | 2009-09-09 | 2019-03-12 | Varonis Systems Ltd. | Enterprise level data management |
US10296596B2 (en) | 2010-05-27 | 2019-05-21 | Varonis Systems, Inc. | Data tagging |
US10320798B2 (en) | 2013-02-20 | 2019-06-11 | Varonis Systems, Inc. | Systems and methodologies for controlling access to a file system |
CN109936548A (en) * | 2017-12-18 | 2019-06-25 | 航天信息股份有限公司 | Anomaly detection method and device based on PKI platform |
CN109977637A (en) * | 2019-01-17 | 2019-07-05 | 阿里巴巴集团控股有限公司 | Auxiliary determination vertically goes beyond one's commission, determines vertical method, apparatus and electronic equipment |
CN110855663A (en) * | 2019-11-12 | 2020-02-28 | 北京中安智达科技有限公司 | Identification method and system based on time-space correlation analysis |
CN111092889A (en) * | 2019-12-18 | 2020-05-01 | 贾海芳 | Distributed data node abnormal behavior detection method and device and server |
CN114357436A (en) * | 2021-08-10 | 2022-04-15 | 中电积至(海南)信息技术有限公司 | Intrusion detection system and method combining user behavior portrait with equipment resource monitoring |
US11496476B2 (en) | 2011-01-27 | 2022-11-08 | Varonis Systems, Inc. | Access permissions management system and method |
US11706227B2 (en) | 2016-07-20 | 2023-07-18 | Varonis Systems Inc | Systems and methods for processing access permission type-specific access permission requests in an enterprise |
-
2004
- 2004-09-24 CN CN 200410078322 patent/CN1291569C/en not_active Expired - Fee Related
Cited By (62)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1333552C (en) * | 2005-03-23 | 2007-08-22 | 北京首信科技有限公司 | Detecting system and method for user behaviour abnormal based on machine study |
US7555482B2 (en) * | 2005-06-07 | 2009-06-30 | Varonis Systems, Inc. | Automatic detection of abnormal data access activities |
US7606801B2 (en) | 2005-06-07 | 2009-10-20 | Varonis Inc. | Automatic management of storage access control |
US8561146B2 (en) | 2006-04-14 | 2013-10-15 | Varonis Systems, Inc. | Automatic folder access management |
US9009795B2 (en) | 2006-04-14 | 2015-04-14 | Varonis Systems, Inc. | Automatic folder access management |
US9436843B2 (en) | 2006-04-14 | 2016-09-06 | Varonis Systems, Inc. | Automatic folder access management |
US9727744B2 (en) | 2006-04-14 | 2017-08-08 | Varonis Systems, Inc. | Automatic folder access management |
US8239925B2 (en) | 2007-04-26 | 2012-08-07 | Varonis Systems, Inc. | Evaluating removal of access permissions |
US10148661B2 (en) | 2007-10-11 | 2018-12-04 | Varonis Systems Inc. | Visualization of access permission status |
US9894071B2 (en) | 2007-10-11 | 2018-02-13 | Varonis Systems Inc. | Visualization of access permission status |
US9984240B2 (en) | 2007-11-06 | 2018-05-29 | Varonis Systems Inc. | Visualization of access permission status |
US8438612B2 (en) | 2007-11-06 | 2013-05-07 | Varonis Systems Inc. | Visualization of access permission status |
US8893228B2 (en) | 2007-11-06 | 2014-11-18 | Varonis Systems Inc. | Visualization of access permission status |
US9641334B2 (en) | 2009-07-07 | 2017-05-02 | Varonis Systems, Inc. | Method and apparatus for ascertaining data access permission of groups of users to groups of data elements |
US8601592B2 (en) | 2009-09-09 | 2013-12-03 | Varonis Systems, Inc. | Data management utilizing access and content information |
US10229191B2 (en) | 2009-09-09 | 2019-03-12 | Varonis Systems Ltd. | Enterprise level data management |
US11604791B2 (en) | 2009-09-09 | 2023-03-14 | Varonis Systems, Inc. | Automatic resource ownership assignment systems and methods |
US9106669B2 (en) | 2009-09-09 | 2015-08-11 | Varonis Systems, Inc. | Access permissions entitlement review |
US9912672B2 (en) | 2009-09-09 | 2018-03-06 | Varonis Systems, Inc. | Access permissions entitlement review |
US9904685B2 (en) | 2009-09-09 | 2018-02-27 | Varonis Systems, Inc. | Enterprise level data management |
US8578507B2 (en) | 2009-09-09 | 2013-11-05 | Varonis Systems, Inc. | Access permissions entitlement review |
US10176185B2 (en) | 2009-09-09 | 2019-01-08 | Varonis Systems, Inc. | Enterprise level data management |
US9660997B2 (en) | 2009-09-09 | 2017-05-23 | Varonis Systems, Inc. | Access permissions entitlement review |
US8805884B2 (en) | 2009-09-09 | 2014-08-12 | Varonis Systems, Inc. | Automatic resource ownership assignment systems and methods |
US9870480B2 (en) | 2010-05-27 | 2018-01-16 | Varonis Systems, Inc. | Automatic removal of global user security groups |
US9177167B2 (en) | 2010-05-27 | 2015-11-03 | Varonis Systems, Inc. | Automation framework |
US11138153B2 (en) | 2010-05-27 | 2021-10-05 | Varonis Systems, Inc. | Data tagging |
US10037358B2 (en) | 2010-05-27 | 2018-07-31 | Varonis Systems, Inc. | Data classification |
US10296596B2 (en) | 2010-05-27 | 2019-05-21 | Varonis Systems, Inc. | Data tagging |
US10318751B2 (en) | 2010-05-27 | 2019-06-11 | Varonis Systems, Inc. | Automatic removal of global user security groups |
US11042550B2 (en) | 2010-05-27 | 2021-06-22 | Varonis Systems, Inc. | Data classification |
CN101887499A (en) * | 2010-07-08 | 2010-11-17 | 北京九合创胜网络科技有限公司 | User identity management method and system |
US9712475B2 (en) | 2010-08-24 | 2017-07-18 | Varonis Systems, Inc. | Data governance for email systems |
US9147180B2 (en) | 2010-08-24 | 2015-09-29 | Varonis Systems, Inc. | Data governance for email systems |
US9679148B2 (en) | 2011-01-27 | 2017-06-13 | Varonis Systems, Inc. | Access permissions management system and method |
US11496476B2 (en) | 2011-01-27 | 2022-11-08 | Varonis Systems, Inc. | Access permissions management system and method |
US10476878B2 (en) | 2011-01-27 | 2019-11-12 | Varonis Systems, Inc. | Access permissions management system and method |
US10102389B2 (en) | 2011-01-27 | 2018-10-16 | Varonis Systems, Inc. | Access permissions management system and method |
US9680839B2 (en) | 2011-01-27 | 2017-06-13 | Varonis Systems, Inc. | Access permissions management system and method |
US10721234B2 (en) | 2011-04-21 | 2020-07-21 | Varonis Systems, Inc. | Access permissions management system and method |
US9721114B2 (en) | 2011-05-12 | 2017-08-01 | Varonis Systems, Inc. | Automatic resource ownership assignment system and method |
US9275061B2 (en) | 2011-05-12 | 2016-03-01 | Varonis Systems, Inc. | Automatic resource ownership assignment system and method |
US9721115B2 (en) | 2011-05-12 | 2017-08-01 | Varonis Systems, Inc. | Automatic resource ownership assignment system and method |
US8533787B2 (en) | 2011-05-12 | 2013-09-10 | Varonis Systems, Inc. | Automatic resource ownership assignment system and method |
US8875248B2 (en) | 2011-05-12 | 2014-10-28 | Varonis Systems, Inc. | Automatic resource ownership assignment system and method |
US8875246B2 (en) | 2011-05-12 | 2014-10-28 | Varonis Systems, Inc. | Automatic resource ownership assignment system and method |
US9372862B2 (en) | 2011-05-12 | 2016-06-21 | Varonis Systems, Inc. | Automatic resource ownership assignment system and method |
CN103188105A (en) * | 2011-12-31 | 2013-07-03 | 中国航天科工集团第二研究院七〇六所 | Safety enhancing system and method thereof of NAS equipment |
US10320798B2 (en) | 2013-02-20 | 2019-06-11 | Varonis Systems, Inc. | Systems and methodologies for controlling access to a file system |
CN104318435A (en) * | 2014-09-25 | 2015-01-28 | 同济大学 | Immunization method for user behavior detection in electronic transaction process |
CN106470204A (en) * | 2015-08-21 | 2017-03-01 | 阿里巴巴集团控股有限公司 | User identification method based on request behavior characteristics, device, equipment and system |
US11706227B2 (en) | 2016-07-20 | 2023-07-18 | Varonis Systems Inc | Systems and methods for processing access permission type-specific access permission requests in an enterprise |
CN106027577B (en) * | 2016-08-04 | 2019-04-30 | 四川无声信息技术有限公司 | Abnormal access behavior detection method and device |
CN106027577A (en) * | 2016-08-04 | 2016-10-12 | 四川无声信息技术有限公司 | Exception access behavior detection method and device |
CN108107400A (en) * | 2017-12-04 | 2018-06-01 | 宁波三星医疗电气股份有限公司 | A kind of detection method and intelligent meter based on intelligent meter button |
CN109936548A (en) * | 2017-12-18 | 2019-06-25 | 航天信息股份有限公司 | Anomaly detection method and device based on PKI platform |
CN109977637A (en) * | 2019-01-17 | 2019-07-05 | 阿里巴巴集团控股有限公司 | Auxiliary determination vertically goes beyond one's commission, determines vertical method, apparatus and electronic equipment |
CN110855663A (en) * | 2019-11-12 | 2020-02-28 | 北京中安智达科技有限公司 | Identification method and system based on time-space correlation analysis |
CN110855663B (en) * | 2019-11-12 | 2021-12-14 | 北京中安智达科技有限公司 | Identification method and system based on time-space correlation analysis |
CN111092889A (en) * | 2019-12-18 | 2020-05-01 | 贾海芳 | Distributed data node abnormal behavior detection method and device and server |
CN111092889B (en) * | 2019-12-18 | 2020-11-20 | 江苏美杜莎信息科技有限公司 | Distributed data node abnormal behavior detection method and device and server |
CN114357436A (en) * | 2021-08-10 | 2022-04-15 | 中电积至(海南)信息技术有限公司 | Intrusion detection system and method combining user behavior portrait with equipment resource monitoring |
Also Published As
Publication number | Publication date |
---|---|
CN1291569C (en) | 2006-12-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1291569C (en) | Abnormal detection method for user access activity in attached net storage device | |
Cheng et al. | Enterprise data breach: causes, challenges, prevention, and future directions | |
CN113661693B (en) | Detecting sensitive data exposure via log | |
CN108351946B (en) | System and method for anonymizing log entries | |
CN104283889B (en) | APT attack detection and early warning system inside electric system based on the network architecture | |
JP6703616B2 (en) | System and method for detecting security threats | |
CN107851155A (en) | For the system and method across multiple software entitys tracking malicious act | |
CN112787992A (en) | Method, device, equipment and medium for detecting and protecting sensitive data | |
CN108268354A (en) | Data safety monitoring method, background server, terminal and system | |
CN107451476A (en) | Webpage back door detection method, system, equipment and storage medium based on cloud platform | |
CN107066883A (en) | System and method for blocking script to perform | |
CN106462703A (en) | System and method for analyzing patch file | |
CN113132311B (en) | Abnormal access detection method, device and equipment | |
CN101719846A (en) | Security monitoring method, device and system | |
EP3172692A1 (en) | Remedial action for release of threat data | |
CN106815229A (en) | Database virtual patch means of defence | |
CA2674327A1 (en) | Exploit nonspecific host intrusion prevention/detection methods and systems and smart filters therefor | |
CN1743992A (en) | Computer operating system safety protecting method | |
US20240056475A1 (en) | Techniques for detecting living-off-the-land binary attacks | |
CN115086081B (en) | Escape prevention method and system for honeypots | |
CN106250764A (en) | A kind of terminal control system | |
CN103051608B (en) | A kind of method and apparatus of movable equipment access monitoring | |
CN116599688A (en) | Method and system for realizing alarm event reporting on vehicle-mounted firewall based on probe mechanism | |
Shang et al. | [Retracted] Computer Multimedia Security Protection System Based on the Network Security Active Defense Model | |
Suthaharan et al. | An approach for automatic selection of relevance features in intrusion detection systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C19 | Lapse of patent right due to non-payment of the annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |